Add pudl usage metrics gcp infrastructure (#3841)

* Add pudl usage metrics gcp infrastructure - Mount pudl-usage-metrics db to superset cloud run - Create a new bucket for raw usage metrics archives - Give github action service account permision to write to the bucket * Give pudl usage metrics etl service account permission to read from archive bucket * Give pudl usage metrics etl service account permission to read from archive bucket and list buckets, previous commit was missing a role * Give usage metrics service account permission on s3 logs bucket
catalyst-cooperative · Sep 17, 2024 · 410708e · 410708e
1 parent b1fe8ef
commit 410708e
Showing 1 changed file with 45 additions and 1 deletion.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -228,7 +228,7 @@ resource "google_cloud_run_v2_service" "pudl-superset" {
     volumes {
       name = "cloudsql"
       cloud_sql_instance {
-        instances = ["catalyst-cooperative-pudl:us-central1:superset-database"]
+        instances = ["catalyst-cooperative-pudl:us-central1:superset-database", "catalyst-cooperative-pudl:us-central1:pudl-usage-metrics-db"]
       }
     }
   }
@@ -396,3 +396,47 @@ resource "google_service_account_iam_member" "gce-default-account-iam" {
   role               = "roles/iam.serviceAccountUser"
   member             = "serviceAccount:345950277072@cloudbuild.gserviceaccount.com"
 }
+
+resource "google_secret_manager_secret" "pudl_usage_metrics_db_connection_string" {
+  secret_id = "pudl-usage-metrics-db-connection-string"
+  replication {
+    auto {}
+  }
+}
+
+resource "google_storage_bucket" "pudl_usage_metrics_archive_bucket" {
+  name          = "pudl-usage-metrics-archives.catalyst.coop"
+  location      = "US"
+  storage_class = "STANDARD"
+
+  uniform_bucket_level_access = true
+}
+
+resource "google_service_account" "usage_metrics_archiver" {
+  account_id   = "usage-metrics-archiver"
+  display_name = "PUDL usage metrics archiver github action service account"
+}
+
+resource "google_storage_bucket_iam_member" "usage_metrics_archiver_gcs_iam" {
+  for_each = toset(["roles/storage.objectCreator", "roles/storage.objectViewer"])
+
+  bucket = google_storage_bucket.pudl_usage_metrics_archive_bucket.name
+  role = each.key
+  member = "serviceAccount:${google_service_account.usage_metrics_archiver.email}"
+}
+
+resource "google_storage_bucket_iam_member" "usage_metrics_etl_gcs_iam" {
+  for_each = toset(["roles/storage.legacyBucketReader", "roles/storage.objectViewer"])
+
+  bucket = google_storage_bucket.pudl_usage_metrics_archive_bucket.name
+  role = each.key
+  member = "serviceAccount:pudl-usage-metrics-etl@catalyst-cooperative-pudl.iam.gserviceaccount.com"
+}
+
+resource "google_storage_bucket_iam_member" "usage_metrics_etl_s3_logs_gcs_iam" {
+  for_each = toset(["roles/storage.legacyBucketReader", "roles/storage.objectViewer"])
+
+  bucket = "pudl-s3-logs.catalyst.coop"
+  role = each.key
+  member = "serviceAccount:pudl-usage-metrics-etl@catalyst-cooperative-pudl.iam.gserviceaccount.com"
+}