Merge pull request #7299 from ameukam/releng-releases-prod-iam

gcp/dl: Define IAM policy for the production bucket

Author: k8s-ci-robot

infra/gcp/terraform/k8s-infra-releases-prod/.terraform.lock.hcl

@@ -0,0 +1,52 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+data "google_iam_policy" "releng_access" {
+  binding {
+    role = "roles/storage.objectViewer"
+    members = [
+      "group:[email protected]",
+      "serviceAccount:${google_service_account.fastly_reader.email}"
+    ]
+  }
+
+  // TODO: remove this after https://github.com/kubernetes/release/issues/3425
+  binding {
+    role    = "roles/storage.objectAdmin"
+    members = ["serviceAccount:[email protected]"]
+  }
+
+  binding {
+    role = "roles/storage.legacyBucketOwner"
+    members = [
+      "projectOwner:${google_project.project.project_id}",
+      "projectEditor:${google_project.project.project_id}"
+    ]
+  }
+
+  binding {
+    role = "roles/storage.legacyBucketReader"
+    members = [
+      "projectViewer:${google_project.project.project_id}",
+      "group:[email protected]"
+    ]
+  }
+}
+
+resource "google_storage_bucket_iam_policy" "releng_access_policy" {
+  bucket      = module.k8s_releases_prod.bucket_name
+  policy_data = data.google_iam_policy.releng_access.policy_data
+}

infra/gcp/terraform/k8s-infra-releases-prod/iam.tf

@@ -49,21 +49,6 @@ resource "google_storage_hmac_key" "fastly_reader_key" {
   service_account_email = google_service_account.fastly_reader.email
 }
 
-// TODO: remove this after https://github.com/kubernetes/release/issues/3425
-resource "google_storage_bucket_iam_member" "release_object_admin" {
-  bucket     = module.k8s_releases_prod.bucket_name
-  role       = "roles/storage.objectAdmin"
-  member     = "serviceAccount:[email protected]"
-  depends_on = [module.k8s_releases_prod]
-}
-
-resource "google_storage_bucket_iam_member" "fastly_reader" {
-  bucket     = module.k8s_releases_prod.bucket_name
-  role       = "roles/storage.objectViewer"
-  member     = "serviceAccount:${google_service_account.fastly_reader.email}"
-  depends_on = [module.k8s_releases_prod]
-}
-
 resource "google_storage_bucket_iam_member" "gcs-backup-bucket" {
   bucket     = module.k8s_releases_prod.bucket_name
   role       = "roles/storage.admin"

infra/gcp/terraform/k8s-infra-releases-prod/main.tf

@@ -29,11 +29,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 5.39.0"
+      version = "~> 5.44.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 5.39.0"
+      version = "~> 5.44.0"
     }
   }
 }