TF: Update LB bucket role members following a DRYer approach

Run terraform fmt -recursive
2024-11-19 04:50:01 +01:00 · 2023-05-22 15:25:05 +00:00 · 2023-05-22 15:25:05 +00:00 · f306840add
commit f306840add
parent 44b318521f
5 changed files with 46 additions and 14 deletions
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -104,8 +104,8 @@ module "lb" {
  internal_ip_testnet  = local.env == "staging" ? "127.0.0.1" : data.terraform_remote_state.blc-testnet.outputs.blc_internal_ip_testnet
  # NOTE: There is no testnet server on staging. The IP is set to 127.0.0.1
  # above so that the nginx conf does not see an empty IP and fail.
-  target_pool          = length(google_compute_target_pool.lb-pool) > 0 ? google_compute_target_pool.lb-pool[0].self_link : ""
-  health_check         = length(google_compute_http_health_check.lb-health) > 0 ? google_compute_http_health_check.lb-health[0].self_link : ""
+  target_pool  = length(google_compute_target_pool.lb-pool) > 0 ? google_compute_target_pool.lb-pool[0].self_link : ""
+  health_check = length(google_compute_http_health_check.lb-health) > 0 ? google_compute_http_health_check.lb-health[0].self_link : ""

  create_resources = local.create_mainnet

@ -131,12 +131,9 @@ module "tor" {
  gcloud_docker        = var.gcloud_docker
  tor_docker           = var.tor_docker
  node_exporter_docker = var.node_exporter_docker
-  kms_key              = element(concat(google_kms_crypto_key.tor-crypto-key.*.name, [""]), 0)
-  kms_key_ring         = element(concat(google_kms_key_ring.tor-key-ring.*.name, [""]), 0)
-  kms_key_link = element(
-    concat(google_kms_crypto_key.tor-crypto-key.*.self_link, [""]),
-    0,
-  )
+  kms_key              = try(google_kms_crypto_key.tor-crypto-key[0].name, null)
+  kms_key_ring         = try(google_kms_key_ring.tor-key-ring[0].name, null)
+  kms_key_link         = try(google_kms_crypto_key.tor-crypto-key[0].id, null)
  tor_lb = element(
    concat(google_compute_global_address.tor-lb.*.address, [""]),
    0,
--- a/terraform/modules/blc/main.tf
+++ b/terraform/modules/blc/main.tf
@ -26,7 +26,7 @@ resource "google_compute_instance_group_manager" "blc" {
  }

  update_policy {
-    type                  = var.env == "staging" ? "PROACTIVE": "OPPORTUNISTIC"
+    type                  = var.env == "staging" ? "PROACTIVE" : "OPPORTUNISTIC"
    minimal_action        = "RESTART"
    replacement_method    = "RECREATE"
    max_surge_fixed       = 0
@ -78,7 +78,7 @@ resource "google_compute_instance_template" "blc" {
  }

  metadata = {
-    user-data              = data.template_cloudinit_config.blc[0].rendered
+    user-data = data.template_cloudinit_config.blc[0].rendered
  }

  service_account {
--- a/terraform/modules/lb/iam.tf
+++ b/terraform/modules/lb/iam.tf
@ -12,3 +12,38 @@ resource "google_project_iam_member" "satapi-lb" {
  count   = var.create_resources
 }

+# GCS buckets access for TLS management
+locals {
+  buckets = var.create_resources == "1" ? {
+    public  = google_storage_bucket.satapi-lb-public[0].name
+    private = google_storage_bucket.satapi-lb-private[0].name
+  } : {}
+
+  roles = {
+    objectCreator      = "roles/storage.objectCreator",
+    objectViewer       = "roles/storage.objectViewer",
+    legacyBucketWriter = "roles/storage.legacyBucketWriter"
+  }
+
+  bucket_role_pairs = flatten([
+    for b_key, b_name in local.buckets : [
+      for r_key, r_value in local.roles : {
+        bucket_key = b_key
+        bucket     = b_name
+        role_key   = r_key
+        role       = r_value
+      }
+    ]
+  ])
+
+  bucket_roles = { for br in local.bucket_role_pairs : "${br.bucket_key}_${br.role_key}" => br }
+}
+
+resource "google_storage_bucket_iam_member" "satapi_lb_roles" {
+  # for_each = local.bucket_roles
+  for_each = var.create_resources == "1" ? local.bucket_roles : {}
+
+  bucket = each.value.bucket
+  role   = each.value.role
+  member = "serviceAccount:${google_service_account.satapi-lb[0].email}"
+}
--- a/terraform/modules/lb/main.tf
+++ b/terraform/modules/lb/main.tf
@ -16,7 +16,7 @@ resource "google_compute_region_instance_group_manager" "satapi-lb" {
  }

  update_policy {
-    type                  = var.env == "staging" ? "PROACTIVE": "OPPORTUNISTIC"
+    type                  = var.env == "staging" ? "PROACTIVE" : "OPPORTUNISTIC"
    minimal_action        = "RESTART"
    replacement_method    = "RECREATE"
    max_surge_fixed       = 0
@ -57,13 +57,13 @@ resource "google_compute_instance_template" "satapi-lb" {
  }

  network_interface {
-    network = data.google_compute_network.satapi-lb.self_link
+    network    = data.google_compute_network.satapi-lb.self_link
    network_ip = google_compute_address.satapi-lb-internal[0].address
    access_config {}
  }

  metadata = {
-    user-data              = data.template_cloudinit_config.satapi-lb[0].rendered
+    user-data = data.template_cloudinit_config.satapi-lb[0].rendered
  }

  service_account {
--- a/terraform/modules/tor/main.tf
+++ b/terraform/modules/tor/main.tf
@ -64,7 +64,7 @@ resource "google_compute_instance_template" "tor" {
  }

  metadata = {
-    user-data              = data.template_cloudinit_config.tor[0].rendered
+    user-data = data.template_cloudinit_config.tor[0].rendered
  }

  service_account {