terraform: add hgbundler access rule and ACL for GCS bundle bucket (B…
…ug 1760180)

These rules were overlooked when I added a new GCS bucket for
us-west1 in GCP. Add an admin ACL for the hgbundler user and
an `objectViewer` ACL for `allUsers` to grant public read
access. Rename the generic `hgbundler-*` rules to be specific
to `us-central1`, and update the state via `terraform state mv`.

--HG--
extra : amend_source : e6269ad4dd8283c7aa6fb68405bf0a3bdf7d9e84
extra : histedit_source : 0067ba8fce20bfd8d9cf346be7ab64d5d518aee3
cgsheeh committed Mar 17, 2022
1 parent 1bfb63c commit 838b60f
Showing 1 changed file with 18 additions and 5 deletions.
23 changes: 18 additions & 5 deletions terraform/main.tf
Expand Up @@ -275,6 +275,20 @@ resource "google_storage_bucket" "gcp-bundles-uc1" {
}
}

resource "google_storage_bucket_iam_member" "hgbundler-access-uc1" {
bucket = google_storage_bucket.gcp-bundles-uc1.name
role = "roles/storage.objectAdmin"
member = "serviceAccount:${google_service_account.gcp-hgbundler.email}"
}

# Allow public read access to the world for the bundles buckets
resource "google_storage_bucket_iam_member" "public-bundle-rule-uc1" {
bucket = google_storage_bucket.gcp-bundles-uc1.name
role = "roles/storage.objectViewer"

member = "allUsers"
}

resource "google_storage_bucket" "gcp-bundles-uw1" {
name = "moz-hg-bundles-gcp-us-west1"
location = "us-west1"
Expand All @@ -298,15 +312,14 @@ resource "google_storage_bucket" "gcp-bundles-uw1" {
}
}

resource "google_storage_bucket_iam_member" "hgbundler-access" {
bucket = google_storage_bucket.gcp-bundles-uc1.name
resource "google_storage_bucket_iam_member" "hgbundler-access-uw1" {
bucket = google_storage_bucket.gcp-bundles-uw1.name
role = "roles/storage.objectAdmin"
member = "serviceAccount:${google_service_account.gcp-hgbundler.email}"
}

# Allow public read access to the world for the bundles bucket
resource "google_storage_bucket_iam_member" "public-bundle-rule" {
bucket = google_storage_bucket.gcp-bundles-uc1.name
resource "google_storage_bucket_iam_member" "public-bundle-rule-uw1" {
bucket = google_storage_bucket.gcp-bundles-uw1.name
role = "roles/storage.objectViewer"

member = "allUsers"
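Review bot: The `member = "allUsers"` / `roles/storage.objectViewer` binding in `public-bundle-rule-uw1` makes every object in `moz-hg-bundles-gcp-us-west1` world-readable, and nothing on the new side records that this is deliberate or what the bucket may hold; the `google_storage_bucket "gcp-bundles-uw1"` body is collapsed above the second hunk, so whether it sets `uniform_bucket_level_access = true` cannot be confirmed from here. With a public binding, uniform bucket-level access is what guarantees the exposed set is exactly the bucket IAM rather than per-object ACLs, and the `roles/storage.objectAdmin` grant to the hgbundler service account in `hgbundler-access-uw1` means anything that account writes becomes public immediately. I would state the intent on the binding itself, e.g. `# Intentionally world-readable: this bucket holds only published hg clone bundles; never upload anything else here.`, and note beside it that if the project or org enforces `public_access_prevention` the apply of this member is rejected rather than silently ignored. The `hgbundler-access` / `public-bundle-rule` renames were done with a manual `terraform state mv` per the description; if the repo is on Terraform 1.1 or later, a `moved` block would make that rename reproducible for other operators instead of a one-off state edit.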
