deploy datadog to GCP

Author: upodroid

infra/gcp/bash/ensure-organization.sh

@@ -65,6 +65,7 @@ module "project" {
     "logging.googleapis.com",
     "monitoring.googleapis.com",
     "secretmanager.googleapis.com",
+    "cloudasset.googleapis.com",
   ]
 }
 

infra/gcp/terraform/boskos/main.tf

@@ -31,5 +31,11 @@ module "iam" {
     "roles/secretmanager.secretAccessor" = [
       "serviceAccount:k8s-infra-prow-build.svc.id.goog[external-secrets/external-secrets]"
     ]
+    "roles/viewer" = [
+      "serviceAccount:[email protected]"
+    ]
+    "roles/serviceusage.serviceUsageConsumer" = [
+      "serviceAccount:[email protected]"
+    ]
   }
 }

infra/gcp/terraform/k8s-infra-gcp-gcve/iam.tf

@@ -0,0 +1,9 @@
+# k8s-infra-seed Terraform layer
+
+This terraform layer manages the following infrastucture:
+
+1. The kubernetes.io GCP organization
+1. All org level configurations
+1. The k8s-infra-seed GCP project.
+
+It will eventually replace k8s-infra-kubernetes-io project.

infra/gcp/terraform/k8s-infra-seed/README.md

@@ -0,0 +1,71 @@
+module "iam" {
+  source  = "terraform-google-modules/iam/google//modules/organizations_iam"
+  version = "~> 8.1"
+
+  organizations = [data.google_organization.org.org_id]
+
+  mode = "authoritative"
+
+  bindings = {
+    "roles/owner" = [
+      google_service_account.atlantis.member,
+      "group:[email protected]",
+    ]
+
+    "roles/billing.admin" = [
+      google_service_account.atlantis.member,
+      "group:[email protected]",
+      "user:[email protected]",
+    ]
+    "roles/billing.viewer" = [
+      "group:[email protected]"
+    ]
+    "roles/resourcemanager.organizationAdmin" = [
+      "serviceAccount:[email protected]",
+      "group:[email protected]",
+      "user:[email protected]",
+    ]
+
+    "roles/resourcemanager.folderAdmin" = [
+      "group:[email protected]",
+      google_service_account.atlantis.member,
+    ]
+    "roles/browser" = [
+      "group:[email protected]",
+      "group:[email protected]",
+      "user:[email protected]",
+      google_service_account.datadog.member,
+    ]
+    "roles/resourcemanager.projectCreator" = [
+      "group:[email protected]",
+      google_service_account.atlantis.member,
+    ]
+    "roles/orgpolicy.policyAdmin" = [
+      "group:[email protected]",
+      "serviceAccount:[email protected]",
+    ]
+    "roles/cloudsupport.admin" = [
+      "group:[email protected]",
+    ]
+
+    "organizations/758905017065/roles/audit.viewer" = [
+      "group:[email protected]",
+      "serviceAccount:[email protected]"
+    ]
+    "organizations/758905017065/roles/organization.admin" = [ #TODO: remove this role and use the predefined google roles
+      "group:[email protected]"
+    ]
+    "roles/serviceusage.serviceUsageConsumer" = [
+      google_service_account.datadog.member,
+    ]
+    "roles/compute.viewer" = [
+      google_service_account.datadog.member,
+    ]
+    "roles/cloudasset.viewer" = [
+      google_service_account.datadog.member,
+    ]
+    "roles/monitoring.viewer" = [
+      google_service_account.datadog.member,
+    ]
+  }
+}

infra/gcp/terraform/k8s-infra-seed/iam.tf

@@ -0,0 +1,3 @@
+data "google_organization" "org" {
+  domain = "kubernetes.io"
+}

infra/gcp/terraform/k8s-infra-seed/main.tf

@@ -0,0 +1,39 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+provider "google" {
+}
+
+provider "google-beta" {
+}
+
+terraform {
+  required_version = "1.10.5"
+
+  backend "gcs" {
+    bucket = "k8s-infra-terraform"
+    prefix = "k8s-infra-seed"
+  }
+
+  required_providers {
+    google = {
+      version = "6.26.0"
+    }
+    google-beta = {
+      version = "6.26.0"
+    }
+  }
+}

infra/gcp/terraform/k8s-infra-seed/provider.tf

@@ -0,0 +1,28 @@
+resource "google_service_account" "atlantis" {
+  account_id   = "atlantis"
+  display_name = "Atlantis"
+  project      = var.seed_project_id
+}
+
+resource "google_service_account_iam_binding" "atlantis" {
+  service_account_id = google_service_account.atlantis.id
+
+  role = "roles/iam.workloadIdentityUser"
+  members = [
+    "serviceAccount:k8s-infra-prow.svc.id.goog[atlantis/atlantis]",
+  ]
+}
+
+resource "google_service_account" "datadog" {
+  account_id = "datadog"
+  project    = var.seed_project_id
+}
+
+resource "google_service_account_iam_binding" "datadog" {
+  service_account_id = google_service_account.datadog.id
+  role               = "roles/iam.serviceAccountTokenCreator"
+  members = [
+    "serviceAccount:ddgci-3aada836c27bc3f0fb00@datadog-gci-sts-us5-prod.iam.gserviceaccount.com",
+    "serviceAccount:service-127754664067@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
+  ]
+}

infra/gcp/terraform/k8s-infra-seed/service-accounts.tf

@@ -0,0 +1 @@
+seed_project_id = "k8s-infra-seed"

infra/gcp/terraform/k8s-infra-seed/terraform.tfvars

@@ -0,0 +1,4 @@
+variable "seed_project_id" {
+  description = "The ID of the seed project."
+  type        = string
+}