Mirror from monorepo 4bafe172 (#694)

Automated mirror from monorepo commit
`4bafe1726b8a45018bef789ae5d25b57124c3cc0`.

This PR was automatically generated by the terraform provider mirroring
workflow.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: formal-bot[bot]

examples/deployments/gcp/gke-bigquery-connector/README.md

@@ -58,27 +58,22 @@ terraform apply
 
 You should now be able to connect to BigQuery using the Connector.
 
-For example, using the `bq` CLI:
-
-```bash
-CONNECTOR_IP=$(terraform output -raw kubernetes_service_external_ip)
-bq query --api http://${CONNECTOR_IP}:7777 'SELECT 1'
-```
-
-Or from within your GKE cluster, using the internal hostname:
+By default, the Connector is deployed with an internal load balancer, which is only accessible from within the VPC. You can connect from within your GKE cluster using the internal hostname:
 
 ```bash
 CONNECTOR_HOSTNAME=$(terraform output -raw kubernetes_service_internal_hostname)
 bq query --api http://${CONNECTOR_HOSTNAME}:7777 'SELECT 1'
 ```
 
-Or using port forward:
+For local development or testing, you can use port forwarding:
 
 ```bash
 kubectl port-forward services/formal-connector 7777
 bq query --api http://localhost:7777 'SELECT 1'
 ```
 
+If you need external access from outside the VPC, you can modify the service configuration in `helm/values.yaml` to use an external load balancer by removing the `cloud.google.com/load-balancer-type` annotation.
+
 > 💡 **Note:** If you don't want Terraform to manage the Connector deployment in your GKE cluster, you can remove the `helm_release` resource from `main.tf`. You will need to run Terraform first, then Helm configured with the appropriate values.
 
 

examples/deployments/gcp/gke-bigquery-connector/outputs.tf

@@ -1,5 +1,5 @@
-output "kubernetes_service_external_ip" {
-  description = "External IP address of the connector"
+output "kubernetes_service_ip" {
+  description = "Load balancer IP address of the connector (internal by default)"
   value       = data.kubernetes_service.formal_connector.status[0].load_balancer[0].ingress[0].ip
 }
 

