terraform: move authentication out to env vars (#49)

* terraform: move authentication out to env vars * not that it is project id
2026-02-06 10:56:56 +00:00 · 2019-12-10 21:31:35 -05:00 · 2019-12-10 21:31:35 -05:00 · 7f05d506ee
commit 7f05d506ee
parent 4c96aab79a
18 changed files with 138 additions and 93 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,3 +1,4 @@
+.env
 install
 terraform
 terraform.tfvars
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
+.env
 .terraform
 coverage.txt
--- a/install/README.md
+++ b/install/README.md
@ -2,11 +2,11 @@

 Convox uses [Terraform](https://www.terraform.io/) for installation.

-Go into the relevant subdirectory of this repository and follow the instructions in the README.
+Go into the relevant subdirectory of this repository and follow the instructions in the README

 | Cloud Provider      | Subdirectory     |
 |:--------------------|:-----------------|
-| Amazon Web Services | [aws](aws)      |
-| Digital Ocean       | [do](do)        |
-| Google Cloud        | [gcp](gcp)      |
-| Microsoft Azure     | [azure](azure)  |
+| Amazon Web Services | [aws](aws)       |
+| Digital Ocean       | [do](do)         |
+| Google Cloud        | [gcp](gcp)       |
+| Microsoft Azure     | [azure](azure)   |
--- a/install/aws/README.md
+++ b/install/aws/README.md
@ -1,10 +1,18 @@
-# Convox Rack on AWS
+# Convox on AWS

 ## Initial Setup

 - [Install the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
 - [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)

+## Configuration
+
+### Environment Variables
+
+- `AWS_DEFAULT_REGION` (required)
+- `AWS_ACCESS_KEY_ID` (required)
+- `AWS_SECRET_ACCESS_KEY` (required)
+
 ## Install Convox

 - Clone this repository and switch to the directory containing this `README`
--- a/install/do/README.md
+++ b/install/do/README.md
@ -1,4 +1,4 @@
-# Convox Rack on Digital Ocean
+# Convox on Digital Ocean

 ## Initial Setup

@ -7,6 +7,14 @@
 - Generate a new **Personal Access Token** and **Spaces Access Key**
 - Note these credentials

+## Configuration
+
+### Template Variables
+
+- `access_id` (required)
+- `secret_key` (required)
+- `token` (required)
+
 ## Install Convox

 - Clone this repository and switch to the directory containing this `README`
--- a/install/gcp/README.md
+++ b/install/gcp/README.md
@ -12,7 +12,15 @@
 - Give it the **Project Owner** role
 - Select key type **JSON**
 - Click **Create**
- Download the credential file to `~/.config/gcloud/terraform.json`
+- Download the credential file
+
+## Configuration
+
+### Environment Variables
+
+- `GOOGLE_CREDENTIALS` (path or contents of the credentials file)
+- `GOOGLE_PROJECT` (project id in which to install)
+- `GOOGLE_REGION` (required)

 ## Install Convox

--- a/install/gcp/main.tf
+++ b/install/gcp/main.tf
@ -1,8 +1,3 @@
-variable "credentials" {
-  description = "path to credentials, create at https://console.cloud.google.com/apis/credentials/serviceaccountkey"
-  default     = "~/.config/gcloud/terraform.json"
-}
-
 variable "name" {
  description = "rack name"
  default     = "convox"
@ -13,48 +8,17 @@ variable "node_type" {
  default     = "n1-standard-1"
 }

-variable "project" {
-  description = "id of gcp project in which to install the rack"
-  type        = string
-}
-
 variable "release" {
  description = "convox release version to install"
  default     = ""
 }

-variable "region" {
-  description = "gcp region in which to install the rack"
-  default     = "us-east1"
-}
-
-provider "google" {
-  version = "~> 2.19"
-
-  credentials = pathexpand(var.credentials)
-  project     = var.project
-  region      = var.region
-}
-
-provider "google-beta" {
-  version = "~> 2.19"
-
-  credentials = pathexpand(var.credentials)
-  project     = var.project
-  region      = var.region
-}
-
 module "system" {
  source = "../../terraform/system/gcp"

  name      = var.name
  node_type = var.node_type
  release   = var.release
-
-  providers = {
-    google      = google
-    google-beta = google-beta
-  }
 }

 output "rack_url" {
--- a/terraform/api/k8s/atom.tf
+++ b/terraform/api/k8s/atom.tf
@ -39,6 +39,11 @@ resource "kubernetes_deployment" "atom" {
  metadata {
    namespace = var.namespace
    name      = "atom"
+
+    labels = {
+      service = "atom"
+      system  = "convox"
+    }
  }

  spec {
--- a/terraform/cluster/aws/iam.tf
+++ b/terraform/cluster/aws/iam.tf
@ -1,7 +1,7 @@
 resource "aws_iam_openid_connect_provider" "cluster" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
-  url             = "${aws_eks_cluster.cluster.identity.0.oidc.0.issuer}"
+  url             = aws_eks_cluster.cluster.identity.0.oidc.0.issuer
 }

 data "aws_iam_policy_document" "assume_ec2" {
--- a/terraform/cluster/aws/main.tf
+++ b/terraform/cluster/aws/main.tf
@ -10,7 +10,27 @@ provider "local" {
  version = "~> 1.3"
 }

