Merge pull request #497 from battlecode/jerrym-saturn-perms

Give saturn permission to access private data
battlecode · Jan 9, 2023 · 473c778 · 473c778
2 parents d1c4f5f + 5b48d56
commit 473c778
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/deploy/galaxy/main.tf b/deploy/galaxy/main.tf
@@ -175,6 +175,7 @@ module "saturn_compile" {
   storage_secure_name = google_storage_bucket.secure.name
 
   artifact_registry_name = var.artifact_registry_name
+  storage_releases_name  = var.storage_releases_name
 
   secret_id = google_secret_manager_secret.saturn.secret_id
 
@@ -202,6 +203,7 @@ module "saturn_execute" {
   storage_secure_name = google_storage_bucket.secure.name
 
   artifact_registry_name = var.artifact_registry_name
+  storage_releases_name  = var.storage_releases_name
 
   secret_id = google_secret_manager_secret.saturn.secret_id
 

diff --git a/deploy/galaxy/variables.tf b/deploy/galaxy/variables.tf
@@ -58,6 +58,11 @@ variable "siarnaq_secrets" {
   type        = map
 }
 
+variable "storage_releases_name" {
+  description = "Name of Google Cloud Storage bucket resource for game releases"
+  type        = string
+}
+
 variable "artifact_registry_name" {
   description = "Name of the Artifact Registry where the build image can be found"
   type        = string

diff --git a/deploy/main.tf b/deploy/main.tf
@@ -50,6 +50,7 @@ module "production" {
   max_compile_instances = 5
   max_execute_instances = 50
   saturn_secrets        = var.saturn_secrets_production
+  storage_releases_name = module.releases.storage_bucket_name
 
   depends_on = [
     google_project_service.artifactregistry,
@@ -85,6 +86,7 @@ module "staging" {
   max_compile_instances = 1
   max_execute_instances = 1
   saturn_secrets        = var.saturn_secrets_staging
+  storage_releases_name = module.releases.storage_bucket_name
 
   depends_on = [
     google_project_service.artifactregistry,

diff --git a/deploy/saturn/main.tf b/deploy/saturn/main.tf
@@ -16,6 +16,12 @@ resource "google_storage_bucket_iam_member" "secure" {
   member = "serviceAccount:${google_service_account.this.email}"
 }
 
+resource "google_storage_bucket_iam_member" "releases" {
+  bucket = var.storage_releases_name
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.this.email}"
+}
+
 resource "google_artifact_registry_repository_iam_member" "this" {
   location   = var.gcp_region
   repository = var.artifact_registry_name

diff --git a/deploy/saturn/variables.tf b/deploy/saturn/variables.tf
@@ -38,6 +38,11 @@ variable "artifact_registry_name" {
   type        = string
 }
 
+variable "storage_releases_name" {
+  description = "Name of Google Cloud Storage bucket resource for game releases"
+  type        = string
+}
+
 variable "secret_id" {
   description = "ID of the Secret resource"
   type        = string