From 6753845c9ff1d09ad32d54056753e8e8f2ee06fb Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Fri, 13 Aug 2021 11:06:19 +0100
Subject: [PATCH 1/9] NAP-275 add dns config

---
 experimental/terraform/outputs.tf | 3 ++-
 .../terraform/resource_event_handler.tf | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/experimental/terraform/outputs.tf b/experimental/terraform/outputs.tf
index fae958a0..7c128a40 100644
--- a/experimental/terraform/outputs.tf
+++ b/experimental/terraform/outputs.tf
@@ -3,7 +3,8 @@ output "event_handler_endpoint" {
 }
 
 output "event_handler_dns" {
- value = try(google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0], null)
+ # value = try(google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0], null)
+ value = try(module.event_hander_dns.name_servers, null)
 }
 
 output "event_handler_secret" {
diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf
index 0ec3d06e..4dda0a6f 100644
--- a/experimental/terraform/resource_event_handler.tf
+++ b/experimental/terraform/resource_event_handler.tf
@@ -2,6 +2,10 @@ resource "google_project_service" "sm_api" {
 service = "secretmanager.googleapis.com"
 }
 
+resource "google_project_service" "dns_api" {
+ service = "dns.googleapis.com"
+}
+
 resource "google_cloud_run_service" "event_handler" {
 name = "event-handler"
 location = length(var.mapped_domain) > 0 ? var.google_domain_mapping_region : var.google_region
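Review bot: The new `value = try(module.event_hander_dns.name_servers, null)` line spells the module name without the "l" in "handler", and the module block added in the following hunk of resource_event_handler.tf (`module "event_hander_dns"`) carries the same spelling, so the typo becomes part of the Terraform state address and is repeated again in the outputs.tf hunk of PATCH 9/9. Renaming a module after it has been applied needs a `terraform state mv` (or a destroy/recreate of the zone), so it is cheapest to fix before this series lands: `module "event_handler_dns"` in resource_event_handler.tf and `module.event_handler_dns` wherever it is referenced.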
@@ -53,6 +57,20 @@ resource "google_cloud_run_domain_mapping" "event_handler" {
 }
 }
 
+module "event_hander_dns" {
+ source = "terraform-google-modules/cloud-dns/google"
+ version = "3.1.0"
+ count = length(var.mapped_domain) > 0 ? 1 : 0
+
+ project_id = var.google_project_id
+ name = replace(replace(lower(trimspace(var.mapped_domain)), ".", "-"), "/[^a-z0-9\\-]/", "")
+ domain = "${var.mapped_domain}."
+
+ recordsets = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"]
+
+ depends_on = [google_project_service.dns_api]
+}
+
 resource "google_cloud_run_service_iam_binding" "noauth" {
 count = var.make_event_handler_public ? 1 : 0
 location = length(var.mapped_domain) > 0 ? var.google_domain_mapping_region : var.google_region

From 73964679c4773e501da0a2c31605509b812c566d Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Fri, 13 Aug 2021 11:24:19 +0100
Subject: [PATCH 2/9] NAP-275 add recordsets

---
 experimental/terraform/resource_event_handler.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf
index 4dda0a6f..d10dd5ac 100644
--- a/experimental/terraform/resource_event_handler.tf
+++ b/experimental/terraform/resource_event_handler.tf
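Review bot: The zone `name` built by `replace(replace(lower(trimspace(var.mapped_domain)), ".", "-"), "/[^a-z0-9\\-]/", "")` is not guaranteed to be a valid managed-zone name: the `count` guard only checks `length(var.mapped_domain) > 0`, so a whitespace-only value passes the guard and then collapses to an empty name after `trimspace`, and if I recall the Cloud DNS naming rule correctly a name must also begin with a letter and stay within 63 characters, which a domain starting with a digit or a long multi-label domain would violate only at apply time. A `validation` block on `var.mapped_domain` (declared outside this hunk) would surface that at plan time; at minimum the line deserves a comment stating the intended transformation, e.g. `# zone name = mapped domain with dots as hyphens, reduced to [a-z0-9-] to satisfy Cloud DNS name rules`.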
@@ -66,7 +66,16 @@ module "event_hander_dns" {
 name = replace(replace(lower(trimspace(var.mapped_domain)), ".", "-"), "/[^a-z0-9\\-]/", "")
 domain = "${var.mapped_domain}."
 
- recordsets = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"]
+ recordsets = [
+ {
+ name = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["name"]
+ type = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["type"]
+ ttl = 3600
+ records = [
+ google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["rrdata"]
+ ]
+ }
+ ]
 
 depends_on = [google_project_service.dns_api]
 }

From c9879032400c0878d30d7332cd561e65714399c4 Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Fri, 13 Aug 2021 16:18:58 +0100
Subject: [PATCH 3/9] NAP-275 update eventhandler dns

---
 experimental/terraform/resource_event_handler.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf
index d10dd5ac..a996c2bc 100644
--- a/experimental/terraform/resource_event_handler.tf
+++ b/experimental/terraform/resource_event_handler.tf
@@ -65,6 +65,8 @@ module "event_hander_dns" {
 project_id = var.google_project_id
 name = replace(replace(lower(trimspace(var.mapped_domain)), ".", "-"), "/[^a-z0-9\\-]/", "")
 domain = "${var.mapped_domain}."
+ type = "public"
+ dnssec_config = { state : "on" }
 
 recordsets = [
 {

From cabc4c1aecd920f84b7c8da1bc91fed3d895567e Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Mon, 16 Aug 2021 10:38:46 +0100
Subject: [PATCH 4/9] NAP-275 add nandos specific instructions

Co-authored-by: Matthew Green
Co-authored-by: Marco Hernandez
---
 experimental/terraform/README.md | 123 ++++++++++++++++++++++++++++---
 1 file changed, 112 insertions(+), 11 deletions(-)
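Review bot: In the PATCH 3/9 hunk, `dnssec_config = { state : "on" }` turns on signing for the now-`public` zone but says nothing about key specs, so the zone inherits whatever the module defaults to; in the copy of the module vendored later in this series (cloud-dns/main.tf) the defaults are `rsasha256` with a 2048-bit key-signing key and a 1024-bit zone-signing key (`key_length = 1024`), and the registry release pinned at this point presumably matches. A 1024-bit RSA ZSK is below current guidance, so pass `default_key_specs_zone = { key_length = 2048 }` alongside, or set algorithm and length explicitly for both keys so the choice lives in this file and a module upgrade cannot silently change it. A one-line comment such as `# public zone signed with DNSSEC; key specs are set explicitly rather than inherited from the module` would record the intent. The `module "event_hander_dns"` block continues outside this hunk.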
diff --git a/experimental/terraform/README.md b/experimental/terraform/README.md index 9cda4a67..ea88cdf7 100644 --- a/experimental/terraform/README.md +++ b/experimental/terraform/README.md @@ -1,24 +1,28 @@ # Experimental Terraform setup -This folder contains terraform scripts to provision all of the infrastructure in a Four Keys GCP project. +This folder contains terraform scripts to provision all of the infrastructure in a Four Keys GCP project. **DO NOT USE!** This isn't ready for production yet (though it's close!) ## How to use + 1. run `setup.sh`; this will: - * create a project for Four Keys - * purge all terraform state [useful during tf development] - * build containers using Cloud Build - * create a `terraform.tfvars` file - * invoke terraform + +- create a project for Four Keys +- purge all terraform state [useful during tf development] +- build containers using Cloud Build +- create a `terraform.tfvars` file +- invoke terraform + 1. run the following commands to retrieve values needed for your SCM: - * ``` - echo `terraform output -raw event_handler_endpoint` - echo `terraform output -raw event_handler_secret` - ``` +- ``` + echo `terraform output -raw event_handler_endpoint` + echo `terraform output -raw event_handler_secret` + ``` Current functionality: + - Create a GCP project (outside of terraform) - Build the event-handler container image and push to GCR [TODO: use AR instead] - Deploy the event-handler container as a Cloud Run service 
@@ -35,8 +39,105 @@ Current functionality: - Allow user to choose whether to generate test data Open questions: + - Should we create a service account and run TF as that, or keep the current process of using application default credentials of the user who invokes the script? Answered questions: + - What's an elegant way to support those user inputs (VCS, CI/CD) as conditionals in the TF? (see implementation: generate a list of parsers to create) -- Should we create the GCP project in terraform? No. The auth gets really complicated, especially when considering that the project may or may not be in an organization and/or folder \ No newline at end of file +- Should we create the GCP project in terraform? No. The auth gets really complicated, especially when considering that the project may or may not be in an organization and/or folder + +**Following is Nando's specific!** WIP + +## Set Up + +We recommend the use of [tfenv](https://github.com/tfutils/tfenv) to install and use the version defined in the code. + +### Terraform Service Account + +This code is set up to use a terraform service account with the least privileges to create the resources needed, therefore you will need to create one in your project (TODO: move to setup.sh): + +``` +gcloud init # To select existing email and project + +# The follow unset command clear any old credentials that may get in the way of impersonation +unset GOOGLE_OAUTH_ACCESS_TOKEN +unset GOOGLE_APPLICATION_CREDENTIALS +unset GOOGLE_CREDENTIALS + +gcloud auth application-default login # login as you to allow service account impersonation. 
+PROJECT_ID=$(gcloud config get-value project) +TF_SA_NAME=terraform +gcloud iam service-accounts create ${TF_SA_NAME} \ + --description "Infrastructure Provisioner" \ + --display-name "Terraform" +# grant service account permission to view Admin Project & Manage Cloud Storage +for ROLE in 'viewer' 'storage.admin' 'cloudbuild.builds.builder' 'artifactregistry.admin' 'bigquery.dataEditor' 'bigquery.jobUser' 'containerregistry.ServiceAgent' 'dns.admin' 'iam.serviceAccountCreator' 'iam.serviceAccountDeleter' 'iam.serviceAccountUser' 'pubsub.admin' 'resourcemanager.projectIamAdmin' 'run.admin' 'secretmanager.admin' 'serviceusage.apiKeysAdmin'; do + gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member serviceAccount:${TF_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \ + --role roles/${ROLE} +done + +for API in 'cloudbuild.googleapis.com' 'cloudresourcemanager.googleapis.com' 'iamcredentials.googleapis.com' 'artifactregistry.googleapis.com' 'bigquery.googleapis.com' 'bigquerydatatransfer.googleapis.com' 'containerregistry.googleapis.com' 'dns.googleapis.com' 'iam.googleapis.com' 'run.googleapis.com' 'secretmanager.googleapis.com' 'serviceusage.googleapis.com'; do + gcloud services enable "${API}" +done +``` + +#### Terraform Files + +You will need to create a backend in an environment folder (experimental/terraform): + +``` +PROJECT_REGION=europe-west2 +cat > backend.tf < environment.auto.tfvars < Date: Mon, 16 Aug 2021 10:44:57 +0100 Subject: [PATCH 5/9] NAP-275 add cloud-dns Co-authored-by: Matthew Green Co-authored-by: Marco Hernandez --- experimental/terraform/cloud-dns/main.tf | 153 ++++++++++++++++++ experimental/terraform/cloud-dns/outputs.tf | 61 +++++++ experimental/terraform/cloud-dns/variables.tf | 108 +++++++++++++ experimental/terraform/cloud-dns/versions.tf | 39 +++++ .../terraform/resource_event_handler.tf | 2 +- 5 files changed, 362 insertions(+), 1 deletion(-) create mode 100644 experimental/terraform/cloud-dns/main.tf create mode 100644 
experimental/terraform/cloud-dns/outputs.tf
 create mode 100644 experimental/terraform/cloud-dns/variables.tf
 create mode 100644 experimental/terraform/cloud-dns/versions.tf

diff --git a/experimental/terraform/cloud-dns/main.tf b/experimental/terraform/cloud-dns/main.tf
new file mode 100644
index 00000000..9ecc0e5c
--- /dev/null
+++ b/experimental/terraform/cloud-dns/main.tf
@@ -0,0 +1,153 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ is_static_zone = var.type == "public" || var.type == "private"
+}
+
+resource "google_dns_managed_zone" "peering" {
+ count = var.type == "peering" ? 1 : 0
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ dns_name = var.domain
+ description = var.description
+ labels = var.labels
+ visibility = "private"
+ force_destroy = var.force_destroy
+
+ private_visibility_config {
+ dynamic "networks" {
+ for_each = var.private_visibility_config_networks
+ content {
+ network_url = networks.value
+ }
+ }
+ }
+
+ peering_config {
+ target_network {
+ network_url = var.target_network
+ }
+ }
+}
+
+resource "google_dns_managed_zone" "forwarding" {
+ count = var.type == "forwarding" ? 1 : 0
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ dns_name = var.domain
+ description = var.description
+ labels = var.labels
+ visibility = "private"
+ force_destroy = var.force_destroy
+
+ private_visibility_config {
+ dynamic "networks" {
+ for_each = var.private_visibility_config_networks
+ content {
+ network_url = networks.value
+ }
+ }
+ }
+
+ forwarding_config {
+ dynamic "target_name_servers" {
+ for_each = var.target_name_server_addresses
+ content {
+ ipv4_address = target_name_servers.value.ipv4_address
+ forwarding_path = target_name_servers.value.forwarding_path
+ }
+ }
+ }
+}
+
+resource "google_dns_managed_zone" "private" {
+ count = var.type == "private" ? 1 : 0
+ project = var.project_id
+ name = var.name
+ dns_name = var.domain
+ description = var.description
+ labels = var.labels
+ visibility = "private"
+ force_destroy = var.force_destroy
+
+ private_visibility_config {
+ dynamic "networks" {
+ for_each = var.private_visibility_config_networks
+ content {
+ network_url = networks.value
+ }
+ }
+ }
+}
+
+resource "google_dns_managed_zone" "public" {
+ count = var.type == "public" ? 1 : 0
+ project = var.project_id
+ name = var.name
+ dns_name = var.domain
+ description = var.description
+ labels = var.labels
+ visibility = "public"
+ force_destroy = var.force_destroy
+
+ dynamic "dnssec_config" {
+ for_each = var.dnssec_config == {} ? [] : [var.dnssec_config]
+ iterator = config
+ content {
+ kind = lookup(config.value, "kind", "dns#managedZoneDnsSecConfig")
+ non_existence = lookup(config.value, "non_existence", "nsec3")
+ state = lookup(config.value, "state", "off")
+
+ default_key_specs {
+ algorithm = lookup(var.default_key_specs_key, "algorithm", "rsasha256")
+ key_length = lookup(var.default_key_specs_key, "key_length", 2048)
+ key_type = lookup(var.default_key_specs_key, "key_type", "keySigning")
+ kind = lookup(var.default_key_specs_key, "kind", "dns#dnsKeySpec")
+ }
+ default_key_specs {
+ algorithm = lookup(var.default_key_specs_zone, "algorithm", "rsasha256")
+ key_length = lookup(var.default_key_specs_zone, "key_length", 1024)
+ key_type = lookup(var.default_key_specs_zone, "key_type", "zoneSigning")
+ kind = lookup(var.default_key_specs_zone, "kind", "dns#dnsKeySpec")
+ }
+ }
+ }
+
+}
+
+resource "google_dns_record_set" "cloud-static-records" {
+ project = var.project_id
+ managed_zone = var.name
+
+ for_each = { for record in var.recordsets : join("/", [record.name, record.type]) => record }
+ name = (
+ each.value.name != "" ?
+ "${each.value.name}.${var.domain}" :
+ var.domain
+ )
+ type = each.value.type
+ ttl = each.value.ttl
+
+ rrdatas = each.value.records
+
+ depends_on = [
+ google_dns_managed_zone.private,
+ google_dns_managed_zone.public,
+ ]
+}
diff --git a/experimental/terraform/cloud-dns/outputs.tf b/experimental/terraform/cloud-dns/outputs.tf
new file mode 100644
index 00000000..de200d97
--- /dev/null
+++ b/experimental/terraform/cloud-dns/outputs.tf
@@ -0,0 +1,61 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "type" {
+ description = "The DNS zone type."
+ value = var.type
+}
+
+output "name" {
+ description = "The DNS zone name."
+
+ value = element(
+ concat(
+ google_dns_managed_zone.peering.*.name,
+ google_dns_managed_zone.forwarding.*.name,
+ google_dns_managed_zone.private.*.name,
+ google_dns_managed_zone.public.*.name,
+ ),
+ 0,
+ )
+}
+
+output "domain" {
+ description = "The DNS zone domain."
+
+ value = element(
+ concat(
+ google_dns_managed_zone.peering.*.dns_name,
+ google_dns_managed_zone.forwarding.*.dns_name,
+ google_dns_managed_zone.private.*.dns_name,
+ google_dns_managed_zone.public.*.dns_name,
+ ),
+ 0,
+ )
+}
+
+output "name_servers" {
+ description = "The DNS zone name servers."
+
+ value = flatten(
+ concat(
+ google_dns_managed_zone.peering.*.name_servers,
+ google_dns_managed_zone.forwarding.*.name_servers,
+ google_dns_managed_zone.private.*.name_servers,
+ google_dns_managed_zone.public.*.name_servers,
+ ),
+ )
+}
diff --git a/experimental/terraform/cloud-dns/variables.tf b/experimental/terraform/cloud-dns/variables.tf
new file mode 100644
index 00000000..6adbbaad
--- /dev/null
+++ b/experimental/terraform/cloud-dns/variables.tf
@@ -0,0 +1,108 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+###############################################################################
+# zone variables #
+###############################################################################
+
+variable "domain" {
+ description = "Zone domain, must end with a period."
+ type = string
+}
+
+variable "name" {
+ description = "Zone name, must be unique within the project."
+ type = string
+}
+
+variable "private_visibility_config_networks" {
+ description = "List of VPC self links that can see this zone."
+ default = []
+ type = list(string)
+}
+
+variable "project_id" {
+ description = "Project id for the zone."
+ type = string
+}
+
+variable "target_name_server_addresses" {
+ description = "List of target name servers for forwarding zone."
+ default = []
+ type = list(map(any))
+}
+
+variable "target_network" {
+ description = "Peering network."
+ default = ""
+}
+
+variable "description" {
+ description = "zone description (shown in console)"
+ default = "Managed by Terraform"
+ type = string
+}
+
+variable "type" {
+ description = "Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering'."
+ default = "private"
+ type = string
+}
+
+variable "dnssec_config" {
+ description = "Object containing : kind, non_existence, state. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details"
+ type = any
+ default = {}
+}
+
+variable "labels" {
+ type = map(any)
+ description = "A set of key/value label pairs to assign to this ManagedZone"
+ default = {}
+}
+
+variable "default_key_specs_key" {
+ description = "Object containing default key signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details"
+ type = any
+ default = {}
+}
+
+variable "default_key_specs_zone" {
+ description = "Object containing default zone signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details"
+ type = any
+ default = {}
+}
+
+variable "force_destroy" {
+ description = "Set this true to delete all records in the zone."
+ default = false
+ type = bool
+}
+
+###############################################################################
+# record variables #
+###############################################################################
+
+variable "recordsets" {
+ type = list(object({
+ name = string
+ type = string
+ ttl = number
+ records = list(string)
+ }))
+ description = "List of DNS record objects to manage, in the standard terraform dns structure."
+ default = []
+}
diff --git a/experimental/terraform/cloud-dns/versions.tf b/experimental/terraform/cloud-dns/versions.tf
new file mode 100644
index 00000000..21759652
--- /dev/null
+++ b/experimental/terraform/cloud-dns/versions.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+
+ google = {
+ source = "hashicorp/google"
+ version = "~> 3.53"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 3.53"
+ }
+ }
+
+ provider_meta "google" {
+ module_name = "blueprints/terraform/terraform-google-cloud-dns/v1.0.0"
+ }
+
+ provider_meta "google-beta" {
+ module_name = "blueprints/terraform/terraform-google-cloud-dns/v1.0.0"
+ }
+
+}
diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf
index a996c2bc..f466d03b 100644
--- a/experimental/terraform/resource_event_handler.tf
+++ b/experimental/terraform/resource_event_handler.tf
@@ -58,7 +58,7 @@ resource "google_cloud_run_domain_mapping" "event_handler" {
 }
 
 module "event_hander_dns" {
- source = "terraform-google-modules/cloud-dns/google"
+ source = "./cloud-dns"
 version = "3.1.0"
 count = length(var.mapped_domain) > 0 ? 1 : 0
 

From 8191eee37bb0cd5efcfa9c3c0dc89fc10fb0684b Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Mon, 16 Aug 2021 10:52:08 +0100
Subject: [PATCH 6/9] NAP-275 remove version from cloud-dns

Co-authored-by: Matthew Green
Co-authored-by: Marco Hernandez
---
 experimental/terraform/resource_event_handler.tf | 1 -
 1 file changed, 1 deletion(-)
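Review bot: Switching `source` to the local `./cloud-dns` copy removes the only record of which upstream release was vendored, and the copied versions.tf reports `module_name = "blueprints/terraform/terraform-google-cloud-dns/v1.0.0"` while the registry pin being replaced was `3.1.0`, so it is not obvious from the tree what code this actually is or whether it was modified. A provenance comment on the source line would let upstream security fixes be compared against the copy later, e.g. `source = "./cloud-dns" # vendored from terraform-google-modules/cloud-dns/google <upstream version>; local edits: <none or list>`, with the placeholders filled in by the author. The `module "event_hander_dns"` block continues outside this hunk.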
diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf
index f466d03b..eb2f115b 100644
--- a/experimental/terraform/resource_event_handler.tf
+++ b/experimental/terraform/resource_event_handler.tf
@@ -59,7 +59,6 @@ resource "google_cloud_run_domain_mapping" "event_handler" {
 
 module "event_hander_dns" {
 source = "./cloud-dns"
- version = "3.1.0"
 count = length(var.mapped_domain) > 0 ? 1 : 0
 
 project_id = var.google_project_id

From 8c402811e4cc3a9b9ff9f50d71c91dc7eee1ffe9 Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Mon, 16 Aug 2021 11:06:11 +0100
Subject: [PATCH 7/9] Revert "NAP-275 add nandos specific instructions"

This reverts commit cabc4c1aecd920f84b7c8da1bc91fed3d895567e.
---
 experimental/terraform/README.md | 123 +++---------------------------
 1 file changed, 11 insertions(+), 112 deletions(-)

diff --git a/experimental/terraform/README.md b/experimental/terraform/README.md
index ea88cdf7..9cda4a67 100644
--- a/experimental/terraform/README.md
+++ b/experimental/terraform/README.md
@@ -1,28 +1,24 @@ # Experimental Terraform setup -This folder contains terraform scripts to provision all of the infrastructure in a Four Keys GCP project. +This folder contains terraform scripts to provision all of the infrastructure in a Four Keys GCP project. **DO NOT USE!** This isn't ready for production yet (though it's close!) ## How to use - 1. run `setup.sh`; this will: - -- create a project for Four Keys -- purge all terraform state [useful during tf development] -- build containers using Cloud Build -- create a `terraform.tfvars` file -- invoke terraform - + * create a project for Four Keys + * purge all terraform state [useful during tf development] + * build containers using Cloud Build + * create a `terraform.tfvars` file + * invoke terraform 1. run the following commands to retrieve values needed for your SCM: + * ``` + echo `terraform output -raw event_handler_endpoint` + echo `terraform output -raw event_handler_secret` + ``` -- ``` - echo `terraform output -raw event_handler_endpoint` - echo `terraform output -raw event_handler_secret` - ``` Current functionality: - - Create a GCP project (outside of terraform) - Build the event-handler container image and push to GCR [TODO: use AR instead] - Deploy the event-handler container as a Cloud Run service 
@@ -39,105 +35,8 @@ Current functionality: - Allow user to choose whether to generate test data Open questions: - - Should we create a service account and run TF as that, or keep the current process of using application default credentials of the user who invokes the script? Answered questions: - - What's an elegant way to support those user inputs (VCS, CI/CD) as conditionals in the TF? (see implementation: generate a list of parsers to create) -- Should we create the GCP project in terraform? No. The auth gets really complicated, especially when considering that the project may or may not be in an organization and/or folder - -**Following is Nando's specific!** WIP - -## Set Up - -We recommend the use of [tfenv](https://github.com/tfutils/tfenv) to install and use the version defined in the code. - -### Terraform Service Account - -This code is set up to use a terraform service account with the least privileges to create the resources needed, therefore you will need to create one in your project (TODO: move to setup.sh): - -``` -gcloud init # To select existing email and project - -# The follow unset command clear any old credentials that may get in the way of impersonation -unset GOOGLE_OAUTH_ACCESS_TOKEN -unset GOOGLE_APPLICATION_CREDENTIALS -unset GOOGLE_CREDENTIALS - -gcloud auth application-default login # login as you to allow service account impersonation. 
-PROJECT_ID=$(gcloud config get-value project) -TF_SA_NAME=terraform -gcloud iam service-accounts create ${TF_SA_NAME} \ - --description "Infrastructure Provisioner" \ - --display-name "Terraform" -# grant service account permission to view Admin Project & Manage Cloud Storage -for ROLE in 'viewer' 'storage.admin' 'cloudbuild.builds.builder' 'artifactregistry.admin' 'bigquery.dataEditor' 'bigquery.jobUser' 'containerregistry.ServiceAgent' 'dns.admin' 'iam.serviceAccountCreator' 'iam.serviceAccountDeleter' 'iam.serviceAccountUser' 'pubsub.admin' 'resourcemanager.projectIamAdmin' 'run.admin' 'secretmanager.admin' 'serviceusage.apiKeysAdmin'; do - gcloud projects add-iam-policy-binding ${PROJECT_ID} \ - --member serviceAccount:${TF_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \ - --role roles/${ROLE} -done - -for API in 'cloudbuild.googleapis.com' 'cloudresourcemanager.googleapis.com' 'iamcredentials.googleapis.com' 'artifactregistry.googleapis.com' 'bigquery.googleapis.com' 'bigquerydatatransfer.googleapis.com' 'containerregistry.googleapis.com' 'dns.googleapis.com' 'iam.googleapis.com' 'run.googleapis.com' 'secretmanager.googleapis.com' 'serviceusage.googleapis.com'; do - gcloud services enable "${API}" -done -``` - -#### Terraform Files - -You will need to create a backend in an environment folder (experimental/terraform): - -``` -PROJECT_REGION=europe-west2 -cat > backend.tf < environment.auto.tfvars < Date: Mon, 16 Aug 2021 11:18:22 +0100 Subject: [PATCH 8/9] NAP-275 mapped domain config Co-authored-by: Matthew Green Co-authored-by: Marco Hernandez --- experimental/terraform/resource_event_handler.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/experimental/terraform/resource_event_handler.tf b/experimental/terraform/resource_event_handler.tf index eb2f115b..d5395dc7 100644 --- a/experimental/terraform/resource_event_handler.tf +++ b/experimental/terraform/resource_event_handler.tf 
@@ -46,7 +46,7 @@ resource "google_cloud_run_domain_mapping" "event_handler" {
 # conditionally use this module
 count = length(var.mapped_domain) > 0 ? 1 : 0
 location = var.google_domain_mapping_region
- name = var.mapped_domain
+ name = "dora.${var.mapped_domain}"
 
 metadata {
 namespace = var.google_project_id
@@ -69,11 +69,11 @@ module "event_hander_dns" {
 
 recordsets = [
 {
- name = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["name"]
- type = google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["type"]
+ name = "dora"
+ type = "CNAME"
 ttl = 3600
 records = [
- google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0]["rrdata"]
+ "ghs.googlehosted.com."
 ]
 }
 ]

From 2a27498be44a3de5ac33bf2bec953a5680022073 Mon Sep 17 00:00:00 2001
From: Faizan J <49913297+faizando@users.noreply.github.com>
Date: Mon, 16 Aug 2021 11:42:55 +0100
Subject: [PATCH 9/9] NAP-275 update outputs

Co-authored-by: Matthew Green
Co-authored-by: Marco Hernandez
---
 experimental/terraform/outputs.tf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/experimental/terraform/outputs.tf b/experimental/terraform/outputs.tf
index 7c128a40..b8fc734c 100644
--- a/experimental/terraform/outputs.tf
+++ b/experimental/terraform/outputs.tf
@@ -2,9 +2,8 @@ output "event_handler_endpoint" {
 value = google_cloud_run_service.event_handler.status[0]["url"]
 }
 
-output "event_handler_dns" {
- # value = try(google_cloud_run_domain_mapping.event_handler[0].status[0]["resource_records"][0], null)
- value = try(module.event_hander_dns.name_servers, null)
+output "event_handler_name_servers" {
+ value = try(module.event_hander_dns[0].name_servers, null)
 }
 
 output "event_handler_secret" {
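Review bot: In the PATCH 8/9 recordsets hunk the record is now fixed as `name = "dora"` with `"ghs.googlehosted.com."` as its only target, instead of being read from the domain mapping's `status[0]["resource_records"]`, so the zone and the Cloud Run mapping are no longer tied together: if the mapping ever reports a different record, or the host label is changed in the first hunk (`name = "dora.${var.mapped_domain}"`) but not the second, Terraform will still happily apply a CNAME that points somewhere else. The shared label should at least be one local used by both hunks, `locals { event_handler_host = "dora" }`, `name = "${local.event_handler_host}.${var.mapped_domain}"` and `name = local.event_handler_host`, and the fixed target deserves a why-comment, e.g. `# CNAME target is the fixed Cloud Run domain-mapping host; the status-derived value was dropped because <reason>` with the reason filled in by the author. The `module "event_hander_dns"` block starts outside this hunk.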