feat: adding a module for networking/iam requirements and example for composer-v2 (#60)

* initial

* test

* test

* integration test

* changed for each

* broken by module

* added outputs

* test

* added fixtures

* linting

* added outputs

* added headers

* fixed linting

* fixing lint

* fixing lint

* fixing lint

* adding README files

* incorporating feedback from bharath

* fixed service account iam

* renamed files

* moved out of fixtures

* moved out of fixtures

* changed package name

* removed invalid code from example

* testing

* resolving errors

* adding variables

* adding variables

* Revert "adding variables"

This reverts commit 6ab5156.

* fixed variables.tf

* formatted properly

* added documentation

* resolved fmt errors

* fixed bharath's comments

* fixed bharath's comments

* fixed bharath's comments

* fixed bharath's comments

* fixed bharath's comments

* fixed bharath's comments

* added network

* added network

* added iam

* added dns

* added dns

* added dns

* added dns

* added shared vpc iam

* added shared vpc iam

* shared vpc stuff

* fix lint

* fixing fmt errors

* fixing fmt errors

* using custom service account

* cleaned up shared vpc iam

* cleaned up shared vpc iam

* fixing based on bharath's inputs

* fixed some linting

* fixing based on bharath's inputs

* fixed some linting

* fixed some linting

* added container googleapis.com

* added container googleapis.com

* only trying shared vpc module

* adding new vpc name

* ran generate docs

* added back other integration tests

* resolved bharaths final comments

* bharath's inputs

Author: sanmaym

build/int.cloudbuild.yaml

@@ -111,6 +111,28 @@ steps:
 #   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 #   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy airflow-pool-local']
 
+  # ----- SUITE composer-v2-sharedvpc-prereq-local
+
+- id: init-composer-v2-sharedvpc-prereq
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2SharedVpcModule --stage init --verbose']
+- id: apply-composer-v2-sharedvpc-prereq
+  waitFor:
+    - init-composer-v2-sharedvpc-prereq
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2SharedVpcModule --stage apply --verbose']
+- id: verify-composer-v2-sharedvpc-prereq
+  waitFor:
+    - apply-composer-v2-sharedvpc-prereq
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2SharedVpcModule --stage verify --verbose']
+- id: destroy-composer-v2-sharedvpc-prereq
+  waitFor:
+    - verify-composer-v2-sharedvpc-prereq
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2SharedVpcModule --stage destroy --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/composer_v2_sharedvpc_prereq/README.md

