Read GCP proxy EPP SSL secret from GCS

This allows us to not ship the proxy with certificates/private keys. The secret is still encrypted by KMS. Reading the secret only happens once when the first EPP request comes in, which should not incur any tangible performance penalty.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=191771680

java/google/registry/proxy/terraform/example_config.tf

@@ -7,11 +7,12 @@ terraform {
 }
 
 module "proxy" {
-  source               = "../../modules"
-  proxy_project_name   = "YOUR_PROXY_PROJECT"
-  nomulus_project_name = "YOUR_NOMULUS_GPROJECT"
-  gcr_project_name     = "YOUR_GCR_PROJECT"
-  proxy_domain_name    = "YOUR_PROXY_DOMAIN"
+  source                   = "../../modules"
+  proxy_project_name       = "YOUR_PROXY_PROJECT"
+  nomulus_project_name     = "YOUR_NOMULUS_GPROJECT"
+  gcr_project_name         = "YOUR_GCR_PROJECT"
+  proxy_domain_name        = "YOUR_PROXY_DOMAIN"
+  proxy_certificate_bucket = "YOU_CERTIFICATE_BUCKET"
 }
 
 output "proxy_service_account_client_id" {

java/google/registry/proxy/terraform/modules/gcs.tf

@@ -0,0 +1,10 @@
+resource "google_storage_bucket" "proxy_certificate" {
+  name          = "${var.proxy_certificate_bucket}"
+  storage_class = "MULTI_REGIONAL"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = "${google_storage_bucket.proxy_certificate.name}"
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}

java/google/registry/proxy/terraform/modules/input.tf

@@ -10,6 +10,9 @@ variable "gcr_project_name" {}
 # The base domain name of the proxy, without the whois. or epp. part.
 variable "proxy_domain_name" {}
 
+# The GCS bucket that stores the encrypted SSL certificate.
+variable "proxy_certificate_bucket" {}
+
 # Cloud KMS keyring name
 variable "proxy_key_ring" {
   default = "proxy-key-ring"