feat: support volume access for gcp (#125)

tuteng · web-flow · commit 45ed5acb7f55 · 2025-03-27T10:49:36.000+08:00
diff --git a/examples/gcp/volume-access/main.tf b/examples/gcp/volume-access/main.tf
@@ -0,0 +1,16 @@
+module "sn_managed_cloud_access_bucket" {
+  source = "../../../modules/gcp/volume-access"
+
+  streamnative_org_id = "<your-org-id>"
+  project             = "<your-gcs-bucket-project-name>"
+
+  cluster_projects = [
+    "<your-ursa-cluster-project-name>"
+  ]
+
+  account_id = "<your-google-service-account-id>"
+
+  buckets = [
+    "<your-gcs-bucket-path>"
+  ]
+}
diff --git a/modules/gcp/volume-access/main.tf b/modules/gcp/volume-access/main.tf
@@ -0,0 +1,72 @@
+locals {
+  streamnative_gsa = distinct(var.streamnative_vendor_access_gsa)
+  cluster_projects = distinct(var.cluster_projects)
+  buckets_list     = distinct([for item in var.buckets : "${split("/", item)[0]}"])
+  buckets_path     = distinct([for item in var.buckets : "${replace(item, "/(\\/|\\/\\*)+$/", "")}"])
+}
+
+# Grant permissions to the project service account that will be impersonated by StreamNative Control Plane service account
+locals {
+  impersonation_roles = [
+    "roles/storage.objectUser",
+    "roles/storage.objectViewer",
+  ]
+  impersonation_iam_bindings = flatten([
+    for role in local.impersonation_roles : [
+      for bucket_path in local.buckets_path : {
+        bucket : split("/", bucket_path)[0],
+        role : role,
+        expression : role == "roles/storage.objectViewer" ? "" : (length(split("/", bucket_path)) == 1 ? format("resource.name.startsWith(\"projects/_/buckets/%s/objects\")", split("/", bucket_path)[0]) : format("resource.name.startsWith(\"projects/_/buckets/%s/objects/%s/\")", split("/", bucket_path)[0], join("/", slice(split("/", bucket_path), 1, length(split("/", bucket_path))))))
+      }
+    ]
+  ])
+
+}
+resource "google_service_account" "gsa" {
+  account_id   = var.account_id
+  project      = var.project
+  display_name = "StreamNative Cloud Control Plane access bucket service account."
+}
+
+resource "google_storage_bucket_iam_member" "gcs" {
+  count  = length(local.impersonation_iam_bindings)
+  bucket = local.impersonation_iam_bindings[count.index].bucket
+  role   = local.impersonation_iam_bindings[count.index].role
+  member = "serviceAccount:${google_service_account.gsa.email}"
+
+  condition {
+    title       = "restrict_to_data_path"
+    description = "Restrict gcs access"
+    expression  = local.impersonation_iam_bindings[count.index].expression
+  }
+
+  depends_on = [google_service_account.gsa]
+}
+
+resource "google_service_account_iam_member" "sn_control_plane" {
+  count              = length(local.streamnative_gsa)
+  service_account_id = google_service_account.gsa.id
+  role               = "roles/iam.serviceAccountTokenCreator"
+  member             = "serviceAccount:${local.streamnative_gsa[count.index]}"
+  depends_on         = [google_service_account.gsa]
+}
+
+data "google_project" "project" {
+  count      = length(local.cluster_projects)
+  project_id = local.cluster_projects[count.index]
+}
+
+resource "google_service_account_iam_member" "sn_data_plane" {
+  count              = length(local.cluster_projects)
+  service_account_id = google_service_account.gsa.id
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project[count.index].number}/locations/global/workloadIdentityPools/${local.cluster_projects[count.index]}.svc.id.goog/namespace/${var.streamnative_org_id}"
+  depends_on         = [google_service_account.gsa]
+
+}
+
+output "google_service_account" {
+  value       = google_service_account.gsa
+  description = "Google Service Account for Access GCS Bucket"
+  depends_on  = [google_service_account.gsa]
+}
diff --git a/modules/gcp/volume-access/variables.tf b/modules/gcp/volume-access/variables.tf
@@ -0,0 +1,43 @@
+variable "streamnative_org_id" {
+  type        = string
+  description = "Your Organization ID within StreamNative Cloud. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"."
+  validation {
+    condition     = length(var.streamnative_org_id) <= 18
+    error_message = "The organization ID must not exceed 18 characters. If you reach this limit, please contact StreamNative support."
+  }
+}
+
+variable "streamnative_vendor_access_gsa" {
+  default = [
+    "cloud-manager@sncloud-production.iam.gserviceaccount.com"
+  ]
+  type        = list(string)
+  description = "The GSA will be used by StreamnNative cloud."
+}
+
+variable "account_id" {
+  type        = string
+  description = "Google Service Account ID, <id>@<your-project>.iam.gserviceaccount.com"
+}
+
+variable "project" {
+  type        = string
+  description = "Name of the project that your gcs bucket is located in"
+}
+
+variable "cluster_projects" {
+  type        = list(string)
+  description = "The name of the project your ursa cluster belongs to."
+}
+
+variable "buckets" {
+  description = "User bucket and path name"
+  type        = list(string)
+
+  validation {
+    condition = alltrue([
+      for s in var.buckets : length(split("/", s)) >= 2
+    ])
+    error_message = "Invalid bucket path found, please make sure the bucket contains at least one path <bucket-name>/<bucket-path>"
+  }
+}
