Add ability to give users / groups write access to buckets

GCS allows individual Google Users as well as Google Groups
to have permissions to read / write to GCS buckets (unlike AWS).
We can use this to allow community leaders to manage who can read
and write to GCS buckets from outside the cloud by managing membership
in a Google Group!

In this commit, we set up the persistent buckets of the LEAP hubs
to have this functionality. Access is managed via a Google Group -
I have temporarily created this under the 2i2c org and invited
Julius (the community champion) as an administrator. But perhaps
it should be just created as a regular google group. Using groups
here allows management of this access to not require any 2i2c
engineering work.

Future work would probably fold the separate variable we have
for determining if a bucket is accessible publicly as an attribute
as well.

Ref https://github.com/2i2c-org/infrastructure/issues/2096

terraform/gcp/buckets.tf

@@ -36,6 +36,15 @@ locals {
       }
     ]
   ]))
+
+  bucket_extra_admin_members = distinct(flatten([
+    for bucket_name, properties in var.user_buckets : [
+      for extra_member in properties.extra_admin_members : {
+        bucket_name = bucket_name
+        member = extra_member
+      }
+    ]
+  ]))
 }
 
 resource "google_storage_bucket_iam_member" "member" {
@@ -45,6 +54,13 @@ resource "google_storage_bucket_iam_member" "member" {
   member   = "serviceAccount:${google_service_account.workload_sa[each.value.hub_name].email}"
 }
 
+resource "google_storage_bucket_iam_member" "extra_admin_members" {
+  for_each = { for bm in local.bucket_extra_admin_members : "${bm.bucket_name}.${bm.member}" => bm }
+  bucket   = google_storage_bucket.user_buckets[each.value.bucket_name].name
+  role     = "roles/storage.admin"
+  member   = each.value.member
+}
+
 resource "google_storage_default_object_access_control" "public_rule" {
   for_each = toset(var.bucket_public_access)
   bucket   = google_storage_bucket.user_buckets[each.key].name

terraform/gcp/projects/leap.tfvars

@@ -25,17 +25,21 @@ filestore_capacity_gb = 1024
 
 user_buckets = {
   "scratch-staging" : {
-    "delete_after" : 7
+    "delete_after" : 7,
+    "extra_admin_members": []
   },
   "scratch" : {
-    "delete_after" : 7
+    "delete_after" : 7,
+    "extra_admin_members": []
   }
   # For https://github.com/2i2c-org/infrastructure/issues/1230#issuecomment-1278183441
   "persistent" : {
-    "delete_after" : null
+    "delete_after" : null,
+    "extra_admin_members": ["group:[email protected]"]
   },
   "persistent-staging" : {
-    "delete_after" : null
+    "delete_after" : null,
+    "extra_admin_members": ["group:[email protected]"]
   }
 }
 

terraform/gcp/variables.tf

@@ -195,17 +195,24 @@ variable "enable_network_policy" {
 }
 
 variable "user_buckets" {
-  type        = map(object({ delete_after : number }))
+  type        = map(object({ delete_after : number, extra_admin_members: list(string) }))
   default     = {}
   description = <<-EOT
   GCS Buckets to be created.
 
   The key for each entry will be prefixed with {var.prefix}- to form
   the name of the bucket.
 
-  The value is a map, with 'delete_after' the only accepted key in that
-  map - it lists the number of days after which any content in the
-  bucket will be deleted. Set to null to not delete data.
+  The value is a map, accepting the following keys:
+
+  'delete_after' specifies the number of days after which any content
+  in the bucket will be deleted. Set to null to not delete data.
+
+  'extra_admin_members' describes extra identies (user groups, user accounts,
+  service accounts, etc) that will have *full* access to this bucket. This
+  is primarily useful for moving data into and out of buckets from outside
+  the cloud. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members
+  for the format this would be specified in.
   EOT
 }