Add GCS bucket resource to GKE terraform module (#97)

Author: Jake Neyer

terraform/examples/gke-complete/app/main.tf

@@ -1,14 +1,15 @@
 locals {
-  project_id               = "project"
-  region                   = "us-east1"
-  url                      = "polytomic.example.com"
-  polytomic_deployment     = "deployment"
-  polytomic_deployment_key = "key"
-  polytomic_image          = "us.gcr.io/polytomic-container-distro/polytomic-onprem"
-  polytomic_image_tag      = "latest"
-  polytomic_root_user      = "user@example.com"
-  polytomic_bucket         = "polytomic-bucket"
-
+  project_id                     = "project"
+  region                         = "us-east1"
+  url                            = "polytomic.example.com"
+  polytomic_deployment           = "deployment"
+  polytomic_deployment_key       = "key"
+  polytomic_image                = "us.gcr.io/polytomic-container-distro/polytomic-onprem"
+  polytomic_image_tag            = "latest"
+  polytomic_root_user            = "user@example.com"
+  polytomic_bucket               = "polytomic-bucket"
+  polytomic_google_client_id     = "google-client-id"
+  polytomic_google_client_secret = "google-client-secret"
 }
 
 
@@ -49,21 +50,23 @@ data "google_container_cluster" "my_cluster" {
 module "gke_helm" {
   source = "github.com/polytomic/on-premises/terraform/modules/gke-helm"
 
-  polytomic_cert_name       = google_compute_managed_ssl_certificate.cert.name
-  polytomic_ip_name         = data.terraform_remote_state.gke.outputs.load_balancer_name
-  polytomic_url             = local.url
-  polytomic_deployment      = local.polytomic_deployment
-  polytomic_deployment_key  = local.polytomic_deployment_key
-  polytomic_image           = local.polytomic_image
-  polytomic_image_tag       = local.polytomic_image_tag
-  polytomic_root_user       = local.polytomic_root_user
-  redis_host                = data.terraform_remote_state.gke.outputs.redis_host
-  redis_port                = data.terraform_remote_state.gke.outputs.redis_port
-  redis_password            = data.terraform_remote_state.gke.outputs.redis_auth_string
-  postgres_host             = data.terraform_remote_state.gke.outputs.postgres_ip
-  postgres_password         = data.terraform_remote_state.gke.outputs.postgres_password
-  polytomic_bucket          = local.polytomic_bucket
-  polytomic_service_account = data.terraform_remote_state.gke.outputs.workload_identity_user_sa
+  polytomic_cert_name            = google_compute_managed_ssl_certificate.cert.name
+  polytomic_ip_name              = data.terraform_remote_state.gke.outputs.load_balancer_name
+  polytomic_url                  = local.url
+  polytomic_deployment           = local.polytomic_deployment
+  polytomic_deployment_key       = local.polytomic_deployment_key
+  polytomic_image                = local.polytomic_image
+  polytomic_image_tag            = local.polytomic_image_tag
+  polytomic_root_user            = local.polytomic_root_user
+  redis_host                     = data.terraform_remote_state.gke.outputs.redis_host
+  redis_port                     = data.terraform_remote_state.gke.outputs.redis_port
+  redis_password                 = data.terraform_remote_state.gke.outputs.redis_auth_string
+  postgres_host                  = data.terraform_remote_state.gke.outputs.postgres_ip
+  postgres_password              = data.terraform_remote_state.gke.outputs.postgres_password
+  polytomic_bucket               = data.terraform_remote_state.gke.outputs.bucket
+  polytomic_service_account      = data.terraform_remote_state.gke.outputs.workload_identity_user_sa
+  polytomic_google_client_id     = local.polytomic_google_client_id
+  polytomic_google_client_secret = local.polytomic_google_client_secret
 }
 
 resource "google_compute_managed_ssl_certificate" "cert" {

terraform/examples/gke-complete/cluster/main.tf

@@ -21,5 +21,6 @@ module "gke" {
   project_id              = local.project_id
   region                  = local.region
   cluster_service_account = module.gke_cluster_service_account.email
-
+  bucket_name             = local.polytomic_bucket
+  workload_identity_sa    = module.gke_cluster_service_account.workload_identity_user_sa_email
 }

terraform/examples/gke-complete/cluster/outputs.tf

@@ -53,3 +53,8 @@ output "postgres_host" {
 output "postgres_ip" {
   value = module.gke.postgres_ip
 }
+
+
+output "bucket" {
+  value = module.gke.bucket
+}

terraform/modules/gke-helm/main.tf

@@ -27,8 +27,9 @@ image:
   repository: ${var.polytomic_image}
   tag: ${var.polytomic_image_tag}
 
