build: add SA for code locations

infra/app.tf

@@ -4,6 +4,13 @@ resource "kubernetes_namespace" "dagster" {
   }
 }
 
+resource "kubernetes_service_account" "user_locations" {
+  metadata {
+    name      = "user-locations"
+    namespace = kubernetes_namespace.dagster.metadata[0].name
+  }
+}
+
 data "google_secret_manager_secret_version" "postgres_password" {
   secret     = "POSTGRESQL_PASSWORD_${local.environment_toupper}"
   depends_on = [module.sql]
@@ -102,13 +109,48 @@ resource "helm_release" "dagster" {
     value = "600Mi"
   }
 
+  set {
+    name = "computeLogManager.type"
+    value = "GCSComputeLogManager"
+  }
+
+  set {
+    name = "computeLogManager.config.gcsComputeLogManager.bucket"
+    value = "${google_storage_bucket.cloud_storage["logs"].name}"
+  }
+
+  set {
+    name = "computeLogManager.config.gcsComputeLogManager.prefix"
+    value = "dagster-logs-${var.environment}"
+  }
+
   # Values.yaml references secret by name
   set_sensitive {
     name  = "postgresql.postgresqlPassword"
     value = data.google_secret_manager_secret_version.postgres_password.secret_data
   }
 }
 
+module "dagster_prd_workload_identity" {
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  use_existing_k8s_sa = true
+  cluster_name        = module.gke.cluster_name
+  location            = module.gke.location
+  name                = "dagster-${var.environment}"
+  namespace           = kubernetes_namespace.dagster.metadata[0].name
+  project_id          = var.gcp_project
+}
+
+module "dagster_user_locations_workload_identity" {
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  use_existing_k8s_sa = true
+  cluster_name        = module.gke.cluster_name
+  location            = module.gke.location
+  name                = kubernetes_service_account.user_locations.metadata[0].name
+  namespace           = kubernetes_namespace.dagster.metadata[0].name
+  project_id          = var.gcp_project
+}
+
 # resource "local_file" "helm_manifest" {
 #   content = yamlencode(jsondecode(helm_release.dagster.manifest))
 #   filename = "${path.module}/values.yml"

infra/iam.tf

@@ -38,6 +38,10 @@ resource "google_service_account" "datareadwriter" {
   account_id = "datareadwriter-${var.environment}"
 }
 
+resource "google_service_account" "dagster_code_locations" {
+  account_id = "dagstercodelocations-${var.environment}"
+}
+
 resource "google_service_account_key" "datareadwriter" {
   service_account_id = google_service_account.datareadwriter.id
 }
@@ -50,6 +54,20 @@ resource "google_storage_bucket_iam_member" "data_lake" {
   member = "serviceAccount:${google_service_account.datareadwriter.email}"
 }
 
+resource "google_storage_bucket_iam_member" "logs" {
+
+  bucket = google_storage_bucket.cloud_storage["logs"].name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${module.dagster_prd_workload_identity.gcp_service_account_email}"
+}
+
+resource "google_storage_bucket_iam_member" "logs_user_locations_sa" {
+
+  bucket = google_storage_bucket.cloud_storage["logs"].name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${module.dagster_user_locations_workload_identity.gcp_service_account_email}"
+}
+
 resource "google_storage_hmac_key" "key" {
   service_account_email = google_service_account.datareadwriter.email
 }

infra/storage.tf

@@ -6,7 +6,7 @@ module "naming_storage" {
     var.environment
   ]
   resource_short_names = [
-    "dala", "inge", "arch", "dagster-logs"
+    "dala", "inge", "arch", "logs"
   ]
 }