From 28d80e3ececf214fdf29ede0d7ec11eb4c4aa412 Mon Sep 17 00:00:00 2001
From: Rodrigo Queiro
Date: Fri, 3 Nov 2023 16:07:01 +0100
Subject: [PATCH] Allow robot-service@ to read from GCR explicitly. (#243)

This is a step towards removing the blanket objectAdmin ACL. (b/299475780) It's a second attempt after the rollback in #237. As far as I can tell, robot-service@ does not need to read other files from CRC buckets (config.sh, crc_version.txt, etc) in the general case, although integration tests might need more privilege.
---
 deploy.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/deploy.sh b/deploy.sh
index 4e800673..624fc7ba 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -243,6 +243,16 @@ function terraform_post {
     gcloud container clusters update "${cluster[@]}" --quiet \
       --enable-vertical-pod-autoscaling
   fi
+
+  # I couldn't work out how to identify exactly which buckets back GCR in a
+  # given project: some have just "artifacts", some have just "eu.artifacts",
+  # and some have both. Since GCR will be turned down in favor of GAR in 2024,
+  # it seems simplest just to apply the ACLs with gcloud until then.
+  for bucket in $(gcloud storage buckets list --project "${GCP_PROJECT_ID}" --format "value(name)" | grep "artifacts.*appspot.com") ; do
+    gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
+      --member "serviceAccount:robot-service@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
+      --role "roles/storage.objectViewer"
+  done
 }
 
 function terraform_delete {
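Review bot: The bucket listing on the added `for bucket in $(gcloud storage buckets list ... | grep ...)` line fails silently: if `gcloud storage buckets list` errors (auth, missing permission, wrong project) or `grep` matches nothing, the command substitution simply yields an empty word list, the loop runs zero times and terraform_post carries on as though the grant had been applied — `set -e`, if deploy.sh enables it, does not check a command substitution used as a `for` list. Because the stated goal is to drop the blanket objectAdmin ACL afterwards, a skipped grant would only surface later as the service account losing read access. Separately, `grep "artifacts.*appspot.com"` is unanchored and its dots are unescaped, so any bucket in the project whose name merely contains those substrings also receives the objectViewer binding; matching only the bucket name shapes GCR itself creates (`artifacts.<project>.appspot.com`, `<region>.artifacts.<project>.appspot.com`) keeps the grant to the GCR-backing buckets. A rewrite that captures the listing with an explicit failure check and then iterates over an anchored match is below; a project with no GCR buckets still loops zero times, which is the intended no-op there. terraform_post begins before the hunk.
```shell
  # … unchanged: comment explaining why GCR buckets are matched by name …
  local buckets
  buckets=$(gcloud storage buckets list --project "${GCP_PROJECT_ID}" --format "value(name)") \
    || { printf 'failed to list buckets in %s\n' "${GCP_PROJECT_ID}" >&2; return 1; }
  # Only the shapes GCR creates: artifacts.<project>.appspot.com and
  # <region>.artifacts.<project>.appspot.com. No match is fine (no GCR in this project).
  while IFS= read -r bucket; do
    gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
      --member "serviceAccount:robot-service@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
      --role "roles/storage.objectViewer"
  done < <(grep -E '^([a-z]+\.)?artifacts\..+\.appspot\.com$' <<<"${buckets}" || true)
```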