# Longhorn backup target on GCS, consumed through the S3-compatible interop
# endpoint with an HMAC key; see
# https://longhorn.io/docs/1.9.1/snapshots-and-backups/backup-and-restore/set-backup-target/#set-up-gcp-cloud-storage-backupstore

# --- GCS side -----------------------------------------------------------------

resource "google_storage_bucket" "longhorn_backup" {
  name     = "arcodange-backup"
  location = "NAM4" # dual-region; see https://cloud.google.com/storage/docs/locations#location-dr

  # NOTE(review): force_destroy lets `terraform destroy` (or dropping this
  # resource from the config) delete every backup object in the bucket -
  # confirm this is intended for this environment.
  force_destroy = true

  # Rejects allUsers / allAuthenticatedUsers grants on this bucket.
  public_access_prevention = "enforced"
}

# Identity Longhorn authenticates as; it only ever holds an HMAC key.
resource "google_service_account" "longhorn_backup" {
  account_id = "longhorn-backup"
}

# NOTE(review): storage.admin is scoped to this bucket but still covers bucket
# metadata and IAM changes, not only object read/write - check whether an
# object-level role is sufficient for Longhorn's backupstore before relying on it.
resource "google_storage_bucket_iam_member" "longhorn_backup" {
  bucket = google_storage_bucket.longhorn_backup.name
  role   = "roles/storage.admin"
  member = format("serviceAccount:%s", google_service_account.longhorn_backup.email)
}

# HMAC credentials for the S3 interop API. The secret half lands in Terraform
# state, so the state backend needs the same protection as the Vault secret.
resource "google_storage_hmac_key" "longhorn_backup" {
  service_account_email = google_service_account.longhorn_backup.email
}

# --- Vault side ---------------------------------------------------------------

locals {
  vault_mount_kvv2 = {
    path = "kvv2"
  }
}

data "vault_auth_backend" "kubernetes" {
  path = "kubernetes"
}

# The HMAC pair, published under AWS_* names because Longhorn reads the GCS
# backupstore through its S3 driver.
resource "vault_kv_secret_v2" "longhorn_gcs_backup" {
  mount               = local.vault_mount_kvv2.path
  name                = "longhorn/gcs-backup"
  cas                 = 1 # NOTE(review): pins the write to KV version 1 - confirm this applies on first create and on later key rotation
  delete_all_versions = true

  data_json = jsonencode({
    AWS_ACCESS_KEY_ID     = google_storage_hmac_key.longhorn_backup.access_id
    AWS_SECRET_ACCESS_KEY = google_storage_hmac_key.longhorn_backup.secret
    AWS_ENDPOINTS         = "https://storage.googleapis.com"
  })
}

# Read-only policy on exactly this secret's data path.
data "vault_policy_document" "longhorn_gcs_backup" {
  rule {
    path         = format("%s/data/longhorn/gcs-backup", local.vault_mount_kvv2.path)
    capabilities = ["read"]
  }
}

resource "vault_policy" "longhorn_gcs_backup" {
  name   = "longhorn-gcs-backup"
  policy = data.vault_policy_document.longhorn_gcs_backup.hcl
}

# Binds one Kubernetes service account in longhorn-system to the read-only
# policy above; the alias is keyed on the service account name, not its UID.
resource "vault_kubernetes_auth_backend_role" "longhorn" {
  backend   = data.vault_auth_backend.kubernetes.path
  role_name = "longhorn"

  bound_service_account_names      = ["longhorn-vault-secret-reader"] # must match the name in the VaultAuth manifest
  bound_service_account_namespaces = ["longhorn-system"]

  token_policies    = [vault_policy.longhorn_gcs_backup.name]
  audience          = "vault"
  alias_name_source = "serviceaccount_name"
}