From a3719d9ace251f144a7bb008c47d24b8cfb9c271 Mon Sep 17 00:00:00 2001
From: Dazhong Xia
Date: Fri, 8 Nov 2024 13:31:02 -0800
Subject: [PATCH 1/2] Add NREL GHA runner WIF setup.
---
 terraform/.terraform.lock.hcl | 82 +++++++++++++++++------------------
 terraform/main.tf | 34 ++++++++++++++-
 2 files changed, 73 insertions(+), 43 deletions(-)
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 7f0356bd96..037e2d0b38 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -2,60 +2,60 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "5.39.0" - constraints = ">= 3.64.0, 5.39.0, < 6.0.0" + version = "6.10.0" + constraints = ">= 3.64.0, 6.10.0, < 7.0.0" hashes = [ - "h1:KPHFS08CuJBLiSpfsBU9WSrGt0IIYmktUCtYWJG3IVU=", - "zh:384aa2857e00c05588796acef2a2dd4b71c8cac28cd1f3a3dabb20c295ea4908", - "zh:3b137eac3b424922aa93727e7667c474addea7e075967bc03ad40f9b3f0eaaf4", - "zh:4664adafacdee0fa97ccfe76d474582024b3f6bc77bc7dcb061359f1321af0d1", - "zh:48f61605fee70a9f91958f3ff6bbfb34058ba5fa50a09987a493b0275f76026d", - "zh:6c18c0ceaf6de40ae3012df116e1c919b8deba3b7667eb150d9392014ea412d4", - "zh:b90cc80f69725d63a9149ad040b6adf7c17122223d272c771c966960bd32f5f2", - "zh:c5724ac3ac93d835ba8e1721f80ee275602f55d4d86c976dc4c9e99afbda8e60", - "zh:c5cbdf303da617ba099778b6a4897496cef7fd15ea0363454bd2a0780b7200c9", - "zh:f37c93a769a222c201a61762f9aed7227d9788d8a31d172d63e78cd3a5676bc8", + "h1:OjdstqHpDb3mzZoA/WiuGXndoLF8DfT6XdMaUHDgBvI=", + "zh:016ef442d70497f34d209ccba94afa5b5e8027b6a60516452549a04c5f4b1e95", + "zh:0e521ae9ab51dea6f9c310291c9e288a482bf37e149bc3e5920547d2a73a6d23", + "zh:1ad1cc5e8f7c8f0b42cc6d37c5e0a3c77557bb18d91070930d361c3d6866bf23", + "zh:64580f23f5e87d4f843a617dab9a96093671f5826c2de8bc60fb3c619f00810d", + "zh:7d29aed1a73b99e50909fe7ce2fea92ba28cd4b4943d185d9187295f991bf35f", + "zh:80ccce9ad3c64528f05b9432d6bf8278d6555ffcb1c80f563b6f24a88d269979", + "zh:af49d0083c2a46bfd022d35f7a06a0626b71d67f6b3c75b04b5723e8977d1096", + "zh:ce767ca2ed4aaf63d0fcb48f0c2756b26096cff7fd33d513ed65a4e5758371f9", + "zh:d4515ffcf5a804c4f1da750f9a4a5edaef6a4cb95e49040bb18a422eb6b4832e", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f7eff51a6b70a45142d48de5732e0b84f9afb227507c7e05a7d711f4028f0959", - "zh:f838e2ad7b4bd7d840136957f6ceae750d86fbc36c2b31fdd37ff5b0c798b313", + "zh:f701206edcfff3e7ee8ca159cde65264e55ec59e2d455facb57cca782a197bbc", + 
"zh:f984b7b6700f6c075329d43e8a0be25f20f1b124e90e1e1e13bd90a8e468743d", ] } provider "registry.terraform.io/hashicorp/google-beta" { - version = "5.39.1" - constraints = ">= 3.64.0, < 6.0.0" + version = "6.10.0" + constraints = ">= 3.64.0, < 7.0.0" hashes = [ - "h1:0Kj1zAlYL6Xs8mh/rlGhttQwjcf0AIqeNDF6UuPhelc=", - "zh:07fcc7db2fdc302627f2cddd16fe6b2bf1e8a0fd24e41172afaee96dcb7894bd", - "zh:0f17e28afe3322b692cf912b09378333f59e51d3e62da27e8a337e86b34cb9e9", - "zh:252abaeb1dd9739f7b919d1ed3728c20f266c761125b6c33dc17fbbf08af77fb", - "zh:313c8db8dfb4b80d44aff470d6dcc2c7f5f6dbf4484717636e7fe42a401f5dff", - "zh:353ecd422983e3d993c7daa3fb0d7fd6663b663dfd95894734dc8f5261dba6bf", - "zh:486ffdfe5e834a03dd374813451fb6ec15392934b1adfadac0b9c2485f6f8e27", - "zh:847a88f8c392efd0c84e85d716d2ab7ec3a2d52c213c6b79db67aedd31b23a81", - "zh:9569b0d3029198d5dac39a7d714553d3456eb9db885393965f585b33ded60c7e", - "zh:b79475e63c78a24c70500c0e28e7526104b385fd5fa08f332d8bf0c94d6597de", - "zh:bf70c9fcd96d2abd1d3682cfd39075709745185b874a005465c6c067ce102dee", - "zh:d644a1043481d16a5788847b4204933f528bf65fb571546aec62f7da19d7e6b4", + "h1:W4ps9gOsSXRLKVbUbmeCFiDmn9Be+d1j5DbFhcmMIHU=", + "zh:180bbb1bc216378d82106dc4371f01fb0409ccc29c1513a1dd59aff7033f1fbb", + "zh:1ee7fbfbd5f71db275ed0e56d2264fca6e6e0e1d6e2ab0495da5c95bee87204d", + "zh:2b12896a4489152c1bf01217dd886eef0784f18f922f133e828e1a687128aaca", + "zh:5d1885e63b4bdb711a1bec19b699626fbd676a88087f00107cdb807c8a0213ca", + "zh:7a094a659d5fe5032dab6c79ccbdc6e86d16cd4da122b6f350d84f12db624e99", + "zh:8941627a145d5787bbdfad65e01f10200f98e160059214472a0287a5d67e45d9", + "zh:9626157fbd7e06ace9f3e0491213fa33849a54f21a3fe35fe11a0f0362fb1721", + "zh:bcb41673a90b757ac2b6e8c30e358ef101509434c006f08b788028390843267e", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fce9ef4741bf14472e7216952364f471370f8147f8fadfee89dfcee1562a3a83", + "zh:fd667034bb71eb67e50f871286db039139ad08313575e633884feb5b4e359b13", + 
"zh:ffd2089f326da9682f7669c2d4bc9349a968bf83ff05043d202be171237f86fb", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.6.2" + version = "3.6.3" hashes = [ - "h1:R5qdQjKzOU16TziCN1vR3Exr/B+8WGK80glLTT4ZCPk=", - "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec", - "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53", - "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114", - "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad", - "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b", - "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916", - "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150", - "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544", - "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7", - "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } 
diff --git a/terraform/main.tf b/terraform/main.tf
index c020ff4bbd..61eb6ee53f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -6,7 +6,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "5.39.0"
+ version = "6.10.0"
 }
 }
 }
@@ -70,6 +70,10 @@ module "gh_oidc" {
 sa_name = "projects/catalyst-cooperative-mozilla/serviceAccounts/mozilla-dev-sa@catalyst-cooperative-mozilla.iam.gserviceaccount.com"
 attribute = "attribute.repository/catalyst-cooperative/mozilla-sec-eia"
 }
+ "nrel-finito-inputs-gha" = {
+ sa_name = "projects/${var.project_id}/serviceAccounts/${google_service_account.nrel_finito_inputs_gha.email}"
+ attribute = "attribute.repository/catalyst-cooperative/nrel-fuel-and-industry-inputs"
+ }
 }
 }
@@ -115,7 +119,7 @@ resource "google_cloud_run_v2_service" "pudl-superset" {
 location = "us-central1"
 client = "terraform"
- launch_stage = "BETA"
+ launch_stage = "GA"
 template {
 execution_environment = "EXECUTION_ENVIRONMENT_GEN2"
@@ -279,6 +283,7 @@ resource "google_sql_database_instance" "postgres_pvp_instance_name" {
 password_change_interval = "30s"
 enable_password_policy = true
 }
+
 }
 # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
 # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
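Review bot: The `nrel-finito-inputs-gha` entry added to the `gh_oidc` mapping binds the service account to `attribute.repository/catalyst-cooperative/nrel-fuel-and-industry-inputs` alone, so every workflow run in that repository, on any branch, can obtain credentials for it. If only one workflow or the default branch should reach the archive bucket, narrow the trust with a provider attribute condition or a ref- or environment-scoped attribute; the `module "gh_oidc"` block starts and ends outside this hunk, so its attribute mapping and condition are not visible and this may already be handled there. `sa_name` could also read `google_service_account.nrel_finito_inputs_gha.name`, which already has the `projects/.../serviceAccounts/...` form. A one-line comment above the entry, e.g. `# GitHub Actions in nrel-fuel-and-industry-inputs impersonate nrel_finito_inputs_gha (bucket IAM defined below)`, would record why the binding exists.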
@@ -470,3 +475,28 @@ resource "google_secret_manager_secret" "superset_bot_password" {
 auto {}
 }
 }
+
+resource "google_storage_bucket" "pudl_archive_bucket" {
+ name = "archives.catalyst.coop"
+ location = "US-EAST1"
+ storage_class = "STANDARD"
+
+ uniform_bucket_level_access = true
+}
+
+resource "google_service_account" "nrel_finito_inputs_gha" {
+ account_id = "nrel-finito-inputs-gha"
+ display_name = "NREL FINITO inputs github action service account"
+}
+
+resource "google_storage_bucket_iam_member" "nrel_finito_inputs_archiver_gcs_iam" {
+ for_each = toset([
+ "roles/storage.objectCreator",
+ "roles/storage.objectViewer",
+ "roles/storage.insightsCollectorService"
+ ])
+
+ bucket = google_storage_bucket.pudl_archive_bucket.name
+ role = each.key
+ member = "serviceAccount:${google_service_account.nrel_finito_inputs_gha.email}"
+}
From 981b753a1ebf66eff2257d2885f9498fb92957e2 Mon Sep 17 00:00:00 2001
From: Dazhong Xia
Date: Mon, 30 Dec 2024 10:41:29 -0500
Subject: [PATCH 2/2] keep this branch up-to-date so I can do other terraform things.
---
 terraform/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 61eb6ee53f..6a47019722 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -6,7 +6,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.10.0"
+ version = "6.14.1"
 }
 }
 }
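Review bot: In `nrel_finito_inputs_archiver_gcs_iam` (the last hunk of patch 1/2), `roles/storage.insightsCollectorService` looks out of place for a GitHub Actions uploader: that role appears to be intended for the Storage Insights service, and if it is here only so the runner can read bucket metadata, a narrower grant would keep the account closer to least privilege. A short comment beside each role saying which operation needs it would make the set reviewable. The new `pudl_archive_bucket` sets no `public_access_prevention`; if the archive is not meant to be publicly readable, add `public_access_prevention = "enforced"`, and consider a `versioning` block since the bucket holds archives. The `member` line can be written as `member = google_service_account.nrel_finito_inputs_gha.member`.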