# BuildKit build-cache bucket. Cache contents are rebuildable, so the bucket is
# tuned for cheap, automatic expiry rather than durability or recoverability.
resource "google_storage_bucket" "build_cache" {
  name     = "gitpod-runner-buildcache-${var.runner_id}"
  project  = var.project_id
  location = var.region

  storage_class = "STANDARD"

  # Hardened access model: IAM only (object ACLs disabled) and public access
  # (allUsers / allAuthenticatedUsers) blocked at the bucket level.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Explicit defaults: no event-based hold on new objects; the bucket owner,
  # not the requester, pays for access.
  default_event_based_hold = false
  requester_pays           = false

  # Lets `terraform destroy` remove the bucket while it still holds objects.
  # Acceptable here only because the data is a disposable cache.
  force_destroy = true

  # Rule 1: expire cache objects after 30 days (hardcoded for production).
  lifecycle_rule {
    condition {
      age                   = 30
      matches_storage_class = ["STANDARD"]
    }
    action {
      type = "Delete"
    }
  }

  # Rule 2: abort multipart uploads that were never completed after one day.
  lifecycle_rule {
    condition {
      age = 1
    }
    action {
      type = "AbortIncompleteMultipartUpload"
    }
  }

  # Versioning deliberately off: superseded cache layers have no value.
  versioning {
    enabled = false
  }

  # Customer-managed encryption key, emitted only when one is configured.
  # NOTE(review): assumes the project's GCS service agent has been granted
  # encrypt/decrypt on this key elsewhere — confirm before relying on CMEK.
  dynamic "encryption" {
    for_each = local.kms_key_name == null ? [] : [1]
    content {
      default_kms_key_name = local.kms_key_name
    }
  }

  # Caller-supplied labels plus fixed component labels; merge() gives the
  # later argument precedence, so the fixed labels win on key collision.
  labels = merge(var.labels, {
    gitpod-component = "build-cache"
    managed-by       = "terraform"
    purpose          = "buildkit-cache"
  })
}
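# Grants the dedicated build-cache service account object-level access to the
# cache bucket. Referencing google_storage_bucket.build_cache.name already
# orders this binding after bucket creation, so the former explicit
# depends_on was redundant and has been dropped.
resource "google_storage_bucket_iam_member" "cache_access" {
  bucket = google_storage_bucket.build_cache.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${local.build_cache_sa_email}"

  # NOTE(review): objectAdmin is full object CRUD on this bucket; the object-ACL
  # permissions it also carries are inert because the bucket enables uniform
  # bucket-level access. If the cache workload only needs object CRUD,
  # roles/storage.objectUser is the narrower predefined role — confirm against
  # the BuildKit cache exporter's needs before changing.
}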
# Note: Required APIs (storage.googleapis.com and iamcredentials.googleapis.com)
# are enabled by the main services module