diff --git a/terragrunt/accounts/rust-backup-staging/account.json b/terragrunt/accounts/rust-backup-staging/account.json
new file mode 100644
index 000000000..0967ef424
--- /dev/null
+++ b/terragrunt/accounts/rust-backup-staging/account.json
@@ -0,0 +1 @@
+{}
diff --git a/terragrunt/accounts/rust-backup-staging/rust-assets-backup/terragrunt.hcl b/terragrunt/accounts/rust-backup-staging/rust-assets-backup/terragrunt.hcl
new file mode 100644
index 000000000..48115cc43
--- /dev/null
+++ b/terragrunt/accounts/rust-backup-staging/rust-assets-backup/terragrunt.hcl
@@ -0,0 +1,39 @@
+terraform {
+ source = "../../../modules//rust-assets-backup"
+}
+
+include {
+ path = find_in_parent_folders()
+ merge_strategy = "deep"
+}
+
+inputs = {
+ project_id = "concrete-racer-468119-m7"
+ region = "europe-west1"
+
+ # Source buckets to backup - staging AWS S3 buckets
+ source_buckets = {
+ crates-io = {
+ bucket_name = "staging-crates-io"
+ cloudfront_domain = "cloudfront-static.staging.crates.io"
+ description = "Staging crates for testing"
+ }
+ static-rust-lang-org = {
+ bucket_name = "dev-static-rust-lang-org"
+ cloudfront_domain = "cloudfront-dev-static.rust-lang.org"
+ description = "Development Rust releases"
+ }
+ }
+
+ # TODO: add the rest of the infra admins
+ # infra admins can have admin access to staging for testing/development
+ admins = [
+ "jandavidnose@rustfoundation.org",
+ "joelmarcey@rustfoundation.org",
+ "marcoieni@rustfoundation.org",
+ "walterpearce@rustfoundation.org"
+ ]
+
+ viewers = [
+ ]
+}
diff --git a/terragrunt/modules/rust-assets-backup/_terraform.tf b/terragrunt/modules/rust-assets-backup/_terraform.tf
new file mode 100644
index 000000000..0a3078100
--- /dev/null
+++ b/terragrunt/modules/rust-assets-backup/_terraform.tf
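Review bot: The comment above `admins` describes the entries as having "admin access to staging", but the module pulled in by `source` binds every address to `roles/owner` on the project (iam.tf in this same diff), which is full project control including IAM edits, not bucket administration; the comment should say so before anyone resolves the TODO and extends the list, e.g. `# Each entry is bound to roles/owner on the whole project by the module (full control, incl. IAM) — keep this list short`. The module also binds entries as `user:` members only, so a Google Group or service-account address added here would fail at apply time; a one-line note that only individual Google accounts belong in `admins`/`viewers` would prevent that. `viewers` being empty is fine, but it is the tier that should absorb anyone who only needs to inspect the backups rather than being added as an owner.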
@@ -0,0 +1,42 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 6.49"
+ }
+ }
+}
+
+variable "project_id" {
+ description = "GCP project ID for the backup"
+ type = string
+}
+
+variable "region" {
+ description = "GCP region for the backup"
+ type = string
+}
+
+variable "source_buckets" {
+ description = "Map of source AWS S3 buckets to backup"
+ type = map(object({
+ bucket_name = string
+ cloudfront_domain = string
+ description = string
+ }))
+}
+
+variable "admins" {
+ description = "List of email addresses of users with admin access"
+ type = list(string)
+}
+
+variable "viewers" {
+ description = "List of email addresses of users with read-only access"
+ type = list(string)
+}
+
+provider "google" {
+ project = var.project_id
+ region = "europe-west1"
+}
diff --git a/terragrunt/modules/rust-assets-backup/iam.tf b/terragrunt/modules/rust-assets-backup/iam.tf
new file mode 100644
index 000000000..5a622fc2c
--- /dev/null
+++ b/terragrunt/modules/rust-assets-backup/iam.tf
@@ -0,0 +1,15 @@
+resource "google_project_iam_member" "iam_admins" {
+ for_each = toset(var.admins)
+
+ project = var.project_id
+ role = "roles/owner"
+ member = "user:${each.value}"
+}
+
+resource "google_project_iam_member" "iam_viewers" {
+ for_each = toset(var.viewers)
+
+ project = var.project_id
+ role = "roles/viewer"
+ member = "user:${each.value}"
+}
diff --git a/terragrunt/modules/rust-assets-backup/storage.tf b/terragrunt/modules/rust-assets-backup/storage.tf
new file mode 100644
index 000000000..8873a059c
--- /dev/null
+++ b/terragrunt/modules/rust-assets-backup/storage.tf
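Review bot: The `provider "google"` block at the end of the hunk hard-codes `region = "europe-west1"` even though `variable "region"` is declared a few lines above and storage.tf places the buckets with `var.region`, so a caller passing any other region gets buckets in one region while anything relying on the provider default lands in another; use `region = var.region` so the variable is the single source of truth. Separately, the `source_buckets` description says these are AWS S3 buckets to back up, but nothing in this diff reads `bucket_name` or `cloudfront_domain` (storage.tf only uses the map keys), so either the copy/transfer step is still to come or the description should say those fields are informational for now, e.g. `# bucket_name/cloudfront_domain are recorded for the future transfer job; only the key is used today`.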
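Review bot: Both resources in this hunk grant basic roles — `roles/owner` to every entry in `var.admins` and `roles/viewer` to `var.viewers` — on the project that holds the backup copies. `roles/owner` carries project IAM administration and every storage permission, so a single phished or compromised account in that list can rewrite the policy and purge the backups, which is exactly the failure mode a backup of the primary (AWS) side is supposed to survive; a predefined role such as `roles/storage.admin` (or a Google Group bound once, with membership managed outside Terraform) gives the same day-to-day capability without making each person a full owner. If owner is a deliberate choice for staging, add a comment on `iam_admins` saying so and that the production module should not copy it. Note too that `member = "user:${each.value}"` means only individual Google accounts work here; a `validation` block on the variables, or at least a sentence in their descriptions, would catch a group or service-account address before apply time.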
@@ -0,0 +1,28 @@
+# Create GCS buckets for backup storage
+resource "google_storage_bucket" "backup_buckets" {
+ for_each = var.source_buckets
+
+ name = "backup-${each.key}"
+ location = var.region
+ project = var.project_id
+
+ # Use Archive storage class for cost optimization
+ storage_class = "ARCHIVE"
+
+ # Enable versioning to protect against accidental deletion/modification
+ versioning {
+ enabled = true
+ }
+
+ # Configure soft delete policy to retain deleted objects for recovery
+ # for a certain period of time
+ soft_delete_policy {
+ retention_duration_seconds = 7776000 # 90 days
+ }
+
+ labels = {
+ purpose = "rust-assets-backup"
+ source = each.key
+ managed-by = "terraform"
+ }
+}
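Review bot: The bucket resource enables versioning and a 90-day soft-delete window but leaves `uniform_bucket_level_access` and `public_access_prevention` at the provider defaults, so legacy object ACLs stay usable and whether an `allUsers` grant on a bucket of release artifacts is blocked depends on an org policy not visible here; add `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` next to `storage_class`. Versioning and soft delete only cover accidental loss — an identity holding `roles/owner` on this project (iam.tf in the same diff) can still delete noncurrent versions and shorten the soft-delete window — so if the backup is meant to survive a compromised admin rather than a slipped finger, a `retention_policy` is the control that actually does that (locking it is irreversible, so decide explicitly). Also, GCS bucket names are global across all projects, so `"backup-${each.key}"` (e.g. `backup-crates-io`) may already be taken, and anyone can pre-register the name for a key you add later; prefixing with `var.project_id` (`"${var.project_id}-backup-${each.key}"`) avoids both the collision and the squatting.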