initial commit

Signed-off-by: Jason Hall <imjasonh@gmail.com>

terraform/iam.tf

@@ -0,0 +1,32 @@
+resource "google_service_account" "forgejo" {
+  account_id   = "forgejo-vm"
+  display_name = "Forgejo VM service account"
+}
+
+resource "google_secret_manager_secret_iam_member" "forgejo_secrets" {
+  for_each  = toset(["forgejo-secret-key", "forgejo-internal-token"])
+  project   = var.project_id
+  secret_id = each.value
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.forgejo.email}"
+}
+
+resource "google_storage_bucket_iam_member" "backups_writer" {
+  bucket = google_storage_bucket.backups.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.forgejo.email}"
+}
+
+resource "google_iap_tunnel_instance_iam_member" "ssh_admin" {
+  project  = var.project_id
+  zone     = var.zone
+  instance = google_compute_instance.forgejo.name
+  role     = "roles/iap.tunnelResourceAccessor"
+  member   = "user:${var.admin_email}"
+}
+
+resource "google_project_iam_member" "ssh_os_login" {
+  project = var.project_id
+  role    = "roles/compute.osLogin"
+  member  = "user:${var.admin_email}"
+}