Rough outline of terraform

deployment/live/example-gcp/main.tf

@@ -0,0 +1,61 @@
+terraform {
+  backend "gcs" {
+    bucket = "bucket-tfstate"
+    prefix = "example-gcs/terraform.tfstate"
+  }
+}
+
+provider "google" {
+  project = var.project_id
+}
+
+# Remote state
+resource "google_kms_key_ring" "terraform_state" {
+  name     = "bucket-tfstate"
+  location = var.location
+}
+
+resource "google_kms_crypto_key" "terraform_state_bucket" {
+  name     = "terraform-state-bucket"
+  key_ring = google_kms_key_ring.terraform_state.id
+}
+
+resource "google_storage_bucket" "terraform_state" {
+  name          = "bucket-tfstate"
+  force_destroy = false
+  location      = var.location
+  storage_class = "STANDARD"
+  versioning {
+    enabled = true
+  }
+  encryption {
+    default_kms_key_name = google_kms_crypto_key.terraform_state_bucket.id
+  }
+  uniform_bucket_level_access = true
+}
+
+
+data "terraform_remote_state" "log" {
+  backend   = "gcs"
+  workspace = terraform.workspace
+  config = {
+    bucket = "bucket-tfstate"
+    prefix = "example-gcs/terraform.tfstate"
+  }
+}
+
+# Log instance
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+module "gcs-log" {
+  source = "../../modules/gcs"
+
+  base_name  = var.base_name
+  project_id = var.project_id
+  location   = var.location
+}
+
+

deployment/live/example-gcp/terraform.tfvars

@@ -0,0 +1,2 @@
+base_name = "example-gcs"
+location  = "us-central1"

deployment/live/example-gcp/variables.tf

@@ -0,0 +1,14 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}

deployment/modules/gcs/main.tf

@@ -0,0 +1,46 @@
+# Services
+resource "google_project_service" "serviceusage_googleapis_com" {
+  service = "serviceusage.googleapis.com"
+}
+resource "google_project_service" "storage_api_googleapis_com" {
+  service = "storage-api.googleapis.com"
+}
+resource "google_project_service" "storage_component_googleapis_com" {
+  service = "storage-component.googleapis.com"
+}
+resource "google_project_service" "storage_googleapis_com" {
+  service = "storage.googleapis.com"
+}
+
+## Resources
+
+# Service accounts
+
+resource "google_service_account" "log_writer" {
+  account_id   = "${var.base_name}-writer"
+  display_name = "Log writer service account"
+}
+
+
+# Buckets
+
+resource "google_storage_bucket" "log" {
+  location                    = var.location
+  name                        = var.base_name
+  storage_class               = "STANDARD"
+  uniform_bucket_level_access = true
+}
+
+resource "google_storage_bucket_iam_binding" "log_bucket_writer" {
+  bucket = google_storage_bucket.log.name
+  role   = "roles/storage.legacyBucketWriter"
+  members = [
+    google_service_account.log_writer.member
+  ]
+}
+resource "google_storage_bucket_iam_member" "log_bucket_reader" {
+  bucket = google_storage_bucket.log.name
+  role   = "roles/storage.legacyObjectReader"
+  member = "allUsers"
+}
+

deployment/modules/gcs/outputs.tf

@@ -0,0 +1,4 @@
+output "log_bucket" {
+  description = "Log GCS bucket"
+  value       = google_storage_bucket.log
+}

deployment/modules/gcs/variables.tf

@@ -0,0 +1,14 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}