examples/deployments/gcp/gke-cloudsqlproxy-connector/README.md

@@ -0,0 +1,139 @@
+# Formal Connector GKE / Cloud SQL Setup
+
+This directory contains a demonstration of how to set up a Formal Connector in GKE, connecting to Cloud SQL for PostgreSQL using the Cloud SQL Auth Proxy with IAM authentication.
+
+It contains:
+* A Terraform configuration to set up the required GCP and Formal resources
+* Deployment of the official Formal Helm charts (`formal/connector` and `formal/ecr-cred`)
+* Cloud SQL Proxy configured as a sidecar container for secure connectivity
+* GCP IAM authentication handled by the Formal Connector
+
+You can use it as-is to set up a Formal Connector in your GKE cluster, or as a starting point to integrate the Connector in your existing deployment pipeline.
+
+Formal general purpose documentation is available at [docs.joinformal.com](https://docs.joinformal.com).
+
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│  GKE Pod                                                        │
+│  ┌─────────────────────┐      ┌─────────────────────────────┐  │
+│  │  Formal Connector   │      │  Cloud SQL Auth Proxy       │  │
+│  │                     │      │                             │  │
+│  │  Listens on :5432   │─────▶│  Connects to Cloud SQL via  │  │
+│  │  (client-facing)    │      │  localhost:5433             │  │
+│  │  (IAM auth via WI)  │      │                             │  │
+│  └─────────────────────┘      └─────────────────────────────┘  │
+└─────────────────────────────────────────────────────────────────┘
+                                            │
+                                            ▼
+                                  ┌─────────────────────┐
+                                  │  Cloud SQL          │
+                                  │  (PostgreSQL)       │
+                                  └─────────────────────┘
+```
+
+The Cloud SQL Proxy runs as a sidecar and handles secure connectivity to Cloud SQL.
+The Formal Connector handles GCP IAM authentication using Workload Identity to generate IAM tokens.
+
+
+## Prerequisites
+
+On your side, you need:
+* Helm, Terraform and `gcloud` CLI installed.
+* `gcloud` CLI configured and authenticated. You (or your Terraform runner) need to have write access to both the GCP project and the GKE cluster.
+* Cloud SQL Admin API enabled (`gcloud services enable sqladmin.googleapis.com`).
+* A GKE cluster with Workload Identity enabled.
+* A Cloud SQL for PostgreSQL instance with IAM database authentication enabled.
+
+On the Formal side, you need:
+* A Formal API key, that you can create in the Formal Console.
+* Formal ECR credentials (ask your Formal contact for access).
+
+
+## Setup
+
+1. Create a `terraform.tfvars` file:
+```hcl
+# Required variables
+project_id                    = "your-project-id"
+region                        = "your-region"
+cluster_name                  = "your-cluster-name"
+cloud_sql_instance_connection = "your-project:your-region:your-instance"
+formal_api_key                = "your-formal-api-key"
+ecr_access_key_id             = "your-ecr-access-key-id"
+ecr_secret_access_key         = "your-ecr-secret-access-key"
+
+# Optional variables
+namespace      = "default"
+connector_name = "cloudsql-connector"
+postgres_port  = 5432
+```
+
+2. Initialize and apply the Terraform configuration:
+```bash
+terraform init
+terraform apply
+```
+
+The Terraform configuration automatically creates:
+* A GCP service account with the necessary IAM roles
+* Workload Identity binding for the Kubernetes service account
+* The Cloud SQL IAM database user
+
+You should now be able to connect to Cloud SQL via the Connector.
+
+By default, the Connector is deployed with an internal load balancer, which is only accessible from within the VPC. You can connect from within your GKE cluster using the internal hostname:
+
+```bash
+CONNECTOR_HOSTNAME=$(terraform output -raw kubernetes_service_internal_hostname)
+psql "host=${CONNECTOR_HOSTNAME} port=5432 user=<formal-user> dbname=<database>@cloudsql-connector-postgres"
+```
+
+For local development or testing, you can use port forwarding:
+
+```bash
+kubectl port-forward services/formal-connector 5432
+psql "host=localhost port=5432 user=<formal-user> dbname=<database>@cloudsql-connector-postgres"
+```
+
+If you need external access from outside the VPC, you can modify the service configuration in `main.tf` to use an external load balancer by removing the `cloud.google.com/load-balancer-type` annotation.
+
+> **Note:** If you don't want Terraform to manage the Connector deployment in your GKE cluster, you can remove the `helm_release` resources from `main.tf`. You will need to run Terraform first, then Helm configured with the appropriate values.
+
+
+## Customization
+
+### Using Private IP
+
+By default, this example uses Cloud SQL's public IP. If your Cloud SQL instance has a private IP and your GKE cluster can reach it (e.g., same VPC or VPC peering), add the `--private-ip` flag to the `sidecars` configuration in `main.tf`:
+
+```hcl
+args = [
+  var.cloud_sql_instance_connection,
+  "--port=5433",
+  "--private-ip"
+]
+```
+
+### Adjusting Resources
+
+You can adjust the Connector and Cloud SQL Proxy resources by modifying the `values` block in `main.tf`.
+
+
+## Troubleshooting
+
+If you encounter issues, here are a few things you can check:
+
+* Check the Connector pod status for any issues (e.g. `kubectl describe pod ...`)
+* Check the logs of both containers:
+  * Connector logs: `kubectl logs <pod-name> -c connector`
+  * Cloud SQL Proxy logs: `kubectl logs <pod-name> -c cloud-sql-proxy`
+* Check Kubernetes events (e.g. `kubectl get events`)
+* Verify the GCP service account has the correct IAM roles:
+  * `roles/cloudsql.client`
+  * `roles/cloudsql.instanceUser`
+* Verify the Workload Identity binding is correctly configured
+
+If you still encounter issues, please reach out to us!

