[CI] Add service accounts for accessing buckets

boomanaiden154 · web-flow · commit 31d03a55c294 · 2025-07-21T07:55:05.000-07:00
This patch wires up the necessary service accounts so that we can access the GCS buckets set up in an earlier patch from inside the cluster. Reviewers: lnihlen, Keenuts, cmtice, dschuff, gburgessiv Reviewed By: cmtice Pull Request: #508
diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
@@ -176,3 +176,65 @@ resource "google_storage_bucket" "object_cache_windows" {
   uniform_bucket_level_access = true
   public_access_prevention    = "enforced"
 }
+
+resource "google_service_account" "object_cache_linux_gsa" {
+  account_id   = format("%s-linux-gsa", var.region)
+  display_name = format("%s Linux Object Cache Service Account", var.region)
+}
+
+resource "google_service_account" "object_cache_windows_gsa" {
+  account_id   = format("%s-windows-gsa", var.region)
+  display_name = format("%s Windows Object Cache Service Account", var.region)
+}
+
+resource "google_storage_bucket_iam_binding" "linux_bucket_binding" {
+  bucket = google_storage_bucket.object_cache_linux.name
+  role   = "roles/storage.objectUser"
+  members = [
+    format("serviceAccount:%s", google_service_account.object_cache_linux_gsa.email),
+  ]
+
+  depends_on = [
+    google_storage_bucket.object_cache_linux,
+    google_service_account.object_cache_linux_gsa,
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "windows_bucket_binding" {
+  bucket = google_storage_bucket.object_cache_windows.name
+  role   = "roles/storage.objectUser"
+  members = [
+    format("serviceAccount:%s", google_service_account.object_cache_windows_gsa.email),
+  ]
+
+  depends_on = [
+    google_storage_bucket.object_cache_windows,
+    google_service_account.object_cache_windows_gsa
+  ]
+}
+
+resource "google_service_account_iam_binding" "linux_bucket_gsa_workload_binding" {
+  service_account_id = google_service_account.object_cache_linux_gsa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.object_cache_linux_gsa.project}.svc.id.goog[${var.linux_runners_namespace_name}/${var.linux_runners_kubernetes_service_account_name}]",
+  ]
+
+  depends_on = [
+    google_service_account.object_cache_linux_gsa,
+  ]
+}
+
+resource "google_service_account_iam_binding" "windows_bucket_gsa_workload_binding" {
+  service_account_id = google_service_account.object_cache_windows_gsa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.object_cache_windows_gsa.project}.svc.id.goog[${var.windows_2022_runners_namespace_name}/${var.windows_2022_runners_kubernetes_service_account_name}]",
+  ]
+
+  depends_on = [
+    google_service_account.object_cache_windows_gsa,
+  ]
+}
diff --git a/premerge/gke_cluster/variables.tf b/premerge/gke_cluster/variables.tf
@@ -33,3 +33,23 @@ variable "service_node_pool_locations" {
   type        = list(any)
   default     = null
 }
+
+variable "linux_runners_namespace_name" {
+  description = "The name of the namespace containing the Linux runners"
+  type        = string
+}
+
+variable "linux_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Linux object cache GCS bucket"
+  type        = string
+}
+
+variable "windows_2022_runners_namespace_name" {
+  description = "The name of the namespace containing the Windows runners"
+  type        = string
+}
+
+variable "windows_2022_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Windows object cache GCS bucket"
+  type        = string
+}
diff --git a/premerge/main.tf b/premerge/main.tf
@@ -43,29 +43,44 @@ resource "local_file" "terraform_state" {
 
 data "google_client_config" "current" {}
 
+locals {
+  linux_runners_namespace_name                         = "llvm-premerge-linux-runners"
+  linux_runners_kubernetes_service_account_name        = "linux-runners-ksa"
+  windows_2022_runners_namespace_name                  = "llvm-premerge-windows-2022-runners"
+  windows_2022_runners_kubernetes_service_account_name = "windows-runners-ksa"
+}
+
 module "premerge_cluster_us_central" {
-  source               = "./gke_cluster"
-  cluster_name         = "llvm-premerge-cluster-us-central"
-  region               = "us-central1-a"
-  libcxx_machine_type  = "n2d-standard-32"
-  linux_machine_type   = "n2-standard-64"
-  windows_machine_type = "n2-standard-32"
-  gcs_bucket_location  = "us-central1"
+  source                                               = "./gke_cluster"
+  cluster_name                                         = "llvm-premerge-cluster-us-central"
+  region                                               = "us-central1-a"
+  libcxx_machine_type                                  = "n2d-standard-32"
+  linux_machine_type                                   = "n2-standard-64"
+  windows_machine_type                                 = "n2-standard-32"
+  gcs_bucket_location                                  = "us-central1"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
 }
 
 # We explicitly specify a single zone for the service node pool locations as
 # terraform by default will create node_count nodes per zone. We only want
 # node_count nodes rather than (node_count * zone count) nodes, so we
 # explicitly enumerate a specific region.
 module "premerge_cluster_us_west" {
-  source                      = "./gke_cluster"
-  cluster_name                = "llvm-premerge-cluster-us-west"
-  region                      = "us-west1"
-  libcxx_machine_type         = "n2d-standard-32"
-  linux_machine_type          = "n2d-standard-64"
-  windows_machine_type        = "n2d-standard-32"
-  service_node_pool_locations = ["us-west1-a"]
-  gcs_bucket_location         = "us-west1"
+  source                                               = "./gke_cluster"
+  cluster_name                                         = "llvm-premerge-cluster-us-west"
+  region                                               = "us-west1"
+  libcxx_machine_type                                  = "n2d-standard-32"
+  linux_machine_type                                   = "n2d-standard-64"
+  windows_machine_type                                 = "n2d-standard-32"
+  service_node_pool_locations                          = ["us-west1-a"]
+  gcs_bucket_location                                  = "us-west1"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
 }
 
 provider "helm" {
@@ -130,8 +145,8 @@ module "premerge_cluster_us_central_resources" {
   cluster_name                        = "llvm-premerge-cluster-us-central"
   grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
   runner_group_name                   = "llvm-premerge-cluster-us-central"
-  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
-  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
+  linux_runners_namespace_name        = local.linux_runners_namespace_name
+  windows_2022_runners_namespace_name = local.windows_2022_runners_namespace_name
   github_arc_version                  = "0.12.1"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-central
@@ -147,8 +162,8 @@ module "premerge_cluster_us_west_resources" {
   cluster_name                        = "llvm-premerge-cluster-us-west"
   grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
   runner_group_name                   = "llvm-premerge-cluster-us-west"
-  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
-  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
+  linux_runners_namespace_name        = local.linux_runners_namespace_name
+  windows_2022_runners_namespace_name = local.windows_2022_runners_namespace_name
   github_arc_version                  = "0.12.1"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-west