-serviceAccount.Annotations:
-  iam.gke.io/gcp-service-account: ${var.polytomic_service_account}
+serviceAccount:
+  annotations:
+    iam.gke.io/gcp-service-account: ${var.polytomic_service_account}
 
 polytomic:
   deployment:
@@ -40,6 +41,8 @@ polytomic:
   auth:
     methods:
       - google
+      - microsoft
+      - sso
     root_user: ${var.polytomic_root_user}
     url: https://${var.polytomic_url}
     single_player: false
@@ -60,6 +63,7 @@ polytomic:
   s3:
     operational_bucket: gs://${var.polytomic_bucket}
     record_log_bucket: ${var.polytomic_bucket}
+    region: ""
     gcs: true
   
   jobs:
@@ -71,6 +75,9 @@ redis:
 postgresql:
   enabled: false
 
+minio:
+  enabled: false
+
 EOF
   ]
 

terraform/modules/gke/README.md

@@ -25,13 +25,16 @@ No requirements.
 | [google_compute_global_address.private_ip_address](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |
 | [google_compute_network_peering_routes_config.peering_routes](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering_routes_config) | resource |
 | [google_service_networking_connection.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection) | resource |
+| [google_storage_bucket.polytomic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
+| [google_storage_bucket_iam_member.polytomic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_client_config.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the bucket to create | `string` | `"polytomic-bucket"` | no |
 | <a name="input_cluster_service_account"></a> [cluster\_service\_account](#input\_cluster\_service\_account) | The service account to use for the cluster | `any` | n/a | yes |
 | <a name="input_create_postgres"></a> [create\_postgres](#input\_create\_postgres) | Whether to create a postgres instance | `bool` | `true` | no |
 | <a name="input_create_redis"></a> [create\_redis](#input\_create\_redis) | Whether to create a redis instance | `bool` | `true` | no |
@@ -41,11 +44,13 @@ No requirements.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID to host the cluster in | `any` | n/a | yes |
 | <a name="input_redis_size"></a> [redis\_size](#input\_redis\_size) | The size of the redis instance in GB | `string` | `"1"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to host the cluster in | `string` | `"us-east1"` | no |
+| <a name="input_workload_identity_sa"></a> [workload\_identity\_sa](#input\_workload\_identity\_sa) | The name of the workload identity user service account | `string` | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_bucket"></a> [bucket](#output\_bucket) | n/a |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Cluster name |
 | <a name="output_lb_ip"></a> [lb\_ip](#output\_lb\_ip) | Load balancer IP |
 | <a name="output_lb_name"></a> [lb\_name](#output\_lb\_name) | Load balancer IP Name |

terraform/modules/gke/main.tf

@@ -146,3 +146,16 @@ resource "google_compute_network_peering_routes_config" "peering_routes" {
   import_custom_routes = true
   export_custom_routes = true
 }
+
+resource "google_storage_bucket" "polytomic" {
+  name          = var.bucket_name
+  location      = var.region
+  force_destroy = true
+}
+
+
+resource "google_storage_bucket_iam_member" "polytomic" {
+  bucket = google_storage_bucket.polytomic.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${var.workload_identity_sa}"
+}

terraform/modules/gke/outputs.tf

@@ -41,3 +41,7 @@ output "postgres_host" {
 output "postgres_ip" {
   value = module.postgres[0].private_ip_address
 }
+
+output "bucket" {
+  value = google_storage_bucket.polytomic.name
+}

terraform/modules/gke/vars.tf

@@ -42,3 +42,14 @@ variable "postgres_instance_tier" {
   description = "The tier of the postgres instance"
   default     = "db-f1-micro"
 }
+
+variable "bucket_name" {
+  description = "The name of the bucket to create"
+  default     = "polytomic-bucket"
+}
+
+
+variable "workload_identity_sa" {
+  description = "The name of the workload identity user service account"
+  default     = ""
+}