+provider "null" {
+  version = "~> 2.1"
+}
+
+resource "null_resource" "delay_cluster" {
+  provisioner "local-exec" {
+    command = "sleep 15"
+  }
+  triggers = {
+    "eks_cluster" = aws_iam_role_policy_attachment.cluster_eks_cluster.id,
+    "eks_service" = aws_iam_role_policy_attachment.cluster_eks_service.id,
+  }
+}
+
 resource "aws_eks_cluster" "cluster" {
+  depends_on = [
+    aws_iam_role_policy_attachment.cluster_eks_cluster,
+    aws_iam_role_policy_attachment.cluster_eks_service,
+    null_resource.delay_cluster,
+  ]
+
  name     = var.name
  role_arn = aws_iam_role.cluster.arn

@ -20,18 +40,23 @@ resource "aws_eks_cluster" "cluster" {
    security_group_ids      = [aws_security_group.cluster.id]
    subnet_ids              = concat(aws_subnet.public.*.id)
  }
-
-  depends_on = [
-    "aws_iam_role_policy_attachment.cluster_eks_cluster",
-    "aws_iam_role_policy_attachment.cluster_eks_service",
-  ]
 }

 resource "aws_eks_node_group" "cluster" {
  depends_on = [
-    "aws_iam_role_policy_attachment.nodes_ecr",
-    "aws_iam_role_policy_attachment.nodes_eks_cni",
-    "aws_iam_role_policy_attachment.nodes_eks_worker",
+    aws_eks_cluster.cluster,
+    aws_iam_openid_connect_provider.cluster,
+    aws_iam_role_policy_attachment.cluster_eks_cluster,
+    aws_iam_role_policy_attachment.cluster_eks_service,
+    aws_iam_role_policy_attachment.nodes_ecr,
+    aws_iam_role_policy_attachment.nodes_eks_cni,
+    aws_iam_role_policy_attachment.nodes_eks_worker,
+    aws_route.private-default,
+    aws_route.public-default,
+    aws_route_table.private,
+    aws_route_table.public,
+    aws_route_table_association.private,
+    aws_route_table_association.public,
  ]

  count = 3
@ -56,17 +81,6 @@ resource "aws_eks_node_group" "cluster" {
 resource "local_file" "kubeconfig" {
  depends_on = [
    aws_eks_node_group.cluster,
-    aws_iam_role_policy_attachment.cluster_eks_cluster,
-    aws_iam_role_policy_attachment.cluster_eks_service,
-    aws_iam_role_policy_attachment.nodes_ecr,
-    aws_iam_role_policy_attachment.nodes_eks_cni,
-    aws_iam_role_policy_attachment.nodes_eks_worker,
-    aws_route.private-default,
-    aws_route.public-default,
-    aws_route_table.private,
-    aws_route_table.public,
-    aws_route_table_association.private,
-    aws_route_table_association.public,
  ]

  filename = pathexpand("~/.kube/config.aws.${var.name}")
--- a/terraform/cluster/aws/outputs.tf
+++ b/terraform/cluster/aws/outputs.tf
@ -1,22 +1,24 @@
 output "ca" {
-  depends_on = [kubernetes_config_map.auth]
+  depends_on = [aws_eks_node_group.cluster]
  value      = base64decode(aws_eks_cluster.cluster.certificate_authority.0.data)
 }

 output "endpoint" {
-  depends_on = [kubernetes_config_map.auth]
+  depends_on = [aws_eks_node_group.cluster]
  value      = aws_eks_cluster.cluster.endpoint
 }

 output "id" {
-  depends_on = [kubernetes_config_map.auth]
+  depends_on = [aws_eks_node_group.cluster]
  value      = aws_eks_cluster.cluster.id
 }

 output "oidc_arn" {
-  value = aws_iam_openid_connect_provider.cluster.arn
+  depends_on = [aws_eks_node_group.cluster]
+  value      = aws_iam_openid_connect_provider.cluster.arn
 }

 output "oidc_sub" {
-  value = "${replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")}:sub"
+  depends_on = [aws_eks_node_group.cluster]
+  value      = "${replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")}:sub"
 }
--- a/terraform/cluster/aws/vpc.tf
+++ b/terraform/cluster/aws/vpc.tf
@ -47,14 +47,14 @@ resource "aws_route_table" "public" {
 }

 resource "aws_route" "public-default" {
+  depends_on = [
+    aws_internet_gateway.nodes,
+    aws_route_table.public,
+  ]
+
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.nodes.id
  route_table_id         = aws_route_table.public.id
-
-  depends_on = [
-    "aws_internet_gateway.nodes",
-    "aws_route_table.public",
-  ]
 }

 resource "aws_route_table_association" "public" {
@ -110,16 +110,16 @@ resource "aws_route_table" "private" {
 }

 resource "aws_route" "private-default" {
+  depends_on = [
+    aws_internet_gateway.nodes,
+    aws_route_table.private,
+  ]
+
  count = 3