@@ -0,0 +1,117 @@
+# Cloud Composer Example within VPC SC and Shared VPC
+
+This guide provides the infrastructure as code as a reference point for users/ customers
+who want to perform all the steps documented in these links through Terraform
+- Shared VPC : https://cloud.google.com/composer/docs/composer-2/configure-shared-vpc
+- Firewall rules : https://cloud.google.com/composer/docs/composer-2/configure-private-ip#step_3_configure_firewall_rules
+- Cloud DNS rules: https://cloud.google.com/composer/docs/composer-2/configure-vpc-sc#connectivity_to_the_restrictedgoogleapiscom_endpoint
+
+## Compatibility
+
+This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+.
+
+## Usage
+
+
+```hcl
+
+
+module "composer_env" {
+  source = "terraform-google-modules/composer/google//modules/create_environment_v2"
+  project_id = var.service_project_id
+  network_project_id = var.network_project_id
+  composer_env_name                = var.composer_env_name
+  region                           = var.region
+  composer_service_account         = google_service_account.composer_sa.email
+  network                          = var.network
+  subnetwork                       = var.subnetwork
+  pod_ip_allocation_range_name     = var.pod_ip_allocation_range_name
+  service_ip_allocation_range_name = var.service_ip_allocation_range_name
+  grant_sa_agent_permission        = true
+  use_private_environment          = true
+  enable_private_endpoint          = true
+  environment_size                 = "ENVIRONMENT_SIZE_SMALL"
+  scheduler = {
+    cpu        = 1
+    memory_gb  = 1.875
+    storage_gb = 1
+    count      = 1
+  }
+  web_server = {
+    cpu        = 1
+    memory_gb  = 2
+    storage_gb = 10
+  }
+  worker = {
+    cpu        =1
+    memory_gb  = 2
+    storage_gb = 1
+    min_count  = 1
+    max_count  = 6
+  }
+}
+
+```
+
+
+## Requirements
+
+Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:
+
+1. The projects (host and service) are added within a VPC Service Control Perimeter and have the Cloud DNS/ routes configured appropriately for for Restricted VIP.
+2. The Service Account you execute the module with has the right [permissions](#configure-a-service-account).
+3. The Compute Engine and Kubernetes Engine APIs are [active](#enable-apis) on the project you will launch the cluster in.
+4. If you are using a Shared VPC, the APIs must also be activated on the Shared VPC host project and your service account needs the proper permissions there.
+5. As Composer uses GKE under the hood, certain networking configurations such as creation of network, subnets, GKE IP ranges are done before hand. This code only configures composer specific firewall rules and DNS entry.
+
+
+
+### Configure a Service Account
+In order to execute this module you must have a Service Account with the
+following project roles in the Service Project:
+- roles/viewer - to get the service project
+- roles/composer.admin - to create the composer environment
+- roles/iam.serviceAccountCreator- to create the Service account attached to the composer environment
+- roles/resourcemanager.projectIamAdmin - to make iam bindings in service project for composer worker
+- roles/serviceaccountuser - If you do not assign this, you get the User not authorized to act as service account 'xxxx. The user must be granted iam.serviceAccounts.actAs permission
+
+Roles needed in the Network project (where host vpc resides)
+- roles/dns.admin - Create DNS Zone that contains records to access Airflow UI
+- roles/compute.securityAdmin - You can explore custom roles as well to compute.firewalls.create in network project (Compute Security Admin)
+- roles/resourcemanager.projectIamAdmin - to make iam bindings in host project for Compute Network user
+
+As the project's are within VPC SC, you may need to allow list the orchestrator service account that has these permissions
+### Destroy
+When destroying, destroy the composer resource first through targeted operation
+
+terraform destroy -target=module.composer_env
+
+Then proceed to destroying everything else
+### Enable APIs
+In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
+
+- Cloud Composer - composer.googleapis.com
+- Kubernetes Engine API - container.googleapis.com
+- Service Usage API - serviceusage.googleapis.com
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| network | The name of the network being created | `string` | n/a | yes |
+| project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | n/a | yes |
+| service\_project\_id | Project ID where Cloud Composer Environment is created. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| airflow\_uri | URI of the Apache Airflow Web UI hosted within the Cloud Composer Environment. |
+| composer\_env\_id | ID of Cloud Composer Environment. |
+| composer\_env\_name | Name of the Cloud Composer Environment. |
+| gcs\_bucket | Google Cloud Storage bucket which hosts DAGs for the Cloud Composer Environment. |
+| gke\_cluster | Google Kubernetes Engine cluster used to run the Cloud Composer Environment. |
+| service\_project\_id | The id of the project where cloud composer was created. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/composer_v2_sharedvpc_prereq/composer.tf

@@ -0,0 +1,68 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "composer_net" {
+  source                                 = "../../modules/composer_net"
+  service_project_id                     = var.service_project_id
+  network_project_id                     = var.project_id
+  composer_env_name                      = "san-composer-2"
+  region                                 = "us-central1"
+  network                                = var.network
+  subnetwork                             = "composer-subnet"
+  cloud_composer_network_ipv4_cidr_block = "192.168.192.0/24"
+  master_ipv4_cidr                       = "192.168.193.0/28"
+  cloud_sql_ipv4_cidr                    = "192.168.0.0/17"
+  gke_subnet_ip_range                    = ["10.100.232.0/27"]
+  gke_pods_services_ip_ranges            = ["10.1.0.0/16", "10.4.0.0/16", "10.10.10.0/24", "10.10.14.0/24"]
+}
+module "composer_env" {
+  depends_on = [
+    module.composer_net
+  ]
+  source                                 = "../../modules/create_environment_v2"
+  project_id                             = var.service_project_id
+  network_project_id                     = var.project_id
+  composer_env_name                      = "san-composer-2"
+  composer_service_account               = module.composer_net.composer_sa_email
+  region                                 = "us-central1"
+  network                                = var.network
+  subnetwork                             = "composer-subnet"
+  cloud_composer_network_ipv4_cidr_block = "192.168.192.0/24"
+  master_ipv4_cidr                       = "192.168.193.0/28"
+  cloud_sql_ipv4_cidr                    = "192.168.0.0/17"
+  pod_ip_allocation_range_name           = "composer-pods-1"
+  service_ip_allocation_range_name       = "composer-services-1"
+  grant_sa_agent_permission              = true
+  use_private_environment                = true
+  enable_private_endpoint                = true
+  environment_size                       = "ENVIRONMENT_SIZE_SMALL"
+  scheduler = {
+    cpu        = 1
+    memory_gb  = 1.875
+    storage_gb = 1
+    count      = 1
+  }
+  web_server = {
+    cpu        = 1
+    memory_gb  = 2
+    storage_gb = 10
+  }
+  worker = {
+    cpu        = 1
+    memory_gb  = 2
+    storage_gb = 1
+    min_count  = 1
+    max_count  = 6
+  }
+}

