From 7f05d506ee189ba8af0b37254f568c0bb9cde3ef Mon Sep 17 00:00:00 2001
From: David Dollar
Date: Tue, 10 Dec 2019 21:31:35 -0500
Subject: [PATCH] terraform: move authentication out to env vars (#49)
* terraform: move authentication out to env vars
* not that it is project id
---
 .dockerignore | 1 +
 .gitignore | 1 +
 install/README.md | 10 ++---
 install/aws/README.md | 10 ++++-
 install/do/README.md | 10 ++++-
 install/gcp/README.md | 10 ++++-
 install/gcp/main.tf | 36 -----------------
 terraform/api/k8s/atom.tf | 5 +++
 terraform/cluster/aws/iam.tf | 2 +-
 terraform/cluster/aws/main.tf | 52 ++++++++++++++++---------
 terraform/cluster/aws/outputs.tf | 12 +++---
 terraform/cluster/aws/vpc.tf | 20 +++++-----
 terraform/cluster/gcp/main.tf | 8 ++--
 terraform/elasticsearch/k8s/main.tf | 2 +-
 terraform/router/k8s/main.tf | 5 +++
 terraform/system/gcp/main.tf | 15 +++----
 terraform/system/gcp/project/main.tf | 16 ++++++++
 terraform/system/gcp/project/outputs.tf | 16 +++++++-
 18 files changed, 138 insertions(+), 93 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 85ef960..2799f68 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,4 @@
+.env
 install
 terraform
 terraform.tfvars
diff --git a/.gitignore b/.gitignore
index 598837a..b78de12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+.env
 .terraform
 coverage.txt
diff --git a/install/README.md b/install/README.md
index f73e3eb..1cfb257 100644
--- a/install/README.md
+++ b/install/README.md
@@ -2,11 +2,11 @@ Convox uses [Terraform](https://www.terraform.io/) for installation. -Go into the relevant subdirectory of this repository and follow the instructions in the README. +Go into the relevant subdirectory of this repository and follow the instructions in the README | Cloud Provider | Subdirectory | |:--------------------|:-----------------| -| Amazon Web Services | [aws](aws) | -| Digital Ocean | [do](do) | -| Google Cloud | [gcp](gcp) | -| Microsoft Azure | [azure](azure) | \ No newline at end of file +| Amazon Web Services | [aws](aws) | +| Digital Ocean | [do](do) | +| Google Cloud | [gcp](gcp) | +| Microsoft Azure | [azure](azure) | \ No newline at end of file diff --git a/install/aws/README.md b/install/aws/README.md index cfb2558..9d5ebfd 100644 --- a/install/aws/README.md +++ b/install/aws/README.md @@ -1,10 +1,18 @@ -# Convox Rack on AWS +# Convox on AWS ## Initial Setup - [Install the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) - [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) +## Configuration + +### Environment Variables + +- `AWS_DEFAULT_REGION` (required) +- `AWS_ACCESS_KEY_ID` (required) +- `AWS_SECRET_ACCESS_KEY` (required) + ## Install Convox - Clone this repository and switch to the directory containing this `README` diff --git a/install/do/README.md b/install/do/README.md index 5ba35be..720a046 100644 --- a/install/do/README.md +++ b/install/do/README.md @@ -1,4 +1,4 @@ -# Convox Rack on Digital Ocean +# Convox on Digital Ocean ## Initial Setup @@ -7,6 +7,14 @@ - Generate a new **Personal Access Token** and **Spaces Access Key** - Note these credentials +## Configuration + +### Template Variables + +- `access_id` (required) +- `secret_key` (required) +- `token` (required) + ## Install Convox - Clone this repository and switch to the directory containing this `README` 
diff --git a/install/gcp/README.md b/install/gcp/README.md index 606bca8..8c5957a 100644 --- a/install/gcp/README.md +++ b/install/gcp/README.md @@ -12,7 +12,15 @@ - Give it the **Project Owner** role - Select key type **JSON** - Click **Create** -- Download the credential file to `~/.config/gcloud/terraform.json` +- Download the credential file + +## Configuration + +### Environment Variables + +- `GOOGLE_CREDENTIALS` (path or contents of the credentials file) +- `GOOGLE_PROJECT` (project id in which to install) +- `GOOGLE_REGION` (required) ## Install Convox diff --git a/install/gcp/main.tf b/install/gcp/main.tf index f619e94..178096d 100644 --- a/install/gcp/main.tf +++ b/install/gcp/main.tf @@ -1,8 +1,3 @@ -variable "credentials" { - description = "path to credentials, create at https://console.cloud.google.com/apis/credentials/serviceaccountkey" - default = "~/.config/gcloud/terraform.json" -} - variable "name" { description = "rack name" default = "convox" @@ -13,48 +8,17 @@ variable "node_type" { default = "n1-standard-1" } -variable "project" { - description = "id of gcp project in which to install the rack" - type = string -} - variable "release" { description = "convox release version to install" default = "" } -variable "region" { - description = "gcp region in which to install the rack" - default = "us-east1" -} - -provider "google" { - version = "~> 2.19" - - credentials = pathexpand(var.credentials) - project = var.project - region = var.region -} - -provider "google-beta" { - version = "~> 2.19" - - credentials = pathexpand(var.credentials) - project = var.project - region = var.region -} - module "system" { source = "../../terraform/system/gcp" name = var.name node_type = var.node_type release = var.release - - providers = { - google = google - google-beta = google-beta - } } output "rack_url" { diff --git a/terraform/api/k8s/atom.tf b/terraform/api/k8s/atom.tf index 5f72948..cc0d035 100644 --- a/terraform/api/k8s/atom.tf 
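Review bot: Removing `variable "region"` (default `us-east1`) and `variable "project"` from install/gcp/main.tf silently changes where an existing install is placed: a user who relied on the old default and now exports a different `GOOGLE_REGION` will presumably get a plan that replaces the cluster rather than an error, since the cluster location is read from the provider's region. The new README lists `GOOGLE_REGION` as required but does not say it must match the region already in state; a comment in this file such as `# project, region and credentials come from GOOGLE_PROJECT / GOOGLE_REGION / GOOGLE_CREDENTIALS (see README.md); existing installs must keep their original region` would keep that from being lost. With both `provider` blocks gone, the root module carries no version constraint for `google`/`google-beta`; the constraints now live only in the child modules, which is fine as long as that is intended.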
+++ b/terraform/api/k8s/atom.tf @@ -39,6 +39,11 @@ resource "kubernetes_deployment" "atom" { metadata { namespace = var.namespace name = "atom" + + labels = { + service = "atom" + system = "convox" + } } spec { diff --git a/terraform/cluster/aws/iam.tf b/terraform/cluster/aws/iam.tf index 0cee53f..75c183c 100644 --- a/terraform/cluster/aws/iam.tf +++ b/terraform/cluster/aws/iam.tf @@ -1,7 +1,7 @@ resource "aws_iam_openid_connect_provider" "cluster" { client_id_list = ["sts.amazonaws.com"] thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"] - url = "${aws_eks_cluster.cluster.identity.0.oidc.0.issuer}" + url = aws_eks_cluster.cluster.identity.0.oidc.0.issuer } data "aws_iam_policy_document" "assume_ec2" { diff --git a/terraform/cluster/aws/main.tf b/terraform/cluster/aws/main.tf index d23a250..545fc66 100644 --- a/terraform/cluster/aws/main.tf +++ b/terraform/cluster/aws/main.tf @@ -10,7 +10,27 @@ provider "local" { version = "~> 1.3" } +provider "null" { + version = "~> 2.1" +} + +resource "null_resource" "delay_cluster" { + provisioner "local-exec" { + command = "sleep 15" + } + triggers = { + "eks_cluster" = aws_iam_role_policy_attachment.cluster_eks_cluster.id, + "eks_service" = aws_iam_role_policy_attachment.cluster_eks_service.id, + } +} + resource "aws_eks_cluster" "cluster" { + depends_on = [ + aws_iam_role_policy_attachment.cluster_eks_cluster, + aws_iam_role_policy_attachment.cluster_eks_service, + null_resource.delay_cluster, + ] + name = var.name role_arn = aws_iam_role.cluster.arn 
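Review bot: The `sleep 15` in the new `null_resource.delay_cluster` is an undocumented timing workaround: nothing in the hunk says what it waits for, so the next reader is likely to delete it. Its `triggers` reference the two IAM role-policy attachments, so it presumably covers IAM propagation delay before EKS can assume the cluster role; a comment such as `# IAM policy attachments propagate asynchronously; wait before creating the cluster so EKS can assume the role` would make that explicit, and the same reasoning belongs next to `null_resource.delay_cluster` in the cluster's `depends_on`. `local-exec` runs through the local shell, so an apply now requires a POSIX `sleep` wherever Terraform runs. The `aws_eks_cluster` body continues past the end of the hunk.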
@@ -20,18 +40,23 @@ resource "aws_eks_cluster" "cluster" { security_group_ids = [aws_security_group.cluster.id] subnet_ids = concat(aws_subnet.public.*.id) } - - depends_on = [ - "aws_iam_role_policy_attachment.cluster_eks_cluster", - "aws_iam_role_policy_attachment.cluster_eks_service", - ] } resource "aws_eks_node_group" "cluster" { depends_on = [ - "aws_iam_role_policy_attachment.nodes_ecr", - "aws_iam_role_policy_attachment.nodes_eks_cni", - "aws_iam_role_policy_attachment.nodes_eks_worker", + aws_eks_cluster.cluster, + aws_iam_openid_connect_provider.cluster, + aws_iam_role_policy_attachment.cluster_eks_cluster, + aws_iam_role_policy_attachment.cluster_eks_service, + aws_iam_role_policy_attachment.nodes_ecr, + aws_iam_role_policy_attachment.nodes_eks_cni, + aws_iam_role_policy_attachment.nodes_eks_worker, + aws_route.private-default, + aws_route.public-default, + aws_route_table.private, + aws_route_table.public, + aws_route_table_association.private, + aws_route_table_association.public, ] count = 3 @@ -56,17 +81,6 @@ resource "aws_eks_node_group" "cluster" { resource "local_file" "kubeconfig" { depends_on = [ aws_eks_node_group.cluster, - aws_iam_role_policy_attachment.cluster_eks_cluster, - aws_iam_role_policy_attachment.cluster_eks_service, - aws_iam_role_policy_attachment.nodes_ecr, - aws_iam_role_policy_attachment.nodes_eks_cni, - aws_iam_role_policy_attachment.nodes_eks_worker, - aws_route.private-default, - aws_route.public-default, - aws_route_table.private, - aws_route_table.public, - aws_route_table_association.private, - aws_route_table_association.public, ] filename = pathexpand("~/.kube/config.aws.${var.name}") diff --git a/terraform/cluster/aws/outputs.tf b/terraform/cluster/aws/outputs.tf index a66ed99..129e8a8 100644 --- a/terraform/cluster/aws/outputs.tf +++ b/terraform/cluster/aws/outputs.tf 
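Review bot: The `depends_on` list added to `aws_eks_node_group.cluster` pulls in routes, route tables and route-table associations without a word about why a node group needs them, and the same list is deleted from `local_file.kubeconfig` in the next hunk, so it is easy to misread as leftover copy-paste. Presumably the nodes need a working default route before they can register with the cluster endpoint; a comment such as `# nodes need outbound routing in place before they can join the cluster; listed explicitly because this resource does not reference the route resources` would make that explicit. `aws_eks_cluster.cluster` in the list is redundant if the node group already references the cluster by name elsewhere in its body, which lies outside the hunk.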
@@ -1,22 +1,24 @@ output "ca" { - depends_on = [kubernetes_config_map.auth] + depends_on = [aws_eks_node_group.cluster] value = base64decode(aws_eks_cluster.cluster.certificate_authority.0.data) } output "endpoint" { - depends_on = [kubernetes_config_map.auth] + depends_on = [aws_eks_node_group.cluster] value = aws_eks_cluster.cluster.endpoint } output "id" { - depends_on = [kubernetes_config_map.auth] + depends_on = [aws_eks_node_group.cluster] value = aws_eks_cluster.cluster.id } output "oidc_arn" { - value = aws_iam_openid_connect_provider.cluster.arn + depends_on = [aws_eks_node_group.cluster] + value = aws_iam_openid_connect_provider.cluster.arn } output "oidc_sub" { - value = "${replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")}:sub" + depends_on = [aws_eks_node_group.cluster] + value = "${replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")}:sub" } diff --git a/terraform/cluster/aws/vpc.tf b/terraform/cluster/aws/vpc.tf index ccf24cc..b755b2d 100644 --- a/terraform/cluster/aws/vpc.tf +++ b/terraform/cluster/aws/vpc.tf @@ -47,14 +47,14 @@ resource "aws_route_table" "public" { } resource "aws_route" "public-default" { + depends_on = [ + aws_internet_gateway.nodes, + aws_route_table.public, + ] + destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.nodes.id route_table_id = aws_route_table.public.id - - depends_on = [ - "aws_internet_gateway.nodes", - "aws_route_table.public", - ] } resource "aws_route_table_association" "public" { @@ -110,16 +110,16 @@ resource "aws_route_table" "private" { } resource "aws_route" "private-default" { + depends_on = [ + aws_internet_gateway.nodes, + aws_route_table.private, + ] + count = 3 destination_cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.private[count.index].id route_table_id = aws_route_table.private[count.index].id - - depends_on = [ - "aws_internet_gateway.nodes", - "aws_route_table.private", - ] } resource "aws_route_table_association" "private" { 
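Review bot: All five outputs now gate on `aws_eks_node_group.cluster` and drop `kubernetes_config_map.auth`, yet no hunk in this diff removes that resource; if it still exists in the module, callers that previously received `endpoint`/`ca` only after the aws-auth ConfigMap was applied lose that ordering, so a consumer that configures a `kubernetes` provider from these outputs may connect before the node role is mapped. If the ConfigMap was removed elsewhere this is fine, but the new `depends_on` lines would still benefit from a comment saying what consumers are being held for, e.g. `# hold consumers until nodes exist so a kubernetes provider built from these outputs reaches a working cluster`.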
diff --git a/terraform/cluster/gcp/main.tf b/terraform/cluster/gcp/main.tf index f9ec806..b85f3dc 100644 --- a/terraform/cluster/gcp/main.tf +++ b/terraform/cluster/gcp/main.tf @@ -33,7 +33,7 @@ resource "random_string" "password" { } resource "google_container_cluster" "rack" { - provider = "google-beta" + provider = google-beta name = var.name location = data.google_client_config.current.region @@ -61,7 +61,7 @@ resource "google_container_cluster" "rack" { } resource "google_container_node_pool" "rack" { - provider = "google-beta" + provider = google-beta name = "${google_container_cluster.rack.name}-nodes-${var.node_type}" location = google_container_cluster.rack.location @@ -126,14 +126,14 @@ provider "kubernetes" { load_config_file = false - cluster_ca_certificate = "${base64decode(google_container_cluster.rack.master_auth.0.cluster_ca_certificate)}" + cluster_ca_certificate = base64decode(google_container_cluster.rack.master_auth.0.cluster_ca_certificate) host = "https://${google_container_cluster.rack.endpoint}" username = "gcloud" password = random_string.password.result } resource "kubernetes_cluster_role_binding" "client" { - provider = "kubernetes.direct" + provider = kubernetes.direct metadata { name = "client-binding" diff --git a/terraform/elasticsearch/k8s/main.tf b/terraform/elasticsearch/k8s/main.tf index bf2a7d2..833c5b6 100644 --- a/terraform/elasticsearch/k8s/main.tf +++ b/terraform/elasticsearch/k8s/main.tf @@ -81,7 +81,7 @@ resource "kubernetes_stateful_set" "elasticsearch" { } container { - name = "elasticsearch" + name = "main" image = "docker.elastic.co/elasticsearch/elasticsearch:6.5.0" env { diff --git a/terraform/router/k8s/main.tf b/terraform/router/k8s/main.tf index 67fa478..309a34f 100644 --- a/terraform/router/k8s/main.tf +++ b/terraform/router/k8s/main.tf 
@@ -77,6 +77,11 @@ resource "kubernetes_deployment" "router" { metadata { namespace = var.namespace name = "router" + + labels = { + service = "router" + system = "convox" + } } spec { diff --git a/terraform/system/gcp/main.tf b/terraform/system/gcp/main.tf index 826b3a6..c0415be 100644 --- a/terraform/system/gcp/main.tf +++ b/terraform/system/gcp/main.tf @@ -3,11 +3,17 @@ terraform { } provider "google" { - version = "~> 2.18" + version = "~> 2.19" + + project = module.project.id + region = module.project.region } provider "google-beta" { - version = "~> 2.18" + version = "~> 2.19" + + project = module.project.id + region = module.project.region } provider "http" { @@ -27,10 +33,6 @@ provider "kubernetes" { module "project" { source = "./project" - - providers = { - google = google - } } data "http" "releases" { @@ -52,7 +54,6 @@ module "cluster" { name = var.name node_type = var.node_type - services = module.project.services } module "rack" { diff --git a/terraform/system/gcp/project/main.tf b/terraform/system/gcp/project/main.tf index 8935227..a34ee5f 100644 --- a/terraform/system/gcp/project/main.tf +++ b/terraform/system/gcp/project/main.tf 
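Review bot: `module "cluster"` no longer passes `services`, but nothing in the diff touches the cluster module's variable declarations (terraform/cluster/gcp/main.tf only changes quoting), so if that module still declares `variable "services"` without a default, `terraform plan` fails on a missing required argument; if it has a default, the variable is now dead and should be removed. The ordering that `services` used to provide is now carried by `project = module.project.id` on the two provider blocks, which makes the provider configuration depend on the `google_project_service` resources through the output's `depends_on`; Terraform documents that provider configurations derived from resource values can break `terraform destroy`, so that path is worth exercising once. The constraint is `~> 2.19` here and `~> 2.18` in project/main.tf; keeping them identical avoids the two modules resolving different provider versions.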
@@ -1,28 +1,44 @@ provider "google" { version = "~> 2.18" + + alias = "direct" +} + +data "google_client_config" "current" { + provider = google.direct } resource "google_project_service" "cloudresourcemanager" { + provider = google.direct + disable_on_destroy = false service = "cloudresourcemanager.googleapis.com" } resource "google_project_service" "compute" { + provider = google.direct + disable_on_destroy = false service = "compute.googleapis.com" } resource "google_project_service" "container" { + provider = google.direct + disable_on_destroy = false service = "container.googleapis.com" } resource "google_project_service" "iam" { + provider = google.direct + disable_on_destroy = false service = "iam.googleapis.com" } resource "google_project_service" "redis" { + provider = google.direct + disable_on_destroy = false service = "redis.googleapis.com" } diff --git a/terraform/system/gcp/project/outputs.tf b/terraform/system/gcp/project/outputs.tf index 4bfdc61..4c92622 100644 --- a/terraform/system/gcp/project/outputs.tf +++ b/terraform/system/gcp/project/outputs.tf @@ -1,4 +1,4 @@ -output "services" { +output "id" { depends_on = [ google_project_service.cloudresourcemanager, google_project_service.compute, @@ -7,5 +7,17 @@ output "services" { google_project_service.redis, ] - value = "services" + value = data.google_client_config.current.project +} + +output "region" { + depends_on = [ + google_project_service.cloudresourcemanager, + google_project_service.compute, + google_project_service.container, + google_project_service.iam, + google_project_service.redis, + ] + + value = data.google_client_config.current.region }
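Review bot: `provider "google"` with `alias = "direct"` carries no `credentials`, `project` or `region`, so the whole module now silently depends on the `GOOGLE_CREDENTIALS`/`GOOGLE_PROJECT`/`GOOGLE_REGION` environment variables that only install/gcp/README.md mentions; a comment on the block, e.g. `# intentionally unconfigured: credentials, project and region come from GOOGLE_CREDENTIALS / GOOGLE_PROJECT / GOOGLE_REGION in the environment`, would keep a reader from adding settings here. In outputs.tf, `depends_on` on an output does not delay `data.google_client_config.current` itself — that lookup happens at plan time — it only holds consumers of `id`/`region` until the five `google_project_service` resources exist, which is worth a one-line comment since the identical list is repeated verbatim in both outputs and reads as accidental.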