Migrate k8s-triage, k8s-metrics to terraform, setup k8s-triage dataset

[spiffxp]

Related:

• Part of: Migrate triage dashboard to wg-k8s-infra #1305
• Followup to: infra/gcp: setup k8s-project-triage special-case #2454
• Depends on: config/jobs: setup canary triage job, mv other triage jobs test-infra#23126

Since converting go.k8s.io/triage to triage.k8s.io is going to be more involved than I thought, setup to migrate gs://k8s-gubernator/triage to gs://k8s-triage. The bucket is currently populated with whatever it contained a while ago (which is basically as fresh as it's going to get since kettle has been down this whole time)

The dependency test-infra PR sets up a job that runs in k8s-infra-prow-build-trusted to update gs://k8s-triage

While I initially did all the provisioning for this via ensure-main-project.sh, I have since updated the PR to do all of this via terraform. I migrated all of the setup code for gs://k8s-metrics while doing so.

This also adds a bigquery dataset kubernetes-public:k8s-triage for the ci-test-infra-triage-canary job to be able to write to. A future test-infra PR will configure the job to write to it instead of currently failing to write to k8s-gubernator:temp.triage

In setting up the dataset, I'm trying out use of IAM roles instead of basic access (ref: https://cloud.google.com/bigquery/docs/access-control-basic-roles)

[spiffxp]

Ran ./infra/gcp/ensure-main-project.sh and manually removed gs://k8s-project-triage

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• infra/gcp/OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

/assign @ameukam
/hold
I'm going to deploy this now but anticipate I may need to edit the terraform state slightly, so don't want to merge until I've confirmed everything is as expected.

[spiffxp]

Copy-pasta comments need updating

I also think we need to put boilerplate license in our tf files...

[spiffxp]

Out of excessive paranoia I'm backing up the buckets first:

gsutil mb -p kubernetes-public gs://k8s-triage-bak
gsutil mb -p kubernetes-public gs://k8s-metrics-bak
gsutil -m rsync -r gs://k8s-triage gs://k8s-triage-bak # Operation completed over 1.5k objects/7.6 GiB.
gsutil -m rsync -r gs://k8s-metrics gs://k8s-metrics-bak # Operation completed over 7.7k objects/5.1 GiB.

[ameukam]

/lgtm

[spiffxp]

In terms of manual stuff I had to do to get this to work, this was basically it...

terraform import google_storage_bucket.triage_bucket kubernetes-public/k8s-triage
terraform import google_storage_bucket.metrics_bucket kubernetes-public/k8s-metrics

The rest was terraform apply, read error, do what it said, repeat...

It's maybe worth noting that after my first successful terraform apply, I ran again and saw the following

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # google_bigquery_dataset.triage_dataset has been changed
  ~ resource "google_bigquery_dataset" "triage_dataset" {
      ~ etag                            = "ObAE6ASzv6jJuAl9fPwfqg==" -> "cyljn5Sy1j+fDr/MKBXOag=="
        id                              = "projects/kubernetes-public/datasets/k8s_triage"
      ~ last_modified_time              = 1628805757044 -> 1628806369623
        # (10 unchanged attributes hidden)

      - access {
          - role          = "OWNER" -> null
          - user_by_email = "[email protected]" -> null
        }
      - access {
          - role          = "OWNER" -> null
          - special_group = "projectOwners" -> null
        }
      - access {
          - role          = "READER" -> null
          - special_group = "projectReaders" -> null
        }
      + access {
          + role          = "WRITER"
          + user_by_email = "[email protected]"
        }
      - access {
          - role          = "WRITER" -> null
          - special_group = "projectWriters" -> null
        }
      + access {
          + group_by_email = "[email protected]"
          + role           = "OWNER"
        }
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

[spiffxp]

/hold cancel
Changes in here have been deployed

[spiffxp]

Some manual cleanup...

gsutil rm -r gs://k8s-project-triage # what existed prior to this PR

[ameukam]

/lgtm

[sftim]

I spotted 2 typos. Nothing serious!

[sftim]

post-merge nit:

Suggested change

	description = "Dataset for kubernetes/test-infra/triage to store temprorary results"
	description = "Dataset for kubernetes/test-infra/triage to store temporary results"

[sftim]

post-merge nit:

Suggested change

	// Preserve legacy storage bindings, give storage.admim members legacy bucket owner
	// Preserve legacy storage bindings, give storage.admin members legacy bucket owner

[spiffxp]

This broke https://testgrid.k8s.io/wg-k8s-infra-prow#metrics-bigquery

#2548 should address