chore: moving over cas-shelf resources to cas-cif

terraform/main.tf

@@ -41,3 +41,74 @@ resource "google_service_account" "account" {
   depends_on   = [google_storage_bucket.bucket]
 }
 
+# Assign Storage Admin role for the corresponding service accounts
+resource "google_storage_bucket_iam_member" "admin" {
+  for_each   = { for v in var.apps : v => v }
+  bucket     = ${var.openshift_namespace}-each.value
+  role       = "roles/storage.admin"
+  member     = "serviceAccount:${google_service_account.account[each.key].email}"
+  depends_on = [google_service_account.account]
+}
+
+# Create viewer GCP service accounts for each GCS bucket
+resource "google_service_account" "viewer_account" {
+  for_each     = { for v in var.apps : v => v }
+  account_id   = "ro-${var.openshift_namespace}-${each.value}"
+  display_name = "${var.openshift_namespace}-${each.value} Viewer Service Account"
+  depends_on   = [google_storage_bucket.bucket]
+}
+
+resource "google_project_iam_custom_role" "viewer_role" {
+  role_id     = "casStorageViewer"
+  title       = "Storage Viewer Role"
+  description = "A role for accounts allowed to list the contents of buckets and to access files in them"
+  permissions = ["storage.buckets.get", "storage.buckets.list", "storage.objects.get", "storage.objects.list"]
+}
+
+# Assign Storage Viewer role for the corresponding service accounts
+resource "google_storage_bucket_iam_member" "viewer" {
+  for_each   = { for v in var.apps : v => v }
+  bucket     = ${var.openshift_namespace}-each.value
+  role       = google_project_iam_custom_role.viewer_role.id
+  member     = "serviceAccount:${google_service_account.viewer_account[each.key].email}"
+  depends_on = [google_service_account.viewer_account]
+}
+
+# Create keys for the service accounts
+resource "google_service_account_key" "key" {
+  for_each           = { for v in var.apps : v => v }
+  service_account_id = ${var.openshift_namespace}-google_service_account.account[each.key].name
+}
+
+resource "kubernetes_secret" "secret_sa" {
+  for_each = { for v in var.apps : v => v }
+  metadata {
+    name      = "gcp-${var.openshift_namespace}-${each.value}-service-account-key"
+    namespace = ${var.openshift_namespace}
+    labels = {
+      created-by = "Terraform"
+    }
+  }
+
+  data = {
+    "bucket_name"      = ${var.openshift_namespace}-each.value
+    "credentials.json" = base64decode(google_service_account_key.key[each.key].private_key)
+    "viewer_credentials.json" = base64decode(google_service_account_key.viewer_key[each.key].private_key)
+  }
+}
+
+resource "kubernetes_secret" "secret_tfc" {
+  for_each = { for v in var.kubernetes_namespaces : v => v }
+  metadata {
+    name      = "terraform-cloud-workspace"
+    namespace = each.key
+    labels = {
+      created-by = "Terraform"
+    }
+  }
+
+  data = {
+    "token"        = var.terraform_cloud_token
+    "workspace_id" = var.terraform_cloud_workspace_id
+  }
+}

terraform/variables.tf

@@ -31,3 +31,16 @@ variable "openshift_namespace" {
   type = string
   description = "The OCP project namespace"
 }
+
+variable "kubernetes_namespaces" {
+  type        = list(string)
+  description = "The OCP namespaces to run jobs"
+}
+
+variable "terraform_cloud_token" {
+  description = "The user/team token of Terraform Cloud"
+}
+
+variable "terraform_cloud_workspace_id" {
+  description = "The workspace id of Terraform Cloud"
+}