feat: gcs resource

README.md

@@ -11,6 +11,7 @@ A collection of GCP resources ready to be used with [Humanitec](https://humanite
 The following resources are included:
 
 * [dns/basic](./humanitec-resource-defs/dns/basic): GCP Cloud DNS `dns` resource.
+* [gcs/basic](./humanitec-resource-defs/gcs/basic): A basic cloud storage bucket.
 * [redis/basic](./humanitec-resource-defs/redis/basic): GCP Memorystore `redis` resource.
 
 The `humanitec-resource-defs` directory includes the respective resource definitions.

examples/gcs/README.md

@@ -0,0 +1,72 @@
+# Example: gcs resource based on Google Cloud Storage
+
+This example configures a [gcs](https://developer.humanitec.com/platform-orchestrator/reference/resource-types/#gcs) Resource Definition using Google Cloud Storage, with two different access policies:
+
+* `basic-admin` (full access)
+* `basic-read-only` (read-only access)
+
+Those Resource Definitions can be used in your Score file using:
+
+```yaml
+resources:
+  ...
+  gcs:
+    type: gcs
+    class: basic-admin
+```
+
+The workload service account will automatically be assigned the necessary GCP Service Account with the selected role bindings.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a |
+| gcs\_basic | ../../humanitec-resource-defs/gcs/basic | n/a |
+| gcs\_basic\_admin | ../../humanitec-resource-defs/gcs/passthrough | n/a |
+| gcs\_basic\_read\_only | ../../humanitec-resource-defs/gcs/passthrough | n/a |
+| iam\_role\_binding\_gcs\_admin | ../../humanitec-resource-defs/iam-role-binding/gcs | n/a |
+| iam\_role\_binding\_gcs\_read\_only | ../../humanitec-resource-defs/iam-role-binding/gcs | n/a |
+| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| workload | ../../humanitec-resource-defs/workload/service-account | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.gcs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.gcs_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.gcs_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_role_binding_gcs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_role_binding_gcs_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| credentials | GCP credentials | `string` | n/a | yes |
+| location | The location of the bucket | `string` | n/a | yes |
+| project | GCP project ID | `string` | n/a | yes |
+| name | Name of the example application | `string` | `"hum-rp-gcs-example"` | no |
+| prefix | n/a | `string` | `"hum-rp-gcs-ex-"` | no |
+| resource\_packs\_gcp\_rev | GCP Resource Pack git ref | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_gcp\_url | GCP Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-gcp.git"` | no |
+<!-- END_TF_DOCS -->

examples/gcs/main.tf

@@ -0,0 +1,153 @@
+resource "humanitec_application" "example" {
+  id   = var.name
+  name = var.name
+}
+
+# GCS bucket
+
+locals {
+  # Classes used to build the resource definition graph
+  gcs_basic_class            = "basic"
+  gcs_admin_policy_class     = "gcs-basic-admin"
+  gcs_read_only_policy_class = "gcs-basic-read-only"
+
+  # Classes that developers can select from
+  gcs_basic_admin_class     = "basic-admin"
+  gcs_basic_read_only_class = "basic-read-only"
+}
+
+
+module "gcs_basic" {
+  source = "../../humanitec-resource-defs/gcs/basic"
+
+  resource_packs_gcp_url = var.resource_packs_gcp_url
+  resource_packs_gcp_rev = var.resource_packs_gcp_rev
+
+  project       = var.project
+  credentials   = var.credentials
+  force_destroy = true
+  location      = var.location
+
+  prefix = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "gcs_basic" {
+  resource_definition_id = module.gcs_basic.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gcs_basic_class
+}
+
+# Add different access policy to gcs basic bucket
+
+# Admin
+
+## Policy
+
+module "iam_role_binding_gcs_admin" {
+  source = "../../humanitec-resource-defs/iam-role-binding/gcs"
+
+  prefix = var.prefix
+
+  gcs_resource_class = local.gcs_basic_class
+  name               = "admin"
+  role               = "roles/storage.admin"
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_binding_gcs_admin" {
+  resource_definition_id = module.iam_role_binding_gcs_admin.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gcs_admin_policy_class
+}
+
+## Exposed passthrough resource definition
+module "gcs_basic_admin" {
+  source = "../../humanitec-resource-defs/gcs/passthrough"
+
+  prefix = var.prefix
+
+  gcs_resource_class    = local.gcs_basic_class
+  policy_resource_class = local.gcs_admin_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "gcs_basic_admin" {
+  resource_definition_id = module.gcs_basic_admin.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gcs_basic_admin_class
+}
+
+# Read-only
+
+## Policy
+
+module "iam_role_binding_gcs_read_only" {
+  source = "../../humanitec-resource-defs/iam-role-binding/gcs"
+
+  prefix = var.prefix
+
+  gcs_resource_class = local.gcs_basic_class
+  name               = "read-only"
+  role               = "roles/storage.objectViewer"
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_binding_gcs_read_only" {
+  resource_definition_id = module.iam_role_binding_gcs_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gcs_read_only_policy_class
+}
+
+## Exposed passthrough resource definition
+module "gcs_basic_read_only" {
+  source = "../../humanitec-resource-defs/gcs/passthrough"
+
+  prefix = var.prefix
+
+  gcs_resource_class    = local.gcs_basic_class
+  policy_resource_class = local.gcs_read_only_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "gcs_basic_read_only" {
+  resource_definition_id = module.gcs_basic_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gcs_basic_read_only_class
+}
+
+# Required resources for workload identity
+
+
+module "k8s_service_account" {
+  source = "../../humanitec-resource-defs/k8s/service-account"
+
+  prefix = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+  resource_definition_id = module.k8s_service_account.id
+  app_id                 = humanitec_application.example.id
+}
+
+module "gcp_service_account_workload" {
+  source = "../../humanitec-resource-defs/gcp-service-account/workload"
+
+  resource_packs_gcp_url = var.resource_packs_gcp_url
+  resource_packs_gcp_rev = var.resource_packs_gcp_rev
+
+  project     = var.project
+  credentials = var.credentials
+  prefix      = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {
+  resource_definition_id = module.gcp_service_account_workload.id
+  app_id                 = humanitec_application.example.id
+}
+
+module "workload" {
+  source = "../../humanitec-resource-defs/workload/service-account"
+
+  prefix = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "workload" {
+  resource_definition_id = module.workload.id
+  app_id                 = humanitec_application.example.id
+}

