Fix permissions and temporal bucket

common/modules/gcp-project/main.tf

@@ -73,6 +73,7 @@ variable "service_apis" {
     "resourceviews.googleapis.com",
     "servicemanagement.googleapis.com",
     "serviceusage.googleapis.com",
+    "sourcerepo.googleapis.com",
     "stackdriver.googleapis.com",
     "storage-api.googleapis.com",
   ]
@@ -100,6 +101,7 @@ data "google_iam_policy" "combined" {
 
     members = [
       "${local.service_accounts}",
+      "serviceAccount:${google_project.project.number}@cloudbuild.gserviceaccount.com",
     ]
   }
 
@@ -143,6 +145,14 @@ data "google_iam_policy" "combined" {
     ]
   }
 
+  binding {
+    role = "roles/iam.serviceAccountActor"
+
+    members = [
+      "serviceAccount:${google_project.project.number}@cloudbuild.gserviceaccount.com",
+    ]
+  }
+
   binding {
     role = "roles/iam.serviceAccountAdmin"
 
@@ -196,6 +206,7 @@ data "google_iam_policy" "combined" {
 
     members = [
       "${local.backup_service_accounts}",
+      "serviceAccount:${google_project.project.number}@cloudbuild.gserviceaccount.com",
     ]
   }
 
@@ -208,15 +219,7 @@ data "google_iam_policy" "combined" {
   }
 
   binding {
-    role = "roles/compute.storageAdmin"
-
-    members = [
-      "${local.backup_service_accounts}",
-    ]
-  }
-
-  binding {
-    role = "roles/viewer"
+    role = "roles/owner"
 
     members = [
       "${local.backup_service_accounts}",
@@ -292,11 +295,20 @@ data "google_iam_policy" "combined" {
     ]
   }
 
+  binding {
+    role = "roles/sourcerepo.serviceAgent"
+
+    members = [
+      "serviceAccount:service-${google_project.project.number}@sourcerepo-service-accounts.iam.gserviceaccount.com",
+    ]
+  }
+
   binding {
     role = "roles/compute.storageAdmin"
 
     members = [
       "serviceAccount:${google_service_account.gke_cluster_pod_k8s_snapshots.email}",
+      "${local.backup_service_accounts}",
     ]
   }
 

common/modules/gcp-project/service_accounts.tf

@@ -17,6 +17,7 @@ resource "google_service_account" "backup_exporter" {
   account_id   = "backup-exporter"
   display_name = "backup-exporter"
   project      = "${google_project.project.project_id}"
+
   #  count        = "${local.root_project_iam ? 0 : 1}"
 }
 

gcp/modules/backup-exporter/main.tf

@@ -11,6 +11,10 @@ variable "schedule" {}
 
 # Terragrunt variables
 
+data "google_project" "project" {
+  project_id = "${var.project_id}"
+}
+
 data "template_file" "backup-exporter" {
   template = "${file("values.yaml")}"
 
@@ -38,3 +42,15 @@ module "backup-exporter" {
 
   chart_name = "${var.charts_dir}/backup-exporter"
 }
+
+resource "google_storage_bucket" "backup_daisy_bkt" {
+  project = "${data.google_project.project.project_id}"
+  name    = "${data.google_project.project.name}-daisy-bkt"
+
+  force_destroy = true
+
+  # Default region "US" should be fixed in favor of TF_VAR_infra_region for consistency:
+  # https://issues.gpii.net/browse/GPII-3707
+  # location = "${var.infra_region}"
+  location = "US"
+}

gcp/modules/backup-exporter/service_account_iam.tf

@@ -22,3 +22,21 @@ resource "google_service_account_iam_policy" "pod_default_iam" {
   service_account_id = "${data.google_service_account.backup_exporter.name}"
   policy_data        = "${data.google_iam_policy.backup_exporter.policy_data}"
 }
+
+resource "google_storage_bucket_iam_binding" "member" {
+  bucket = "${google_storage_bucket.backup_daisy_bkt.name}"
+  role   = "roles/storage.objectAdmin"
+
+  members = [
+    "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "owner" {
+  bucket = "${google_storage_bucket.backup_daisy_bkt.name}"
+  role   = "roles/storage.admin"
+
+  members = [
+    "user:alfredo@raisingthefloor.org",
+  ]
+}