Add GCS bucket for external TestGrid configurations

Add a GCS bucket so we can migrate testgrid dashboards from Google to
the Kubernetes infrastructure

Ref:
  - #8973

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Author: ameukam

infra/gcp/terraform/k8s-infra-prow/buckets.tf

@@ -82,6 +82,38 @@ module "testgrid_config_bucket" {
   ]
 }
 
+// Create gs://k8s-testgrid-config-external to store TestGrid configs.
+// - testgrid.prow.k8s.io (community-operated, K8s project configs only)
+// See: https://github.com/kubernetes/k8s.io/issues/8973
+module "testgrid_config_external_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 5"
+
+  name       = "k8s-testgrid-config-external"
+  project_id = module.project.project_id
+  location   = "us-central1"
+
+  uniform_bucket_level_access = true
+
+  iam_members = [
+    {
+      // Let the upload job write to this bucket.
+      role   = "roles/storage.objectAdmin"
+      member = "serviceAccount:k8s-testgrid-config-updater@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+    },
+    {
+      // Let K8s TestGrid canary read configs from this bucket.
+      role   = "roles/storage.objectViewer"
+      member = "serviceAccount:testgrid-canary@k8s-testgrid.iam.gserviceaccount.com"
+    },
+    {
+      // Let K8s TestGrid production read configs from this bucket.
+      role   = "roles/storage.objectViewer"
+      member = "serviceAccount:updater@k8s-testgrid.iam.gserviceaccount.com"
+    }
+  ]
+}
+
 // Create gs://k8s-ci-logs to store logs from Prow jobs.
 module "prow_bucket" {
   source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"