apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: edge-argo-logs
  annotations:
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  lifecycleRule:
  - action:
      type: Delete
    condition:
      age: 60
      withState: ANY
  location: us-east1
  uniformBucketLevelAccess: true
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-bucket-admin
spec:
  member: serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  # because we are scoping this to a specific bucket, this role is safe to give
  role: roles/storage.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-viewer
spec:
  member: serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.objectViewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-viewer
spec:
  member: serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.objectViewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-bucket-admin
spec:
  member: serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-argo-logs
  # because we are scoping this to a specific bucket, this role is safe to give
  role: roles/storage.admin