From 9655955563f14859ab7d9cef91c7e633f94d4a09 Mon Sep 17 00:00:00 2001 
From: Greg Malkov Date: Tue, 31 Mar 2020 14:28:04 -0400 Subject: [PATCH 1/8] split framework module into terra-cluster and terra-env --- framework/cloudsql.tf | 26 ------- framework/sa.tf | 52 -------------- identity-concentrator/cloudsql.tf | 21 ++++++ .../outputs.tf | 15 +++- .../provider.tf | 0 identity-concentrator/sa.tf | 12 ++++ identity-concentrator/variables.tf | 72 +++++++++++++++++++ poc-service/cloudsql.tf | 21 ++++++ poc-service/outputs.tf | 30 ++++++++ poc-service/provider.tf | 7 ++ poc-service/sa.tf | 12 ++++ poc-service/variables.tf | 66 +++++++++++++++++ {framework => terra-cluster}/api-services.tf | 0 {framework => terra-cluster}/k8s.tf | 1 - {framework => terra-cluster}/nat.tf | 2 +- {framework => terra-cluster}/network.tf | 0 terra-cluster/outputs.tf | 3 + terra-cluster/provider.tf | 7 ++ terra-cluster/sa.tf | 17 +++++ {framework => terra-cluster}/variables.tf | 57 +-------------- terra-env/apps.tf | 23 ++++++ terra-env/apps.tf~Stashed changes | 23 ++++++ terra-env/outputs.tf | 46 ++++++++++++ terra-env/provider.tf | 7 ++ terra-env/variables.tf | 25 +++++++ 25 files changed, 410 insertions(+), 135 deletions(-) delete mode 100644 framework/cloudsql.tf delete mode 100644 framework/sa.tf create mode 100644 identity-concentrator/cloudsql.tf rename {framework => identity-concentrator}/outputs.tf (56%) rename {framework => identity-concentrator}/provider.tf (100%) create mode 100644 identity-concentrator/sa.tf create mode 100644 identity-concentrator/variables.tf create mode 100644 poc-service/cloudsql.tf create mode 100644 poc-service/outputs.tf create mode 100644 poc-service/provider.tf create mode 100644 poc-service/sa.tf create mode 100644 poc-service/variables.tf rename {framework => terra-cluster}/api-services.tf (100%) rename {framework => terra-cluster}/k8s.tf (99%) rename {framework => terra-cluster}/nat.tf (98%) rename {framework => terra-cluster}/network.tf (100%) create mode 100644 terra-cluster/outputs.tf create mode 100644 
terra-cluster/provider.tf create mode 100644 terra-cluster/sa.tf rename {framework => terra-cluster}/variables.tf (55%) create mode 100644 terra-env/apps.tf create mode 100644 terra-env/apps.tf~Stashed changes create mode 100644 terra-env/outputs.tf create mode 100644 terra-env/provider.tf create mode 100644 terra-env/variables.tf diff --git a/framework/cloudsql.tf b/framework/cloudsql.tf deleted file mode 100644 index ccd4eead..00000000 --- a/framework/cloudsql.tf +++ /dev/null @@ -1,26 +0,0 @@ -locals { - env_psql_app_dbs = { - for env_db in setproduct(keys(var.postgres_app_dbs), toset(var.envs)): - "${env_db[1]}-${env_db[0]}" => { - db = "${env_db[1]}-${var.postgres_app_dbs[env_db[0]]["db"]}" - username = "${env_db[1]}-${var.postgres_app_dbs[env_db[0]]["username"]}" - } - } -} - -# Cloud SQL database -module "cloudsql" { - source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" - - providers = { - google.target = google.target - } - project = var.google_project - cloudsql_name = "${local.cluster_name}-db" - cloudsql_instance_labels = { - "cluster" = local.cluster_name - } - cloudsql_tier = var.cloudsql_tier - - app_dbs = local.env_psql_app_dbs -} diff --git a/framework/sa.tf b/framework/sa.tf deleted file mode 100644 index e7266ef5..00000000 --- a/framework/sa.tf +++ /dev/null 
@@ -1,52 +0,0 @@ -# -# Application Service Accounts -# - -locals { - env_app_sas = { - for env_sa in setproduct(keys(var.app_service_accounts), toset(var.envs)): - "${env_sa[1]}-${env_sa[0]}" => { - roles = var.app_service_accounts[env_sa[0]].roles - } - } -} -resource "google_service_account" "app" { - for_each = local.env_app_sas - - project = var.google_project - account_id = each.key - display_name = each.key -} - -locals { - sa_roles = flatten([ - for sa in keys(local.env_app_sas): [ - for role in local.env_app_sas[sa].roles: { - sa = sa - role = role - } - ] - ]) -} -resource "google_project_iam_member" "app" { - for_each = zipmap(range(length(local.sa_roles)), local.sa_roles) - - project = var.google_project - role = each.value.role - member = "serviceAccount:${google_service_account.app[each.value.sa].email}" -} - - -# CI access -resource "google_service_account" "ci" { - project = var.google_project - account_id = "${local.owner}-ci-sa" - display_name = "${local.owner}-ci-sa" -} - -resource "google_project_iam_member" "ci" { - count = length(var.ci_sa_roles) - project = var.google_project - role = element(var.ci_sa_roles, count.index) - member = "serviceAccount:${google_service_account.ci.email}" -} diff --git a/identity-concentrator/cloudsql.tf b/identity-concentrator/cloudsql.tf new file mode 100644 index 00000000..a6f65395 --- /dev/null +++ b/identity-concentrator/cloudsql.tf @@ -0,0 +1,21 @@ +module "cloudsql" { + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" + + providers = { + google.target = google.target + } + project = var.google_project + cloudsql_name = "${var.service}-db-${local.owner}" + cloudsql_instance_labels = { + "env" = local.owner + "app" = var.service + } + cloudsql_tier = var.db_tier + + app_dbs = { + "${var.service}" = { + db = local.db_name + username = local.db_user + } + } +} 
diff --git a/framework/outputs.tf b/identity-concentrator/outputs.tf
similarity index 56%
rename from framework/outputs.tf
rename to identity-concentrator/outputs.tf
index adf9f808..b2080894 100644
--- a/framework/outputs.tf
+++ b/identity-concentrator/outputs.tf
@@ -1,3 +1,16 @@
+#
+# Service Account Outputs
+#
+
+output "app_sa_id" {
+  value = google_service_account.app.account_id
+}
+
+
+#
+# CloudSQL PostgreSQL Outputs
+#
+
 output "cloudsql_public_ip" {
   value = module.cloudsql.public_ip
 }
@@ -12,6 +25,6 @@ output "cloudsql_root_user_password" {
 }
 output "cloudsql_app_db_creds" {
-  value = module.cloudsql.app_db_creds
+  value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service]
   sensitive = true
 }
diff --git a/framework/provider.tf b/identity-concentrator/provider.tf
similarity index 100%
rename from framework/provider.tf
rename to identity-concentrator/provider.tf
diff --git a/identity-concentrator/sa.tf b/identity-concentrator/sa.tf
new file mode 100644
index 00000000..5fb7349a
--- /dev/null
+++ b/identity-concentrator/sa.tf
@@ -0,0 +1,12 @@
+resource "google_service_account" "app" {
+  project = var.google_project
+  account_id = "${var.service}-${local.owner}"
+  display_name = "${var.service}-${local.owner}"
+}
+resource "google_project_iam_member" "app_roles" {
+  count = length(var.sa_roles)
+
+  project = var.google_project
+  role = var.sa_roles[count.index]
+  member = "serviceAccount:${google_service_account.app.email}"
+}
diff --git a/identity-concentrator/variables.tf b/identity-concentrator/variables.tf
new file mode 100644
index 00000000..23c9d6de
--- /dev/null
+++ b/identity-concentrator/variables.tf
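Review bot: `google_project_iam_member.app_roles` in identity-concentrator/sa.tf indexes the role list with `count`, so inserting or removing an entry in the middle of `var.sa_roles` shifts every later index and makes Terraform destroy and recreate the shifted bindings, briefly dropping permissions from the running IC service account. Keying the binding on the role string avoids that: `for_each = toset(var.sa_roles)` and `role = each.value`. A one-line comment on the account resource would also help future readers, e.g. `# One runtime SA per owner/workspace; project-level roles come from var.sa_roles`.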
@@ -0,0 +1,72 @@
+# See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852
+variable dependencies {
+  type = any
+  default = []
+  description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules."
+}
+
+
+#
+# General Vars
+#
+variable "google_project" {
+  type = string
+  description = "The google project"
+}
+variable "cluster" {
+  description = "Terra GKE cluster suffix, whatever is after terra-"
+}
+variable "owner" {
+  type = string
+  description = "Environment or developer"
+  default = ""
+}
+locals {
+  owner = var.owner == "" ? terraform.workspace : var.owner
+}
+variable "service" {
+  description = "App name"
+  default = "ic"
+}
+
+
+#
+# Service Account Vars
+#
+
+variable "sa_roles" {
+  type = list(string)
+  description = "Service account roles"
+  default = [
+    "roles/cloudsql.client", // To use cloudsql
+    "roles/cloudkms.cryptoKeyEncrypterDecrypter", // To encrypt sensitive data to store in datastore
+    "roles/cloudkms.publicKeyViewer", // To sign jwt with kms
+    "roles/cloudkms.signer", // To sign jwt with kms
+    "roles/datastore.indexAdmin", // TO mange datastore index
+    "roles/datastore.user", // To use datastore
+    "roles/cloudkms.admin", // To manage cryptographic keys for IC
+    "roles/monitoring.editor" // To use stackdriver
+  ]
+}
+
+#
+# Postgres CloudSQL DB Vars
+#
+variable "db_tier" {
+  default = "db-g1-small"
+  description = "The default tier (DB instance size) for the CloudSQL instance"
+}
+variable "db_name" {
+  type = string
+  description = "Postgres db name"
+  default = ""
+}
+variable "db_user" {
+  type = string
+  description = "Postgres username"
+  default = ""
+}
+locals {
+  db_name = var.db_name == "" ? var.service : var.db_name
+  db_user = var.db_user == "" ? var.service : var.db_user
+}
diff --git a/poc-service/cloudsql.tf b/poc-service/cloudsql.tf
new file mode 100644
index 00000000..a6f65395
--- /dev/null
+++ b/poc-service/cloudsql.tf
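Review bot: The default `sa_roles` list gives the IC runtime service account `roles/cloudkms.admin`, and sa.tf binds every entry with `google_project_iam_member`, i.e. at project scope. That role lets a compromised IC process create, disable and destroy every key in the project and rewrite key-ring IAM, far beyond the "sign jwt" and "encrypt datastore data" needs that `roles/cloudkms.signer`, `publicKeyViewer` and `cryptoKeyEncrypterDecrypter` already cover; key creation belongs to Terraform, not to the app. Drop `"roles/cloudkms.admin", // To manage cryptographic keys for IC` from the default and, if the remaining KMS roles can be scoped, bind them on the IC key ring with `google_kms_key_ring_iam_member` rather than on the project. `roles/datastore.indexAdmin` at runtime also deserves a comment on why the app rather than Terraform manages indexes (the existing `// TO mange datastore index` has a typo as well).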
@@ -0,0 +1,21 @@ +module "cloudsql" { + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" + + providers = { + google.target = google.target + } + project = var.google_project + cloudsql_name = "${var.service}-db-${local.owner}" + cloudsql_instance_labels = { + "env" = local.owner + "app" = var.service + } + cloudsql_tier = var.db_tier + + app_dbs = { + "${var.service}" = { + db = local.db_name + username = local.db_user + } + } +} diff --git a/poc-service/outputs.tf b/poc-service/outputs.tf new file mode 100644 index 00000000..b2080894 --- /dev/null +++ b/poc-service/outputs.tf @@ -0,0 +1,30 @@ +# +# Service Account Outputs +# + +output "app_sa_id" { + value = google_service_account.app.account_id +} + + +# +# CloudSQL PostgreSQL Outputs +# + +output "cloudsql_public_ip" { + value = module.cloudsql.public_ip +} + +output "cloudsql_instance_name" { + value = module.cloudsql.instance_name +} + +output "cloudsql_root_user_password" { + value = module.cloudsql.root_user_password + sensitive = true +} + +output "cloudsql_app_db_creds" { + value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service] + sensitive = true +} diff --git a/poc-service/provider.tf b/poc-service/provider.tf new file mode 100644 index 00000000..389ece2d --- /dev/null +++ b/poc-service/provider.tf @@ -0,0 +1,7 @@ +provider "google" { + alias = "target" +} + +provider "google-beta" { + alias = "target" +} diff --git a/poc-service/sa.tf b/poc-service/sa.tf new file mode 100644 index 00000000..5fb7349a --- /dev/null +++ b/poc-service/sa.tf 
@@ -0,0 +1,12 @@
+resource "google_service_account" "app" {
+  project = var.google_project
+  account_id = "${var.service}-${local.owner}"
+  display_name = "${var.service}-${local.owner}"
+}
+resource "google_project_iam_member" "app_roles" {
+  count = length(var.sa_roles)
+
+  project = var.google_project
+  role = var.sa_roles[count.index]
+  member = "serviceAccount:${google_service_account.app.email}"
+}
diff --git a/poc-service/variables.tf b/poc-service/variables.tf
new file mode 100644
index 00000000..4aedd198
--- /dev/null
+++ b/poc-service/variables.tf
@@ -0,0 +1,66 @@
+# See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852
+variable dependencies {
+  type = any
+  default = []
+  description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules."
+}
+
+
+#
+# General Vars
+#
+variable "google_project" {
+  type = string
+  description = "The google project"
+}
+variable "cluster" {
+  description = "Terra GKE cluster suffix, whatever is after terra-"
+}
+variable "owner" {
+  type = string
+  description = "Environment or developer"
+  default = ""
+}
+locals {
+  owner = var.owner == "" ? terraform.workspace : var.owner
+}
+variable "service" {
+  description = "App name"
+  default = "poc"
+}
+
+
+#
+# Service Account Vars
+#
+
+variable "sa_roles" {
+  type = list(string)
+  description = "Service account roles"
+  default = [
+    "roles/storage.admin",
+    "roles/container.admin"
+  ]
+}
+
+#
+# Postgres CloudSQL DB Vars
+#
+variable "db_tier" {
+  default = "db-g1-small"
+  description = "The default tier (DB instance size) for the CloudSQL instance"
+}
+variable "db_name" {
+  type = string
+  description = "Postgres db name"
+  default = ""
+}
+variable "db_user" {
+  type = string
+  description = "Postgres username"
+  default = ""
+}
+locals {
+  db_name = var.db_name == "" ? var.service : var.db_name
+  db_user = var.db_user == "" ? var.service : var.db_user
+}
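Review bot: The POC service's `sa_roles` default to `roles/storage.admin` and `roles/container.admin`, bound project-wide by sa.tf, so the runtime identity of a proof-of-concept app can read and delete every bucket and object in the project and administer the GKE cluster it runs on, including the control plane that terra-cluster in this same series creates. Unlike the IC list, neither entry says why it is needed. Unless the POC genuinely manages clusters, a narrower default such as `"roles/storage.objectAdmin", // app bucket read/write` (better still, a bucket-level `google_storage_bucket_iam_member`) with no container role is the safer starting point, and each entry should carry a reason comment like the IC module's.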
diff --git a/framework/api-services.tf b/terra-cluster/api-services.tf similarity index 100% rename from framework/api-services.tf rename to terra-cluster/api-services.tf diff --git a/framework/k8s.tf b/terra-cluster/k8s.tf similarity index 99% rename from framework/k8s.tf rename to terra-cluster/k8s.tf index 4d551cf9..9b210a25 100644 --- a/framework/k8s.tf +++ b/terra-cluster/k8s.tf @@ -1,4 +1,3 @@ - module "k8s-master" { # terraform-shared repo source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/k8s-master?ref=k8s-master-0.2.1-tf-0.12" diff --git a/framework/nat.tf b/terra-cluster/nat.tf similarity index 98% rename from framework/nat.tf rename to terra-cluster/nat.tf index f11b1dc7..83373342 100644 --- a/framework/nat.tf +++ b/terra-cluster/nat.tf @@ -6,7 +6,7 @@ resource "google_compute_router" "router" { network = google_compute_network.k8s-cluster-network.self_link bgp { - asn = 64516 + asn = 64515 } } diff --git a/framework/network.tf b/terra-cluster/network.tf similarity index 100% rename from framework/network.tf rename to terra-cluster/network.tf diff --git a/terra-cluster/outputs.tf b/terra-cluster/outputs.tf new file mode 100644 index 00000000..b71b4ed8 --- /dev/null +++ b/terra-cluster/outputs.tf @@ -0,0 +1,3 @@ +output "ci_sa_id" { + value = google_service_account.ci.account_id +} diff --git a/terra-cluster/provider.tf b/terra-cluster/provider.tf new file mode 100644 index 00000000..389ece2d --- /dev/null +++ b/terra-cluster/provider.tf @@ -0,0 +1,7 @@ +provider "google" { + alias = "target" +} + +provider "google-beta" { + alias = "target" +} diff --git a/terra-cluster/sa.tf b/terra-cluster/sa.tf new file mode 100644 index 00000000..fe902f30 --- /dev/null +++ b/terra-cluster/sa.tf 
@@ -0,0 +1,17 @@
+#
+# Service Accounts
+#
+
+# CI access
+resource "google_service_account" "ci" {
+  project = var.google_project
+  account_id = "${local.owner}-ci-sa"
+  display_name = "${local.owner}-ci-sa"
+}
+
+resource "google_project_iam_member" "ci" {
+  count = length(var.ci_sa_roles)
+  project = var.google_project
+  role = element(var.ci_sa_roles, count.index)
+  member = "serviceAccount:${google_service_account.ci.email}"
+}
diff --git a/framework/variables.tf b/terra-cluster/variables.tf
similarity index 55%
rename from framework/variables.tf
rename to terra-cluster/variables.tf
index f2f8ae5c..7006cb27 100644
--- a/framework/variables.tf
+++ b/terra-cluster/variables.tf
@@ -22,7 +22,7 @@ locals {
 }
 variable "service" {
   description = "App name"
-  default = "framework"
+  default = "terra"
 }
@@ -46,10 +46,10 @@ variable "cluster_network" {
   default = ""
 }
 locals {
-  cluster_network = var.cluster_network == "" ? var.service : var.cluster_network
+  cluster_network = var.cluster_network == "" ? "${var.service}-${local.owner}" : var.cluster_network
 }
 variable "k8s_version_prefix" {
-  default = "1.15.9-gke.24"
+  default = "1.15.9"
 }
 variable "private_master_ipv4_cidr_block" {
   default = "10.128.18.0/28"
@@ -69,28 +69,6 @@ variable "node_pools" {
 }
-#
-# PostgreSQL CloudSQL Vars
-#
-
-variable "postgres_app_dbs" {
-  description = "List of PostgreSQL db name and username pairs"
-  type = map(object({
-    db = string
-    username = string
-  }))
-  default = {
-    kernel-service-poc = {
-      db = "poc"
-      username = "poc"
-    }
-  }
-}
-variable "cloudsql_tier" {
-  default = "db-custom-16-32768"
-  description = "The default tier (DB instance size) for the CloudSQL instance"
-}
-
 #
 # CI SA vars
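Review bot: The CI service account in terra-cluster/sa.tf receives every entry of `var.ci_sa_roles` at project level, and the default list in the same file still contains `roles/container.admin` (visible as context in the following hunk), so this is the most privileged and, if its credential is an exported key, the most exposed principal the module creates. The binding is also keyed by `count`/`element()`, so reordering the list recreates bindings; prefer `for_each = toset(var.ci_sa_roles)` with `role = each.value`. A comment stating what CI actually does with the account would let reviewers judge whether cluster admin is required, e.g. `# CI SA: used by the pipeline to deploy to the cluster; keep ci_sa_roles to what deploy needs`.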
@@ -103,32 +81,3 @@ variable "ci_sa_roles" {
     "roles/container.admin"
   ]
 }
-
-
-#
-# Application SA vars
-#
-
-variable "app_service_accounts" {
-  description = "List of application service accounts and their roles required per environment"
-  type = map(object({
-    roles = list(string)
-  }))
-  default = {
-    kernel-service-poc = {
-      roles = [
-        "roles/cloudsql.client"
-      ]
-    }
-  }
-}
-
-
-#
-# Environment vars
-#
-variable "envs" {
-  type = list(string)
-  default = []
-  description = "A list of environments for each of which some resources need to be duplicated"
-}
diff --git a/terra-env/apps.tf b/terra-env/apps.tf
new file mode 100644
index 00000000..40198d06
--- /dev/null
+++ b/terra-env/apps.tf
@@ -0,0 +1,23 @@
+module "poc_service" {
+  source = "github.com/broadinstitute/terraform-ap-modules.git//poc-service?ref=poc-service-0.0.0"
+
+  google_project = var.google_project
+  cluster = var.cluster
+
+  providers = {
+    google.target = google.target
+    google-beta.target = google-beta.target
+  }
+}
+
+module "identity_concentrator" {
+  source = "github.com/broadinstitute/terraform-ap-modules.git//identity-concentrator?ref=identity-concentrator-0.0.0"
+
+  google_project = var.google_project
+  cluster = var.cluster
+
+  providers = {
+    google.target = google.target
+    google-beta.target = google-beta.target
+  }
+}
diff --git a/terra-env/apps.tf~Stashed changes b/terra-env/apps.tf~Stashed changes
new file mode 100644
index 00000000..40198d06
--- /dev/null
+++ b/terra-env/apps.tf~Stashed changes
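Review bot: Both module sources in terra-env/apps.tf are pinned to git tags (`?ref=poc-service-0.0.0`, `?ref=identity-concentrator-0.0.0`), and tags are mutable: anyone with push rights on `terraform-ap-modules` can move a tag and change the IAM bindings and Cloud SQL instances this root applies, with no diff appearing here. Pin to the commit the tag resolves to (`?ref=<commit-sha>`) or enforce tag protection in that repository, and record the policy above the first module, e.g. `# Module refs are pinned; bump only after reviewing the module diff`. The same concern applies to the `terraform-shared` sources used by cloudsql.tf and k8s.tf.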
@@ -0,0 +1,23 @@ +module "poc_service" { + source = "github.com/broadinstitute/terraform-ap-modules.git//poc-service?ref=poc-service-0.0.0" + + google_project = var.google_project + cluster = var.cluster + + providers = { + google.target = google.target + google-beta.target = google-beta.target + } +} + +module "identity_concentrator" { + source = "github.com/broadinstitute/terraform-ap-modules.git//identity-concentrator?ref=identity-concentrator-0.0.0" + + google_project = var.google_project + cluster = var.cluster + + providers = { + google.target = google.target + google-beta.target = google-beta.target + } +} diff --git a/terra-env/outputs.tf b/terra-env/outputs.tf new file mode 100644 index 00000000..55c71e6a --- /dev/null +++ b/terra-env/outputs.tf @@ -0,0 +1,46 @@ +# +# POC Service Outputs +# + +output "poc_sa_id" { + value = module.poc_service.app_sa_id +} + +output "poc_db_ip" { + value = module.poc_service.cloudsql_public_ip +} +output "poc_db_instance" { + value = module.poc_service.cloudsql_instance_name +} +output "poc_db_root_pass" { + value = module.poc_service.cloudsql_root_user_password + sensitive = true +} +output "poc_db_creds" { + value = module.poc_service.cloudsql_app_db_creds + sensitive = true +} + + +# +# Identity Concentrator Outputs +# + +output "ic_sa_id" { + value = module.identity_concentrator.app_sa_id +} + +output "ic_db_ip" { + value = module.identity_concentrator.cloudsql_public_ip +} +output "ic_db_instance" { + value = module.identity_concentrator.cloudsql_instance_name +} +output "ic_db_root_pass" { + value = module.identity_concentrator.cloudsql_root_user_password + sensitive = true +} +output "ic_db_creds" { + value = module.identity_concentrator.cloudsql_app_db_creds + sensitive = true +} diff --git a/terra-env/provider.tf b/terra-env/provider.tf new file mode 100644 index 00000000..389ece2d --- /dev/null +++ b/terra-env/provider.tf 
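Review bot: `poc_db_root_pass`, `poc_db_creds`, `ic_db_root_pass` and `ic_db_creds` in terra-env/outputs.tf re-export the database root password and app credentials as root-module outputs. In Terraform 0.12 `sensitive = true` only redacts them from CLI display; they remain in plaintext in the root state and are returned by `terraform output -json`, so anyone who can read the state backend, presumably including the CI account created by terra-cluster, obtains the root password of every environment database. If nothing consumes them at root level, drop the two `*_root_pass` outputs; otherwise add `# Stored in plaintext in state; restrict state-backend access accordingly` above them and consider handing credentials to the apps through a secret store rather than outputs.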
@@ -0,0 +1,7 @@ +provider "google" { + alias = "target" +} + +provider "google-beta" { + alias = "target" +} diff --git a/terra-env/variables.tf b/terra-env/variables.tf new file mode 100644 index 00000000..a82e40ae --- /dev/null +++ b/terra-env/variables.tf @@ -0,0 +1,25 @@ +# See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852 +variable dependencies { + type = any + default = [] + description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules." +} + + +# +# General Vars +# + +variable "google_project" { + description = "The google project" +} +variable "cluster" { + description = "Terra GKE cluster suffix, whatever is after terra-" +} +variable "owner" { + description = "Environment or developer" + default = "" +} +locals { + owner = var.owner == "" ? terraform.workspace : var.owner +} From 2a657595ac90552ebc23dabf0c97c47d216dfbb1 Mon Sep 17 00:00:00 2001 From: Greg Malkov <51164901+gmalkov@users.noreply.github.com> Date: Tue, 31 Mar 2020 16:24:39 -0400 Subject: [PATCH 2/8] Update outputs.tf --- identity-concentrator/outputs.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/identity-concentrator/outputs.tf b/identity-concentrator/outputs.tf index b2080894..f66d5149 100644 --- a/identity-concentrator/outputs.tf +++ b/identity-concentrator/outputs.tf @@ -25,6 +25,7 @@ output "cloudsql_root_user_password" { } output "cloudsql_app_db_creds" { + # Avoiding error on destroy with below condition value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service] sensitive = true } From 27de300f17beac3395e1539fcf59ff1c09303d9d Mon Sep 17 00:00:00 2001 From: Greg Malkov <51164901+gmalkov@users.noreply.github.com> Date: Tue, 31 Mar 2020 16:26:18 -0400 Subject: [PATCH 3/8] Update outputs.tf --- poc-service/outputs.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/poc-service/outputs.tf b/poc-service/outputs.tf index b2080894..f66d5149 100644 --- a/poc-service/outputs.tf 
+++ b/poc-service/outputs.tf @@ -25,6 +25,7 @@ output "cloudsql_root_user_password" { } output "cloudsql_app_db_creds" { + # Avoiding error on destroy with below condition value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service] sensitive = true } From 431cf69a230dbb03b6e2df0b8538b70ee65b45ca Mon Sep 17 00:00:00 2001 From: Greg Malkov <51164901+gmalkov@users.noreply.github.com> Date: Tue, 31 Mar 2020 16:30:34 -0400 Subject: [PATCH 4/8] Update sa.tf --- terra-cluster/sa.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terra-cluster/sa.tf b/terra-cluster/sa.tf index fe902f30..9a5c4439 100644 --- a/terra-cluster/sa.tf +++ b/terra-cluster/sa.tf @@ -2,13 +2,12 @@ # Service Accounts # -# CI access +# CI/GitHub Actions Service Account resource "google_service_account" "ci" { project = var.google_project account_id = "${local.owner}-ci-sa" display_name = "${local.owner}-ci-sa" } - resource "google_project_iam_member" "ci" { count = length(var.ci_sa_roles) project = var.google_project From 836cf9795025340931e7fd31e570f05c4cd3ed6b Mon Sep 17 00:00:00 2001 From: Greg Malkov <51164901+gmalkov@users.noreply.github.com> Date: Wed, 1 Apr 2020 08:54:56 -0400 Subject: [PATCH 5/8] Delete apps.tf~Stashed changes --- terra-env/apps.tf~Stashed changes | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 terra-env/apps.tf~Stashed changes diff --git a/terra-env/apps.tf~Stashed changes b/terra-env/apps.tf~Stashed changes deleted file mode 100644 index 40198d06..00000000 --- a/terra-env/apps.tf~Stashed changes +++ /dev/null 
@@ -1,23 +0,0 @@ -module "poc_service" { - source = "github.com/broadinstitute/terraform-ap-modules.git//poc-service?ref=poc-service-0.0.0" - - google_project = var.google_project - cluster = var.cluster - - providers = { - google.target = google.target - google-beta.target = google-beta.target - } -} - -module "identity_concentrator" { - source = "github.com/broadinstitute/terraform-ap-modules.git//identity-concentrator?ref=identity-concentrator-0.0.0" - - google_project = var.google_project - cluster = var.cluster - - providers = { - google.target = google.target - google-beta.target = google-beta.target - } -} From c28eeb098b540608b6d9fade773db746203412ed Mon Sep 17 00:00:00 2001 From: Greg Malkov Date: Wed, 1 Apr 2020 09:49:26 -0400 Subject: [PATCH 6/8] format and moving vars to locals --- identity-concentrator/cloudsql.tf | 10 +++--- identity-concentrator/outputs.tf | 4 +-- identity-concentrator/sa.tf | 8 ++--- identity-concentrator/variables.tf | 51 ++++++++++++++---------------- poc-service/cloudsql.tf | 10 +++--- poc-service/outputs.tf | 4 +-- poc-service/sa.tf | 8 ++--- poc-service/variables.tf | 39 ++++++++++------------- terra-cluster/api-services.tf | 4 +-- terra-cluster/k8s.tf | 20 ++++++------ terra-cluster/nat.tf | 14 ++++---- terra-cluster/network.tf | 8 ++--- terra-cluster/sa.tf | 4 +-- terra-cluster/variables.tf | 38 +++++++++------------- terra-env/apps.tf | 8 ++--- terra-env/outputs.tf | 10 +++--- terra-env/variables.tf | 7 ++-- 17 files changed, 114 insertions(+), 133 deletions(-) diff --git a/identity-concentrator/cloudsql.tf b/identity-concentrator/cloudsql.tf index a6f65395..bd74de4d 100644 --- a/identity-concentrator/cloudsql.tf +++ b/identity-concentrator/cloudsql.tf 
@@ -1,19 +1,19 @@ module "cloudsql" { - source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" providers = { - google.target = google.target + google.target = google.target } project = var.google_project - cloudsql_name = "${var.service}-db-${local.owner}" + cloudsql_name = "${local.service}-db-${local.owner}" cloudsql_instance_labels = { "env" = local.owner - "app" = var.service + "app" = local.service } cloudsql_tier = var.db_tier app_dbs = { - "${var.service}" = { + "${local.service}" = { db = local.db_name username = local.db_user } diff --git a/identity-concentrator/outputs.tf b/identity-concentrator/outputs.tf index f66d5149..4f3e01b3 100644 --- a/identity-concentrator/outputs.tf +++ b/identity-concentrator/outputs.tf @@ -20,12 +20,12 @@ output "cloudsql_instance_name" { } output "cloudsql_root_user_password" { - value = module.cloudsql.root_user_password + value = module.cloudsql.root_user_password sensitive = true } output "cloudsql_app_db_creds" { # Avoiding error on destroy with below condition - value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service] + value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[local.service] sensitive = true } diff --git a/identity-concentrator/sa.tf b/identity-concentrator/sa.tf index 5fb7349a..4c7ebc55 100644 --- a/identity-concentrator/sa.tf +++ b/identity-concentrator/sa.tf 
@@ -1,12 +1,12 @@ resource "google_service_account" "app" { project = var.google_project - account_id = "${var.service}-${local.owner}" - display_name = "${var.service}-${local.owner}" + account_id = "${local.service}-${local.owner}" + display_name = "${local.service}-${local.owner}" } resource "google_project_iam_member" "app_roles" { - count = length(var.sa_roles) + count = length(local.sa_roles) project = var.google_project - role = var.sa_roles[count.index] + role = local.sa_roles[count.index] member = "serviceAccount:${google_service_account.app.email}" } diff --git a/identity-concentrator/variables.tf b/identity-concentrator/variables.tf index 23c9d6de..196e170e 100644 --- a/identity-concentrator/variables.tf +++ b/identity-concentrator/variables.tf @@ -1,7 +1,7 @@ # See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852 variable dependencies { - type = any - default = [] + type = any + default = [] description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules." } 
@@ -10,63 +10,60 @@ variable dependencies { # General Vars # variable "google_project" { - type = string + type = string description = "The google project" } variable "cluster" { description = "Terra GKE cluster suffix, whatever is after terra-" } variable "owner" { - type = string + type = string description = "Environment or developer" - default = "" + default = "" } locals { - owner = var.owner == "" ? terraform.workspace : var.owner -} -variable "service" { - description = "App name" - default = "ic" + owner = var.owner == "" ? terraform.workspace : var.owner + service = "ic" } # # Service Account Vars # - variable "sa_roles" { - type = list(string) + type = list(string) description = "Service account roles" default = [ - "roles/cloudsql.client", // To use cloudsql - "roles/cloudkms.cryptoKeyEncrypterDecrypter", // To encrypt sensitive data to store in datastore - "roles/cloudkms.publicKeyViewer", // To sign jwt with kms - "roles/cloudkms.signer", // To sign jwt with kms - "roles/datastore.indexAdmin", // TO mange datastore index - "roles/datastore.user", // To use datastore - "roles/cloudkms.admin", // To manage cryptographic keys for IC - "roles/monitoring.editor" // To use stackdriver + "roles/cloudsql.client", // To use cloudsql + "roles/cloudkms.cryptoKeyEncrypterDecrypter", // To encrypt sensitive data to store in datastore + "roles/cloudkms.publicKeyViewer", // To sign jwt with kms + "roles/cloudkms.signer", // To sign jwt with kms + "roles/datastore.indexAdmin", // TO mange datastore index + "roles/datastore.user", // To use datastore + "roles/cloudkms.admin", // To manage cryptographic keys for IC + "roles/monitoring.editor" // To use stackdriver ] } + # # Postgres CloudSQL DB Vars # variable "db_tier" { - default = "db-g1-small" + default = "db-g1-small" description = "The default tier (DB instance size) for the CloudSQL instance" } variable "db_name" { - type = string + type = string description = "Postgres db name" - default = "" + default = "" } 
variable "db_user" { - type = string + type = string description = "Postgres username" - default = "" + default = "" } locals { - db_name = var.db_name == "" ? var.service : var.db_name - db_user = var.db_user == "" ? var.service : var.db_user + db_name = var.db_name == "" ? local.service : var.db_name + db_user = var.db_user == "" ? local.service : var.db_user } diff --git a/poc-service/cloudsql.tf b/poc-service/cloudsql.tf index a6f65395..bd74de4d 100644 --- a/poc-service/cloudsql.tf +++ b/poc-service/cloudsql.tf @@ -1,19 +1,19 @@ module "cloudsql" { - source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/cloudsql-postgres?ref=cloudsql-postgres-1.0.0-tf-0.12" providers = { - google.target = google.target + google.target = google.target } project = var.google_project - cloudsql_name = "${var.service}-db-${local.owner}" + cloudsql_name = "${local.service}-db-${local.owner}" cloudsql_instance_labels = { "env" = local.owner - "app" = var.service + "app" = local.service } cloudsql_tier = var.db_tier app_dbs = { - "${var.service}" = { + "${local.service}" = { db = local.db_name username = local.db_user } diff --git a/poc-service/outputs.tf b/poc-service/outputs.tf index f66d5149..4f3e01b3 100644 --- a/poc-service/outputs.tf +++ b/poc-service/outputs.tf @@ -20,12 +20,12 @@ output "cloudsql_instance_name" { } output "cloudsql_root_user_password" { - value = module.cloudsql.root_user_password + value = module.cloudsql.root_user_password sensitive = true } output "cloudsql_app_db_creds" { # Avoiding error on destroy with below condition - value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[var.service] + value = length(module.cloudsql.app_db_creds) == 0 ? {} : module.cloudsql.app_db_creds[local.service] sensitive = true } 
diff --git a/poc-service/sa.tf b/poc-service/sa.tf index 5fb7349a..4c7ebc55 100644 --- a/poc-service/sa.tf +++ b/poc-service/sa.tf @@ -1,12 +1,12 @@ resource "google_service_account" "app" { project = var.google_project - account_id = "${var.service}-${local.owner}" - display_name = "${var.service}-${local.owner}" + account_id = "${local.service}-${local.owner}" + display_name = "${local.service}-${local.owner}" } resource "google_project_iam_member" "app_roles" { - count = length(var.sa_roles) + count = length(local.sa_roles) project = var.google_project - role = var.sa_roles[count.index] + role = local.sa_roles[count.index] member = "serviceAccount:${google_service_account.app.email}" } diff --git a/poc-service/variables.tf b/poc-service/variables.tf index 4aedd198..4ef8392b 100644 --- a/poc-service/variables.tf +++ b/poc-service/variables.tf @@ -1,7 +1,7 @@ # See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852 variable dependencies { - type = any - default = [] + type = any + default = [] description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules." } 
@@ -10,57 +10,52 @@ variable dependencies { # General Vars # variable "google_project" { - type = string + type = string description = "The google project" } variable "cluster" { description = "Terra GKE cluster suffix, whatever is after terra-" } variable "owner" { - type = string + type = string description = "Environment or developer" - default = "" + default = "" } locals { - owner = var.owner == "" ? terraform.workspace : var.owner -} -variable "service" { - description = "App name" - default = "poc" + owner = var.owner == "" ? terraform.workspace : var.owner + service = "poc" } # # Service Account Vars # - -variable "sa_roles" { - type = list(string) - description = "Service account roles" - default = [ +locals { + sa_roles = [ "roles/storage.admin", "roles/container.admin" ] } + # # Postgres CloudSQL DB Vars # variable "db_tier" { - default = "db-g1-small" + default = "db-g1-small" description = "The default tier (DB instance size) for the CloudSQL instance" } variable "db_name" { - type = string + type = string description = "Postgres db name" - default = "" + default = "" } variable "db_user" { - type = string + type = string description = "Postgres username" - default = "" + default = "" } locals { - db_name = var.db_name == "" ? var.service : var.db_name - db_user = var.db_user == "" ? var.service : var.db_user + db_name = var.db_name == "" ? local.service : var.db_name + db_user = var.db_user == "" ? local.service : var.db_user } diff --git a/terra-cluster/api-services.tf b/terra-cluster/api-services.tf index 828fb01d..aff191da 100644 --- a/terra-cluster/api-services.tf +++ b/terra-cluster/api-services.tf @@ -4,8 +4,8 @@ module "enable-services" { providers = { google.target = google.target } - project = var.google_project - services = [ + project = var.google_project + services = [ "serviceusage.googleapis.com", "container.googleapis.com", "iam.googleapis.com", diff --git a/terra-cluster/k8s.tf b/terra-cluster/k8s.tf index 9b210a25..7c57ef0f 100644 
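Review bot: The new `locals { sa_roles = [...] }` block in poc-service/variables.tf hard-codes project-wide `roles/storage.admin` and `roles/container.admin` for the app service account (bound in poc-service/sa.tf by `google_project_iam_member.app_roles` with `project = var.google_project`), and by turning the former variable into a local it also removes the only way a caller could narrow that grant. Unlike identity-concentrator/variables.tf, where each role carries a `//` comment stating what it is needed for, these two entries have no rationale, so a reader cannot tell whether a bucket- or cluster-scoped binding would be sufficient. Suggest either keeping `sa_roles` as a variable with this list as its default, or annotating each entry, e.g. `"roles/storage.admin", // TODO(review): state which buckets/operations the poc app needs; consider a bucket-level binding`. The same applies to the new `ci_sa_roles` local in terra-cluster/variables.tf, which grants the CI service account the same two project-wide roles.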
--- a/terra-cluster/k8s.tf +++ b/terra-cluster/k8s.tf @@ -1,17 +1,17 @@ module "k8s-master" { # terraform-shared repo - source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/k8s-master?ref=k8s-master-0.2.1-tf-0.12" + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/k8s-master?ref=k8s-master-0.2.1-tf-0.12" dependencies = [ module.enable-services, google_compute_network.k8s-cluster-network ] - name = local.cluster_name - location = var.cluster_location + name = local.cluster_name + location = var.cluster_location version_prefix = var.k8s_version_prefix - network = local.cluster_network - subnetwork = local.cluster_network + network = local.cluster_network + subnetwork = local.cluster_network private_ipv4_cidr_block = var.private_master_ipv4_cidr_block istio_enable = true @@ -19,19 +19,19 @@ module "k8s-master" { module "k8s-node-pool" { # terraform-shared repo - source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/k8s-node-pool?ref=k8s-node-pool-0.1.0-tf-0.12" + source = "github.com/broadinstitute/terraform-shared.git//terraform-modules/k8s-node-pool?ref=k8s-node-pool-0.1.0-tf-0.12" dependencies = [ module.k8s-master ] - name = var.node_pools[0].name + name = var.node_pools[0].name master_name = module.k8s-master.name - location = var.cluster_location + location = var.cluster_location - node_count = var.node_pools[0].node_count + node_count = var.node_pools[0].node_count machine_type = var.node_pools[0].machine_type disk_size_gb = var.node_pools[0].disk_size_gb labels = var.node_pools[0].labels - tags = [ "k8s-${module.k8s-master.name}-node-${var.node_pools[0].name}" ] + tags = ["k8s-${module.k8s-master.name}-node-${var.node_pools[0].name}"] } diff --git a/terra-cluster/nat.tf b/terra-cluster/nat.tf index 83373342..93972103 100644 --- a/terra-cluster/nat.tf +++ b/terra-cluster/nat.tf 
@@ -1,7 +1,7 @@ # Create a NAT router for k8s so nodes can interact with external services as a static IP. resource "google_compute_router" "router" { - name = "${var.service}-${local.owner}" + name = "${local.service}-${local.owner}" project = var.google_project network = google_compute_network.k8s-cluster-network.self_link @@ -11,19 +11,19 @@ resource "google_compute_router" "router" { } resource "google_compute_address" "nat-address" { - count = 2 - name = "${var.service}-${local.owner}-${count.index}" - project = var.google_project + count = 2 + name = "${local.service}-${local.owner}-${count.index}" + project = var.google_project depends_on = [module.enable-services] } resource "google_compute_router_nat" "nat" { - name = "${var.service}-${local.owner}" + name = "${local.service}-${local.owner}" project = var.google_project - router = google_compute_router.router.name + router = google_compute_router.router.name nat_ip_allocate_option = "MANUAL_ONLY" - nat_ips = google_compute_address.nat-address[*].self_link + nat_ips = google_compute_address.nat-address[*].self_link source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" } diff --git a/terra-cluster/network.tf b/terra-cluster/network.tf index b938b661..36ed5446 100644 --- a/terra-cluster/network.tf +++ b/terra-cluster/network.tf @@ -1,7 +1,7 @@ -resource "google_compute_network" "k8s-cluster-network" { - provider = google-beta.target +resource "google_compute_network" "k8s-cluster-network" { + provider = google-beta.target project = var.google_project - name = local.cluster_network + name = local.cluster_network auto_create_subnetworks = true - depends_on = [ module.enable-services ] + depends_on = [module.enable-services] } diff --git a/terra-cluster/sa.tf b/terra-cluster/sa.tf index 9a5c4439..b5540bd4 100644 --- a/terra-cluster/sa.tf +++ b/terra-cluster/sa.tf 
@@ -9,8 +9,8 @@ resource "google_service_account" "ci" { display_name = "${local.owner}-ci-sa" } resource "google_project_iam_member" "ci" { - count = length(var.ci_sa_roles) + count = length(local.ci_sa_roles) project = var.google_project - role = element(var.ci_sa_roles, count.index) + role = element(local.ci_sa_roles, count.index) member = "serviceAccount:${google_service_account.ci.email}" } diff --git a/terra-cluster/variables.tf b/terra-cluster/variables.tf index 7006cb27..2d865dde 100644 --- a/terra-cluster/variables.tf +++ b/terra-cluster/variables.tf @@ -1,7 +1,7 @@ # See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852 variable dependencies { - type = any - default = [] + type = any + default = [] description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules." } 
@@ -9,47 +9,42 @@ variable dependencies { # # General Vars # - variable "google_project" { description = "The google project" } variable "owner" { description = "Environment or developer" - default = "" + default = "" } locals { - owner = var.owner == "" ? terraform.workspace : var.owner -} -variable "service" { - description = "App name" - default = "terra" + owner = var.owner == "" ? terraform.workspace : var.owner + service = "terra" } # # k8s Vars # - variable "cluster_location" { - type = string + type = string default = "us-central1-a" } variable "cluster_name" { - type = string + type = string default = "" } locals { - cluster_name = var.cluster_name == "" ? "${var.service}-${local.owner}" : var.cluster_name + cluster_name = var.cluster_name == "" ? "${local.service}-${local.owner}" : var.cluster_name } variable "cluster_network" { - type = string + type = string default = "" } locals { - cluster_network = var.cluster_network == "" ? "${var.service}-${local.owner}" : var.cluster_network + cluster_network = var.cluster_network == "" ? "${local.service}-${local.owner}" : var.cluster_network } variable "k8s_version_prefix" { - default = "1.15.9" + default = "1.15.9" } variable "private_master_ipv4_cidr_block" { default = "10.128.18.0/28" @@ -57,8 +52,8 @@ variable "private_master_ipv4_cidr_block" { variable "node_pools" { default = [ { - name = "default", - node_count = 6, + name = "default", + node_count = 6, machine_type = "n1-standard-4", disk_size_gb = 200, labels = { @@ -69,14 +64,11 @@ variable "node_pools" { } - # # CI SA vars # - -variable "ci_sa_roles" { - type = list(string) - default = [ +locals { + ci_sa_roles = [ "roles/storage.admin", "roles/container.admin" ] diff --git a/terra-env/apps.tf b/terra-env/apps.tf index 40198d06..97acc88a 100644 --- a/terra-env/apps.tf +++ b/terra-env/apps.tf 
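Review bot: The new `service = "terra"` local in terra-cluster/variables.tf replaces a variable that had `description = "App name"` but carries no comment, even though `cluster_name` and `cluster_network` in the same hunk, and the router and NAT address names in terra-cluster/nat.tf, are all derived from `"${local.service}-${local.owner}"`. Because `owner` falls back to `terraform.workspace` when unset, the workspace name appears to feed every default resource name in the cluster, which is worth stating next to the prefix now that it is fixed. Suggest `# Fixed name prefix for cluster-level resources (cluster, network, NAT); combined with local.owner, which defaults to the workspace name.` on the `service = "terra"` line.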
@@ -1,23 +1,23 @@ module "poc_service" { - source = "github.com/broadinstitute/terraform-ap-modules.git//poc-service?ref=poc-service-0.0.0" + source = "github.com/broadinstitute/terraform-ap-modules.git//poc-service?ref=poc-service-0.0.0" google_project = var.google_project cluster = var.cluster providers = { - google.target = google.target + google.target = google.target google-beta.target = google-beta.target } } module "identity_concentrator" { - source = "github.com/broadinstitute/terraform-ap-modules.git//identity-concentrator?ref=identity-concentrator-0.0.0" + source = "github.com/broadinstitute/terraform-ap-modules.git//identity-concentrator?ref=identity-concentrator-0.0.0" google_project = var.google_project cluster = var.cluster providers = { - google.target = google.target + google.target = google.target google-beta.target = google-beta.target } } diff --git a/terra-env/outputs.tf b/terra-env/outputs.tf index 55c71e6a..64396802 100644 --- a/terra-env/outputs.tf +++ b/terra-env/outputs.tf @@ -1,7 +1,6 @@ # # POC Service Outputs # - output "poc_sa_id" { value = module.poc_service.app_sa_id } @@ -13,11 +12,11 @@ output "poc_db_instance" { value = module.poc_service.cloudsql_instance_name } output "poc_db_root_pass" { - value = module.poc_service.cloudsql_root_user_password + value = module.poc_service.cloudsql_root_user_password sensitive = true } output "poc_db_creds" { - value = module.poc_service.cloudsql_app_db_creds + value = module.poc_service.cloudsql_app_db_creds sensitive = true } @@ -25,7 +24,6 @@ output "poc_db_creds" { # # Identity Concentrator Outputs # - output "ic_sa_id" { value = module.identity_concentrator.app_sa_id } 
@@ -37,10 +35,10 @@ output "ic_db_instance" { value = module.identity_concentrator.cloudsql_instance_name } output "ic_db_root_pass" { - value = module.identity_concentrator.cloudsql_root_user_password + value = module.identity_concentrator.cloudsql_root_user_password sensitive = true } output "ic_db_creds" { - value = module.identity_concentrator.cloudsql_app_db_creds + value = module.identity_concentrator.cloudsql_app_db_creds sensitive = true } diff --git a/terra-env/variables.tf b/terra-env/variables.tf index a82e40ae..c31903e8 100644 --- a/terra-env/variables.tf +++ b/terra-env/variables.tf @@ -1,7 +1,7 @@ # See: https://github.com/hashicorp/terraform/issues/21418#issuecomment-495818852 variable dependencies { - type = any - default = [] + type = any + default = [] description = "Work-around for Terraform 0.12's lack of support for 'depends_on' in custom modules." } @@ -9,7 +9,6 @@ variable dependencies { # # General Vars # - variable "google_project" { description = "The google project" } @@ -18,7 +17,7 @@ variable "cluster" { } variable "owner" { description = "Environment or developer" - default = "" + default = "" } locals { owner = var.owner == "" ? terraform.workspace : var.owner From 730f8c8c723d44c4883a5842a58f886af1a4fc7e Mon Sep 17 00:00:00 2001 From: Greg Malkov Date: Wed, 1 Apr 2020 13:36:47 -0400 Subject: [PATCH 7/8] add READMEs --- terra-cluster/README.md | 4 ++++ terra-env/README.md | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 terra-cluster/README.md create mode 100644 terra-env/README.md diff --git a/terra-cluster/README.md b/terra-cluster/README.md new file mode 100644 index 00000000..08c5a424 --- /dev/null +++ b/terra-cluster/README.md 
@@ -0,0 +1,4 @@ +# terra-cluster deployment +This Terraform deployment definition manages Terra Framework clusters and cluster-level infrastructure configuration, such as the networks/NATs. +This configuration is namespaced by cluster with TF workspaces & Atlantis project definitions for each different Terra cluster it manages. +For more information and until this README is expanded, check out the [framework deployment doc](https://docs.dsp-devops.broadinstitute.org/framework-kernel-new-stack/framework-deployment). \ No newline at end of file diff --git a/terra-env/README.md b/terra-env/README.md new file mode 100644 index 00000000..f9b239e6 --- /dev/null +++ b/terra-env/README.md @@ -0,0 +1,3 @@ +# terra-env deployment +This Terraform deployment definition manages manages any resources for a single Terra framework environment. This configuration is namespaced by Terra environment, with Terraform workspaces & Atlantis project definitions for each one. +For more information and until this README is expanded, check out the [framework deployment doc](https://docs.dsp-devops.broadinstitute.org/framework-kernel-new-stack/framework-deployment). \ No newline at end of file From 97c0873524413d82558d2fcea8dd0ed454749c1b Mon Sep 17 00:00:00 2001 From: Greg Malkov Date: Wed, 1 Apr 2020 14:07:45 -0400 Subject: [PATCH 8/8] syntax --- identity-concentrator/variables.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/identity-concentrator/variables.tf b/identity-concentrator/variables.tf index 196e170e..306dd085 100644 --- a/identity-concentrator/variables.tf +++ b/identity-concentrator/variables.tf 
@@ -30,10 +30,8 @@ locals { # # Service Account Vars # -variable "sa_roles" { - type = list(string) - description = "Service account roles" - default = [ +locals { + sa_roles = [ "roles/cloudsql.client", // To use cloudsql "roles/cloudkms.cryptoKeyEncrypterDecrypter", // To encrypt sensitive data to store in datastore "roles/cloudkms.publicKeyViewer", // To sign jwt with kms