[infra] Add bucket contraints to all buckets

Bucket constraints, listing the pools and service accounts that
builds from this bucket are allowed to use, are now required
on shadow buckets.

Adding them to all buckets in dart-ci, based on the pools and
service accounts the builders are currently using in each bucket.

Bug: b/285098783
Change-Id: I8a9af76a679c1dc93f6cbfdc7f66731608f8d6cf
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/308041
Reviewed-by: Jonas Termansen <sortie@google.com>
Commit-Queue: William Hesse <whesse@google.com>

generated/cr-buildbucket.cfg

@@ -44,6 +44,10 @@ buckets {
     }
   }
   shadow: "ci.shadow"
+  constraints {
+    pools: "luci.dart.ci"
+    service_accounts: "dart-luci-ci-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "ci.sandbox"
@@ -8808,12 +8812,26 @@ buckets {
     }
   }
   shadow: "ci.sandbox.shadow"
+  constraints {
+    pools: "dart.tests"
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "ci.sandbox.shadow"
+  constraints {
+    pools: "dart.tests"
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "ci.shadow"
+  constraints {
+    pools: "luci.dart.ci"
+    service_accounts: "dart-luci-ci-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try"
@@ -13357,6 +13375,10 @@ buckets {
     }
   }
   shadow: "try.shadow"
+  constraints {
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try.monorepo"
@@ -13955,12 +13977,24 @@ buckets {
     }
   }
   shadow: "try.monorepo.shadow"
+  constraints {
+    pools: "dart.tests"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try.monorepo.shadow"
+  constraints {
+    pools: "dart.tests"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try.shadow"
+  constraints {
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try.shared"
@@ -14007,9 +14041,17 @@ buckets {
     }
   }
   shadow: "try.shared.shadow"
+  constraints {
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 buckets {
   name: "try.shared.shadow"
+  constraints {
+    pools: "luci.dart.try"
+    service_accounts: "dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
 }
 common_config {
   builds_notification_topics {

generated/realms.cfg

@@ -93,6 +93,10 @@ realms {
 }
 realms {
   name: "ci.sandbox.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.triggerer"
     principals: "user:dart-internal-cbuild@dart-ci-internal.iam.gserviceaccount.com"
@@ -102,6 +106,10 @@ realms {
 }
 realms {
   name: "ci.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dart-luci-ci-builder@dart-ci.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.triggerer"
     principals: "user:dart-luci-ci-builder@dart-ci.iam.gserviceaccount.com"
@@ -160,6 +168,10 @@ realms {
 }
 realms {
   name: "try.monorepo.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.triggerer"
     principals: "group:project-dart-tryjob-access"
@@ -169,6 +181,10 @@ realms {
 }
 realms {
   name: "try.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.triggerer"
     principals: "group:project-dart-tryjob-access"
@@ -189,6 +205,10 @@ realms {
 }
 realms {
   name: "try.shared.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dart-luci-try-builder@dart-ci.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.triggerer"
     principals: "group:project-dart-tryjob-access"

project.star

@@ -85,6 +85,10 @@ luci.bucket(
     acls = [
         acl.entry(acl.BUILDBUCKET_TRIGGERER, users = [accounts.ci_builder]),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.ci"],
+        service_accounts = [accounts.ci_builder],
+    ),
 )
 luci.bucket(
     name = "ci.shadow",
@@ -92,12 +96,20 @@ luci.bucket(
     acls = [
         acl.entry(acl.BUILDBUCKET_TRIGGERER, users = [accounts.ci_builder]),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.ci"],
+        service_accounts = [accounts.ci_builder],
+    ),
 )
 luci.bucket(
     name = "ci.sandbox",
     acls = [
         acl.entry(acl.BUILDBUCKET_TRIGGERER, users = CI_SANDBOX_TRIGGERERS),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try", "dart.tests"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 luci.bucket(
     name = "ci.sandbox.shadow",
@@ -105,6 +117,10 @@ luci.bucket(
     acls = [
         acl.entry(acl.BUILDBUCKET_TRIGGERER, users = CI_SANDBOX_TRIGGERERS),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try", "dart.tests"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 TRY_ACLS = [
     acl.entry(
@@ -126,6 +142,10 @@ luci.bucket(
             ],
         ),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 
 # Shadow bucket for try.
@@ -133,6 +153,10 @@ luci.bucket(
     name = "try.shadow",
     shadows = "try",
     acls = TRY_ACLS,
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 
 # Tryjobs specific to the monorepo repo.
@@ -149,6 +173,10 @@ luci.bucket(
             ],
         ),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["dart.tests"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 
 # Shadow bucket for try.monorepo.
@@ -165,11 +193,30 @@ luci.bucket(
             ],
         ),
     ],
+    constraints = luci.bucket_constraints(
+        pools = ["dart.tests"],
+        service_accounts = [accounts.try_builder],
+    ),
 )
 
 # Tryjobs for all repos.
-luci.bucket(name = "try.shared", acls = TRY_ACLS)
-luci.bucket(name = "try.shared.shadow", shadows = "try.shared", acls = TRY_ACLS)
+luci.bucket(
+    name = "try.shared",
+    acls = TRY_ACLS,
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try"],
+        service_accounts = [accounts.try_builder],
+    ),
+)
+luci.bucket(
+    name = "try.shared.shadow",
+    shadows = "try.shared",
+    acls = TRY_ACLS,
+    constraints = luci.bucket_constraints(
+        pools = ["luci.dart.try"],
+        service_accounts = [accounts.try_builder],
+    ),
+)
 
 # Swarming permissions in realms.cfg.