From 60c21c498bbbcf91d920f6bd43e80ec3581335d4 Mon Sep 17 00:00:00 2001 
From: Gus Narea Date: Thu, 18 Jan 2024 22:01:42 +0000 Subject: [PATCH] Frankfurt: Clean up --- .github/workflows/ci.yml | 8 +- .terraformignore | 2 - LICENSE | 2 +- README.md | 2 - charts/README.md | 9 - charts/gateway-crds/Chart.yaml | 6 - charts/gateway-crds/templates/NOTES.txt | 1 - charts/gateway-crds/templates/_helpers.tpl | 8 - .../templates/cogrpc-backendconfig.yml | 11 - .../templates/managed-certificate.yml | 11 - charts/gateway-crds/values.yaml | 4 - charts/gateway-crds/values.yml.gotmpl | 7 - charts/gateway/values.yml.gotmpl | 237 ------------------ charts/helmfile.yaml | 44 ---- charts/nats/values.yml | 38 --- charts/scripts/_helmfile_hook_error.sh | 6 - charts/scripts/helmfile.sh | 38 --- charts/scripts/retrieve-secrets.sh | 19 -- charts/stan/values.yml.gotmpl | 42 ---- charts/values-testing.yml | 0 charts/values.yml | 1 - environments/README.md | 2 +- environments/_modules/cd_secret/README.md | 1 - environments/_modules/cd_secret/main.tf | 20 -- environments/_modules/cd_secret/outputs.tf | 7 - environments/_modules/cd_secret/variables.tf | 9 - .../_modules/gateway-serverless/dns.tf | 68 ----- .../_modules/gateway-serverless/gateway.tf | 33 --- .../_modules/gateway-serverless/mongodb.tf | 36 --- .../_modules/gateway-serverless/monitoring.tf | 60 ----- .../_modules/gateway-serverless/variables.tf | 20 -- .../{gateway-serverless => gateway}/README.md | 0 environments/_modules/gateway/dns.tf | 45 ++-- environments/_modules/gateway/gateway.tf | 45 ++-- environments/_modules/gateway/gcb.tf | 216 ---------------- environments/_modules/gateway/gcb_builders.tf | 104 -------- environments/_modules/gateway/gcp.tf | 2 - environments/_modules/gateway/gcp_services.tf | 47 ---- environments/_modules/gateway/gcs.tf | 36 --- environments/_modules/gateway/gke.tf | 156 ------------ environments/_modules/gateway/keystores.tf | 89 ------- environments/_modules/gateway/main.tf | 27 +- environments/_modules/gateway/mongodb.tf | 78 ++---- 
environments/_modules/gateway/monitoring.tf | 71 ++---- environments/_modules/gateway/networking.tf | 24 -- .../outputs.tf | 0 environments/_modules/gateway/postgresql.tf | 60 ----- .../services.tf | 0 environments/_modules/gateway/stan.tf | 24 -- environments/_modules/gateway/variables.tf | 70 +----- environments/_modules/gateway/versions.tf | 17 -- environments/belgium/gateway.tf | 2 +- environments/frankfurt/.terraform.lock.hcl | 75 ------ environments/frankfurt/README.md | 5 - environments/frankfurt/main.tf | 27 -- environments/frankfurt/providers.tf | 10 - environments/frankfurt/variables.tf | 6 - environments/frankfurt/versions.tf | 21 -- .../gcb-helmfile-set-versions.sh | 20 -- .../environment_workspace}/main.tf | 0 .../mongodb.tf | 0 tf-modules/environment_workspace/tfe.tf | 25 ++ .../README.md | 9 - .../serverless_environment_workspace/gcp.tf | 55 ---- .../serverless_environment_workspace/main.tf | 7 - .../outputs.tf | 3 - .../serverless_environment_workspace/tfe.tf | 96 ------- .../variables.tf | 37 --- tf-workspace/dns.tf | 13 - tf-workspace/environments.tf | 2 +- 70 files changed, 130 insertions(+), 2146 deletions(-) delete mode 100644 charts/README.md delete mode 100644 charts/gateway-crds/Chart.yaml delete mode 100644 charts/gateway-crds/templates/NOTES.txt delete mode 100644 charts/gateway-crds/templates/_helpers.tpl delete mode 100644 charts/gateway-crds/templates/cogrpc-backendconfig.yml delete mode 100644 charts/gateway-crds/templates/managed-certificate.yml delete mode 100644 charts/gateway-crds/values.yaml delete mode 100644 charts/gateway-crds/values.yml.gotmpl delete mode 100644 charts/gateway/values.yml.gotmpl delete mode 100644 charts/helmfile.yaml delete mode 100644 charts/nats/values.yml delete mode 100644 charts/scripts/_helmfile_hook_error.sh delete mode 100755 charts/scripts/helmfile.sh delete mode 100755 charts/scripts/retrieve-secrets.sh delete mode 100644 charts/stan/values.yml.gotmpl delete mode 100644 charts/values-testing.yml 
delete mode 100644 charts/values.yml delete mode 100644 environments/_modules/cd_secret/README.md delete mode 100644 environments/_modules/cd_secret/main.tf delete mode 100644 environments/_modules/cd_secret/outputs.tf delete mode 100644 environments/_modules/cd_secret/variables.tf delete mode 100644 environments/_modules/gateway-serverless/dns.tf delete mode 100644 environments/_modules/gateway-serverless/gateway.tf delete mode 100644 environments/_modules/gateway-serverless/mongodb.tf delete mode 100644 environments/_modules/gateway-serverless/monitoring.tf delete mode 100644 environments/_modules/gateway-serverless/variables.tf rename environments/_modules/{gateway-serverless => gateway}/README.md (100%) delete mode 100644 environments/_modules/gateway/gcb.tf delete mode 100644 environments/_modules/gateway/gcb_builders.tf delete mode 100644 environments/_modules/gateway/gcp.tf delete mode 100644 environments/_modules/gateway/gcp_services.tf delete mode 100644 environments/_modules/gateway/gcs.tf delete mode 100644 environments/_modules/gateway/gke.tf delete mode 100644 environments/_modules/gateway/keystores.tf delete mode 100644 environments/_modules/gateway/networking.tf rename environments/_modules/{gateway-serverless => gateway}/outputs.tf (100%) delete mode 100644 environments/_modules/gateway/postgresql.tf rename environments/_modules/{gateway-serverless => gateway}/services.tf (100%) delete mode 100644 environments/_modules/gateway/stan.tf delete mode 100644 environments/_modules/gateway/versions.tf delete mode 100644 environments/frankfurt/.terraform.lock.hcl delete mode 100644 environments/frankfurt/README.md delete mode 100644 environments/frankfurt/main.tf delete mode 100644 environments/frankfurt/providers.tf delete mode 100644 environments/frankfurt/variables.tf delete mode 100644 environments/frankfurt/versions.tf delete mode 100755 gcb-builder-scripts/gcb-helmfile-set-versions.sh rename {environments/_modules/gateway-serverless => 
tf-modules/environment_workspace}/main.tf (100%) rename tf-modules/{serverless_environment_workspace => environment_workspace}/mongodb.tf (100%) delete mode 100644 tf-modules/serverless_environment_workspace/README.md delete mode 100644 tf-modules/serverless_environment_workspace/gcp.tf delete mode 100644 tf-modules/serverless_environment_workspace/main.tf delete mode 100644 tf-modules/serverless_environment_workspace/outputs.tf delete mode 100644 tf-modules/serverless_environment_workspace/tfe.tf delete mode 100644 tf-modules/serverless_environment_workspace/variables.tf
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 616a37e9..5cf2a063 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,14 @@ on: branches: [main] jobs:
- ci:
+ ci-main:
 uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main with: path: tf-workspace terraform_version: 1.1.2
+
+ ci-belgium:
+ uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+ with:
+ path: environments/belgium
+ terraform_version: 1.6.6
diff --git a/.terraformignore b/.terraformignore
index 95d690d3..cef95d44 100644
--- a/.terraformignore
+++ b/.terraformignore
@@ -1,5 +1,3 @@ .idea/ .git/ .github/
-charts/
-gcb-builder-scripts/
diff --git a/LICENSE b/LICENSE
index 23b9c000..61b54636 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@ MIT License
-Copyright (c) 2020-2022 Relaycorp, Inc.
+Copyright (c) 2020-2024 Relaycorp, Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index f437b4a5..acaecce9 100644
--- a/README.md
+++ b/README.md
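Review bot: The new `ci-belgium` job pulls the reusable workflow from a mutable branch ref, `relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main`, so any commit landing on that branch runs against this repository's Terraform code and its CI credentials with no change reviewed here; the pre-existing `ci-main` job has the same reference, and this hunk doubles the exposure rather than reducing it. Pin both `uses:` lines to a release tag or, preferably, a full commit SHA, e.g. `uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@<pinned-commit-sha>` (placeholder), and let a dependency updater bump the pin. The two jobs also run different Terraform versions (`1.1.2` for `tf-workspace`, `1.6.6` for `environments/belgium`); a short comment on `ci-main` saying why that workspace stays on the older version would save the next reader from "fixing" it. The `on:` block this hunk belongs to starts before the hunk.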
@@ -4,8 +4,6 @@ This repository contains the code and configuration for the cloud and Kubernetes The cloud resources are defined in Terraform modules managed on Terraform Cloud. Shared resources can be found in [`tf-workspace/`](./tf-workspace), whilst environment-specific resources can be found under [`environments/`](./environments). -The Kubernetes resources are defined in Helm charts ([`charts/`](./charts)), which are automatically deployed by Google Cloud Build. - # Architecture Gateways are entirely hosted on Google Cloud Platform (GCP). Each instance is deployed to a highly-available, independent environment under its own GCP project. The following diagram offers a simplified view of the key cloud and Kubernetes resources in each environment: diff --git a/charts/README.md b/charts/README.md deleted file mode 100644 index e1809a6e..00000000 --- a/charts/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Helm charts - -This directory contains the Helm chart configuration for each Kubernetes-based service under our control. Charts are released together using [Helmfile](https://github.com/roboll/helmfile). Changes to this directory in the `main` branch will be deployed automatically by [Google Cloud Build](https://cloud.google.com/cloud-build/). - -We currently manage the following services in Kubernetes: - -- [NATS](./nats). -- [NATS Streaming (aka Stan)](./stan). -- [Relaynet-Internet Gateway](./gateway) and [its CRDs](./gateway-crds). diff --git a/charts/gateway-crds/Chart.yaml b/charts/gateway-crds/Chart.yaml deleted file mode 100644 index fbb8c86e..00000000 --- a/charts/gateway-crds/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: gateway-crds -description: CRDs for the Relaynet-Internet Gateway on GCP -type: application -version: 1.0.0 -appVersion: 1.0.0 diff --git a/charts/gateway-crds/templates/NOTES.txt b/charts/gateway-crds/templates/NOTES.txt deleted file mode 100644 index 529b7e68..00000000 
--- a/charts/gateway-crds/templates/NOTES.txt +++ /dev/null @@ -1 +0,0 @@ -You're good to go! diff --git a/charts/gateway-crds/templates/_helpers.tpl b/charts/gateway-crds/templates/_helpers.tpl deleted file mode 100644 index 89aa27e4..00000000 --- a/charts/gateway-crds/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{/* -Common labels -*/}} -{{- define "gateway-crds.labels" -}} -app.kubernetes.io/name: gateway-crds -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} diff --git a/charts/gateway-crds/templates/cogrpc-backendconfig.yml b/charts/gateway-crds/templates/cogrpc-backendconfig.yml deleted file mode 100644 index 30d199d9..00000000 --- a/charts/gateway-crds/templates/cogrpc-backendconfig.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: cloud.google.com/v1 -kind: BackendConfig -metadata: - name: cogrpc - labels: - project: {{ .Values.gcpProjectId | quote }} - {{- include "gateway-crds.labels" . | nindent 4 }} -spec: - healthCheck: - type: HTTP - port: 8082 diff --git a/charts/gateway-crds/templates/managed-certificate.yml b/charts/gateway-crds/templates/managed-certificate.yml deleted file mode 100644 index fc7f12ea..00000000 --- a/charts/gateway-crds/templates/managed-certificate.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: networking.gke.io/v1beta2 -kind: ManagedCertificate -metadata: - name: {{ .Values.managedCertificate.name | quote }} - labels: - {{- include "gateway-crds.labels" . | nindent 4 }} -spec: - domains: - {{- range (sortAlpha .Values.managedCertificate.domains) }} - - {{ . }} - {{- end }} diff --git a/charts/gateway-crds/values.yaml b/charts/gateway-crds/values.yaml deleted file mode 100644 index a24bc3f9..00000000 --- a/charts/gateway-crds/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -gcpProjectId: -managedCertificate: - name: - domains: [] 
diff --git a/charts/gateway-crds/values.yml.gotmpl b/charts/gateway-crds/values.yml.gotmpl deleted file mode 100644 index aec2812c..00000000 --- a/charts/gateway-crds/values.yml.gotmpl +++ /dev/null @@ -1,7 +0,0 @@ -gcpProjectId: {{ requiredEnv "CLOUDSDK_CORE_PROJECT" | quote }} -managedCertificate: - name: {{ requiredEnv "GW_MANAGED_CERT_NAME" | quote }} - domains: - - {{ requiredEnv "GW_POWEB_DOMAIN" | quote }} - - {{ requiredEnv "GW_POHTTP_DOMAIN" | quote }} - - {{ requiredEnv "GW_COGRPC_DOMAIN" | quote }} diff --git a/charts/gateway/values.yml.gotmpl b/charts/gateway/values.yml.gotmpl deleted file mode 100644 index 729b7f84..00000000 --- a/charts/gateway/values.yml.gotmpl +++ /dev/null 
@@ -1,237 +0,0 @@ -#image: -# repository: relaycorp/gateway-test -# tag: debug2308-03 - -fullnameOverride: public-gateway - -internetAddress: {{ requiredEnv "GW_INTERNET_ADDRESS" | quote }} -gatewayKeyId: {{ requiredEnv "GW_KEY_ID_B64" | quote }} - -logging: - level: debug - target: gcp - envName: {{ requiredEnv "ENVIRONMENT_NAME" }}-gateway - -proxyRequestIdHeader: X-Cloud-Trace-Context - -ingress: - enabled: true - annotations: - kubernetes.io/ingress.allow-http: "false" - kubernetes.io/ingress.global-static-ip-name: {{ requiredEnv "GW_GLOBAL_IP_NAME" | quote }} - networking.gke.io/managed-certificates: {{ requiredEnv "GW_MANAGED_CERT_NAME" | quote }} - serviceDomains: - poweb: {{ requiredEnv "GW_POWEB_DOMAIN" | quote }} - pohttp: {{ requiredEnv "GW_POHTTP_DOMAIN" | quote }} - cogrpc: {{ requiredEnv "GW_COGRPC_DOMAIN" | quote }} - -service: - annotations: - cloud.google.com/neg: '{"ingress": true}' - type: NodePort - -poweb: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ poweb ] - topologyKey: "kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ poweb ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 - replicas: 3 - resources: - requests: - cpu: 250m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -pohttp: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ pohttp ] - topologyKey: 
"kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ pohttp ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 - replicas: 3 - resources: - requests: - cpu: 250m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -cogrpc: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ cogrpc ] - topologyKey: "kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ cogrpc ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 - serviceAnnotations: - cloud.google.com/app-protocols: '{"cogrpc":"HTTP2"}' - service.alpha.kubernetes.io/app-protocols: '{"cogrpc":"HTTP2"}' - cloud.google.com/neg: '{"ingress": true}' - beta.cloud.google.com/backend-config: '{"ports":{"cogrpc":"cogrpc"}, "default": "cogrpc"}' - replicas: 3 - resources: - requests: - cpu: 250m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -pdcQueue: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ pdcout ] - topologyKey: "kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - 
operator: In - values: [ pdcout ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 - replicas: 3 - resources: - requests: - cpu: 30m - memory: 200Mi - limits: - cpu: 50m - memory: 250Mi - -crcQueue: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ crcin ] - topologyKey: "kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [ relaynet-internet-gateway ] - - key: app.kubernetes.io/component - operator: In - values: [ crcin ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 - replicas: 6 - resources: - requests: - cpu: 20m - memory: 64Mi - limits: - cpu: 30m - memory: 80Mi - -serviceAccountAnnotations: - iam.gke.io/gcp-service-account: {{ requiredEnv "GW_GCP_SERVICE_ACCOUNT" | quote }} - -# Backing services - -objectStore: - backend: gcs - bucket: {{ requiredEnv "GW_MESSAGES_BUCKET" | quote }} - -keystore: - adapter: gcp - location: {{ requiredEnv "CLOUDSDK_COMPUTE_REGION" | quote }} - kmsKeyring: {{ requiredEnv "GW_KS_KEYRING" | quote }} - kmsIdKey: {{ requiredEnv "GW_KS_ID_KEY" | quote }} - kmsSessionEncryptionKey: {{ requiredEnv "GW_KS_SESSION_ENC_KEY" | quote }} - -mongo: - uri: '{{ requiredEnv "GW_MONGODB_CONNECTION_URI" }}/?retryWrites=true&w=majority' - db: {{ requiredEnv "GW_MONGODB_DB_NAME" | quote }} - user: {{ requiredEnv "GW_MONGODB_USER_NAME" | quote }} - password: {{ readFile "/workspace/secrets/gw-mongodb-password" | quote }} - -nats: - serverUrl: nats://nats:4222 - clusterId: stan diff --git a/charts/helmfile.yaml b/charts/helmfile.yaml deleted file mode 100644 index 80c041cd..00000000 --- a/charts/helmfile.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -repositories: - - name: nats - url: https://nats-io.github.io/k8s/helm/charts - - name: relaycorp - url: https://h.cfcr.io/relaycorp/public - -helmDefaults: - wait: true - -releases: - - name: stan - chart: nats/stan - version: 0.7.4 - values: - - stan/values.yml.gotmpl - labels: - tier: backingService - - name: nats - chart: nats/nats - version: 0.7.5 - values: - - nats/values.yml - labels: - tier: backingService - - - name: gateway-crds - chart: ./gateway-crds - values: - - gateway-crds/values.yml.gotmpl - - - name: gateway - chart: relaycorp/relaynet-internet-gateway - version: "{{ .Values.gatewayVersion }}" - values: - - gateway/values.yml.gotmpl - -environments: - production: - values: - - values.yml - testing: - values: - - values.yml - - values-testing.yml diff --git a/charts/nats/values.yml b/charts/nats/values.yml deleted file mode 100644 index 92a00757..00000000 --- a/charts/nats/values.yml +++ /dev/null @@ -1,38 +0,0 @@ -nameOverride: nats -nats: - terminationGracePeriodSeconds: 30 - resources: - requests: - cpu: 200m - memory: 64Mi - limits: - cpu: 300m - memory: 100Mi -cluster: - enabled: true -natsbox: - enabled: false - -securityContext: - fsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true -affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: [ nats ] - topologyKey: "kubernetes.io/hostname" - weight: 80 - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: [ nats ] - topologyKey: "topology.kubernetes.io/zone" - weight: 100 diff --git a/charts/scripts/_helmfile_hook_error.sh b/charts/scripts/_helmfile_hook_error.sh deleted file mode 100644 index a5ce61af..00000000 --- a/charts/scripts/_helmfile_hook_error.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -if [[ -f /tmp/failed-helmfile-hooks ]]; then - echo "A helmfile hook has already failed" >&2 - exit 1 -fi - -trap '(( $? != 0 )) && echo "${BASH_SOURCE[0]}" >> /tmp/failed-helmfile-hooks' INT TERM EXIT diff --git a/charts/scripts/helmfile.sh b/charts/scripts/helmfile.sh deleted file mode 100755 index 1bf9fc69..00000000 --- a/charts/scripts/helmfile.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -# Bypass the helmfile wrapper in the community builder with something reliable. -# Works around https://github.com/GoogleCloudPlatform/cloud-builders-community/pull/462 -# and other issues. - -set -o nounset -set -o errexit -set -o pipefail - -# Configuration - -HELM_DIFF_VERSION="3.1.3" - -# Main - -# Make `gcloud` available where the kube config expects to find it -mkdir -p /usr/lib/google-cloud-sdk/bin -ln -s /builder/google-cloud-sdk/bin/gcloud /usr/lib/google-cloud-sdk/bin/gcloud - -if helm plugin list | grep -E '^diff\s' --quiet; then - echo "Helm Diff is already installed (presumably because ${BASH_SOURCE[0]} was run earlier)" -else - echo "Installing Helm Diff..." - helm plugin install https://github.com/databus23/helm-diff --version "${HELM_DIFF_VERSION}" \ - >>/dev/null -fi - -helmfile "$@" - -# helmfile ignores hook errors so we have to implement our own error handling :( -# See: https://github.com/roboll/helmfile/issues/1272 and -# https://github.com/roboll/helmfile/issues/764 -if [[ -f /tmp/failed-helmfile-hooks ]]; then - echo "The following helmfile hooks failed:" >&2 - cat >&2 < /tmp/failed-helmfile-hooks - exit 1 -fi diff --git a/charts/scripts/retrieve-secrets.sh b/charts/scripts/retrieve-secrets.sh deleted file mode 100755 index b03a91e0..00000000 --- a/charts/scripts/retrieve-secrets.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/bash -set -o nounset -set -o errexit -set -o pipefail - -# Constants and functions - -retrieve_secret_version() { - local secret_version="$1" - - gcloud secrets versions access "${secret_version}" -} - -# Main - -mkdir secrets -cd secrets -retrieve_secret_version "${STAN_DB_PASSWORD_SECRET_VERSION}" >stan-db-password -retrieve_secret_version "${GW_MONGODB_PASSWORD_SECRET_VERSION}" >gw-mongodb-password diff --git a/charts/stan/values.yml.gotmpl b/charts/stan/values.yml.gotmpl deleted file mode 100644 index 306eab12..00000000 --- a/charts/stan/values.yml.gotmpl +++ /dev/null @@ -1,42 +0,0 @@ -nameOverride: stan -stan: - replicas: 3 - nats: - url: nats://nats:4222 -store: - type: sql - ft: - group: gateway - sql: - driver: postgres - initdb: - enabled: true - image: postgres:12 - dbHost: {{ requiredEnv "STAN_DB_HOST" | quote }} - dbName: {{ requiredEnv "STAN_DB_NAME" | quote }} - dbUser: {{ requiredEnv "STAN_DB_USER" | quote }} - dbPassword: {{ readFile "/workspace/secrets/stan-db-password" | quote }} - source: host={{ requiredEnv "STAN_DB_HOST" }} dbname={{ requiredEnv "STAN_DB_NAME" }} user={{ requiredEnv "STAN_DB_USER" }} password={{ readFile "/workspace/secrets/stan-db-password" }} sslmode=require - limits: - max_bytes: 2KB - max_channels: 10000 - channels: - # See: https://docs.relaycorp.tech/relaynet-internet-gateway/architecture#nats-streaming - pdc-parcel.>: - max_age: 2160h # 90 days - internet-parcels: - max_age: 1h - crc-cargo: - max_bytes: 10MB - -securityContext: - fsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true -resources: - requests: - cpu: 200m - memory: 64Mi - limits: - cpu: 300m - memory: 100Mi diff --git a/charts/values-testing.yml b/charts/values-testing.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/values.yml b/charts/values.yml deleted file mode 100644 index e7ae2658..00000000 --- a/charts/values.yml +++ /dev/null @@ -1 +0,0 @@ -gatewayVersion: 3.2.4 
diff --git a/environments/README.md b/environments/README.md index eaff97f1..84b59d93 100644 --- a/environments/README.md +++ b/environments/README.md @@ -1,6 +1,6 @@ # Gateway environments -We currently manage one environment: [Frankfurt](./frankfurt). +We currently manage one environment: [Belgium](./belgium). ## Provision a new environment diff --git a/environments/_modules/cd_secret/README.md b/environments/_modules/cd_secret/README.md deleted file mode 100644 index 4518a577..00000000 --- a/environments/_modules/cd_secret/README.md +++ /dev/null @@ -1 +0,0 @@ -# Secret value to be read by a service account diff --git a/environments/_modules/cd_secret/main.tf b/environments/_modules/cd_secret/main.tf deleted file mode 100644 index 42261f70..00000000 --- a/environments/_modules/cd_secret/main.tf +++ /dev/null @@ -1,20 +0,0 @@ -resource "google_secret_manager_secret" "main" { - secret_id = var.secret_id - - replication { - automatic = true - } - - labels = var.gcp_labels -} - -resource "google_secret_manager_secret_version" "main" { - secret = google_secret_manager_secret.main.id - secret_data = var.secret_value -} - -resource "google_secret_manager_secret_iam_binding" "main" { - secret_id = google_secret_manager_secret.main.secret_id - role = "roles/secretmanager.secretAccessor" - members = ["serviceAccount:${var.accessor_service_account_email}"] -} diff --git a/environments/_modules/cd_secret/outputs.tf b/environments/_modules/cd_secret/outputs.tf deleted file mode 100644 index 1ae0945a..00000000 --- a/environments/_modules/cd_secret/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "secret_id" { - value = var.secret_id -} - -output "secret_version" { - value = google_secret_manager_secret_version.main.id -} diff --git a/environments/_modules/cd_secret/variables.tf b/environments/_modules/cd_secret/variables.tf deleted file mode 100644 index 09d2d572..00000000 --- a/environments/_modules/cd_secret/variables.tf +++ /dev/null 
@@ -1,9 +0,0 @@ -variable "secret_id" {} - -variable "secret_value" {} - -variable "accessor_service_account_email" {} - -variable "gcp_labels" { - type = object({}) -} diff --git a/environments/_modules/gateway-serverless/dns.tf b/environments/_modules/gateway-serverless/dns.tf deleted file mode 100644 index 9b79f825..00000000 --- a/environments/_modules/gateway-serverless/dns.tf +++ /dev/null 
@@ -1,68 +0,0 @@ -data "google_dns_managed_zone" "main" { - project = var.gcp_shared_infra_project_id - - name = var.gcp_dns_managed_zone -} - -resource "google_dns_record_set" "poweb" { - project = var.gcp_shared_infra_project_id - - name = "${var.instance_name}-poweb.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "A" - ttl = 300 - - rrdatas = [module.gateway.load_balancer_ip_address] -} - -resource "google_dns_record_set" "pohttp" { - project = var.gcp_shared_infra_project_id - - name = "${var.instance_name}-pohttp.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "A" - ttl = 300 - - rrdatas = [module.gateway.load_balancer_ip_address] -} - -resource "google_dns_record_set" "cogrpc" { - project = var.gcp_shared_infra_project_id - - name = "${var.instance_name}-cogrpc.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "A" - ttl = 300 - - rrdatas = [module.gateway.load_balancer_ip_address] -} - -resource "google_dns_record_set" "awala_gsc_srv" { - project = var.gcp_shared_infra_project_id - - name = "_awala-gsc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "SRV" - ttl = 300 - rrdatas = ["0 1 443 ${google_dns_record_set.poweb.name}"] -} - -resource "google_dns_record_set" "awala_pdc_srv" { - project = var.gcp_shared_infra_project_id - - name = "_awala-pdc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "SRV" - ttl = 300 - rrdatas = ["0 1 443 ${google_dns_record_set.pohttp.name}"] -} - -resource "google_dns_record_set" "awala_crc_srv" { - project = var.gcp_shared_infra_project_id - - name = "_awala-crc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = 
data.google_dns_managed_zone.main.name - type = "SRV" - ttl = 300 - rrdatas = ["0 1 443 ${google_dns_record_set.cogrpc.name}"] -} diff --git a/environments/_modules/gateway-serverless/gateway.tf b/environments/_modules/gateway-serverless/gateway.tf deleted file mode 100644 index 43b2a92d..00000000 --- a/environments/_modules/gateway-serverless/gateway.tf +++ /dev/null @@ -1,33 +0,0 @@ -module "gateway" { - source = "relaycorp/awala-gateway/google" - version = "1.5.6" - - project_id = var.gcp_project_id - region = var.gcp_region - - docker_image_tag = var.docker_image_tag - - sre_iam_uri = var.sre_iam_uri - - instance_name = var.instance_name - internet_address = "${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" - - // See https://github.com/relaycorp/cloud-gateway/issues/64 - parcel_retention_days = 2 - - pohttp_server_domain = google_dns_record_set.pohttp.name - - poweb_server_domain = google_dns_record_set.poweb.name - - cogrpc_server_domain = google_dns_record_set.cogrpc.name - cogrpc_server_min_instance_count = 0 # https://github.com/relaycorp/cloud-gateway/issues/96 - - mongodb_db = local.gateway_db_name - mongodb_password = random_password.mongodb_gateway_user_password.result - mongodb_uri = local.mongodb_uri - mongodb_user = mongodbatlas_database_user.gateway.username - - kms_protection_level = "HSM" - - depends_on = [time_sleep.wait_for_services] -} diff --git a/environments/_modules/gateway-serverless/mongodb.tf b/environments/_modules/gateway-serverless/mongodb.tf deleted file mode 100644 index 3d094e2d..00000000 --- a/environments/_modules/gateway-serverless/mongodb.tf +++ /dev/null 
@@ -1,36 +0,0 @@ -locals { - mongodb_uri = "${mongodbatlas_serverless_instance.main.connection_strings_standard_srv}/?retryWrites=true&w=majority" - gateway_db_name = "awala-gateway" -} - -resource "mongodbatlas_serverless_instance" "main" { - project_id = var.mongodbatlas_project_id - name = "gateway" - - provider_settings_backing_provider_name = "GCP" - provider_settings_provider_name = "SERVERLESS" - provider_settings_region_name = var.mongodbatlas_region -} - -resource "mongodbatlas_project_ip_access_list" "main" { - project_id = var.mongodbatlas_project_id - comment = "See https://github.com/relaycorp/cloud-gateway/issues/95" - cidr_block = "0.0.0.0/0" -} - -resource "mongodbatlas_database_user" "gateway" { - project_id = var.mongodbatlas_project_id - - username = "awala-gateway" - password = random_password.mongodb_gateway_user_password.result - auth_database_name = "admin" - - roles { - role_name = "readWrite" - database_name = local.gateway_db_name - } -} - -resource "random_password" "mongodb_gateway_user_password" { - length = 32 -} diff --git a/environments/_modules/gateway-serverless/monitoring.tf b/environments/_modules/gateway-serverless/monitoring.tf deleted file mode 100644 index 79388af5..00000000 --- a/environments/_modules/gateway-serverless/monitoring.tf +++ /dev/null 
@@ -1,60 +0,0 @@ -resource "google_project_iam_binding" "monitoring_viewer_sre" { - project = var.gcp_project_id - role = "roles/monitoring.viewer" - members = [var.sre_iam_uri] -} - -resource "google_project_iam_binding" "dashboard_viewer_sre" { - project = var.gcp_project_id - role = "roles/monitoring.dashboardViewer" - members = [var.sre_iam_uri] -} - -resource "google_monitoring_group" "main" { - display_name = "gateway" - - filter = "resource.metadata.tag.environment=\"${var.instance_name}\"" - - depends_on = [google_project_service.services] -} - -resource "google_monitoring_notification_channel" "sres_email" { - for_each = toset(var.alert_email_addresses) - - display_name = "Notify SREs (managed by Terraform workspace ${terraform.workspace})" - type = "email" - - labels = { - email_address = each.value - } - - depends_on = [google_project_service.services] -} - -module "poweb_lb_uptime" { - source = "../host_uptime_monitor" - - name = "gateway-${var.instance_name}-poweb" - host_name = google_dns_record_set.poweb.name - notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] - gcp_project_id = var.gcp_project_id -} - -module "pohttp_lb_uptime" { - source = "../host_uptime_monitor" - - name = "gateway-${var.instance_name}-pohttp" - host_name = google_dns_record_set.pohttp.name - notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] - gcp_project_id = var.gcp_project_id -} - -module "cogrpc_lb_uptime" { - source = "../host_uptime_monitor" - - name = "gateway-${var.instance_name}-cogrpc" - probe_type = "tcp" - host_name = google_dns_record_set.cogrpc.name - notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] - gcp_project_id = var.gcp_project_id -} diff --git a/environments/_modules/gateway-serverless/variables.tf b/environments/_modules/gateway-serverless/variables.tf deleted file mode 100644 index 901df1c5..00000000 
--- a/environments/_modules/gateway-serverless/variables.tf +++ /dev/null @@ -1,20 +0,0 @@ -variable "instance_name" {} - -variable "docker_image_tag" {} - -variable "sre_iam_uri" {} -variable "alert_email_addresses" { - type = list(string) -} - -variable "gcp_shared_infra_project_id" {} -variable "gcp_project_id" {} -variable "gcp_region" { - description = "Google region" -} -variable "gcp_dns_managed_zone" { - default = "relaycorp-services" -} - -variable "mongodbatlas_project_id" {} -variable "mongodbatlas_region" {} diff --git a/environments/_modules/gateway-serverless/README.md b/environments/_modules/gateway/README.md similarity index 100% rename from environments/_modules/gateway-serverless/README.md rename to environments/_modules/gateway/README.md diff --git a/environments/_modules/gateway/dns.tf b/environments/_modules/gateway/dns.tf index 11f98f8a..9b79f825 100644 --- a/environments/_modules/gateway/dns.tf +++ b/environments/_modules/gateway/dns.tf 
@@ -1,57 +1,46 @@ data "google_dns_managed_zone" "main" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = var.dns_managed_zone -} - -resource "google_dns_record_set" "status_page" { - project = var.shared_infra_gcp_project_id - - name = "${var.name}.${data.google_dns_managed_zone.main.dns_name}" - managed_zone = data.google_dns_managed_zone.main.name - type = "CNAME" - ttl = 300 - - rrdatas = ["stats.uptimerobot.com."] + name = var.gcp_dns_managed_zone } resource "google_dns_record_set" "poweb" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "poweb-${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "${var.instance_name}-poweb.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "A" ttl = 300 - rrdatas = [google_compute_global_address.managed_tls_cert.address] + rrdatas = [module.gateway.load_balancer_ip_address] } resource "google_dns_record_set" "pohttp" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "pohttp-${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "${var.instance_name}-pohttp.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "A" ttl = 300 - rrdatas = [google_compute_global_address.managed_tls_cert.address] + rrdatas = [module.gateway.load_balancer_ip_address] } resource "google_dns_record_set" "cogrpc" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "cogrpc-${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "${var.instance_name}-cogrpc.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "A" ttl = 300 - rrdatas = [google_compute_global_address.managed_tls_cert.address] + rrdatas = [module.gateway.load_balancer_ip_address] } resource 
"google_dns_record_set" "awala_gsc_srv" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "_awala-gsc._tcp.${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "_awala-gsc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "SRV" ttl = 300 @@ -59,9 +48,9 @@ resource "google_dns_record_set" "awala_gsc_srv" { } resource "google_dns_record_set" "awala_pdc_srv" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "_awala-pdc._tcp.${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "_awala-pdc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "SRV" ttl = 300 @@ -69,9 +58,9 @@ resource "google_dns_record_set" "awala_pdc_srv" { } resource "google_dns_record_set" "awala_crc_srv" { - project = var.shared_infra_gcp_project_id + project = var.gcp_shared_infra_project_id - name = "_awala-crc._tcp.${var.name}.${data.google_dns_managed_zone.main.dns_name}" + name = "_awala-crc._tcp.${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" managed_zone = data.google_dns_managed_zone.main.name type = "SRV" ttl = 300 diff --git a/environments/_modules/gateway/gateway.tf b/environments/_modules/gateway/gateway.tf index 3477e4ae..43b2a92d 100644 --- a/environments/_modules/gateway/gateway.tf +++ b/environments/_modules/gateway/gateway.tf 
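Review bot: The three A records `poweb`, `pohttp` and `cogrpc` on the new side of the first hunk differ only in the service label inside `name` and all resolve to `module.gateway.load_balancer_ip_address`, so one `for_each` resource keyed by that label would keep the hostname scheme and the shared target from drifting apart as services are added. The references elsewhere in the module (`google_dns_record_set.poweb.name` in gateway.tf and monitoring.tf) would then read `google_dns_record_set.services["poweb"].name`, and, if the Terraform version in use supports it, a `moved` block per record avoids re-creating the records in existing state. The SRV records are untouched by this. The first hunk ends inside `awala_gsc_srv`, whose body continues in the next hunk.
```hcl
# … unchanged: data "google_dns_managed_zone" "main" …

locals {
  # Service labels whose public hostnames all point at the gateway load balancer.
  gateway_a_records = toset(["poweb", "pohttp", "cogrpc"])
}

resource "google_dns_record_set" "services" {
  for_each = local.gateway_a_records

  project = var.gcp_shared_infra_project_id

  name         = "${var.instance_name}-${each.key}.${data.google_dns_managed_zone.main.dns_name}"
  managed_zone = data.google_dns_managed_zone.main.name
  type         = "A"
  ttl          = 300

  rrdatas = [module.gateway.load_balancer_ip_address]
}

# … unchanged: SRV records awala_gsc_srv, awala_pdc_srv, awala_crc_srv …
```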
@@ -1,26 +1,33 @@ -resource "random_id" "gateway_key_id" { - byte_length = 12 -} +module "gateway" { + source = "relaycorp/awala-gateway/google" + version = "1.5.6" -resource "google_service_account" "gateway" { - project = var.gcp_project_id + project_id = var.gcp_project_id + region = var.gcp_region - account_id = "gateway-app" - display_name = "GCP SA bound to K8S SA ${local.gateway.k8s.serviceAccount}" -} + docker_image_tag = var.docker_image_tag -resource "google_service_account_iam_member" "gateway_workload_identity" { - service_account_id = google_service_account.gateway.name - role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${local.workload_identity_pool}[${local.gateway.k8s.namespace}/${local.gateway.k8s.serviceAccount}]" + sre_iam_uri = var.sre_iam_uri - depends_on = [google_container_cluster.main] -} + instance_name = var.instance_name + internet_address = "${var.instance_name}.${data.google_dns_managed_zone.main.dns_name}" + + // See https://github.com/relaycorp/cloud-gateway/issues/64 + parcel_retention_days = 2 + + pohttp_server_domain = google_dns_record_set.pohttp.name + + poweb_server_domain = google_dns_record_set.poweb.name + + cogrpc_server_domain = google_dns_record_set.cogrpc.name + cogrpc_server_min_instance_count = 0 # https://github.com/relaycorp/cloud-gateway/issues/96 + + mongodb_db = local.gateway_db_name + mongodb_password = random_password.mongodb_gateway_user_password.result + mongodb_uri = local.mongodb_uri + mongodb_user = mongodbatlas_database_user.gateway.username -resource "google_service_account_iam_member" "gateway_workload_identity_keygen" { - service_account_id = google_service_account.gateway.name - role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${local.workload_identity_pool}[${local.gateway.k8s.namespace}/${local.gateway.k8s.serviceAccount}-keygen]" + kms_protection_level = "HSM" - depends_on = [google_container_cluster.main] + depends_on = [time_sleep.wait_for_services] } 
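Review bot: `internet_address`, `pohttp_server_domain`, `poweb_server_domain` and `cogrpc_server_domain` are passed to the module with the trailing dot that `google_dns_managed_zone.dns_name` and `google_dns_record_set.name` carry, whereas the removed main.tf built `internet_address` with `trimsuffix(..., ".")` and the removed gcb.tf trimmed the record names before handing them to the app. If `relaycorp/awala-gateway/google` does not strip the dot itself the gateway sees hostnames ending in `.`; that is worth confirming against the module, and if it does normalise, a one-line comment such as `# The module strips the trailing dot from these FQDNs` stops the next reader from re-adding trimsuffix. Separately, `kms_protection_level = "HSM"` is now fixed for every instance where the removed keystores.tf selected HSM only for production; if that is intended, a short comment stating the cost trade-off documents the decision. `time_sleep.wait_for_services` in `depends_on` is not defined in any file visible in this diff, so presumably it lives in a file outside this view.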
diff --git a/environments/_modules/gateway/gcb.tf b/environments/_modules/gateway/gcb.tf deleted file mode 100644 index 45e31ba1..00000000 --- a/environments/_modules/gateway/gcb.tf +++ /dev/null 
@@ -1,216 +0,0 @@ -locals { - gcb_service_account_email = "${data.google_project.main.number}@cloudbuild.gserviceaccount.com" - - gcb_gcloud_image = "gcr.io/google.com/cloudsdktool/cloud-sdk:319.0.0-slim" - - gcb = { - secret_retrieval_env = [ - "STAN_DB_PASSWORD_SECRET_VERSION=${module.stan_db_password.secret_version}", - - "GW_MONGODB_PASSWORD_SECRET_VERSION=${module.mongodb_password.secret_version}", - ] - - helmfile_env = [ - "CLOUDSDK_CORE_PROJECT=${var.gcp_project_id}", - "CLOUDSDK_COMPUTE_REGION=${var.gcp_region}", - - "ENVIRONMENT_NAME=${var.name}", - - "STAN_DB_HOST=${google_sql_database_instance.postgresql.private_ip_address}", - "STAN_DB_NAME=${google_sql_database.postgresql_stan.name}", - "STAN_DB_USER=${google_sql_user.postgresql_stan.name}", - - "GW_INTERNET_ADDRESS=${local.gateway.internet_address}", - "GW_KEY_ID_B64=${random_id.gateway_key_id.b64_std}", - "GW_MONGODB_CONNECTION_URI=${lookup(mongodbatlas_cluster.main.connection_strings[0], "private_srv")}", - "GW_MONGODB_DB_NAME=${local.mongodb_db_name}", - "GW_MONGODB_USER_NAME=${mongodbatlas_database_user.main.username}", - "GW_MONGODB_PASSWORD_SECRET_VERSION=${module.mongodb_password.secret_version}", - "GW_POWEB_DOMAIN=${trimsuffix(google_dns_record_set.poweb.name, ".")}", - "GW_POHTTP_DOMAIN=${trimsuffix(google_dns_record_set.pohttp.name, ".")}", - "GW_COGRPC_DOMAIN=${trimsuffix(google_dns_record_set.cogrpc.name, ".")}", - "GW_GLOBAL_IP_NAME=${google_compute_global_address.managed_tls_cert.name}", - "GW_MANAGED_CERT_NAME=gateway", - "GW_GCP_SERVICE_ACCOUNT=${google_service_account.gateway.email}", - "GW_MESSAGES_BUCKET=${google_storage_bucket.gateway_messages.name}", - "GW_KS_KEYRING=${google_kms_key_ring.keystores.name}", - "GW_KS_ID_KEY=${google_kms_crypto_key.awala_identity_keys.name}", - "GW_KS_SESSION_ENC_KEY=${google_kms_crypto_key.awala_session_keys.name}", - ] - } -} - -resource "google_project_iam_member" "gcb_editor" { - // Grants SREs permission to start and cancel builds - project = 
var.gcp_project_id - role = "roles/cloudbuild.builds.editor" - member = var.sre_iam_uri -} - -resource "google_cloudbuild_trigger" "gke_deployment" { - name = "gateway-gke-deployment" - description = "Deploy and configure Kubernetes resources in environment ${var.name}" - - github { - owner = var.github_repo.organisation - name = var.github_repo.name - push { - branch = "^${var.github_repo.branch}$" - } - } - - included_files = ["charts/**"] - ignored_files = var.type == "production" ? ["charts/values-testing.yml"] : [] - - build { - step { - id = "cluster-credentials-retrieval" - - name = local.gcb_gcloud_image - args = [ - "gcloud", - "container", - "clusters", - "get-credentials", - google_container_cluster.main.name, - ] - env = [ - "CLOUDSDK_CORE_PROJECT=${var.gcp_project_id}", - "CLOUDSDK_COMPUTE_REGION=${var.gcp_region}", - ] - } - - step { - id = "secrets-retrieval" - wait_for = ["cluster-credentials-retrieval"] - - name = local.gcb_gcloud_image - entrypoint = "bash" - args = ["charts/scripts/retrieve-secrets.sh"] - env = local.gcb.secret_retrieval_env - } - - step { - id = "helmfile-backing-services-apply" - wait_for = ["secrets-retrieval"] - - name = "gcr.io/$PROJECT_ID/helmfile" - dir = "charts" - entrypoint = "scripts/helmfile.sh" - args = ["--selector", "tier=backingService", "--environment", var.type, "apply"] - env = local.gcb.helmfile_env - } - - step { - id = "helmfile-apply" - wait_for = ["helmfile-backing-services-apply"] - - name = "gcr.io/$PROJECT_ID/helmfile" - dir = "charts" - entrypoint = "scripts/helmfile.sh" - args = ["--selector", "tier!=backingService", "--environment", var.type, "apply"] - env = local.gcb.helmfile_env - } - - logs_bucket = "gs://${google_storage_bucket.gcb_build_logs.name}/main" - } - - tags = [var.name] - - provider = google-beta -} - -resource "google_cloudbuild_trigger" "gke_deployment_preview" { - // This trigger should ideally be run with a limited service account. 
See: - // https://github.com/relaycorp/cloud-gateway/issues/16 - - name = "gateway-gke-deployment-preview" - description = "Preview a potential deployment to ${var.name}" - - github { - owner = var.github_repo.organisation - name = var.github_repo.name - pull_request { - branch = "^${var.github_repo.branch}$" - - # NEVER, EVER change this. It prevents PRs from external contributors from being triggered - # automatically. - comment_control = "COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY" - } - } - - included_files = ["charts/**"] - ignored_files = var.type == "production" ? ["charts/values-testing.yml"] : [] - - build { - step { - id = "cluster-credentials-retrieval" - - name = local.gcb_gcloud_image - args = [ - "gcloud", - "container", - "clusters", - "get-credentials", - google_container_cluster.main.name, - ] - env = [ - "CLOUDSDK_CORE_PROJECT=${var.gcp_project_id}", - "CLOUDSDK_COMPUTE_REGION=${var.gcp_region}", - ] - } - - step { - id = "secrets-retrieval" - wait_for = ["cluster-credentials-retrieval"] - - name = local.gcb_gcloud_image - entrypoint = "bash" - args = ["charts/scripts/retrieve-secrets.sh"] - env = local.gcb.secret_retrieval_env - } - - step { - id = "helmfile-diff" - wait_for = ["secrets-retrieval"] - - name = "gcr.io/$PROJECT_ID/helmfile" - dir = "charts" - entrypoint = "scripts/helmfile.sh" - args = ["--environment", var.type, "diff"] - env = local.gcb.helmfile_env - } - - logs_bucket = "gs://${google_storage_bucket.gcb_build_logs.name}/preview" - } - - tags = [var.name] - - provider = google-beta -} - -resource "random_id" "gcb_build_logs_bucket_suffix" { - byte_length = 3 -} - -resource "google_storage_bucket" "gcb_build_logs" { - name = "gateway-${var.name}-gcb-logs-${random_id.gcb_build_logs_bucket_suffix.hex}" - storage_class = "REGIONAL" - location = upper(var.gcp_region) - - uniform_bucket_level_access = true - - versioning { - enabled = false - } - - force_destroy = !var.prevent_destruction - - labels = local.gcp_resource_labels -} 
- -resource "google_storage_bucket_iam_member" "gcb_build_logs" { - bucket = google_storage_bucket.gcb_build_logs.name - role = "roles/storage.objectAdmin" - member = "serviceAccount:${local.gcb_service_account_email}" -} diff --git a/environments/_modules/gateway/gcb_builders.tf b/environments/_modules/gateway/gcb_builders.tf deleted file mode 100644 index 0e46cee0..00000000 --- a/environments/_modules/gateway/gcb_builders.tf +++ /dev/null 
@@ -1,104 +0,0 @@ -locals { - gcb_community_builders_repo = "https://github.com/GoogleCloudPlatform/cloud-builders-community.git" - gcb_community_builders_revision = "82588e81d18a0f2bd6fd1177257875d0601a542e" -} - -resource "google_cloudbuild_trigger" "gcb_builder_helmfile" { - name = "gcb-builder-helmfile" - - github { - owner = "relaycorp" - name = "cloud-gateway" - push { - branch = "^main$" - } - } - // Only run this manually - ignored_files = ["**"] - - build { - step { - id = "clone" - - name = "gcr.io/cloud-builders/git" - args = ["clone", local.gcb_community_builders_repo] - } - - step { - id = "checkout" - wait_for = ["clone"] - - name = "gcr.io/cloud-builders/git" - entrypoint = "bash" - args = [ - "-c", - "cd cloud-builders-community && git reset --hard $${_GIT_REVISION}", - ] - } - - step { - id = "upgrades" - wait_for = ["checkout"] - - name = "gcr.io/cloud-builders/git" - entrypoint = "bash" - args = [ - "gcb-builder-scripts/gcb-helmfile-set-versions.sh", - "cloud-builders-community/helmfile/cloudbuild.yaml", - ] - } - - step { - wait_for = ["upgrades"] - - name = "gcr.io/google.com/cloudsdktool/cloud-sdk:319.0.0-alpine" - entrypoint = "bash" - args = [ - "-o", - "nounset", - "-o", - "errexit", - "-o", - "pipefail", - "-c", - "cd cloud-builders-community/helmfile && gcloud builds submit .", - ] - } - - logs_bucket = "gs://${google_storage_bucket.gcb_builder_logs.name}/helmfile" - } - - substitutions = { - _GIT_REVISION = local.gcb_community_builders_revision - } - - provider = google-beta -} - -resource "random_id" "gcb_builder_logs_suffix" { - byte_length = 3 -} - -resource "google_storage_bucket" "gcb_builder_logs" { - name = "relaycorp-gcb-builder-logs-${random_id.gcb_builder_logs_suffix.hex}" - storage_class = "REGIONAL" - location = "europe-west2" - - uniform_bucket_level_access = true - - force_destroy = !var.prevent_destruction - - versioning { - enabled = false - } - - labels = { - stage : "deployment" - } -} - -resource 
"google_storage_bucket_iam_member" "gcb_builder_logs" { - bucket = google_storage_bucket.gcb_builder_logs.name - role = "roles/storage.objectAdmin" - member = "serviceAccount:${local.gcb_service_account_email}" -} diff --git a/environments/_modules/gateway/gcp.tf b/environments/_modules/gateway/gcp.tf deleted file mode 100644 index fc26931b..00000000 --- a/environments/_modules/gateway/gcp.tf +++ /dev/null @@ -1,2 +0,0 @@ -data "google_project" "main" { -} diff --git a/environments/_modules/gateway/gcp_services.tf b/environments/_modules/gateway/gcp_services.tf deleted file mode 100644 index 3aa2db6b..00000000 --- a/environments/_modules/gateway/gcp_services.tf +++ /dev/null 
@@ -1,47 +0,0 @@ -resource "google_project_service" "logging" { - project = data.google_project.main.id - service = "logging.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "compute" { - project = data.google_project.main.id - service = "compute.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "container" { - project = data.google_project.main.id - service = "container.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "cloudkms" { - project = data.google_project.main.id - service = "cloudkms.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "servicenetworking" { - project = data.google_project.main.id - service = "servicenetworking.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "sqladmin" { - project = data.google_project.main.id - service = "sqladmin.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "secretmanager" { - project = data.google_project.main.id - service = "secretmanager.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "cloudbuild" { - project = data.google_project.main.id - service = "cloudbuild.googleapis.com" - disable_dependent_services = true -} diff --git a/environments/_modules/gateway/gcs.tf b/environments/_modules/gateway/gcs.tf deleted file mode 100644 index a7e2d90c..00000000 --- a/environments/_modules/gateway/gcs.tf +++ /dev/null 
@@ -1,36 +0,0 @@ -resource "random_id" "gateway_messages_bucket_suffix" { - byte_length = 3 -} - -resource "google_storage_bucket" "gateway_messages" { - name = "gateway-${var.name}-messages-${random_id.gateway_messages_bucket_suffix.hex}" - storage_class = "REGIONAL" - location = upper(var.gcp_region) - - uniform_bucket_level_access = true - - versioning { - // Whilst the app may never use an older version of the message, we may find it useful to get - // those versions during troubleshooting. - enabled = true - } - - lifecycle_rule { - condition { - age = 2 // https://github.com/relaycorp/cloud-gateway/issues/64 - } - action { - type = "Delete" - } - } - - force_destroy = !var.prevent_destruction - - labels = local.gcp_resource_labels -} - -resource "google_storage_bucket_iam_member" "gateway_gcs_bucket" { - bucket = google_storage_bucket.gateway_messages.name - role = "roles/storage.objectAdmin" - member = "serviceAccount:${google_service_account.gateway.email}" -} diff --git a/environments/_modules/gateway/gke.tf b/environments/_modules/gateway/gke.tf deleted file mode 100644 index 877a3d93..00000000 --- a/environments/_modules/gateway/gke.tf +++ /dev/null 
@@ -1,156 +0,0 @@ -resource "google_project_iam_binding" "gke_developers" { - project = data.google_project.main.id - role = "roles/container.developer" - members = [var.sre_iam_uri, "serviceAccount:${local.gcb_service_account_email}"] -} - -resource "random_id" "gke_suffix" { - byte_length = 3 -} - -resource "google_container_cluster" "main" { - name = "gateway-${random_id.gke_suffix.hex}" - - # We can't create a cluster with no node pool defined, but we want to only use - # separately managed node pools. So we create the smallest possible default - # node pool and immediately delete it. - remove_default_node_pool = true - initial_node_count = 1 - - min_master_version = var.kubernetes_min_version - release_channel { - channel = "STABLE" - } - - maintenance_policy { - recurring_window { - # Only do maintenance in the mornings (UK time). - start_time = "2020-12-01T08:00:00Z" - end_time = "2020-12-01T12:00:00Z" - recurrence = "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR" - } - maintenance_exclusion { - start_time = "2021-12-24T00:00:00Z" - end_time = "2022-01-04T00:00:00Z" - exclusion_name = "No-drama Christmas and New Year" - } - } - - master_auth { - username = "" - password = "" - - client_certificate_config { - issue_client_certificate = false - } - } - - # Make cluster VPC-native (alias IP) so we can connect to GCP services - ip_allocation_policy {} - - workload_identity_config { - identity_namespace = local.workload_identity_pool - } - - network = google_compute_network.main.self_link - - location = var.gcp_region - - resource_labels = local.gcp_resource_labels - - provider = google-beta -} - -resource "random_id" "gke_pool_suffix" { - byte_length = 3 - - keepers = { - pool_instance_type = var.gke_instance_type - } -} - -resource "google_container_node_pool" "main" { - name = "gateway-${random_id.gke_pool_suffix.hex}" - location = google_container_cluster.main.location - cluster = google_container_cluster.main.name - node_count = 1 # Per availability zone - - node_config 
{ - machine_type = var.gke_instance_type - image_type = "COS_CONTAINERD" - disk_size_gb = 10 - - metadata = { - disable-legacy-endpoints = "true" - } - - workload_metadata_config { - node_metadata = "GKE_METADATA_SERVER" - } - - oauth_scopes = [ - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring", - ] - - labels = local.gcp_resource_labels - } - - management { - auto_repair = true - auto_upgrade = true # Required when using the REGULAR channel - } - - upgrade_settings { - max_surge = 3 - max_unavailable = 3 - } - - lifecycle { - create_before_destroy = true - } -} - -resource "google_project_iam_custom_role" "gke_limited_admin" { - project = var.gcp_project_id - - role_id = "gateway.gke_limited_admin" - title = "Limited permissions to manage the GKE cluster" - permissions = [ - "container.mutatingWebhookConfigurations.create", - "container.mutatingWebhookConfigurations.get", - "container.mutatingWebhookConfigurations.list", - "container.mutatingWebhookConfigurations.update", - "container.mutatingWebhookConfigurations.delete", - "container.clusterRoles.create", - "container.clusterRoles.get", - "container.clusterRoles.list", - "container.clusterRoles.bind", - "container.clusterRoles.update", - "container.clusterRoles.delete", - "container.clusterRoles.escalate", - "container.clusterRoleBindings.create", - "container.clusterRoleBindings.get", - "container.clusterRoleBindings.list", - "container.clusterRoleBindings.update", - "container.clusterRoleBindings.delete", - "container.roleBindings.create", - "container.roleBindings.get", - "container.roleBindings.list", - "container.roleBindings.update", - "container.roleBindings.delete", - "container.roles.create", - "container.roles.get", - "container.roles.list", - "container.roles.update", - "container.roles.delete", - "container.roles.bind", - "container.roles.escalate", - ] -} - -resource "google_project_iam_binding" "gke_limited_admin" { - role = 
google_project_iam_custom_role.gke_limited_admin.id - - members = ["serviceAccount:${local.gcb_service_account_email}"] -} diff --git a/environments/_modules/gateway/keystores.tf b/environments/_modules/gateway/keystores.tf deleted file mode 100644 index a10f601d..00000000 --- a/environments/_modules/gateway/keystores.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -// See https://docs.relaycorp.tech/awala-keystore-cloud-js/gcp - -locals { - kms_protection_level = var.type == "production" ? "HSM" : "SOFTWARE" -} - -// KMS - -resource "random_id" "kms_key_ring_suffix" { - byte_length = 3 -} - -resource "google_kms_key_ring" "keystores" { - project = var.gcp_project_id - - # Key rings can be deleted from the Terraform state but not GCP, so let's add a suffix in case - # we need to recreate it. - name = "gateway-keystores-${random_id.kms_key_ring_suffix.hex}" - - location = var.gcp_region -} - -resource "google_kms_crypto_key" "awala_identity_keys" { - name = "awala-identity-keys" - key_ring = google_kms_key_ring.keystores.self_link - purpose = "ASYMMETRIC_SIGN" - - skip_initial_version_creation = true - - version_template { - algorithm = "RSA_SIGN_PSS_2048_SHA256" - protection_level = local.kms_protection_level - } - - lifecycle { - prevent_destroy = false - } -} - -resource "google_kms_crypto_key" "awala_session_keys" { - name = "awala-session-keys" - key_ring = google_kms_key_ring.keystores.self_link - rotation_period = "2592000s" // 30 days - purpose = "ENCRYPT_DECRYPT" - - version_template { - algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION" - protection_level = local.kms_protection_level - } - - lifecycle { - prevent_destroy = false - } -} - -// IAM -// https://docs.relaycorp.tech/awala-keystore-cloud-js/gcp#iam-permissions - -resource "google_project_iam_custom_role" "keystore_kms_admin" { - project = var.gcp_project_id - - role_id = "gateway.keystore_kms_manager" - title = "Permissions to manage KMS resources related to the Awala keystore" - permissions = [ - "cloudkms.cryptoKeys.get", - "cloudkms.cryptoKeyVersions.create", - ] -} - -resource "google_project_iam_binding" "keystore_kms_admin" { - role = google_project_iam_custom_role.keystore_kms_admin.id - - members = ["serviceAccount:${google_service_account.gateway.email}"] - - condition { - title = "Limit app access to KMS key ring" - expression = 
"resource.name.startsWith(\"${google_kms_key_ring.keystores.id}\")" - } -} - -resource "google_project_iam_member" "keystore_kms_user" { - role = "roles/cloudkms.cryptoOperator" - member = "serviceAccount:${google_service_account.gateway.email}" - - condition { - title = "Limit app access to KMS key ring" - expression = "resource.name.startsWith(\"${google_kms_key_ring.keystores.id}\")" - } -} diff --git a/environments/_modules/gateway/main.tf b/environments/_modules/gateway/main.tf index 555fad2a..4443a7d6 100644 --- a/environments/_modules/gateway/main.tf +++ b/environments/_modules/gateway/main.tf @@ -1,26 +1,7 @@ -data "terraform_remote_state" "root" { - backend = "remote" - - config = { - organization = var.root_workspace.organization - workspaces = { - name = var.root_workspace.name +terraform { + required_providers { + mongodbatlas = { + source = "mongodb/mongodbatlas" } } } - -locals { - gateway = { - k8s = { - namespace = "default" - serviceAccount = "public-gateway" - } - internet_address = "${var.name}.${trimsuffix(data.google_dns_managed_zone.main.dns_name, ".")}" - } - - workload_identity_pool = "${data.google_project.main.project_id}.svc.id.goog" - - gcp_resource_labels = { - environment = var.name - } -} diff --git a/environments/_modules/gateway/mongodb.tf b/environments/_modules/gateway/mongodb.tf index c4b69abd..3d094e2d 100644 --- a/environments/_modules/gateway/mongodb.tf +++ b/environments/_modules/gateway/mongodb.tf 
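Review bot: The `mongodbatlas` entry in `required_providers` declares a `source` but no `version` constraint, so a `terraform init` without a committed `.terraform.lock.hcl` resolves the newest provider release, and a breaking provider change can alter the plan for `mongodbatlas_serverless_instance` and `mongodbatlas_project_ip_access_list` without any change in this repository. Add a pessimistic constraint next to `source`, e.g. `version = "~> <MAJOR.MINOR>"` (placeholder: pin to the release this was tested with), and make sure the lock file is tracked. The implicitly required `hashicorp/google` provider is not pinned in this file either; if the root module does not pin it, the same applies there.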
@@ -1,78 +1,36 @@ locals { - mongodb_db_name = "main" + mongodb_uri = "${mongodbatlas_serverless_instance.main.connection_strings_standard_srv}/?retryWrites=true&w=majority" + gateway_db_name = "awala-gateway" } -# Create one Atlas project per environment due to a limitation in GCP/Atlas peering connections -# which would prevent us from creating a second connection to the same Atlas project (all the -# clusters in the same Atlas project share the same GCP VPC, so trying to connect a second -# GCP VPC will fail because routes will clash). -resource "mongodbatlas_project" "main" { - name = "gateway-${var.name}" - org_id = var.mongodb_atlas_org_id -} - -resource "mongodbatlas_network_peering" "main" { - project_id = mongodbatlas_project.main.id - - container_id = mongodbatlas_cluster.main.container_id - atlas_cidr_block = "192.168.0.0/16" - - provider_name = "GCP" - gcp_project_id = var.gcp_project_id - network_name = google_compute_network.main.name -} - -resource "google_compute_network_peering" "mongodb_atlas" { - name = "gateway-mongodb-atlas" - network = google_compute_network.main.self_link - peer_network = "https://www.googleapis.com/compute/v1/projects/${mongodbatlas_network_peering.main.atlas_gcp_project_id}/global/networks/${mongodbatlas_network_peering.main.atlas_vpc_name}" -} - -resource "mongodbatlas_project_ip_whitelist" "gcp_vpc" { - project_id = mongodbatlas_project.main.id - cidr_block = "10.0.0.0/8" - comment = "Allow connections from GCP VPCs" -} - -resource "mongodbatlas_cluster" "main" { - project_id = mongodbatlas_project.main.id - +resource "mongodbatlas_serverless_instance" "main" { + project_id = var.mongodbatlas_project_id name = "gateway" - num_shards = 1 - replication_factor = 3 - provider_backup_enabled = true - auto_scaling_disk_gb_enabled = true - mongo_db_major_version = "4.4" + provider_settings_backing_provider_name = "GCP" + provider_settings_provider_name = "SERVERLESS" + provider_settings_region_name = var.mongodbatlas_region +} - 
provider_name = "GCP" - disk_size_gb = 10 - provider_instance_size_name = "M10" - provider_region_name = var.mongodb_atlas_region +resource "mongodbatlas_project_ip_access_list" "main" { + project_id = var.mongodbatlas_project_id + comment = "See https://github.com/relaycorp/cloud-gateway/issues/95" + cidr_block = "0.0.0.0/0" } -resource "mongodbatlas_database_user" "main" { - project_id = mongodbatlas_project.main.id +resource "mongodbatlas_database_user" "gateway" { + project_id = var.mongodbatlas_project_id - username = "gateway" - password = random_password.mongodb_user_password.result + username = "awala-gateway" + password = random_password.mongodb_gateway_user_password.result auth_database_name = "admin" roles { role_name = "readWrite" - database_name = local.mongodb_db_name + database_name = local.gateway_db_name } } -resource "random_password" "mongodb_user_password" { +resource "random_password" "mongodb_gateway_user_password" { length = 32 } - -module "mongodb_password" { - source = "../cd_secret" - - secret_id = "gateway-mongodb-connection-uri" - secret_value = random_password.mongodb_user_password.result - accessor_service_account_email = local.gcb_service_account_email - gcp_labels = local.gcp_resource_labels -} diff --git a/environments/_modules/gateway/monitoring.tf b/environments/_modules/gateway/monitoring.tf index bc547028..79388af5 100644 --- a/environments/_modules/gateway/monitoring.tf +++ b/environments/_modules/gateway/monitoring.tf 
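Review bot: `mongodbatlas_project_ip_access_list.main` admits `0.0.0.0/0`, which makes the serverless instance reachable from any source address, so the only remaining access control is the `awala-gateway` user's password (a `random_password` held in Terraform state); the previous `10.0.0.0/8` whitelist behind VPC peering goes away with this commit. The `comment` points at issue 95 but does not say this is an exception rather than the intended end state; I would make that explicit, e.g. `comment = "TEMPORARY: allows any source IP pending https://github.com/relaycorp/cloud-gateway/issues/95"`, so it is not read as deliberate design later. Given that exposure, restricting access to the state backend and rotating the user password matter more than before. One smaller point: `random_password` uses the default character classes, which can include characters that need URL-encoding if the module builds a connection URI by interpolating `mongodb_password`; `special = false` or an `override_special` set would sidestep that, presumably, so confirm how the module consumes the value.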
@@ -1,97 +1,60 @@ -resource "google_project_iam_binding" "monitoring_admin_sre" { - // TODO: Remove - role = "roles/monitoring.admin" - members = [var.sre_iam_uri] -} - resource "google_project_iam_binding" "monitoring_viewer_sre" { + project = var.gcp_project_id role = "roles/monitoring.viewer" members = [var.sre_iam_uri] } resource "google_project_iam_binding" "dashboard_viewer_sre" { + project = var.gcp_project_id role = "roles/monitoring.dashboardViewer" members = [var.sre_iam_uri] } -resource "google_project_iam_binding" "error_reporting_sre_access" { - role = "roles/errorreporting.user" - members = [var.sre_iam_uri] -} - resource "google_monitoring_group" "main" { display_name = "gateway" - filter = "resource.metadata.tag.environment=\"${var.name}\"" + filter = "resource.metadata.tag.environment=\"${var.instance_name}\"" + + depends_on = [google_project_service.services] } -resource "google_monitoring_notification_channel" "sre_email" { - for_each = toset(data.terraform_remote_state.root.outputs.sre_email_addresses) +resource "google_monitoring_notification_channel" "sres_email" { + for_each = toset(var.alert_email_addresses) + display_name = "Notify SREs (managed by Terraform workspace ${terraform.workspace})" type = "email" - display_name = each.value + labels = { email_address = each.value } + + depends_on = [google_project_service.services] } module "poweb_lb_uptime" { source = "../host_uptime_monitor" - name = "gateway-poweb" + name = "gateway-${var.instance_name}-poweb" host_name = google_dns_record_set.poweb.name - notification_channels = [for c in google_monitoring_notification_channel.sre_email : c.name] + notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] gcp_project_id = var.gcp_project_id } -// TODO: Restore when the following has been fixed: -// https://console.cloud.google.com/support/cases/detail/26799183?project=relaycorp-cloud-gateway -//resource "google_monitoring_custom_service" "poweb_deployment" 
{ -// display_name = "${local.env_full_name}-poweb-deployment" -// -// telemetry { -// resource_name = "//container.googleapis.com/projects/${var.gcp_project_id}/locations/${var.gcp_region}/clusters/${google_container_cluster.main.name}/k8s/namespaces/default/apps/deployments/public-gateway-poweb" -// } -//} -// -//resource "google_monitoring_slo" "poweb_service_uptime" { -// service = google_monitoring_custom_service.poweb_deployment.service_id -// display_name = "${local.env_full_name}-poweb-deployment: 99% uptime (calendar month)" -// -// goal = 0.99 -// calendar_period = "MONTH" -// -// windows_based_sli { -// window_period = "300s" -// metric_mean_in_range { -// time_series = join(" AND ", [ -// "metric.type=\"kubernetes.io/container/uptime\"", -// "resource.type=\"k8s_container\"", -// ]) -// -// range { -// min = 299 -// max = 300 -// } -// } -// } -//} - module "pohttp_lb_uptime" { source = "../host_uptime_monitor" - name = "gateway-pohttp" + name = "gateway-${var.instance_name}-pohttp" host_name = google_dns_record_set.pohttp.name - notification_channels = [for c in google_monitoring_notification_channel.sre_email : c.name] + notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] gcp_project_id = var.gcp_project_id } module "cogrpc_lb_uptime" { source = "../host_uptime_monitor" - name = "gateway-cogrpc" + name = "gateway-${var.instance_name}-cogrpc" probe_type = "tcp" host_name = google_dns_record_set.cogrpc.name - notification_channels = [for c in google_monitoring_notification_channel.sre_email : c.name] + notification_channels = [for c in google_monitoring_notification_channel.sres_email : c.name] gcp_project_id = var.gcp_project_id } diff --git a/environments/_modules/gateway/networking.tf b/environments/_modules/gateway/networking.tf deleted file mode 100644 index 6bf2c3db..00000000 --- a/environments/_modules/gateway/networking.tf +++ /dev/null 
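Review bot: Every element of `google_monitoring_notification_channel.sres_email` gets the same `display_name`, because the new value interpolates only `terraform.workspace` and no longer `each.value`, so the channels are indistinguishable in the console and in alerting policies. The environment is already identified elsewhere in this hunk by `var.instance_name`; prefer `display_name = "Notify SRE ${each.value} (gateway ${var.instance_name})"`. If these workspaces still use a `backend "remote"` block with a single `workspaces { name = ... }` as the deleted frankfurt configuration did, `terraform.workspace` evaluates to `default` and the interpolation adds nothing.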
@@ -1,24 +0,0 @@
-resource "google_compute_network" "main" {
- name = "gateway"
-}
-
-resource "google_compute_global_address" "managed_tls_cert" {
- name = "gateway"
-
- labels = local.gcp_resource_labels
-
- provider = google-beta
-}
-
-resource "google_compute_firewall" "neg_backend_workaround" {
- // Workaround for https://github.com/kubernetes/ingress-gce/issues/18#issuecomment-658765449
- name = "gateway-neg-backend-workaround"
- network = google_compute_network.main.name
-
- allow {
- protocol = "tcp"
- ports = ["8082"]
- }
-
- source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
-}
diff --git a/environments/_modules/gateway-serverless/outputs.tf b/environments/_modules/gateway/outputs.tf
similarity index 100%
rename from environments/_modules/gateway-serverless/outputs.tf
rename to environments/_modules/gateway/outputs.tf
diff --git a/environments/_modules/gateway/postgresql.tf b/environments/_modules/gateway/postgresql.tf
deleted file mode 100644
index 7b93845c..00000000
--- a/environments/_modules/gateway/postgresql.tf
+++ /dev/null
@@ -1,60 +0,0 @@ -# PostgreSQL instance used by NATS Streaming (aka Stan) - -resource "google_compute_global_address" "postgresql" { - provider = google-beta - project = var.gcp_project_id - - name = "gateway-postgresql" - purpose = "VPC_PEERING" - address_type = "INTERNAL" - network = google_compute_network.main.id - - # Set the address explicitly to avoid non-deterministic behaviour. - address = "10.101.0.0" - prefix_length = 16 # TODO: Reduce to 24 -} - -resource "google_service_networking_connection" "postgresql" { - provider = google-beta - - network = google_compute_network.main.id - service = "servicenetworking.googleapis.com" - reserved_peering_ranges = [google_compute_global_address.postgresql.name] -} - -resource "random_id" "postgresql_instance_suffix" { - byte_length = 3 -} - -resource "google_sql_database_instance" "postgresql" { - name = "gateway-${random_id.postgresql_instance_suffix.hex}" - database_version = "POSTGRES_12" - region = var.gcp_region - - settings { - tier = "db-f1-micro" - availability_type = "REGIONAL" - backup_configuration { - enabled = true - start_time = "07:30" # Should be shortly before maintenance - } - maintenance_window { - # Optimise for London, in case anything goes awry. - day = 1 # Monday - hour = 8 # Should be shortly after daily backup - } - ip_configuration { - ipv4_enabled = false - private_network = google_compute_network.main.self_link - require_ssl = false # Don't require client-side certificates - } - - user_labels = local.gcp_resource_labels - } - - deletion_protection = var.prevent_destruction - - depends_on = [google_service_networking_connection.postgresql] - - provider = google-beta -} diff --git a/environments/_modules/gateway-serverless/services.tf b/environments/_modules/gateway/services.tf similarity index 100% rename from environments/_modules/gateway-serverless/services.tf rename to environments/_modules/gateway/services.tf 
diff --git a/environments/_modules/gateway/stan.tf b/environments/_modules/gateway/stan.tf
deleted file mode 100644
index 2fb5052b..00000000
--- a/environments/_modules/gateway/stan.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-resource "google_sql_database" "postgresql_stan" {
- name = "stan"
- instance = google_sql_database_instance.postgresql.name
-}
-
-resource "google_sql_user" "postgresql_stan" {
- name = "stan"
- instance = google_sql_database_instance.postgresql.name
- password = random_password.postgresql_stan.result
-}
-// TODO: Use service accounts instead (https://github.com/relaycorp/cloud-gateway/issues/6)
-resource "random_password" "postgresql_stan" {
- length = 32
- special = false
-}
-
-module "stan_db_password" {
- source = "../cd_secret"
-
- secret_id = "gateway-stan-db-password"
- secret_value = google_sql_user.postgresql_stan.password
- accessor_service_account_email = local.gcb_service_account_email
- gcp_labels = local.gcp_resource_labels
-}
diff --git a/environments/_modules/gateway/variables.tf b/environments/_modules/gateway/variables.tf
index 1b53da07..901df1c5 100644
--- a/environments/_modules/gateway/variables.tf
+++ b/environments/_modules/gateway/variables.tf
@@ -1,66 +1,20 @@ -variable "name" {} +variable "instance_name" {} -variable "root_workspace" { - type = object({ - name = string, - organization = string, - }) - default = { - name = "cloud-gateway", - organization = "Relaycorp", - } -} - -variable "type" { - default = "production" - validation { - condition = contains(["production", "testing"], var.type) - error_message = "Environment type must be either 'production' or 'testing'." - } -} +variable "docker_image_tag" {} -variable "prevent_destruction" { - default = true - type = bool - description = "Turn off when preparing to destroy environment" -} - -variable "dns_managed_zone" { - default = "relaycorp-cloud" +variable "sre_iam_uri" {} +variable "alert_email_addresses" { + type = list(string) } -variable "shared_infra_gcp_project_id" {} - +variable "gcp_shared_infra_project_id" {} variable "gcp_project_id" {} -variable "gcp_region" {} - -variable "gke_instance_type" { - default = "n2-highcpu-4" +variable "gcp_region" { + description = "Google region" } - -variable "kubernetes_min_version" { - default = "1.20" - validation { - condition = can(regex("^\\d+\\.\\d+$", var.kubernetes_min_version)) - error_message = "Minimum Kubernetes version, excluding patch version (e.g., '1.21')." - } +variable "gcp_dns_managed_zone" { + default = "relaycorp-services" } -variable "mongodb_atlas_org_id" {} -variable "mongodb_atlas_region" {} - -variable "github_repo" { - type = object({ - organisation = string - name = string - branch = string - }) - - default = { - organisation = "relaycorp" - name = "cloud-gateway" - branch = "main" - } -} - -variable "sre_iam_uri" {} +variable "mongodbatlas_project_id" {} +variable "mongodbatlas_region" {} diff --git a/environments/_modules/gateway/versions.tf b/environments/_modules/gateway/versions.tf deleted file mode 100644 index d8c85f4b..00000000 --- a/environments/_modules/gateway/versions.tf +++ /dev/null 
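Review bot: The new inputs `instance_name`, `docker_image_tag`, `sre_iam_uri`, `gcp_shared_infra_project_id`, `mongodbatlas_project_id` and `mongodbatlas_region` are declared without `type` or `description`, and `instance_name` is interpolated into resource names and the monitoring-group filter string elsewhere in the module, so a value with spaces, quotes or uppercase fails at apply time or silently breaks the filter instead of being rejected at plan time. Give each variable `type = string` and a one-line `description`, and constrain `instance_name` to the label-safe alphabet it ends up in, for example as below. `sre_iam_uri` is used as an IAM member, so a validation that it starts with `user:`, `group:` or `serviceAccount:` would catch the same class of mistake.
```hcl
variable "instance_name" {
  type        = string
  description = "Short environment name used in resource names and monitoring filters"
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{0,29}$", var.instance_name))
    error_message = "instance_name must be lowercase letters, digits and hyphens, starting with a letter."
  }
}
# … unchanged: remaining variable declarations …
```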
@@ -1,17 +0,0 @@
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- }
- mongodbatlas = {
- source = "mongodb/mongodbatlas"
- }
- random = {
- source = "hashicorp/random"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/environments/belgium/gateway.tf b/environments/belgium/gateway.tf
index 97603611..e7b17e73 100644
--- a/environments/belgium/gateway.tf
+++ b/environments/belgium/gateway.tf
@@ -1,5 +1,5 @@
 module "gateway" { - source = "../_modules/gateway-serverless" + source = "../_modules/gateway" docker_image_tag = "5.1.2"
diff --git a/environments/frankfurt/.terraform.lock.hcl b/environments/frankfurt/.terraform.lock.hcl
deleted file mode 100644
index 1b78ee6e..00000000
--- a/environments/frankfurt/.terraform.lock.hcl
+++ /dev/null
@@ -1,75 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "3.53.0" - constraints = "~> 3.53.0" - hashes = [ - "h1:0MYwK1KRNCc9lfF8vV9gDEuaylwEfSPws7ZJbLwY2FE=", - "zh:1408365b5f2ae508fce9b446bb9dbaf044aec81fa4c36fff39c2511b179bcc56", - "zh:1d53e978065feb6278bc8c88a70c3df7599c3b8bbcd77765bcd842a83bce6686", - "zh:5173a92249c8d06d0d2beca0e328df6e956becd789ebae9a064f022151415b8f", - "zh:5bd2ee6cd6baf2cb429f82140cbb5e6c90362b0ef4edaf63df30520e01507374", - "zh:65670355fddde75bfadc088627e2700dc14054a63aa5434d2759e7fe43b989c6", - "zh:97d4382855c50a2077d3ecd241a02324b8ba2cb8b8c76f8f896c40189260f6c1", - "zh:9a18ad92e062dcd2ef72ed9021d5827326a2fc13c2c442c54baf6a9298035873", - "zh:b4941a0f47f05c965af42821d51748ac326aea2843b123663dd50f7075fa1956", - "zh:f40bbb7046dfcd12ddef175acb1cfc4a8ae082f56a24ba413f0719747789915b", - "zh:f60769112a2e36beb762dc7f31916f818b5cacfb35d7d8ddeb40ea6bf8690e9e", - ] -} - -provider "registry.terraform.io/hashicorp/google-beta" { - version = "3.53.0" - constraints = "~> 3.53.0" - hashes = [ - "h1:htRRhAtu3Q3+w0vsjGoa/iZ/Q13I/VVVB8ntHKz/rBg=", - "zh:2d9c3e9becd1b5305d7e2dd54f80e27af7980781e5e236cc39d3c13e4dd6ec75", - "zh:2e0d96a477659ceb154fa8fe004df6e8e78a2d67658f7df2b5881ce223f42be4", - "zh:322125ee27762e0e61ac0cf859c8a0ed9998b798c7ed18bf2b4446bb76ebf24e", - "zh:4aef6c2cf0625ed8025833c42a4c050b7ca472ee9997b23f1e49cd3b12a7912e", - "zh:7d0a366699ed9441163062b14957a34b64dfb740b67fc7f7d0636336ba8f73ee", - "zh:b29bcabf1e44870dc2e8bbcf50c03dca8fc014b48d8c1e198b7e6157f785098e", - "zh:bbc2c6b8ff54a3c8fb050054d3eb0be7e63136607cdba8b8dcc94d8fe14ee3c2", - "zh:c2dee18679d74d0dc9aaec2af0af79759eabc3fe3b15fab54d2bdb159c544ca7", - "zh:d48981c41bcf1dcfbdc02a0df8f1f178caa00899b76b9c575292550cafe98628", - "zh:f03545b91c95a4c1a071e4e9c8f7faf2ed9c9bf6084257eefb7660a74d4f61da", - ] -} - -provider "registry.terraform.io/hashicorp/random" { 
- version = "3.0.1" - constraints = "~> 3.0.0" - hashes = [ - "h1:SzM8nt2wzLMI28A3CWAtW25g3ZCm1O4xD0h3Ps/rU1U=", - "zh:0d4f683868324af056a9eb2b06306feef7c202c88dbbe6a4ad7517146a22fb50", - "zh:4824b3c7914b77d41dfe90f6f333c7ac9860afb83e2a344d91fbe46e5dfbec26", - "zh:4b82e43712f3cf0d0cbc95b2cbcd409ba8f0dc7848fdfb7c13633c27468ed04a", - "zh:78b3a2b860c3ebc973a794000015f5946eb59b82705d701d487475406b2612f1", - "zh:88bc65197bd74ff408d147b32f0045372ae3a3f2a2fdd7f734f315d988c0e4a2", - "zh:91bd3c9f625f177f3a5d641a64e54d4b4540cb071070ecda060a8261fb6eb2ef", - "zh:a6818842b28d800f784e0c93284ff602b0c4022f407e4750da03f50b853a9a2c", - "zh:c4a1a2b52abd05687e6cfded4a789dcd7b43e7a746e4d02dd1055370cf9a994d", - "zh:cf65041bf12fc3bde709c1d267dbe94142bc05adcabc4feb17da3b12249132ac", - "zh:e385e00e7425dda9d30b74ab4ffa4636f4b8eb23918c0b763f0ffab84ece0c5c", - ] -} - -provider "registry.terraform.io/mongodb/mongodbatlas" { - version = "0.8.2" - constraints = "~> 0.6" - hashes = [ - "h1:ry6CGqesidcJXaWDeLtqjVMxOZ5bqqLOvOtQhLDriSs=", - "zh:17705b49166fc296aef7300534a5c964ea8d4f6cb6616bcb8e7d3186cd1cae50", - "zh:39b8fdcf3262f7b2faffa41b0aed2ffdcf5ed47b985429c7bb764945f9873637", - "zh:3d4dbbb6be68dfea4f84172d0db9fc52dbda6025ed424ea249fb1317968b28ac", - "zh:525ae17dc4c2607c4ee596450fba58f5101635b05a93de2cdcb2e550b6c46abc", - "zh:71759a108c1499b9538ae4d54faaf66077adce90b031fc1051f484118418e6c7", - "zh:7a42549360c6cfb4a4f8986c9e59f8533750de964f31d4bea09e758da460b994", - "zh:8869872ea9bedb5a2b46637d62aaed8c886dce4579133a6f84043f540aa927cd", - "zh:aa3b2f8c64c9a28e96e1d23c0b21092fa0c21fbbe6d56b7f92a7d40e7d4696b7", - "zh:e7c85f9baeb2fb234721b2b4fba4a9620af7a5bc138f2d6c9682178b6b24ba72", - "zh:fa0c84bfea33a7726ed29574e58a9666cf8a9e5882b9aabd0f1899965a0c4b18", - "zh:fd9b995f95e58391d592cfce078f98b5657dd58452f5d049ebd1be562314ed36", - ] -} diff --git a/environments/frankfurt/README.md b/environments/frankfurt/README.md deleted file mode 100644 index e3640889..00000000 
--- a/environments/frankfurt/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Frankfurt environment - -Hallo! This Terraform workspace manages the cloud resources for the Relaynet-Internet Gateway in `europe-west3`, otherwise known as Frankfurt. - -This gateway is available at `frankfurt.relaycorp.cloud`. diff --git a/environments/frankfurt/main.tf b/environments/frankfurt/main.tf deleted file mode 100644 index 355d3eae..00000000 --- a/environments/frankfurt/main.tf +++ /dev/null @@ -1,27 +0,0 @@ -terraform { - backend "remote" { - organization = "Relaycorp" - - workspaces { - name = "gateway-frankfurt" - } - } -} - -module "gateway" { - source = "../_modules/gateway" - - name = "frankfurt" - - shared_infra_gcp_project_id = var.shared_infra_gcp_project_id - - prevent_destruction = false - - gcp_project_id = var.gcp_project_id - gcp_region = "europe-west3" - - mongodb_atlas_org_id = var.mongodb_atlas_org_id - mongodb_atlas_region = "EUROPE_WEST_3" - - sre_iam_uri = var.sre_iam_uri -} diff --git a/environments/frankfurt/providers.tf b/environments/frankfurt/providers.tf deleted file mode 100644 index 859bca2c..00000000 --- a/environments/frankfurt/providers.tf +++ /dev/null @@ -1,10 +0,0 @@ -provider "google" { - project = var.gcp_project_id -} - -provider "google-beta" { - project = var.gcp_project_id -} - -provider "mongodbatlas" { -} diff --git a/environments/frankfurt/variables.tf b/environments/frankfurt/variables.tf deleted file mode 100644 index 98e464b2..00000000 --- a/environments/frankfurt/variables.tf +++ /dev/null @@ -1,6 +0,0 @@ -variable "gcp_project_id" {} -variable "shared_infra_gcp_project_id" {} - -variable "mongodb_atlas_org_id" {} - -variable "sre_iam_uri" {} diff --git a/environments/frankfurt/versions.tf b/environments/frankfurt/versions.tf deleted file mode 100644 index 9586663d..00000000 --- a/environments/frankfurt/versions.tf +++ /dev/null 
@@ -1,21 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "~> 3.53.0" - } - google-beta = { - source = "hashicorp/google-beta" - version = "~> 3.53.0" - } - mongodbatlas = { - source = "mongodb/mongodbatlas" - version = "~> 0.6" - } - random = { - source = "hashicorp/random" - version = "~> 3.0.0" - } - } - required_version = ">= 0.13" -} diff --git a/gcb-builder-scripts/gcb-helmfile-set-versions.sh b/gcb-builder-scripts/gcb-helmfile-set-versions.sh deleted file mode 100755 index e61a31d5..00000000 --- a/gcb-builder-scripts/gcb-helmfile-set-versions.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -set -o nounset -set -o errexit -set -o pipefail - -HELM_VERSION=3.4.1 -HELMFILE_VERSION=0.135.0 - -CLOUDBUILD_CONFIG_PATH="$1" - -sed -E \ - "s/HELM_VERSION=.+/HELM_VERSION=v${HELM_VERSION}\",/" \ - -i "${CLOUDBUILD_CONFIG_PATH}" - -sed -E \ - "s/HELMFILE_VERSION=.+/HELMFILE_VERSION=v${HELMFILE_VERSION}\",/" \ - -i "${CLOUDBUILD_CONFIG_PATH}" - -cat "${CLOUDBUILD_CONFIG_PATH}" diff --git a/environments/_modules/gateway-serverless/main.tf b/tf-modules/environment_workspace/main.tf similarity index 100% rename from environments/_modules/gateway-serverless/main.tf rename to tf-modules/environment_workspace/main.tf diff --git a/tf-modules/serverless_environment_workspace/mongodb.tf b/tf-modules/environment_workspace/mongodb.tf similarity index 100% rename from tf-modules/serverless_environment_workspace/mongodb.tf rename to tf-modules/environment_workspace/mongodb.tf diff --git a/tf-modules/environment_workspace/tfe.tf b/tf-modules/environment_workspace/tfe.tf index c0aae5de..3fa69758 100644 --- a/tf-modules/environment_workspace/tfe.tf +++ b/tf-modules/environment_workspace/tfe.tf 
@@ -69,3 +69,28 @@ resource "tfe_variable" "gcp_project_id" {
 key = "gcp_project_id"
 value = google_project.main.project_id
 }
+
+resource "tfe_variable" "mongodbatlas_project_id" {
+ workspace_id = tfe_workspace.main.id
+
+ category = "terraform"
+ key = "mongodbatlas_project_id"
+ value = mongodbatlas_project.main.id
+}
+
+resource "tfe_variable" "mongodbatlas_private_key" {
+ workspace_id = tfe_workspace.main.id
+
+ category = "env"
+ sensitive = true
+ key = "MONGODB_ATLAS_PRIVATE_KEY"
+ value = mongodbatlas_project_api_key.main.private_key
+}
+
+resource "tfe_variable" "mongodbatlas_public_key" {
+ workspace_id = tfe_workspace.main.id
+
+ category = "env"
+ key = "MONGODB_ATLAS_PUBLIC_KEY"
+ value = mongodbatlas_project_api_key.main.public_key
+}
diff --git a/tf-modules/serverless_environment_workspace/README.md b/tf-modules/serverless_environment_workspace/README.md
deleted file mode 100644
index b7f836e4..00000000
--- a/tf-modules/serverless_environment_workspace/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Terraform Cloud workspace for a single Public Gateway environment
-
-We're creating separate workspaces for each environment in order to:
-
-1. Be able to manipulate the Terraform state when things go awry.
-1. Make it easier to review Terraform plans.
-1. Speed up operations such as planning.
-
-Unfortunately, when creating an instance of this module, you have to manually enable the VCS connection to GitHub from the Terraform Cloud web console.
diff --git a/tf-modules/serverless_environment_workspace/gcp.tf b/tf-modules/serverless_environment_workspace/gcp.tf
deleted file mode 100644
index 5927391e..00000000
--- a/tf-modules/serverless_environment_workspace/gcp.tf
+++ /dev/null
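Review bot: `tfe_variable.mongodbatlas_public_key` is not marked `sensitive` and neither it nor `tfe_variable.mongodbatlas_project_id` has a `description`, although the public key is one half of the Atlas API credential; setting `sensitive = true` on both halves keeps them out of the TFC UI and run logs at no cost, and a `description` naming the owning `mongodbatlas_project_api_key` helps later rotation. Both key values also land in this root workspace's own state alongside `mongodbatlas_project_api_key.main`, so read access to the root state is effectively access to every environment's Atlas project; keep that in mind when granting state permissions. `mongodbatlas_project_api_key.main` is defined outside this hunk, and the project role it is assigned bounds what the environment workspace can do in Atlas — it should be the minimum the gateway module needs rather than a project-owner role.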
@@ -1,55 +0,0 @@ -resource "random_id" "gcp_project_id_suffix" { - byte_length = 2 -} - -resource "google_project" "main" { - name = var.name - project_id = "gw-${var.name}-${random_id.gcp_project_id_suffix.hex}" // <= 30 chars long - folder_id = var.gcp_parent_folder - billing_account = var.gcp_billing_account -} - -resource "google_project_service" "cloudbilling" { - project = google_project.main.project_id - service = "cloudbilling.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "cloudresourcemanager" { - project = google_project.main.project_id - service = "cloudresourcemanager.googleapis.com" - disable_dependent_services = true -} - -resource "google_project_service" "serviceusage" { - project = google_project.main.project_id - service = "serviceusage.googleapis.com" - disable_dependent_services = true -} - -resource "google_service_account" "tfe" { - account_id = "tf-cloud" - project = google_project.main.project_id - - depends_on = [google_project_service.cloudbilling] -} - -resource "google_project_iam_binding" "tfe_owner" { - project = google_project.main.project_id - role = "roles/owner" - members = ["serviceAccount:${google_service_account.tfe.email}"] -} - -resource "google_project_iam_member" "tfe_shared_dns" { - project = var.shared_infra_gcp_project_id - role = "roles/dns.admin" - member = "serviceAccount:${google_service_account.tfe.email}" -} - -resource "google_service_account_key" "tfe" { - service_account_id = google_service_account.tfe.name -} - -resource "google_service_account_key" "main" { - service_account_id = google_service_account.tfe.name -} diff --git a/tf-modules/serverless_environment_workspace/main.tf b/tf-modules/serverless_environment_workspace/main.tf deleted file mode 100644 index 4443a7d6..00000000 --- a/tf-modules/serverless_environment_workspace/main.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - mongodbatlas = { - source = "mongodb/mongodbatlas" - } - } -} 
diff --git a/tf-modules/serverless_environment_workspace/outputs.tf b/tf-modules/serverless_environment_workspace/outputs.tf deleted file mode 100644 index fcb22bea..00000000 --- a/tf-modules/serverless_environment_workspace/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "tfe_workspace_id" { - value = tfe_workspace.main.id -} diff --git a/tf-modules/serverless_environment_workspace/tfe.tf b/tf-modules/serverless_environment_workspace/tfe.tf deleted file mode 100644 index 3fa69758..00000000 --- a/tf-modules/serverless_environment_workspace/tfe.tf +++ /dev/null 
@@ -1,96 +0,0 @@ -data "terraform_remote_state" "root" { - backend = "remote" - - config = { - organization = var.tfe_organization - workspaces = { - name = var.tfe_root_workspace - } - } -} - -data "tfe_oauth_client" "main" { - oauth_client_id = var.tfe_oauth_client_id -} - -resource "tfe_workspace" "main" { - name = "gateway-${var.name}" - organization = var.tfe_organization - - working_directory = "environments/${var.name}" - trigger_prefixes = ["environments/_modules"] - - auto_apply = true - - terraform_version = var.tfe_terraform_version - - vcs_repo { - identifier = var.github_repo - oauth_token_id = data.tfe_oauth_client.main.oauth_token_id - branch = var.github_branch - } -} - -data "tfe_organization_membership" "sres" { - for_each = toset(data.terraform_remote_state.root.outputs.sre_email_addresses) - - organization = var.tfe_organization - email = each.value -} - -resource "tfe_notification_configuration" "sres" { - name = "Notify SREs to anything that needs their attention" - enabled = true - destination_type = "email" - email_user_ids = [for sre in data.tfe_organization_membership.sres : sre.user_id] - triggers = ["run:needs_attention", "run:errored"] - workspace_id = tfe_workspace.main.id -} - -resource "tfe_variable" "gcp_credentials" { - workspace_id = tfe_workspace.main.id - - category = "env" - sensitive = true - key = "GOOGLE_CREDENTIALS" - description = google_service_account.tfe.email - - // Remove new line characters as a workaround for - // https://github.com/hashicorp/terraform/issues/22796 - value = jsonencode( - jsondecode(base64decode(google_service_account_key.main.private_key)) - ) -} - -resource "tfe_variable" "gcp_project_id" { - workspace_id = tfe_workspace.main.id - - category = "terraform" - key = "gcp_project_id" - value = google_project.main.project_id -} - -resource "tfe_variable" "mongodbatlas_project_id" { - workspace_id = tfe_workspace.main.id - - category = "terraform" - key = "mongodbatlas_project_id" - value = 
mongodbatlas_project.main.id -} - -resource "tfe_variable" "mongodbatlas_private_key" { - workspace_id = tfe_workspace.main.id - - category = "env" - sensitive = true - key = "MONGODB_ATLAS_PRIVATE_KEY" - value = mongodbatlas_project_api_key.main.private_key -} - -resource "tfe_variable" "mongodbatlas_public_key" { - workspace_id = tfe_workspace.main.id - - category = "env" - key = "MONGODB_ATLAS_PUBLIC_KEY" - value = mongodbatlas_project_api_key.main.public_key -} diff --git a/tf-modules/serverless_environment_workspace/variables.tf b/tf-modules/serverless_environment_workspace/variables.tf deleted file mode 100644 index 6f663cb4..00000000 --- a/tf-modules/serverless_environment_workspace/variables.tf +++ /dev/null @@ -1,37 +0,0 @@ -variable "name" { - description = "Environment name" -} - -variable "shared_infra_gcp_project_id" {} -variable "gcp_parent_folder" {} -variable "gcp_billing_account" {} - -variable "mongodb_atlas_org_id" { - default = null // Take from variable set -} -variable "env_mongodb_atlas_public_key" { - default = null // Take from variable set -} -variable "env_mongodb_atlas_private_key" { - default = null // Take from variable set -} - -variable "tfe_organization" { - default = "Relaycorp" -} -variable "tfe_root_workspace" { - default = "cloud-gateway" -} -variable "tfe_oauth_client_id" { - default = "oc-7jBF4Z5YhNc4QRSc" -} -variable "tfe_terraform_version" { - default = "1.2.4" -} - -variable "github_repo" { - default = "relaycorp/cloud-gateway" -} -variable "github_branch" { - default = "main" -} diff --git a/tf-workspace/dns.tf b/tf-workspace/dns.tf index b664ec96..6383c736 100644 --- a/tf-workspace/dns.tf +++ b/tf-workspace/dns.tf 
@@ -1,16 +1,3 @@
-resource "google_dns_managed_zone" "relaycorp_cloud" {
- project = var.gcp_project_id
- name = "relaycorp-cloud"
- dns_name = "relaycorp.cloud."
- description = "Relaycorp Cloud"
-
- dnssec_config {
- state = "on"
- }
-
- depends_on = [google_project_service.dns]
-}
-
 resource "google_dns_managed_zone" "relaycorp_services" {
 project = var.gcp_project_id
 name = "relaycorp-services"
diff --git a/tf-workspace/environments.tf b/tf-workspace/environments.tf
index c5064d77..bf8af087 100644
--- a/tf-workspace/environments.tf
+++ b/tf-workspace/environments.tf
@@ -1,5 +1,5 @@
 module "env_belgium" { - source = "../tf-modules/serverless_environment_workspace" + source = "../tf-modules/environment_workspace" name = "belgium"