# Filestore instance managed by this module. Every argument is driven by module
# variables; the security-relevant ones are the NFS export options (who may
# mount the share and how root is mapped), the network attachment, the CMEK
# key and deletion protection.
resource "google_filestore_instance" "default" {
  location    = var.location
  name        = var.name
  description = var.description
  tier        = var.tier
  protocol    = var.protocol

  file_shares {
    name          = var.file_shares.name
    capacity_gb   = var.file_shares.capacity_gb
    # Optional: seed the share from an existing backup.
    source_backup = var.file_shares.source_backup

    # One export entry per element of var.file_shares.nfs_export_options.
    # ip_ranges limits which clients may mount; access_mode and squash_mode /
    # anon_uid / anon_gid decide write access and root mapping. If the variable
    # is empty no export options are declared here and the API default applies
    # (per Filestore docs: all clients on the network, read-write, root not
    # squashed) — confirm that default is acceptable for the caller.
    dynamic "nfs_export_options" {
      for_each = var.file_shares.nfs_export_options
      content {
        ip_ranges   = nfs_export_options.value.ip_ranges
        access_mode = nfs_export_options.value.access_mode
        squash_mode = nfs_export_options.value.squash_mode
        anon_uid    = nfs_export_options.value.anon_uid
        anon_gid    = nfs_export_options.value.anon_gid
      }
    }
  }

  # Single VPC attachment; the instance is only reachable from this network.
  networks {
    network           = var.networks.network
    modes             = var.networks.modes
    connect_mode      = var.networks.connect_mode
    reserved_ip_range = var.networks.reserved_ip_range
  }

  # Customer-managed encryption key; when null the provider omits it and
  # Google-managed encryption is used.
  kms_key_name = var.kms_key_name

  # API-side guard against accidental deletion (independent of Terraform's
  # lifecycle.prevent_destroy).
  deletion_protection_enabled = var.deletion_protection_enabled
  deletion_protection_reason  = var.deletion_protection_reason

  # performance_config is optional; the wrapper emits the block only when the
  # variable is non-null, and the nested wrappers emit only the sub-block
  # (iops_per_tb or fixed_iops) that is non-null.
  dynamic "performance_config" {
    for_each = var.performance_config != null ? [var.performance_config] : []
    content {
      dynamic "iops_per_tb" {
        for_each = performance_config.value.iops_per_tb != null ? [performance_config.value.iops_per_tb] : []
        content {
          max_iops_per_tb = performance_config.value.iops_per_tb.max_iops_per_tb
        }
      }
      dynamic "fixed_iops" {
        for_each = performance_config.value.fixed_iops != null ? [performance_config.value.fixed_iops] : []
        content {
          max_iops = performance_config.value.fixed_iops.max_iops
        }
      }
    }
  }

  labels = var.labels
}
###############
# Auto Backup #
###############
# Identity the Cloud Scheduler job runs as; it only ever needs to invoke the
# backup function (see the roles/run.invoker binding). account_id is fixed and
# must be unique per project, so this module can be instantiated once per
# project while auto backup is enabled.
resource "google_service_account" "filestore_backup_scheduler" {
  count = var.enable_auto_backup ? 1 : 0

  display_name = "Filestore Automatic Backup Scheduler Service Account"
  account_id   = "filestore-backup-scheduler"
}
# Identity the backup function executes as. Deliberately separate from the
# scheduler account so the principal that can trigger the job and the
# principal that can touch Filestore backups are not the same. account_id is
# fixed and must be unique per project.
resource "google_service_account" "filestore_backup_runner" {
  count = var.enable_auto_backup ? 1 : 0

  display_name = "Filestore Automatic Backup Runner Service Account"
  account_id   = "filestore-backup-runner"
}
# Lets the Google-managed Cloud Scheduler service agent use the scheduler
# service account, which is what allows the job's oidc_token block to obtain
# tokens for that account. Scoped to the single service account rather than
# the project. Note that *_iam_binding is authoritative for this role on this
# service account: any other member holding roles/cloudscheduler.serviceAgent
# on it would be removed on apply.
resource "google_service_account_iam_binding" "cloudscheduler_agent_filestore_backup_scheduler" {
  count              = var.enable_auto_backup ? 1 : 0
  service_account_id = google_service_account.filestore_backup_scheduler[0].id
  role               = "roles/cloudscheduler.serviceAgent"
  members = [
    # Built-in Cloud Scheduler service agent created on API enablement
    # (local.project_number is defined outside this file).
    "serviceAccount:service-${local.project_number}@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
  ]
}
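# Grants the scheduler service account the right to invoke the backup
# function. 2nd-gen functions are served by a Cloud Run service of the same
# name, so the invoker role is bound on that service. *_iam_binding is
# authoritative for roles/run.invoker here: any other invoker of this
# service is removed on apply, which is the intent (only the scheduler may
# trigger a backup).
resource "google_cloud_run_service_iam_binding" "filestore_backup_scheduler_invoker" {
  count = var.enable_auto_backup ? 1 : 0

  # The function is deployed in var.auto_backup_function_location, which need
  # not match the provider's default region. Without an explicit location the
  # binding is resolved against the provider region and can target a
  # non-existent service (or the wrong one); pin it to the function's.
  location = google_cloudfunctions2_function.backup[0].location
  service  = google_cloudfunctions2_function.backup[0].name
  role     = "roles/run.invoker"
  members = [
    google_service_account.filestore_backup_scheduler[0].member
  ]
}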
# Unfortunately, there is no resource-based IAM binding for Filestore instance resource
# Least-privilege fallback: roles/file.editor is granted at project scope but
# narrowed with an IAM condition to backup resources whose name carries this
# instance's name as prefix. Two caveats: (1) *_iam_binding is authoritative
# for the (role, condition) pair, so other members with the same role AND the
# same condition are removed on apply; (2) anything the function needs that
# is not a backup under this prefix (e.g. reading the source instance) is not
# covered by this grant — verify against the function code.
resource "google_project_iam_binding" "filestore_backup_runner_file_editor" {
  count   = var.enable_auto_backup ? 1 : 0
  project = data.google_client_config.current[0].project
  role    = "roles/file.editor"
  members = [
    google_service_account.filestore_backup_runner[0].member
  ]
  condition {
    title = "${google_filestore_instance.default.name} instance"
    # Backups are regional resources, hence local.region (defined outside this
    # file) rather than the instance location, which may be a zone.
    expression = "resource.name.startsWith('projects/${local.project_id}/locations/${local.region}/backups/${google_filestore_instance.default.name}')"
  }
}
# Uploads the zipped function source produced by data.archive_file (defined
# outside this file). The archive MD5 is embedded in the object name so every
# source change yields a new object, and the function resource, which
# references this object's name, is redeployed with the new code.
# detect_md5hash lets the provider notice when the stored object no longer
# matches the local archive (e.g. modified outside Terraform).
resource "google_storage_bucket_object" "function_source" {
  count = var.enable_auto_backup ? 1 : 0

  # Bucket is supplied by the caller; its existence and access controls are
  # not managed by this module.
  bucket         = var.auto_backup_function_storage_bucket_name
  name           = "filestore-backup-${data.archive_file.backup_function[0].output_md5}.zip"
  source         = data.archive_file.backup_function[0].output_path
  detect_md5hash = data.archive_file.backup_function[0].output_md5
}
# 2nd-gen Cloud Function that creates the Filestore backup. It executes as the
# runner service account (whose only grant in this file is the conditional
# roles/file.editor binding) and is reachable only by principals holding
# roles/run.invoker on its Cloud Run service, i.e. the scheduler account.
resource "google_cloudfunctions2_function" "backup" {
  count       = var.enable_auto_backup ? 1 : 0
  name        = "filestore-backup"
  description = "Filestore Automatic Backup"
  location    = var.auto_backup_function_location

  build_config {
    runtime     = "python312"
    entry_point = "create_backup"
    source {
      storage_source {
        # The object name embeds the archive MD5 (see function_source), so a
        # changed archive is a different object and triggers a redeploy.
        bucket = google_storage_bucket_object.function_source[0].bucket
        object = google_storage_bucket_object.function_source[0].name
      }
    }
  }

  service_config {
    # A scheduled job needs one instance; capping it also bounds cost and
    # concurrent backup attempts if the endpoint is called repeatedly.
    max_instance_count    = 1
    available_memory      = "256Mi"
    timeout_seconds       = 60
    service_account_email = google_service_account.filestore_backup_runner[0].email

    # NOTE(review): ingress_settings is not set, so the provider default
    # (ALLOW_ALL) applies; invocation remains IAM-gated via roles/run.invoker.
    # Tightening to ALLOW_INTERNAL_ONLY is worth evaluating as defence in
    # depth — confirm first that Cloud Scheduler OIDC calls are treated as
    # internal traffic for this runtime.

    # Target instance details handed to the function; all derived from the
    # instance resource above so they cannot drift from what is deployed.
    environment_variables = {
      PROJECT_ID               = local.project_id
      INSTANCE_LOCATION        = google_filestore_instance.default.location
      INSTANCE_NAME            = google_filestore_instance.default.name
      INSTANCE_FILE_SHARE_NAME = google_filestore_instance.default.file_shares[0].name
      # Backups are regional; this must agree with the IAM condition on the
      # runner's roles/file.editor grant.
      BACKUP_REGION            = local.region
    }
  }
}
# Cron trigger for the backup function. The job authenticates with an OIDC
# token minted for the scheduler service account; Cloud Run accepts the call
# only because that account holds roles/run.invoker on the function's service.
resource "google_cloud_scheduler_job" "backup" {
  count = var.enable_auto_backup ? 1 : 0

  name        = "filestore-backup"
  description = "Filestore Automatic Backup Workflow Scheduler"

  # Cadence and time zone are caller-supplied.
  schedule  = var.auto_backup_schedule
  time_zone = var.auto_backup_time_zone

  http_target {
    uri         = google_cloudfunctions2_function.backup[0].url
    http_method = "GET"

    # The token audience is the function URL, which is what the receiving
    # Cloud Run service validates.
    oidc_token {
      audience              = google_cloudfunctions2_function.backup[0].url
      service_account_email = google_service_account.filestore_backup_scheduler[0].email
    }
  }
}