examples/deployments/gcp/gke-cloudsqlproxy-connector/main.tf

@@ -0,0 +1,151 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  host                   = "https://${data.google_container_cluster.cluster.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(data.google_container_cluster.cluster.master_auth[0].cluster_ca_certificate)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = "https://${data.google_container_cluster.cluster.endpoint}"
+    token                  = data.google_client_config.default.access_token
+    cluster_ca_certificate = base64decode(data.google_container_cluster.cluster.master_auth[0].cluster_ca_certificate)
+  }
+}
+
+data "google_container_cluster" "cluster" {
+  name     = var.cluster_name
+  location = var.region
+  project  = var.project_id
+}
+
+module "wif" {
+  source = "./modules/wif"
+
+  project_id                    = var.project_id
+  cluster_name                  = var.cluster_name
+  region                        = var.region
+  namespace                     = var.namespace
+  cloud_sql_instance_connection = var.cloud_sql_instance_connection
+}
+
+module "formal" {
+  source = "./modules/formal"
+
+  name                      = var.connector_name
+  formal_api_key            = var.formal_api_key
+  postgres_port             = var.postgres_port
+  gcp_service_account_email = module.wif.service_account_email
+}
+
+# ECR credentials job for pulling Formal Connector image from ECR
+resource "helm_release" "ecr_cred" {
+  name       = "formal-ecr-cred"
+  repository = "https://formalco.github.io/helm-charts"
+  chart      = "ecr-cred"
+  version    = "0.3.0"
+  namespace  = var.namespace
+
+  values = [yamlencode({
+    ecrAccessKeyId     = var.ecr_access_key_id
+    ecrSecretAccessKey = var.ecr_secret_access_key
+  })]
+}
+
+resource "helm_release" "formal_connector" {
+  name       = "formal-connector"
+  repository = "https://formalco.github.io/helm-charts"
+  chart      = "connector"
+  version    = "0.11.0"
+  namespace  = var.namespace
+
+  values = [yamlencode({
+    formalAPIKey        = module.formal.connector_api_key
+    pullWithCredentials = true
+
+    ports = [
+      {
+        name = "postgres"
+        port = var.postgres_port
+      }
+    ]
+
+    serviceAccount = {
+      create = true
+      name   = "formal-connector"
+      annotations = {
+        "iam.gke.io/gcp-service-account" = module.wif.service_account_email
+      }
+    }
+
+    service = {
+      type = "LoadBalancer"
+      annotations = {
+        "cloud.google.com/load-balancer-type" = "Internal"
+      }
+    }
+
+    # Cloud SQL Proxy sidecar for secure connectivity to Cloud SQL
+    # Uses port 5433 internally to avoid conflict with connector's port 5432
+    # Note: Do not use --auto-iam-authn - the Formal Connector handles IAM auth via iam_gcp
+    sidecars = [
+      {
+        name  = "cloud-sql-proxy"
+        image = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.2"
+        args = [
+          var.cloud_sql_instance_connection,
+          "--port=5433"
+        ]
+        securityContext = {
+          runAsNonRoot = true
+        }
+        resources = {
+          requests = {
+            cpu    = "100m"
+            memory = "128Mi"
+          }
+          limits = {
+            cpu    = "500m"
+            memory = "256Mi"
+          }
+        }
+      }
+    ]
+  })]
+
+  depends_on = [module.wif, helm_release.ecr_cred]
+}
+
+data "kubernetes_service" "formal_connector" {
+  metadata {
+    name      = "formal-connector"
+    namespace = var.namespace
+  }
+
+  depends_on = [helm_release.formal_connector]
+}

examples/deployments/gcp/gke-cloudsqlproxy-connector/modules/formal/main.tf

@@ -0,0 +1,61 @@
+terraform {
+  required_providers {
+    formal = {
+      source  = "formalco/formal"
+      version = "~> 4.12.8"
+    }
+  }
+}
+
+provider "formal" {
+  api_key = var.formal_api_key
+}
+
+resource "formal_connector" "main" {
+  name = var.name
+}
+
+# Cloud SQL Resource
+# The connector connects to Cloud SQL via the Cloud SQL Proxy sidecar on localhost:5433
+# (port 5433 avoids conflict with the connector's listener on port 5432)
+resource "formal_resource" "cloudsql" {
+  technology = "postgres"
+  name       = coalesce(var.resource_name, "${var.name}-postgres")
+  hostname   = "localhost"
+  port       = 5433
+}
+
+# Disable TLS for the resource since Cloud SQL Proxy handles encryption
+resource "formal_resource_tls_configuration" "cloudsql" {
+  resource_id = formal_resource.cloudsql.id
+  tls_config  = "disable"
+}
+
+# Native user for Cloud SQL IAM authentication
+# The IAM database user is the service account email with .iam instead of .iam.gserviceaccount.com
+# The connector generates the IAM token using iam_gcp auth type
+resource "formal_native_user" "cloudsql_iam" {
+  resource_id        = formal_resource.cloudsql.id
+  native_user_id     = replace(var.gcp_service_account_email, ".gserviceaccount.com", "")
+  native_user_secret = "iam_gcp"
+  use_as_default     = true
+}
+
+# Postgres Listener
+resource "formal_connector_listener" "postgres_listener" {
+  name         = "${var.name}-postgres-listener"
+  port         = var.postgres_port
+  connector_id = formal_connector.main.id
+}
+
+resource "formal_connector_listener_rule" "postgres_rule" {
+  connector_listener_id = formal_connector_listener.postgres_listener.id
+  type                  = "technology"
+  rule                  = "postgres"
+}
+
+# Listener Link
+resource "formal_connector_listener_link" "postgres_link" {
+  connector_id          = formal_connector.main.id
+  connector_listener_id = formal_connector_listener.postgres_listener.id
+}