From 2a18ce78de3b0ce30909ef78b4dcb2349ca5fa98 Mon Sep 17 00:00:00 2001
From: Pierre Bastianelli
Date: Wed, 21 Feb 2024 13:18:49 -0800
Subject: [PATCH] chore: use the terraform chart
---
chart/cas-cif/Chart.yaml | 3 +
.../templates/terraform/terraform-apply.yaml | 78 --------------
.../terraform/terraform-modules.yaml | 13 ---
.../terraform/terraform-role-binding.yaml | 15 ---
.../templates/terraform/terraform-role.yaml | 21 ----
.../terraform/terraform-service-account.yaml | 7 --
chart/cas-cif/terraform/main.tf | 98 ------------------
chart/cas-cif/terraform/variables.tf | 33 -------
chart/cas-cif/values.yaml | 5 +
9 files changed, 8 insertions(+), 265 deletions(-)
delete mode 100644 chart/cas-cif/templates/terraform/terraform-apply.yaml
delete mode 100644 chart/cas-cif/templates/terraform/terraform-modules.yaml
delete mode 100644 chart/cas-cif/templates/terraform/terraform-role-binding.yaml
delete mode 100644 chart/cas-cif/templates/terraform/terraform-role.yaml
delete mode 100644 chart/cas-cif/templates/terraform/terraform-service-account.yaml
delete mode 100644 chart/cas-cif/terraform/main.tf
delete mode 100644 chart/cas-cif/terraform/variables.tf
diff --git a/chart/cas-cif/Chart.yaml b/chart/cas-cif/Chart.yaml
index 8a80b29d45..274ceb31ea 100644
--- a/chart/cas-cif/Chart.yaml
+++ b/chart/cas-cif/Chart.yaml
@@ -5,6 +5,9 @@ type: application
version: 0.1.0
appVersion: "0.1.0"
dependencies:
+ - name: terraform-bucket-provision
+ version: "0.1.2"
+ repository: https://bcgov.github.io/cas-pipeline/
- name: cas-airflow-dag-trigger
version: 1.0.7
repository: https://bcgov.github.io/cas-airflow
diff --git a/chart/cas-cif/templates/terraform/terraform-apply.yaml b/chart/cas-cif/templates/terraform/terraform-apply.yaml
deleted file mode 100644
index dce35d35ea..0000000000
--- a/chart/cas-cif/templates/terraform/terraform-apply.yaml
+++ /dev/null
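Review bot: The new `terraform-bucket-provision` dependency at `version: "0.1.2"` is resolved from a remote chart repository, but no Chart.lock appears in the diffstat, so nothing in this change pins the subchart to a recorded digest. Run `helm dependency update` and commit the resulting Chart.lock so the fetched chart is verified by digest instead of being re-resolved at build time. The deleted in-repo templates granted the terraform job a Role with every verb on `secrets`, mounted `gcp-credentials-secret`, and the deleted main.tf wrote GCP service-account private keys into Kubernetes secrets; the equivalent hooks, RBAC and secret handling now live inside the subchart and are not visible here, so it is worth confirming the 0.1.2 release scopes them no wider than the removed files did. A one-line comment above the entry such as `# provisions the GCS buckets and SA-key secrets formerly managed by templates/terraform/` would record why the dependency exists.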
@@ -1,78 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: terraform-apply
- labels:
- component: backend
- annotations:
- "helm.sh/hook": pre-install, pre-upgrade
- "helm.sh/hook-weight": "5"
- "helm.sh/hook-delete-policy": before-hook-creation
-spec:
- backoffLimit: 0
- activeDeadlineSeconds: 900
- template:
- spec:
- serviceAccountName: "terraform-kubernetes-service-account"
- containers:
- - name: terraform-apply
- resources: {{ toYaml .Values.devops.resources | nindent 12 }}
- image: "{{ .Values.devops.image.repository }}:{{ .Values.devops.sourceRepoImageTag | default .Values.devops.image.tag }}"
- imagePullPolicy: {{ .Values.devops.image.pullPolicy }}
- volumeMounts:
- - mountPath: /etc/gcp
- name: service-account-credentials-volume
- readOnly: True
- - mountPath: /etc/tf
- name: terraform-backend-config-volume
- readOnly: True
- - name: tf-working-dir
- mountPath: /working
- readOnly: False
- - name: terraform-modules
- mountPath: /terraform
- readOnly: False
- env:
- - name: TF_VAR_project_id
- valueFrom:
- secretKeyRef:
- name: gcp-credentials-secret
- key: gcp_project_id
- - name: TF_VAR_openshift_namespace
- value: {{ .Release.Namespace | quote }}
- - name: TF_VAR_apps
- value: '["cif-backups", "cif-documents"]'
- - name: kubernetes_host
- value: "https://api.silver.devops.gov.bc.ca:6443"
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: "/etc/gcp/credentials.json"
- # Terraform was having an issue pulling kubernetes_host in as a TF_VAR, so we add it as a attribute to the command
- command:
- /bin/sh
- -c
- |
- set -euo pipefail;
- cp -r /terraform/. /working;
- cd working;
- export TF_VAR_kubernetes_token=$( cat /var/run/secrets/kubernetes.io/serviceaccount/token );
- terraform init -backend-config=/etc/tf/gcs.tfbackend;
- terraform apply -var="kubernetes_host=$kubernetes_host" -auto-approve;
- restartPolicy: Never
- volumes:
- - name: service-account-credentials-volume
- secret:
- secretName: gcp-credentials-secret
- items:
- - key: sa_json
- path: credentials.json
- - name: terraform-backend-config-volume
- secret:
- secretName: gcp-credentials-secret
- items:
- - key: tf_backend
- path: gcs.tfbackend
- - name: tf-working-dir
- emptyDir: {}
- - name: terraform-modules
- configMap:
- name: terraform-modules
diff --git a/chart/cas-cif/templates/terraform/terraform-modules.yaml b/chart/cas-cif/templates/terraform/terraform-modules.yaml
deleted file mode 100644
index f343aeb44d..0000000000
--- a/chart/cas-cif/templates/terraform/terraform-modules.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: terraform-modules
- # Because terraform-apply.yaml is pre-install, pre-upgrade, this configmap needs to be in place before it
- annotations:
- "helm.sh/hook": pre-install, pre-upgrade
- "helm.sh/hook-weight": "-10"
-binaryData:
-{{- range $path, $data := .Files.Glob "terraform/**.tf" }}
-{{ $path | base | indent 2 }}: >-
-{{- $data | toString | b64enc | nindent 4 }}
-{{ end }}
diff --git a/chart/cas-cif/templates/terraform/terraform-role-binding.yaml b/chart/cas-cif/templates/terraform/terraform-role-binding.yaml
deleted file mode 100644
index ecd60a354e..0000000000
--- a/chart/cas-cif/templates/terraform/terraform-role-binding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: "terraform-kubernetes-service-account-secret-admin-binding"
- annotations:
- "helm.sh/hook": pre-install, pre-upgrade
- "helm.sh/hook-weight": "-5"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: "terraform-secret-admin"
-subjects:
- - kind: ServiceAccount
- name: "terraform-kubernetes-service-account"
- namespace: {{ .Release.Namespace }}
diff --git a/chart/cas-cif/templates/terraform/terraform-role.yaml b/chart/cas-cif/templates/terraform/terraform-role.yaml
deleted file mode 100644
index 2410006e13..0000000000
--- a/chart/cas-cif/templates/terraform/terraform-role.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: "terraform-secret-admin"
- annotations:
- "helm.sh/hook": pre-install, pre-upgrade
- "helm.sh/hook-weight": "-10"
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs:
- [
- "create",
- "delete",
- "deletecollection",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- ]
diff --git a/chart/cas-cif/templates/terraform/terraform-service-account.yaml b/chart/cas-cif/templates/terraform/terraform-service-account.yaml
deleted file mode 100644
index d7ee980faa..0000000000
--- a/chart/cas-cif/templates/terraform/terraform-service-account.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "terraform-kubernetes-service-account"
- annotations:
- "helm.sh/hook": pre-install, pre-upgrade
- "helm.sh/hook-weight": "-10"
diff --git a/chart/cas-cif/terraform/main.tf b/chart/cas-cif/terraform/main.tf
deleted file mode 100644
index a0ad2584d1..0000000000
--- a/chart/cas-cif/terraform/main.tf
+++ /dev/null
@@ -1,98 +0,0 @@
-terraform {
- required_version = ">=1.4.6"
-
- required_providers {
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = "~> 2.23"
- }
- google = {
- source = "hashicorp/google"
- version = "~> 5.2.0"
- }
- }
-
- backend "gcs" {}
-}
-
-# Configure OCP infrastructure to setup the host and authentication token
-provider "kubernetes" {
- host = var.kubernetes_host
- token = var.kubernetes_token
-}
-
-# Configure GCP infrastructure to setup the credentials, default project and location (zone and/or region) for your resources
-provider "google" {
- project = var.project_id
- region = local.region
-}
-
-# Create GCS buckets
-resource "google_storage_bucket" "bucket" {
- for_each = { for v in var.apps : v => v }
- name = "${var.openshift_namespace}-${each.value}"
- location = local.region
-}
-
-# Create GCP service accounts for each GCS bucket
-resource "google_service_account" "account" {
- for_each = { for v in var.apps : v => v }
- account_id = "sa-${var.openshift_namespace}-${each.value}"
- display_name = "${var.openshift_namespace}-${each.value} Service Account"
- depends_on = [google_storage_bucket.bucket]
-}
-
-# Assign Storage Admin role for the corresponding service accounts
-resource "google_storage_bucket_iam_member" "admin" {
- for_each = { for v in var.apps : v => v }
- bucket = "${var.openshift_namespace}-${each.value}"
- role = "roles/storage.admin"
- member = "serviceAccount:${google_service_account.account[each.key].email}"
- depends_on = [google_service_account.account]
-}
-
-# Create viewer GCP service accounts for each GCS bucket
-resource "google_service_account" "viewer_account" {
- for_each = { for v in var.apps : v => v }
- account_id = "ro-${var.openshift_namespace}-${each.value}"
- display_name = "${var.openshift_namespace}-${each.value} Viewer Service Account"
- depends_on = [google_storage_bucket.bucket]
-}
-
-# Assign (manually created) Storage Viewer role for the corresponding service accounts
-resource "google_storage_bucket_iam_member" "viewer" {
- for_each = { for v in var.apps : v => v }
- bucket = "${var.openshift_namespace}-${each.value}"
- role = "projects/${var.project_id}/roles/${var.iam_storage_role_template_id}"
- member = "serviceAccount:${google_service_account.viewer_account[each.key].email}"
- depends_on = [google_service_account.viewer_account]
-}
-
-# Create keys for the service accounts
-resource "google_service_account_key" "key" {
- for_each = { for v in var.apps : v => v }
- service_account_id = google_service_account.account[each.key].name
-}
-
-# Create keys for the viewer service accounts
-resource "google_service_account_key" "viewer_key" {
- for_each = { for v in var.apps : v => v }
- service_account_id = google_service_account.viewer_account[each.key].name
-}
-
-resource "kubernetes_secret" "secret_sa" {
- for_each = { for v in var.apps : v => v }
- metadata {
- name = "gcp-${var.openshift_namespace}-${each.value}-service-account-key"
- namespace = var.openshift_namespace
- labels = {
- created-by = "Terraform"
- }
- }
-
- data = {
- "bucket_name" = "${var.openshift_namespace}-${each.value}"
- "credentials.json" = base64decode(google_service_account_key.key[each.key].private_key)
- "viewer_credentials.json" = base64decode(google_service_account_key.viewer_key[each.key].private_key)
- }
-}
diff --git a/chart/cas-cif/terraform/variables.tf b/chart/cas-cif/terraform/variables.tf
deleted file mode 100644
index d1919e69a1..0000000000
--- a/chart/cas-cif/terraform/variables.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Since variables could be overridden via environment variables, use local values to define immutable values
-locals {
- # The GCP region to create things in. https://cloud.google.com/compute/docs/regions-zones"
- region = "northamerica-northeast1" # Montreal
-}
-
-variable "project_id" {
- description = "The ID of the GCP project"
-}
-
-variable "kubernetes_host" {
- description = "The hostname of the OCP cluster"
-}
-
-variable "kubernetes_token" {
- description = "The authentication token of the OCP cluster"
-}
-
-variable "apps" {
- type = list(string)
- description = "The list of app names for the OCP project in a namespace"
-}
-
-variable "openshift_namespace" {
- type = string
- description = "The OCP project namespace"
-}
-
-variable "iam_storage_role_template_id" {
- type = string
- description = "ID for a custom IAM role template we manually created in GCP for Storage Viewers"
- default = "casStorageViewer"
-}
diff --git a/chart/cas-cif/values.yaml b/chart/cas-cif/values.yaml
index 0fd973fe93..7053289922 100644
--- a/chart/cas-cif/values.yaml
+++ b/chart/cas-cif/values.yaml
@@ -92,3 +92,8 @@ devops:
requests:
cpu: 100m
memory: 64Mi
+
+terraform-bucket-provision:
+ terraform:
+ namespace_apps: '["cif-backups", "cif-documents"]'
+
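Review bot: `namespace_apps: '["cif-backups", "cif-documents"]'` is a JSON list encoded as a YAML string, which mirrors the old `TF_VAR_apps` env value but is easy for the next editor to "fix" into a real YAML list and silently break; a comment above it such as `# JSON-encoded list of apps that each get a bucket; keep it a quoted string, not a YAML list` would prevent that. The removed job also hard-coded the OpenShift API host and mounted `gcp-credentials-secret` for the project id and GCS backend config, none of which is set in the new values, so presumably the subchart's own defaults cover them — worth confirming they resolve to this namespace's credentials. The values key `terraform-bucket-provision` must match the dependency name in Chart.yaml exactly for Helm to scope these values to the subchart, which it does here.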