From a6e9a660839f3cddf871b7e3549cfd0fed3f469a Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Mon, 6 May 2024 16:30:24 -0700
Subject: [PATCH] Add database for rekor search indexes

Update the mysql and rekor modules to instantiate a new database in the primary SQL instance for search index storage. The rekor IAM service accounts are bound to their GKE equivalents and given permission to access the Cloud SQL instance, which makes the cloud-sql-proxy sidecar in the Rekor deployment work.

The "trillian" database instance resource is renamed to "sigstore" since the instance now encompasses two databases, one of which is not for trillian.

The mysql module creates a trillian mysql user, which is not an IAM user. This user already has effectively admin grants on the SQL instance, so it is capable of connecting to the new instance and creating a new user named for the new database would not reduce the overall privileges, so we reuse the trillian mysql user for the new database.

Signed-off-by: Colleen Murphy
---
 terraform/gcp/modules/mysql/mysql.tf | 32 +++++++++++++------
 terraform/gcp/modules/mysql/outputs.tf | 4 +--
 terraform/gcp/modules/mysql/variables.tf | 6 ++++
 .../gcp/modules/rekor/service_accounts.tf | 14 ++++++++
 4 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/terraform/gcp/modules/mysql/mysql.tf b/terraform/gcp/modules/mysql/mysql.tf
index 022fdf274..f525222c3 100644
--- a/terraform/gcp/modules/mysql/mysql.tf
+++ b/terraform/gcp/modules/mysql/mysql.tf
@@ -102,7 +102,7 @@ resource "random_id" "db_name_suffix" {
 byte_length = 4
 }
 
-resource "google_sql_database_instance" "trillian" {
+resource "google_sql_database_instance" "sigstore" {
 project = var.project_id
 name = var.instance_name != "" ? var.instance_name : format("%s-mysql-%s", var.cluster_name, random_id.db_name_suffix.hex)
 database_version = var.database_version
@@ -142,11 +142,16 @@ resource "google_sql_database_instance" "trillian" {
 }
 }
 
+moved {
+ from = google_sql_database_instance.trillian
+ to = google_sql_database_instance.sigstore
+}
+
 resource "google_sql_database_instance" "read_replica" {
 for_each = toset(var.replica_zones)
 
- name = "${google_sql_database_instance.trillian.name}-replica-${each.key}"
- master_instance_name = google_sql_database_instance.trillian.name
+ name = "${google_sql_database_instance.sigstore.name}-replica-${each.key}"
+ master_instance_name = google_sql_database_instance.sigstore.name
 region = var.region
 database_version = var.database_version
 
@@ -174,27 +179,35 @@ resource "google_sql_database_instance" "read_replica" {
 resource "google_sql_database" "trillian" { name = var.db_name project = var.project_id - instance = google_sql_database_instance.trillian.name + instance = google_sql_database_instance.sigstore.name collation = "utf8_general_ci" - depends_on = [google_sql_database_instance.trillian] + depends_on = [google_sql_database_instance.sigstore] +} + +resource "google_sql_database" "searchindexes" { + name = var.index_db_name + project = var.project_id + instance = google_sql_database_instance.sigstore.name + collation = "utf8_general_ci" + depends_on = [google_sql_database_instance.sigstore] } resource "random_id" "user-password" { keepers = { - name = google_sql_database_instance.trillian.name + name = google_sql_database_instance.sigstore.name } byte_length = 8 - depends_on = [google_sql_database_instance.trillian] + depends_on = [google_sql_database_instance.sigstore] } resource "google_sql_user" "trillian" { name = "trillian" project = var.project_id - instance = google_sql_database_instance.trillian.name + instance = google_sql_database_instance.sigstore.name password = random_id.user-password.hex host = "%" - depends_on = [google_sql_database_instance.trillian] + depends_on = [google_sql_database_instance.sigstore] } resource "google_secret_manager_secret" "mysql-password" {
@@ -239,4 +252,3 @@ resource "google_secret_manager_secret_version" "mysql-database" {
 secret = google_secret_manager_secret.mysql-database.id
 secret_data = google_sql_database.trillian.name
 }
-
diff --git a/terraform/gcp/modules/mysql/outputs.tf b/terraform/gcp/modules/mysql/outputs.tf
index 4e59a983b..40bc9c513 100644
--- a/terraform/gcp/modules/mysql/outputs.tf
+++ b/terraform/gcp/modules/mysql/outputs.tf
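Review bot: The new `google_sql_database.searchindexes` name is not exported anywhere in this patch — the `mysql-database` secret version further down this file and the `outputs.tf` hunk still carry only `google_sql_database.trillian.name` — so a caller that overrides `var.index_db_name` has no module output or secret from which to read the index database name and must duplicate the value. Unless rekor is wired to it outside this diff, consider adding `output "mysql_index_database" { value = google_sql_database.searchindexes.name }` or a parallel `google_secret_manager_secret_version` so the two names are sourced the same way. The `depends_on = [google_sql_database_instance.sigstore]` on the new resource is redundant, since `instance = google_sql_database_instance.sigstore.name` already establishes that dependency, though it does mirror the existing `trillian` block.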
@@ -22,13 +22,13 @@ output "trillian_serviceaccount" {
 // Used when setting up the GKE cluster to talk to MySQL.
 output "mysql_instance" {
 description = "The generated name of the Cloud SQL instance"
- value = google_sql_database_instance.trillian.name
+ value = google_sql_database_instance.sigstore.name
 }
 
 // Full connection string for the MySQL DB>
 output "mysql_connection" {
 description = "The connection string dynamically generated for storage inside the Kubernetes configmap"
- value = format("%s:%s:%s", var.project_id, var.region, google_sql_database_instance.trillian.name)
+ value = format("%s:%s:%s", var.project_id, var.region, google_sql_database_instance.sigstore.name)
 }
 
 // MySQL DB username.
diff --git a/terraform/gcp/modules/mysql/variables.tf b/terraform/gcp/modules/mysql/variables.tf
index 0f2e79f96..23cab47f0 100644
--- a/terraform/gcp/modules/mysql/variables.tf
+++ b/terraform/gcp/modules/mysql/variables.tf
@@ -104,6 +104,12 @@ variable "db_name" {
 default = "trillian"
 }
 
+variable "index_db_name" {
+ type = string
+ description = "Name for the MySQL database for search indexes."
+ default = "searchindexes"
+}
+
 variable "database_version" {
 type = string
 description = "MySQL database version."
diff --git a/terraform/gcp/modules/rekor/service_accounts.tf b/terraform/gcp/modules/rekor/service_accounts.tf
index cf02c4b79..510460df4 100644
--- a/terraform/gcp/modules/rekor/service_accounts.tf
+++ b/terraform/gcp/modules/rekor/service_accounts.tf
@@ -48,3 +48,17 @@ resource "google_project_iam_member" "rekor_profiler_agent" {
 member = "serviceAccount:${google_service_account.rekor-sa.email}"
 depends_on = [google_service_account.rekor-sa]
 }
+
+resource "google_service_account_iam_member" "gke_sa_iam_member_rekor_server" {
+ service_account_id = google_service_account.rekor-sa.name
+ role = "roles/iam.workloadIdentityUser"
+ member = "serviceAccount:${var.project_id}.svc.id.goog[rekor-system/rekor-server]"
+ depends_on = [google_service_account.rekor-sa]
+}
+
+resource "google_project_iam_member" "db_admin_member_rekor" {
+ project = var.project_id
+ role = "roles/cloudsql.client"
+ member = "serviceAccount:${google_service_account.rekor-sa.email}"
+ depends_on = [google_service_account.rekor-sa]
+}
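Review bot: The resource name `db_admin_member_rekor` misdescribes the second new binding, which grants `roles/cloudsql.client` (the connect permission the cloud-sql-proxy sidecar needs) rather than any admin role; a name such as `cloudsql_client_member_rekor` plus a comment like `# Lets the cloud-sql-proxy sidecar open connections to the Cloud SQL instance; table-level access is still governed by the MySQL user` would keep the intent readable for the next maintainer. Because the binding is made with `google_project_iam_member` at project scope, the rekor service account can open proxy connections to every Cloud SQL instance in `var.project_id`, not just the `sigstore` instance, which is worth stating in that comment if it is the accepted scope. The Workload Identity member hard-codes the `rekor-system/rekor-server` namespace/KSA pair while the project comes from `var.project_id`; if sibling modules in this repo parameterize that pair, a variable would keep the modules consistent.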