authorVincent Ambo <mail@tazj.in>2023-06-09T10·47+0300
committertazjin <tazjin@tvl.su>2023-06-09T12·21+0000
commiteae70200cefb613a301f518ada681572950848d0 (patch)
treec68a1ef1c5fddff8e2495bc7f26cbe339f16f5c5
parentfb7db9b692c763bb15870d64e03661e9858feab0 (diff)
feat(corp/ops): configure data storage bucket r/6248
Note that there doesn't seem to be a TF resource type for the IAM
binding between the bucket and the service account itself (other than
applying to all buckets in the folder, which I don't want).

For this reason I've added the `storage.uploader` IAM binding to the
`rih-backend` service account *on the bucket* manually.

Change-Id: I9fb06c7857e61dc642d9ea0d89159a0e343dc984
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8728
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
-rw-r--r--corp/ops/yandex/rih.tf84
1 files changed, 77 insertions, 7 deletions
diff --git a/corp/ops/yandex/rih.tf b/corp/ops/yandex/rih.tf
index cf54fc81f8dc..d2f58e7e8eac 100644
--- a/corp/ops/yandex/rih.tf
+++ b/corp/ops/yandex/rih.tf
@@ -17,7 +17,7 @@ resource "yandex_iam_service_account" "rih_storage_sa" {
 
 resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
   folder_id = local.rih_folder_id
-  role      = "storage.editor"
+  role      = "storage.admin"
   member    = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
 }
 
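Review bot: The `role` change on `rih_sa_storage_editor` widens `rih_storage_sa` from `storage.editor` to `storage.admin` at folder scope, so it now covers every bucket under `local.rih_folder_id`, not only the new `rih-backend-data` bucket, and neither the hunk nor the commit message says why admin is required. If the reason is that the bucket's configuration (versioning, SSE, ACL) is managed by this account, a one-line comment would stop the next reader from "fixing" it back down: `# storage.admin (not editor) is needed to manage bucket settings (SSE/versioning) — confirm`. The grant is folder-wide rather than bucket-scoped; if a bucket-level binding becomes available in the provider, narrowing this one would be the smaller blast radius.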
@@ -78,12 +78,6 @@ resource "yandex_iam_service_account" "rih_backend" {
   folder_id = local.rih_folder_id
 }
 
-resource "yandex_resourcemanager_folder_iam_member" "rih_backend_storage_editor" {
-  folder_id = local.rih_folder_id
-  role      = "storage.editor"
-  member    = "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
-}
-
 resource "yandex_resourcemanager_folder_iam_member" "rih_backend_image_pull" {
   folder_id = local.rih_folder_id
   role      = "container-registry.images.puller"
@@ -167,3 +161,79 @@ resource "yandex_dns_recordset" "cname_api_russiaishiring_com" {
   data    = [yandex_api_gateway.rih_gateway.domain]
   ttl     = 600
 }
+
+# Bucket setup for data receival bucket
+#
+# The bucket is set up and controlled by the default storage account,
+# but a separate key is set up for the rih-backend IAM account which
+# can only access the information in this bucket.
+
+resource "yandex_kms_symmetric_key" "backend_data_key" {
+  name              = "rih-backend-data-key"
+  default_algorithm = "AES_128"
+  rotation_period   = "4380h" # ~6 months
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "yandex_storage_bucket" "rih_backend_data" {
+  access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
+  secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
+  bucket     = "rih-backend-data"
+  folder_id  = local.rih_folder_id
+  acl        = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = yandex_kms_symmetric_key.backend_data_key.id
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "yandex_iam_service_account_static_access_key" "rih_backend_static_key" {
+  service_account_id = yandex_iam_service_account.rih_backend.id
+  description        = "RIH backend bucket access key"
+}
+
+resource "yandex_lockbox_secret" "rih_backend_storage_key" {
+  name      = "rih-backend-storage-key"
+  folder_id = local.rih_folder_id
+}
+
+resource "yandex_lockbox_secret_version" "rih_backend_storage_secret" {
+  secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
+
+  entries {
+    key        = "access_key"
+    text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.access_key
+  }
+
+  entries {
+    key        = "secret_key"
+    text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.secret_key
+  }
+}
+
+# TODO(tazjin): needs provider update
+#
+# resource "yandex_lockbox_secret_iam_binding" "viewer" {
+#   secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
+#   role = "viewer"
+
+#   members = [
+#     "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
+#   ]
+# }
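Review bot: The header comment near the top of the hunk says the `rih-backend` account "can only access the information in this bucket", but nothing in this file enforces that: the folder-wide `storage.editor` binding is removed in the previous hunk, the lockbox IAM binding at the end is commented out, and per the commit message the bucket-level `storage.uploader` grant was applied by hand. I'd record that in the comment so the invariant is visible to whoever next runs an apply or audits the folder, e.g. `# NOTE: the bucket-level storage.uploader binding for rih-backend is NOT managed here (no provider resource yet); it was applied manually and will not be recreated by apply.` Both `rih_backend_static_key` and the two `text_value` entries in `rih_backend_storage_secret` also land in plaintext in Terraform state, so the state backend needs the same protection as the lockbox secret itself; a comment on the lockbox version saying so would be useful. Finally, `default_algorithm = "AES_128"` on `backend_data_key` is a choice worth a one-word justification, since the provider also offers `AES_256` and readers may assume the stronger default was intended — I can't tell the intent from the hunk.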