add support for gcr buckets with uniform_bucket_level_access = true (#30

) * apply requested minor changes by @madhifallah and @anouarchattouna * refactor: remove external * refactor: apply minor changes requested by @anouarchattouna * refactor: add newline to EOF of data.tf requested by @anouarchattouna Co-authored-by: Anouar Chattouna <[email protected]> Co-authored-by: patricklubach <[email protected]> Co-authored-by: Anouar Chattouna <[email protected]>
mirakl · Jan 18, 2022 · b882a21 · b882a21
1 parent 0ea8b25
commit b882a21
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 20 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/data.tf b/data.tf
@@ -1,2 +1,9 @@
 # get project details
 data "google_project" "this" {}
+
+data "google_storage_bucket" "bucket" {
+  for_each = toset(local.buckets)
+
+  name = each.value
+}
+
diff --git a/iam.tf b/iam.tf
@@ -1,14 +1,23 @@
 # Grant cleaner service account access to delete references in Google Container Registry
+# for buckets with uniform_bucket_level_access = false
 resource "google_storage_bucket_access_control" "this" {
-  for_each = {
-    for item in toset(local.project_storage_region) : "${item.storage_region}.${item.project_id}" => item
-  }
+  for_each = toset(local.google_storage_bucket_access_control)
 
-  bucket = each.value.storage_region != "" ? "${each.value.storage_region}.artifacts.${each.value.project_id}.appspot.com" : "artifacts.${each.value.project_id}.appspot.com"
+  bucket = each.value
   role   = "WRITER"
   entity = "user-${google_service_account.cleaner.email}"
 }
 
+# Grant cleaner service account access to delete references in Google Container Registry
+# for buckets with uniform_bucket_level_access = true
+resource "google_storage_bucket_iam_member" "this" {
+  for_each = toset(local.google_storage_bucket_iam_member)
+
+  bucket = each.value
+  role   = "roles/storage.legacyBucketWriter"
+  member = "serviceAccount:${google_service_account.cleaner.email}"
+}
+
 # Add IAM policy binding to the Cloud Run service
 resource "google_cloud_run_service_iam_binding" "this" {
   location = google_cloud_run_service.this.location

diff --git a/locals.tf b/locals.tf
@@ -67,4 +67,18 @@ locals {
       }
     ]
   ])
+
+  buckets = [
+    for repo in var.gcr_repositories : repo.storage_region != null ? "${repo.storage_region}.artifacts.${repo.project_id != null ? repo.project_id : local.google_project_id}.appspot.com" : "artifacts.${repo.project_id != null ? repo.project_id : local.google_project_id}.appspot.com"
+  ]
+
+  # Buckets having uniform_bucket_level_access = true
+  google_storage_bucket_iam_member = [
+    for bucket in local.buckets : bucket if data.google_storage_bucket.bucket[bucket].uniform_bucket_level_access
+  ]
+
+  # Buckets having uniform_bucket_level_access = false
+  google_storage_bucket_access_control = [
+    for bucket in local.buckets : bucket if !data.google_storage_bucket.bucket[bucket].uniform_bucket_level_access
+  ]
 }
diff --git a/versions.tf b/versions.tf
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.1.0"
+      version = ">= 3.88.0"
     }
   }
 }