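# GCS bucket for edge test-job artifacts, plus the IAM bindings that govern it.
# Managed by Config Connector (cnrm). IAMPolicyMember bindings are additive:
# each one adds a single (member, role) pair to the referenced bucket's policy.
---
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: edge-test-jobs
spec:
  # Uniform bucket-level access: disables per-object ACLs so the bucket IAM
  # policy below is the only access-control surface.
  # NOTE(review): `bucketPolicyOnly` is the older name for this setting; newer
  # Config Connector releases expose it as `uniformBucketLevelAccess` — confirm
  # against the installed CRD version before renaming.
  bucketPolicyOnly: true
  location: us-east1
  # TODO(review): if the installed StorageBucket CRD supports it, set
  # `publicAccessPrevention: enforced` so that no grantee (including the
  # storage.admin member below) can expose this bucket via allUsers/allAuthenticatedUsers.
---
# CI publisher: the GitHub Actions runner service account writes job artifacts.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "edge-jobs-${cluster_hash}-ci-publish"
spec:
  member: serviceAccount:github-actions-runner@ret-edge-pltf-infra.iam.gserviceaccount.com
  resourceRef:
    name: edge-test-jobs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  # Scoping the grant to this one bucket limits the blast radius to this bucket,
  # but it does NOT make roles/storage.admin a low-privilege role: on this bucket
  # it still carries storage.buckets.setIamPolicy (the runner can grant anyone,
  # including allUsers, access), storage.buckets.delete, and bucket settings such
  # as retention and lifecycle. A compromised CI runner token therefore gets full
  # control of the bucket, not just write access to objects.
  # NOTE(review): if the runner only needs to upload/overwrite artifacts,
  # roles/storage.objectAdmin (or roles/storage.objectCreator) is sufficient and
  # removes the setIamPolicy/delete capabilities — confirm with the CI workflow.
  role: roles/storage.admin
---
# Read access for everyone in the ncr.com Cloud Identity / Workspace domain.
# `domain:` members cover every principal in that domain (users, groups and
# service accounts in Google-managed domains), not just a specific team;
# objectViewer allows listing and reading every object in the bucket.
# NOTE(review): confirm a domain-wide grant is intended rather than a group.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "ncr-${cluster_hash}-read-edge-jobs"
spec:
  member: domain:ncr.com
  resourceRef:
    name: edge-test-jobs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.objectViewer
# Removed: a second IAMPolicyMember (`edge-jobs-${cluster_hash}-runner-writer`)
# that bound the same service account to the same role on the same bucket as
# `ci-publish` above. Two Config Connector resources owning one identical
# binding add nothing to the effective policy and fight each other on deletion
# (removing either one briefly drops the binding the other still expects).
# If `runner-writer` was meant for a different principal or role, re-add it
# with that member instead of duplicating `ci-publish`.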