examples/composer_v2_sharedvpc_prereq/outputs.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_project_id" {
+  description = "The id of the project where cloud composer was created."
+  value       = var.service_project_id
+}
+
+output "composer_env_name" {
+  description = "Name of the Cloud Composer Environment."
+  value       = module.composer_env.composer_env_name
+}
+
+output "composer_env_id" {
+  description = "ID of Cloud Composer Environment."
+  value       = module.composer_env.composer_env_id
+}
+
+output "gke_cluster" {
+  description = "Google Kubernetes Engine cluster used to run the Cloud Composer Environment."
+  value       = module.composer_env.gke_cluster
+}
+
+output "gcs_bucket" {
+  description = "Google Cloud Storage bucket which hosts DAGs for the Cloud Composer Environment."
+  value       = module.composer_env.gcs_bucket
+}
+
+output "airflow_uri" {
+  description = "URI of the Apache Airflow Web UI hosted within the Cloud Composer Environment."
+  value       = module.composer_env.airflow_uri
+}

examples/composer_v2_sharedvpc_prereq/variables.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "service_project_id" {
+  description = "Project ID where Cloud Composer Environment is created."
+  type        = string
+}
+
+variable "project_id" {
+  type        = string
+  description = "The project ID of the shared VPC's host (for shared vpc support)"
+}
+
+variable "network" {
+  type        = string
+  description = "The name of the network being created"
+}
+

modules/composer_net/README.md

@@ -0,0 +1,34 @@
+# Composer Network Module Example
+
+This example illustrates how to use the `composer-net` module. Please see examples directory (Composer_v2_shared_vpc_prereq) on how this can be used.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cloud\_composer\_network\_ipv4\_cidr\_block | The CIDR block from which IP range in tenant project will be reserved. | `string` | `null` | no |
+| cloud\_sql\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for Cloud SQL. | `string` | `null` | no |
+| composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
+| gke\_pods\_services\_ip\_ranges | The secondary IP ranges for the GKE Pods and Services IP ranges | `list(string)` | n/a | yes |
+| gke\_subnet\_ip\_range | The GKE subnet IP range | `list(string)` | n/a | yes |
+| master\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for the master. | `string` | `null` | no |
+| network | The VPC network to host the composer cluster. | `string` | n/a | yes |
+| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | n/a | yes |
+| region | Region where the Cloud Composer Environment is created. | `string` | `"us-central1"` | no |
+| service\_project\_id | Project ID where Cloud Composer Environment is created. | `string` | n/a | yes |
+| subnetwork | The subnetwork to host the composer cluster. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| composer\_sa\_email | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

modules/composer_net/dns.tf

@@ -0,0 +1,54 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/***************************************
+composer.cloud.google.com
+***************************************/
+
+resource "google_dns_managed_zone" "composer_cloud_zone" {
+  name        = "composer-google-cloud-dns"
+  project     = var.network_project_id
+  dns_name    = "composer.cloud.google.com."
+  description = "composer.cloud.google.com zone"
+
+  visibility = "private"
+
+  private_visibility_config {
+    networks {
+      network_url = "https://www.googleapis.com/compute/v1/projects/${var.network_project_id}/global/networks/${var.network}"
+    }
+  }
+}
+
+resource "google_dns_record_set" "composer_cloud_zone-dev-A-record" {
+  name    = "composer.cloud.google.com."
+  project = var.network_project_id
+  type    = "A"
+  ttl     = 300
+
+  managed_zone = google_dns_managed_zone.composer_cloud_zone.name
+
+  rrdatas = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
+}
+
+resource "google_dns_record_set" "composer_cloud_zone-CNAME" {
+  name    = "*.composer.cloud.google.com."
+  project = var.network_project_id
+  type    = "CNAME"
+  ttl     = 300
+
+  managed_zone = google_dns_managed_zone.composer_cloud_zone.name
+
+  rrdatas = ["composer.cloud.google.com."]
+}