terraform cleanup, fix duplicate resource names

Author: jamalc

terraform/modules/cloudbuild/main.tf

@@ -93,7 +93,7 @@ resource "google_cloudbuild_trigger" "frontend" {
       name       = "gcr.io/cloud-builders/gsutil"
       entrypoint = "bash"
       # TODO the storage bucket should be a variable
-      args = ["-c", "gsutil -m cp -r public/* gs://dev-frontend-dev-sst-439514-static"]
+      args = ["-c", "gsutil -m cp -r public/* gs://${var.project}-${var.environment}-static"]
     }
     step {
       id         = "BUILD and PUSH with cloudpacks"

terraform/modules/iam/main.tf

@@ -19,7 +19,8 @@ resource "google_project_iam_member" "cloudrun_sa_invoker" {
 
 # TODO: Narrow down the permissions for the Cloud Build service account
 resource "google_service_account" "cloudbuild_sa" {
-  account_id = "cloudbuild-sa"
+  account_id = "${var.environment}-cloudbuild-sa"
+  display_name = "${var.environment} Cloud Build Service Account"
 }
 
 resource "google_project_iam_member" "act_as" {
@@ -67,19 +68,19 @@ resource "google_project_iam_member" "cloudbuild_run_invoker" {
 resource "google_project_iam_member" "cloudbuild_sa_viewer" {
   project = var.project
   role    = "roles/viewer"
-  member  = "serviceAccount:cloudbuild-sa@dev-sst-439514.iam.gserviceaccount.com"
+  member  = "serviceAccount:${google_service_account.cloudbuild_sa.email}"
 }
 
 resource "google_project_iam_member" "cloudbuild_sa_compute_network_admin" {
   project = var.project
   role    = "roles/compute.networkAdmin"
-  member  = "serviceAccount:cloudbuild-sa@dev-sst-439514.iam.gserviceaccount.com"
+  member  = "serviceAccount:${google_service_account.cloudbuild_sa.email}"
 }
 
 resource "google_project_iam_member" "cloudbuild_sa_compute_storage_admin" {
   project = var.project
   role    = "roles/compute.storageAdmin"
-  member  = "serviceAccount:cloudbuild-sa@dev-sst-439514.iam.gserviceaccount.com"
+  member  = "serviceAccount:${google_service_account.cloudbuild_sa.email}"
 }
 
 resource "google_project_iam_member" "cloudbuild_sa_secret_accessor" {

terraform/modules/load_balancer/main.tf

@@ -1,5 +1,5 @@
 resource "google_compute_global_address" "lb_ip" {
-  name         = "tf-cr-lb-1-address"
+  name         = "${var.environment}-tf-cr-lb-1-address"
   address_type = "EXTERNAL"
 }
 
@@ -8,15 +8,16 @@ module "lb-http" {
   version = "~> 12.0"
 
   project = var.project
-  name    = "tf-cr-lb-1"
+  name    = "${var.environment}-tf-cr-lb-1"
 
   address                         = google_compute_global_address.lb_ip.address
+  create_address                  = false
   ssl                             = true
   managed_ssl_certificate_domains = [var.domain]
   https_redirect                  = true
 
   backends = {
-    frontend = {
+    "${var.environment}-frontend" = {
       description = "Cloud Run frontend"
       groups      = []
       serverless_neg_backends = [{
@@ -36,7 +37,7 @@ module "lb-http" {
         enable = false
       }
     }
-    webapp = {
+    "${var.environment}-webapp" = {
       description = "Cloud Run webapp"
       groups      = []
       serverless_neg_backends = [{
@@ -62,8 +63,8 @@ module "lb-http" {
 }
 
 resource "google_compute_url_map" "url_map" {
-  name            = "tf-cr-url-map-1"
-  default_service = module.lb-http.backend_services["frontend"].self_link
+  name            = "${var.environment}-tf-cr-url-map-1"
+  default_service = module.lb-http.backend_services["${var.environment}-frontend"].self_link
 
   host_rule {
     hosts        = ["*"]
@@ -72,11 +73,11 @@ resource "google_compute_url_map" "url_map" {
 
   path_matcher {
     name            = "allpaths"
-    default_service = module.lb-http.backend_services["frontend"].self_link
+    default_service = module.lb-http.backend_services["${var.environment}-frontend"].self_link
 
     path_rule {
       paths   = ["/api", "/api/*"]
-      service = module.lb-http.backend_services["webapp"].self_link
+      service = module.lb-http.backend_services["${var.environment}-webapp"].self_link
     }
 
     path_rule {
@@ -89,9 +90,28 @@ resource "google_compute_url_map" "url_map" {
   }
 }
 
+
+resource "google_storage_bucket" "static_assets" {
+  name          = "${var.project}-${var.environment}-static"
+  location      = var.region
+  force_destroy = true
+
+  uniform_bucket_level_access = true
+}
+
+resource "google_storage_bucket_iam_binding" "public_rule" {
+  bucket = google_storage_bucket.static_assets.name
+
+  role = "roles/storage.objectViewer"
+
+  members = [
+    "allUsers",
+  ]
+}
+
 resource "google_compute_backend_bucket" "build" {
-  name        = "tf-cr-static-build-1"
-  bucket_name = "dev-frontend-dev-sst-439514-static"
+  name        = "${var.environment}-tf-cr-static-build-1"
+  bucket_name = google_storage_bucket.static_assets.name
   enable_cdn  = true
 }
 

terraform/modules/migrate/main.tf

@@ -1,6 +1,7 @@
 resource "google_cloud_run_v2_job" "migrate" {
   location = var.region
   name     = "${var.environment}-migrate"
+  deletion_protection = false
 
   template {
     task_count = 1

terraform/modules/service/main.tf

@@ -5,8 +5,20 @@ resource "google_project_service" "services" {
   disable_on_destroy = false
 }
 
+resource "google_secret_manager_secret" "env_file" {
+  secret_id = "${var.environment}-${var.name}-env-file"
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "env_file_secret_version" {
+  secret      = google_secret_manager_secret.env_file.id
+  secret_data = "APP_NAME=SST"
+}
+
 resource "google_secret_manager_secret_iam_member" "cloudrun_sa_env_file_access" {
-  secret_id = "projects/${var.project}/secrets/test-${var.name}-env-file"
+  secret_id = google_secret_manager_secret.env_file.secret_id
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${var.cloudrun_service_account_email}"
 }