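# https://longhorn.io/docs/1.9.1/snapshots-and-backups/backup-and-restore/set-backup-target/#set-up-gcp-cloud-storage-backupstore
# Bucket that stores the Longhorn backups. Longhorn reaches it over the
# S3-compatible API with the HMAC key created further down, so access is
# governed purely by the IAM binding on this bucket.
resource "google_storage_bucket" "longhorn_backup" {
  name     = "arcodange-backup"
  location = "NAM4" # dual-region; see https://cloud.google.com/storage/docs/locations#location-dr

  # This bucket is the last copy of the volumes: do not let `terraform destroy`
  # (or a replacement of this resource) wipe it. Empty the bucket deliberately,
  # or flip this back to true, when the data really is disposable.
  force_destroy = false

  # No public objects, ever, regardless of any ACL that might be set later.
  public_access_prevention = "enforced"

  # IAM only, no legacy per-object ACLs: the service account below is granted
  # through google_storage_bucket_iam_member, so nothing here relies on ACLs.
  # NOTE(review): Longhorn writes through the S3-compatible XML API; confirm it
  # never sets per-object ACLs, which uniform bucket-level access would reject.
  uniform_bucket_level_access = true
}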
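# Identity Longhorn uses to reach the backup bucket. Within this file it only
# receives a bucket-scoped role (see google_storage_bucket_iam_member below);
# no project-level role is attached to it.
resource "google_service_account" "longhorn_backup" {
  account_id   = "longhorn-backup"
  display_name = "Longhorn backup target"
  description  = "Principal behind the HMAC key Longhorn uses to read/write the backup bucket"
}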
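# Grant the backup service account object-level access only. Longhorn needs to
# list, read, write and delete backup objects; it does not need to administer
# the bucket (IAM bindings, public-access settings, bucket deletion), which is
# what roles/storage.admin would also hand to whoever obtains the HMAC key below.
resource "google_storage_bucket_iam_member" "longhorn_backup" {
  bucket = google_storage_bucket.longhorn_backup.name

  # NOTE(review): if Longhorn's S3 client turns out to need bucket metadata
  # (e.g. GetBucketLocation -> storage.buckets.get), add a second member with
  # roles/storage.legacyBucketReader rather than going back to storage.admin.
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.longhorn_backup.email}"
}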
# S3-compatible (HMAC) credential for the backup service account; Longhorn
# addresses its backup target with AWS_* style credentials (see the Vault
# secret below), so the service account's native OAuth credentials cannot be
# used directly.
# The secret part is returned once at creation and then lives in Terraform
# state: treat the state backend as holding a live bucket credential (encrypt
# it, restrict who can read it). HMAC keys never expire on their own — rotate
# by replacing this resource.
resource "google_storage_hmac_key" "longhorn_backup" {
  service_account_email = google_service_account.longhorn_backup.email

}
locals {
  # KV v2 mount holding the Longhorn secrets. The policy below derives its
  # `<mount>/data/...` path from the same value so the two cannot drift apart.
  vault_mount_kvv2 = {
    path = "kvv2"
  }
}
# Existing Kubernetes auth method mounted at "kubernetes". It is looked up
# rather than created here — presumably it is managed elsewhere — and only
# its mount path is needed to attach the role below.
data "vault_auth_backend" "kubernetes" {
  path = "kubernetes"
}
# Credentials Longhorn expects in its backup-target secret, under the AWS_*
# names its S3-compatible backup driver reads. The HMAC key pair is taken
# straight from the resource above, so it is never pasted anywhere by hand
# (it is still present in Terraform state, which must be protected as such).
resource "vault_kv_secret_v2" "longhorn_gcs_backup" {
  mount = local.vault_mount_kvv2.path
  name  = "longhorn/gcs-backup"

  # Check-and-set. Per Vault's KV v2 semantics the write is only accepted when
  # the secret's current version is exactly 1: a fresh path (version 0) or a
  # secret already rewritten past v1 will reject the apply. Verify this is the
  # intended behaviour; if the mount does not enforce cas_required, dropping
  # `cas` is the usual choice.
  cas = 1

  # Destroying this resource removes every stored version, not only the latest.
  delete_all_versions = true

  data_json = jsonencode({
    AWS_ACCESS_KEY_ID     = google_storage_hmac_key.longhorn_backup.access_id
    AWS_SECRET_ACCESS_KEY = google_storage_hmac_key.longhorn_backup.secret
    AWS_ENDPOINTS         = "https://storage.googleapis.com"
  })
}
# Least-privilege policy: read-only on the single KV v2 data path holding the
# backup credentials. No list, no metadata path, nothing else on the mount.
data "vault_policy_document" "longhorn_gcs_backup" {
  rule {
    # KV v2 exposes secret contents under "<mount>/data/<name>"; the mount
    # comes from the same local the secret resource uses.
    path = "${local.vault_mount_kvv2.path}/data/longhorn/gcs-backup"
    capabilities = ["read"]
  }
}
# Materializes the policy document above as a named Vault policy; the
# Kubernetes auth role below attaches it to the tokens it issues.
resource "vault_policy" "longhorn_gcs_backup" {
  name = "longhorn-gcs-backup"
  policy = data.vault_policy_document.longhorn_gcs_backup.hcl
}
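# Lets the Kubernetes service account longhorn-vault-secret-reader (namespace
# longhorn-system) log in to Vault and obtain a token that can only read the
# backup credentials above. The VaultAuth manifest it refers to suggests the
# client is the Vault Secrets Operator.
resource "vault_kubernetes_auth_backend_role" "longhorn" {
  backend   = data.vault_auth_backend.kubernetes.path
  role_name = "longhorn"

  # Must match the service account referenced by the VaultAuth manifest.
  bound_service_account_names      = ["longhorn-vault-secret-reader"]
  bound_service_account_namespaces = ["longhorn-system"]

  token_policies = [vault_policy.longhorn_gcs_backup.name]

  # Only accept projected SA tokens minted for this audience; tokens issued for
  # the API server or other audiences cannot be replayed against this role.
  audience = "vault"

  # Entity alias keyed on the service account name rather than its UID.
  alias_name_source = "serviceaccount_name"

  # Bound the lifetime of issued tokens instead of inheriting Vault's mount
  # default: the operator renews/re-authenticates on its own, so a leaked token
  # is only useful briefly. Adjust if the client cannot renew within an hour.
  token_ttl     = 3600
  token_max_ttl = 86400
}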