examples/gcs/providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+provider "humanitec" {}

examples/gcs/terraform.tfvars.example

@@ -0,0 +1,20 @@
+
+# GCP credentials
+credentials = ""
+
+# The location of the bucket
+location = ""
+
+# Name of the example application
+name = "hum-rp-gcs-example"
+
+prefix = "hum-rp-gcs-ex-"
+
+# GCP project ID
+project = ""
+
+# GCP Resource Pack git ref
+resource_packs_gcp_rev = "refs/heads/main"
+
+# GCP Resource Pack git url
+resource_packs_gcp_url = "https://github.com/humanitec-architecture/resource-packs-gcp.git"

examples/gcs/variables.tf

@@ -0,0 +1,37 @@
+variable "project" {
+  description = "GCP project ID"
+  type        = string
+}
+
+variable "credentials" {
+  description = "GCP credentials"
+  type        = string
+}
+
+variable "location" {
+  description = "The location of the bucket"
+  type        = string
+}
+
+variable "resource_packs_gcp_url" {
+  description = "GCP Resource Pack git url"
+  type        = string
+  default     = "https://github.com/humanitec-architecture/resource-packs-gcp.git"
+}
+
+variable "resource_packs_gcp_rev" {
+  description = "GCP Resource Pack git ref"
+  type        = string
+  default     = "refs/heads/main"
+}
+
+variable "name" {
+  description = "Name of the example application"
+  type        = string
+  default     = "hum-rp-gcs-example"
+}
+
+variable "prefix" {
+  type    = string
+  default = "hum-rp-gcs-ex-"
+}

humanitec-resource-defs/gcp-service-account/workload/README.md

@@ -0,0 +1,37 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| credentials | GCP credentials | `string` | n/a | yes |
+| prefix | n/a | `string` | n/a | yes |
+| project | GCP project ID | `string` | n/a | yes |
+| resource\_packs\_gcp\_rev | GCP Resource Pack git ref | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_gcp\_url | GCP Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-gcp.git"` | no |
+| roles | List of roles to assign to the service account | `set(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| id | n/a |
+<!-- END_TF_DOCS -->

humanitec-resource-defs/gcp-service-account/workload/main.tf

@@ -0,0 +1,37 @@
+resource "humanitec_resource_definition" "main" {
+  driver_type = "humanitec/terraform"
+  id          = "${var.prefix}gcp-service-account-workload"
+  name        = "${var.prefix}gcp-service-account-workload"
+  type        = "gcp-service-account"
+
+  driver_inputs = {
+    secrets_string = jsonencode({
+      variables = {
+        credentials = var.credentials
+      }
+    })
+
+    values_string = jsonencode({
+      source = {
+        path = "modules/gcp-service-account/workload"
+        rev  = var.resource_packs_gcp_rev
+        url  = var.resource_packs_gcp_url
+      }
+
+      variables = {
+        project = var.project
+        roles   = var.roles
+
+        prefix = var.prefix
+
+        namespace = "$${resources.k8s-namespace#k8s-namespace.outputs.namespace}"
+
+        grants = "$${resources.workload>aws-policy.outputs.grant}"
+
+        res_id = "$${context.res.id}"
+        app_id = "$${context.app.id}"
+        env_id = "$${context.env.id}"
+      }
+    })
+  }
+}

humanitec-resource-defs/gcp-service-account/workload/outputs.tf

@@ -0,0 +1,3 @@
+output "id" {
+  value = humanitec_resource_definition.main.id
+}

humanitec-resource-defs/gcp-service-account/workload/providers.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}