Merge pull request #2319 from minrk/terraform-up

Terraform updates

Author: minrk

terraform/README.md

@@ -19,6 +19,7 @@ Then, to deploy e.g. staging:
 
 ```bash
 cd staging
+terraform init
 terraform apply
 ```
 

terraform/modules/mybinder/resource.tf

@@ -121,12 +121,14 @@ resource "google_service_account" "sa" {
 }
 
 resource "google_project_iam_member" "iam" {
+  project  = data.google_client_config.provider.project
   for_each = local.service_accounts
   role     = each.value.role
   member   = "serviceAccount:${google_service_account.sa[each.key].email}"
 }
 
 resource "google_project_iam_member" "deploy-pusher" {
+  project = data.google_client_config.provider.project
   # deployer also gets storage admin
   role   = "roles/storage.admin"
   member = "serviceAccount:${google_service_account.sa["deployer"].email}"
@@ -169,6 +171,8 @@ resource "google_storage_bucket" "raw-export" {
 }
 
 resource "google_logging_project_sink" "events-archive" {
+  project = data.google_client_config.provider.project
+
   name                   = "binderhub-${var.name}-events-raw-text"
   filter                 = "resource.type=\"global\" AND logName=\"projects/${data.google_client_config.provider.project}/logs/${local.events_log_prefix}-events-text\""
   destination            = "storage.googleapis.com/${google_storage_bucket.raw-export.name}"
@@ -183,3 +187,32 @@ resource "google_storage_bucket_iam_binding" "event-log-sink" {
     google_logging_project_sink.events-archive.writer_identity
   ]
 }
+
+# events-archiver
+# create service accounts and keys for logging events to stackdriver
+resource "google_service_account" "events" {
+  for_each     = toset(var.federation_members)
+  account_id   = "${each.key}-events-archiver"
+  display_name = "${each.key} Events Archiver"
+}
+
+resource "google_project_iam_member" "events" {
+  project  = data.google_client_config.provider.project
+  for_each = toset(var.federation_members)
+  role     = "roles/logging.logWriter"
+  member   = "serviceAccount:${google_service_account.events[each.key].email}"
+}
+
+# create keys for each service account
+resource "google_service_account_key" "events" {
+  for_each           = toset(var.federation_members)
+  service_account_id = google_service_account.events[each.key].account_id
+}
+
+output "events_archiver_keys" {
+  value = {
+    for name in var.federation_members :
+    name => base64decode(google_service_account_key.events[name].private_key)
+  }
+  sensitive = true
+}

terraform/modules/mybinder/variables.tf

@@ -23,3 +23,9 @@ variable "sql_tier" {
   description = "SQL instance tier"
   default     = "db-f1-micro"
 }
+
+variable "federation_members" {
+  type        = list(any)
+  description = "List of federation members by name"
+  default     = []
+}

terraform/modules/mybinder/versions.tf

@@ -2,11 +2,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.44"
+      version = "~> 4.31"
     }
     random = {
       source  = "hashicorp/random"
-      version = "~> 3.0.0"
+      version = "~> 3.3.2"
     }
   }
   required_version = "~> 1.1"

terraform/prod/main.tf

@@ -14,7 +14,7 @@ provider "google" {
 locals {
   gke_version        = "1.19.14-gke.1900"
   location           = "us-central1" # for regional clusters
-  federation_members = ["gke-old", "gesis", "turing", "ovh"]
+  federation_members = ["gesis", "turing", "ovh"]
 }
 
 module "mybinder" {
@@ -25,6 +25,8 @@ module "mybinder" {
   gke_location       = local.location # regional cluster for better upgrades
 
   sql_tier = "db-n1-standard-1"
+
+  federation_members = ["gesis", "turing", "ovh"]
 }
 
 # define node pools here, too hard to encode with variables
@@ -135,24 +137,6 @@ resource "google_storage_bucket" "billing" {
   uniform_bucket_level_access = true
 }
 
-# create service accounts and keys for logging events to stackdriver
-resource "google_service_account" "events" {
-  for_each     = toset(local.federation_members)
-  account_id   = "${each.key}-events-archiver"
-  display_name = "${each.key} Events Archiver"
-}
-
-resource "google_project_iam_member" "events" {
-  for_each = toset(local.federation_members)
-  role     = "roles/logging.logWriter"
-  member   = "serviceAccount:${google_service_account.events[each.key].email}"
-}
-
-# create keys for each service account
-resource "google_service_account_key" "events" {
-  for_each           = toset(local.federation_members)
-  service_account_id = google_service_account.events[each.key].account_id
-}
 
 # outputs: things we want to be able to see and/or save to files
 # e.g. credentials for deployment / event logging
@@ -174,9 +158,6 @@ output "private_keys" {
 }
 
 output "events_archiver_keys" {
-  value = {
-    for name in local.federation_members :
-    name => base64decode(google_service_account_key.events[name].private_key)
-  }
+  value     = module.mybinder.events_archiver_keys
   sensitive = true
 }

terraform/staging/main.tf

@@ -16,10 +16,10 @@ locals {
 }
 
 module "mybinder" {
-  source = "../modules/mybinder"
-
+  source             = "../modules/mybinder"
   name               = "staging"
   gke_master_version = local.gke_version
+  federation_members = ["turing-staging"]
 }
 
 # define node pools here, too hard to encode with variables
@@ -53,7 +53,7 @@ resource "google_container_node_pool" "pool" {
 
   lifecycle {
     ignore_changes = [
-        version
+      version
     ]
   }
 }
@@ -73,3 +73,8 @@ output "matomo_password" {
   value     = module.mybinder.matomo_password
   sensitive = true
 }
+
+output "events_archiver_keys" {
+  value     = module.mybinder.events_archiver_keys
+  sensitive = true
+}