Tf public media buckets (#8324)

autogpt_platform/infra/terraform/environments/dev.tfvars

@@ -97,4 +97,8 @@ role_bindings = {
 }
 
 pods_ip_cidr_range     = "10.1.0.0/16"
-services_ip_cidr_range = "10.2.0.0/20"
+services_ip_cidr_range = "10.2.0.0/20"
+
+public_bucket_names = ["website-artifacts"]
+standard_bucket_names = []
+bucket_admins = ["gcp-devops-agpt@agpt.co", "gcp-developers@agpt.co"]

autogpt_platform/infra/terraform/environments/prod.tfvars

@@ -97,4 +97,8 @@ role_bindings = {
 }
 
 pods_ip_cidr_range     = "10.1.0.0/16"
-services_ip_cidr_range = "10.2.0.0/20"
+services_ip_cidr_range = "10.2.0.0/20"
+
+public_bucket_names = ["website-artifacts"]
+standard_bucket_names = []
+bucket_admins = ["gcp-devops-agpt@agpt.co", "gcp-developers@agpt.co"]

autogpt_platform/infra/terraform/main.tf

@@ -61,4 +61,14 @@ module "iam" {
   service_accounts           = var.service_accounts
   workload_identity_bindings = var.workload_identity_bindings
   role_bindings              = var.role_bindings
-}
+}
+
+module "storage" {
+  source = "./modules/storage"
+
+  project_id = var.project_id
+  region = var.region
+  standard_bucket_names = var.standard_bucket_names
+  public_bucket_names = var.public_bucket_names
+  bucket_admins = var.bucket_admins
+}

autogpt_platform/infra/terraform/modules/storage/main.tf

@@ -0,0 +1,64 @@
+
+# Public Buckets
+resource "google_storage_bucket" "public_buckets" {
+  for_each      = toset(var.public_bucket_names)
+  name          = "${var.project_id}-${each.value}"
+  location      = var.region
+  force_destroy = true
+
+  uniform_bucket_level_access = true
+
+  cors {
+    origin          = ["*"]
+    method          = ["GET", "HEAD", "OPTIONS"]
+    response_header = ["*"]
+    max_age_seconds = 3600
+  }
+}
+
+resource "google_storage_bucket_iam_policy" "public_access" {
+  for_each = google_storage_bucket.public_buckets
+
+  bucket      = each.value.name
+  policy_data = jsonencode({
+    bindings = [
+      {
+        role    = "roles/storage.objectViewer"
+        members = ["allUsers"]
+      },
+      {
+        role    = "roles/storage.admin"
+        members = [for admin in var.bucket_admins : "group:${admin}"]
+      }
+    ]
+  })
+}
+
+# Standard Buckets, with default permissions
+resource "google_storage_bucket" "standard_buckets" {
+  for_each      = toset(var.standard_bucket_names)
+  name          = "${var.project_id}-${each.value}"
+  location      = var.region
+  force_destroy = true
+
+  uniform_bucket_level_access = true
+
+  versioning {
+    enabled = true
+  }
+
+}
+
+resource "google_storage_bucket_iam_member" "standard_access" {
+  for_each = {
+    for pair in setproduct(keys(google_storage_bucket.standard_buckets), ["gcp-devops-agpt@agpt.co", "gcp-developers@agpt.co"]) :
+    "${pair[0]}-${pair[1]}" => {
+      bucket = google_storage_bucket.standard_buckets[pair[0]].name
+      member = "group:${pair[1]}"
+    }
+  }
+
+  bucket = each.value.bucket
+  role   = "roles/storage.objectAdmin"
+  member = each.value.member
+}

autogpt_platform/infra/terraform/modules/storage/outputs.tf

@@ -0,0 +1,19 @@
+output "public_bucket_names" {
+  description = "The names of the created website artifacts buckets"
+  value       = { for k, v in google_storage_bucket.public_buckets : k => v.name }
+}
+
+output "public_bucket_urls" {
+  description = "The URLs of the created website artifacts buckets"
+  value       = { for k, v in google_storage_bucket.public_buckets : k => v.url }
+}
+
+output "standard_bucket_names" {
+  description = "The names of the created standard buckets"
+  value       = { for k, v in google_storage_bucket.standard_buckets : k => v.name }
+}
+
+output "standard_bucket_urls" {
+  description = "The URLs of the created standard buckets"
+  value       = { for k, v in google_storage_bucket.standard_buckets : k => v.url }
+}

autogpt_platform/infra/terraform/modules/storage/variables.tf

@@ -0,0 +1,27 @@
+variable "project_id" {
+  description = "The ID of the project"
+  type        = string
+}
+
+variable "region" {
+  description = "The region where the bucket will be created"
+  type        = string
+}
+
+variable "public_bucket_names" {
+  description = "List of bucket names that should be publicly accessible"
+  type        = list(string)
+  default     = []
+}
+
+variable "standard_bucket_names" {
+  description = "List of bucket names that should be publicly accessible"
+  type        = list(string)
+  default     = []
+}
+
+variable "bucket_admins" {
+  description = "List of groups that should be admins of the buckets"
+  type        = list(string)
+  default     = ["gcp-devops-agpt@agpt.co", "gcp-developers@agpt.co"]
+}

autogpt_platform/infra/terraform/variables.tf

@@ -110,4 +110,23 @@ variable "services_ip_cidr_range" {
   description = "The IP address range for services"
   type        = string
   default     = "10.2.0.0/20"
-}
+}
+
+variable "public_bucket_names" {
+  description = "List of bucket names that should be publicly accessible"
+  type        = list(string)
+  default     = []
+}
+
+variable "standard_bucket_names" {
+  description = "List of bucket names that should be publicly accessible"
+  type        = list(string)
+  default     = []
+}
+
+variable "bucket_admins" {
+  description = "List of groups that should be admins of the buckets"
+  type        = list(string)
+  default     = ["gcp-devops-agpt@agpt.co", "gcp-developers@agpt.co"]
+}
+