  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.private[count.index].id
  route_table_id         = aws_route_table.private[count.index].id
-
-  depends_on = [
-    "aws_internet_gateway.nodes",
-    "aws_route_table.private",
-  ]
 }

 resource "aws_route_table_association" "private" {
--- a/terraform/cluster/gcp/main.tf
+++ b/terraform/cluster/gcp/main.tf
@ -33,7 +33,7 @@ resource "random_string" "password" {
 }

 resource "google_container_cluster" "rack" {
-  provider = "google-beta"
+  provider = google-beta

  name     = var.name
  location = data.google_client_config.current.region
@ -61,7 +61,7 @@ resource "google_container_cluster" "rack" {
 }

 resource "google_container_node_pool" "rack" {
-  provider = "google-beta"
+  provider = google-beta

  name               = "${google_container_cluster.rack.name}-nodes-${var.node_type}"
  location           = google_container_cluster.rack.location
@ -126,14 +126,14 @@ provider "kubernetes" {

  load_config_file = false

-  cluster_ca_certificate = "${base64decode(google_container_cluster.rack.master_auth.0.cluster_ca_certificate)}"
+  cluster_ca_certificate = base64decode(google_container_cluster.rack.master_auth.0.cluster_ca_certificate)
  host                   = "https://${google_container_cluster.rack.endpoint}"
  username               = "gcloud"
  password               = random_string.password.result
 }

 resource "kubernetes_cluster_role_binding" "client" {
-  provider = "kubernetes.direct"
+  provider = kubernetes.direct

  metadata {
    name = "client-binding"
--- a/terraform/elasticsearch/k8s/main.tf
+++ b/terraform/elasticsearch/k8s/main.tf
@ -81,7 +81,7 @@ resource "kubernetes_stateful_set" "elasticsearch" {
        }

        container {
-          name  = "elasticsearch"
+          name  = "main"
          image = "docker.elastic.co/elasticsearch/elasticsearch:6.5.0"

          env {
--- a/terraform/router/k8s/main.tf
+++ b/terraform/router/k8s/main.tf
@ -77,6 +77,11 @@ resource "kubernetes_deployment" "router" {
  metadata {
    namespace = var.namespace
    name      = "router"
+
+    labels = {
+      service = "router"
+      system  = "convox"
+    }
  }

  spec {
--- a/terraform/system/gcp/main.tf
+++ b/terraform/system/gcp/main.tf
@ -3,11 +3,17 @@ terraform {
 }

 provider "google" {
-  version = "~> 2.18"
+  version = "~> 2.19"
+
+  project = module.project.id
+  region  = module.project.region
 }

 provider "google-beta" {
-  version = "~> 2.18"
+  version = "~> 2.19"
+
+  project = module.project.id
+  region  = module.project.region
 }

 provider "http" {
@ -27,10 +33,6 @@ provider "kubernetes" {

 module "project" {
  source = "./project"
-
-  providers = {
-    google = google
-  }
 }

 data "http" "releases" {
@ -52,7 +54,6 @@ module "cluster" {

  name      = var.name
  node_type = var.node_type
-  services  = module.project.services
 }

 module "rack" {
--- a/terraform/system/gcp/project/main.tf
+++ b/terraform/system/gcp/project/main.tf
@ -1,28 +1,44 @@
 provider "google" {
  version = "~> 2.18"
+
+  alias = "direct"
+}
+
+data "google_client_config" "current" {
+  provider = google.direct
 }

 resource "google_project_service" "cloudresourcemanager" {
+  provider = google.direct
+
  disable_on_destroy = false
  service            = "cloudresourcemanager.googleapis.com"
 }

 resource "google_project_service" "compute" {
+  provider = google.direct
+
  disable_on_destroy = false
  service            = "compute.googleapis.com"
 }

 resource "google_project_service" "container" {
+  provider = google.direct
+
  disable_on_destroy = false
  service            = "container.googleapis.com"
 }

 resource "google_project_service" "iam" {
+  provider = google.direct
+
  disable_on_destroy = false
  service            = "iam.googleapis.com"
 }

 resource "google_project_service" "redis" {
+  provider = google.direct
+
  disable_on_destroy = false
  service            = "redis.googleapis.com"
 }
--- a/terraform/system/gcp/project/outputs.tf
+++ b/terraform/system/gcp/project/outputs.tf
@ -1,4 +1,4 @@
-output "services" {
+output "id" {
  depends_on = [
    google_project_service.cloudresourcemanager,
    google_project_service.compute,
@ -7,5 +7,17 @@ output "services" {
    google_project_service.redis,
  ]

-  value = "services"
+  value = data.google_client_config.current.project
+}
+
+output "region" {
+  depends_on = [
+    google_project_service.cloudresourcemanager,
+    google_project_service.compute,
+    google_project_service.container,
+    google_project_service.iam,
+    google_project_service.redis,
+  ]
+
+  value = data.google_client_config.current.region
 }