Add NREL GHA runner WIF setup

[jdangerx]

Overview

Helps with catalyst-cooperative/nrel-fuel-and-industry-inputs#5.

What problem does this address?

The NREL github runner didn't have access to the archives on GCP.

What did you change?

• put archives.catalyst.coop bucket under terraform management
• add service account, permissions, and WIF for NREL GH runner

Testing

Here was the terraform plan. It took two applys to actually get it to stick since the service account took a little time to create.

Terraform will perform the following actions:                                                                                   
                                                                                                                                
  # google_service_account.nrel_finito_inputs_gha will be created                                                               
  + resource "google_service_account" "nrel_finito_inputs_gha" {                                                                
      + account_id   = "nrel-finito-inputs-gha"                                                                                 
      + disabled     = false                                              
      + display_name = "NREL FINITO inputs github action service account"                                                                                                                           
      + email        = (known after apply)                                                                                                                                
      + id           = (known after apply)                      
      + member       = (known after apply)                                                       
      + name         = (known after apply)                                                                                                            
      + project      = "catalyst-cooperative-pudl"                                                                             
      + unique_id    = (known after apply)                                                                                      
    }                                                                                                                                                 
                                                                                    
  # google_storage_bucket_iam_member.nrel_finito_inputs_archiver_gcs_iam["roles/storage.insightsCollectorService"] will be created                                                                   
  + resource "google_storage_bucket_iam_member" "nrel_finito_inputs_archiver_gcs_iam" {                                         
      + bucket = "archives.catalyst.coop"                                                                                       
      + etag   = (known after apply)                            
      + id     = (known after apply)                                                                                                                                      
      + member = (known after apply)                           
      + role   = "roles/storage.insightsCollectorService"                                                                      
    }                                                                                                                                                                     
                                                                                                 
  # google_storage_bucket_iam_member.nrel_finito_inputs_archiver_gcs_iam["roles/storage.objectCreator"] will be created                                                                             
  + resource "google_storage_bucket_iam_member" "nrel_finito_inputs_archiver_gcs_iam" {                                                               
      + bucket = "archives.catalyst.coop"                                                        
      + etag   = (known after apply)                                                                                                                  
      + id     = (known after apply)                                                                                                                                                                
      + member = (known after apply)                                      
      + role   = "roles/storage.objectCreator"                                                                                                        
    }                                                                                                                                                                                               
                                                                                                                                                      
  # google_storage_bucket_iam_member.nrel_finito_inputs_archiver_gcs_iam["roles/storage.objectViewer"] will be created                                                    
  + resource "google_storage_bucket_iam_member" "nrel_finito_inputs_archiver_gcs_iam" {                                         
      + bucket = "archives.catalyst.coop"                                           
      + etag   = (known after apply)                                                                                                                                      
      + id     = (known after apply)                                                
      + member = (known after apply)                                                                                                                                      
      + role   = "roles/storage.objectViewer"                                                                                                                             
    }                                                                                                                                                                     
                                                                                                 
  # module.gh_oidc.google_service_account_iam_member.wif-sa["nrel-finito-inputs-gha"] will be created                           
  + resource "google_service_account_iam_member" "wif-sa" {                                                                    
      + etag               = (known after apply)                                                                               
      + id                 = (known after apply)                                                                                                                                                    
      + member             = "principalSet://iam.googleapis.com/projects/345950277072/locations/global/workloadIdentityPools/gh-actions-pool/attribute.repository/catalyst-cooperative/nrel-fuel-and-industry-inputs"
      + role               = "roles/iam.workloadIdentityUser"                                                                                                                                       
      + service_account_id = "projects/catalyst-cooperative-pudl/serviceAccounts/nrel-finito-inputs-gha@catalyst-cooperative-pudl.iam.gserviceaccount.com"                                           
    }                                                                                                                                                                                               
                                                               
Plan: 5 to add, 0 to change, 0 to destroy.   

[jdangerx]

@e-belfer more of an FYI - and @zschira more of an "actually review this terraform setup" thing.

[zschira]

@e-belfer if NREL is switching to onedrive, it seems this might be outdated now?

[e-belfer]

@zschira We still will be working on this project through December and who knows, there may be future iterations. So for now I think we should keep it as is / not take it down.

[jdangerx]

Since this reflects the latest infra state in GCP we should merge it. Otherwise I can't make new changes to infrastructure without basing my terraform config off of this branch. If we want to undo the NREL WIF changes later it's very easy to just delete all this stuff and make terraform remove the infrastructure.

[zschira]

Sorry for the delay, approved!