Merge pull request #36 from iron-security/fix/apply

fix: run in multiple plans
iron-security · Jun 29, 2022 · c74bc0a · c74bc0a
2 parents 03c0174 + 180c7b1
commit c74bc0a
Show file tree

Hide file tree

Showing 15 changed files with 129 additions and 48 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -28,9 +28,8 @@ jobs:
       name: Authenticate to Google Cloud
       uses: google-github-actions/[email protected]
       with:
-        token_format: access_token
         access_token_lifetime: 900s
-        workload_identity_provider: projects/1049058775616/locations/global/workloadIdentityPools/main-pool/providers/github
+        workload_identity_provider: projects/1049058775616/locations/global/workloadIdentityPools/main-pool/providers/github-sa-provider
         service_account: [email protected]
         create_credentials_file: true
     -

diff --git a/.github/workflows/test.infra.yml b/.github/workflows/test.infra.yml
@@ -0,0 +1,56 @@
+name: test
+
+on:
+  pull_request:
+    paths-ignore:
+    - helm/
+    - kubernetes/
+
+env:
+  TF_LOG: INFO
+  TF_VAR_cf_email: ${{ secrets.TF_VAR_CF_EMAIL }}
+  TF_VAR_cf_api_key: ${{ secrets.TF_VAR_CF_API_KEY }}
+  TF_VAR_github_token: ${{ secrets.TF_VAR_GITHUB_TOKEN }}
+
+jobs:
+
+  test-infra:
+
+    name: terraform infrastructure
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps: 
+    -
+      uses: actions/checkout@v3
+    -
+      uses: hashicorp/setup-terraform@v2
+    -
+      name: Terraform fmt
+      run: terraform fmt -check=true
+    -
+      name: Authenticate to Google Cloud
+      uses: google-github-actions/[email protected]
+      with:
+        access_token_lifetime: 900s
+        workload_identity_provider: projects/1049058775616/locations/global/workloadIdentityPools/main-pool/providers/github-sa-provider
+        service_account: [email protected]
+        create_credentials_file: true
+    -
+      name: Terraform Init
+      run: terraform init
+    -
+      name: Terraform Validate
+      run: terraform validate -no-color
+    -
+      name: Terraform Plan
+      run: terraform plan -no-color -lock=false -input=false
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    -
+      name: Cleanup
+      if: always()
+      run: rm "${GOOGLE_APPLICATION_CREDENTIALS}" || true
diff --git a/.github/workflows/test.yml → .github/workflows/test.kube.yml b/.github/workflows/test.yml → .github/workflows/test.kube.yml
@@ -1,5 +1,10 @@
 name: test
-on: [pull_request]
+
+on:
+  pull_request:
+    paths:
+    - helm/
+    - kubernetes/
 
 env:
   TF_LOG: INFO
@@ -9,9 +14,9 @@ env:
 
 jobs:
 
-  test:
+  test-kube:
 
-    name: terraform
+    name: terraform kubernetes
     runs-on: ubuntu-latest
 
     permissions:
@@ -46,4 +51,4 @@ jobs:
     -
       name: Cleanup
       if: always()
-      run: rm "${GOOGLE_APPLICATION_CREDENTIALS}" || true
+      run: rm "${GOOGLE_APPLICATION_CREDENTIALS}" || true
diff --git a/Makefile b/Makefile
@@ -75,21 +75,44 @@ validate:
 	terraform -chdir=$(TERRAFORM_DIR) validate .
 
 plan:
+	echo "Planning infrastructure..."
 	@if [ -f dev.env ]; then source dev.env; fi; \
 	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
 	terraform -chdir=$(TERRAFORM_DIR) plan \
 		-lock=false \
-		-input=false
-
+		-input=false \
+		-target='module.cloudflare' -target='module.github' -target='module.google'
+
+	echo "Planning kubernetes/helm..."
+	@if [ -f dev.env ]; then source dev.env; fi; \
+	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
+	terraform -chdir=$(TERRAFORM_DIR) plan \
+		-lock=false \
+		-input=false \
+		-target='module.kubernetes' -target='module.helm'
+
 apply:
+	echo "Applying infrastructure..."
+	@if [ -f dev.env ]; then source dev.env; fi; \
+	TF_LOG=DEBUG \
+	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
+	terraform -chdir=$(TERRAFORM_DIR) apply \
+		-auto-approve \
+		-lock=false \
+		-input=false \
+		-refresh=true \
+		-target='module.cloudflare' -target='module.github' -target='module.google'
+
+	echo "Applying kubernetes/helm..."
 	@if [ -f dev.env ]; then source dev.env; fi; \
 	TF_LOG=DEBUG \
 	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
 	terraform -chdir=$(TERRAFORM_DIR) apply \
 		-auto-approve \
 		-lock=false \
 		-input=false \
-		-refresh=true -target=module.kubernetes
+		-refresh=true \
+		-target='module.kubernetes' -target='module.helm'
 
 TARGET="foo"
 destroy:

diff --git a/github/providers.tf b/github/providers.tf
@@ -1,5 +1,7 @@
 terraform {
   required_providers {
-    github = {}
+    github = {
+      source = "integrations/github"
+    }
   }
 }
diff --git a/google/clusters.tf b/google/clusters.tf
@@ -10,6 +10,9 @@ module "dev_cluster" {
   nat_egress_address_id = google_compute_address.nat_egress_address.id
   gke_min_node_count    = 1
   gke_max_node_count    = 1
+  resource_labels = {
+    "env" : "dev"
+  }
 }
 
 // our GKE prod cluster with multi-zone/regional preemtible nodes

diff --git a/google/gke/gke.tf b/google/gke/gke.tf
@@ -14,10 +14,7 @@ resource "google_container_cluster" "gke_cluster" {
   name     = "${var.cluster_name}-cluster"
   location = var.cluster_location
 
-  resource_labels = {
-    cluster = "main"
-    stage   = "prd"
-  }
+  resource_labels = var.resource_labels
 
   # kubernetes release channel
   min_master_version = var.k8s_min_version

diff --git a/google/gke/gke_nodepool.tf b/google/gke/gke_nodepool.tf
@@ -16,9 +16,11 @@ resource "google_container_node_pool" "system_preemptible_nodes" {
     }
 
     # enable gvisor kernel sandboxing
+    /*
     sandbox_config {
-      sandbox_type = "gvisor"
+      sandbox_type = var.enable_kernel_sandbox ? "gvisor" : null
     }
+    */
 
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     service_account = google_service_account.gke_node_sa.email

diff --git a/google/gke/variables.tf b/google/gke/variables.tf
@@ -58,4 +58,14 @@ variable "enable_istio" {
 variable "allow_spot_nodes" {
   type    = bool
   default = true
+}
+
+variable "enable_kernel_sandbox" {
+  type    = bool
+  default = false
+}
+
+variable "resource_labels" {
+  type    = map(any)
+  default = {}
 }
diff --git a/google/gke/vpc.tf b/google/gke/vpc.tf
@@ -47,16 +47,16 @@ resource "google_compute_route" "egress_internet" {
 }
 
 resource "google_compute_router" "gke_vpc_router" {
-  project = var.project_id
-  depends_on = [ google_compute_subnetwork.gke_cluster_subnet ]
-  name    = "gke-${var.cluster_name}-router"
-  region  = google_compute_subnetwork.gke_cluster_subnet.region
-  network = google_compute_network.gke_cluster_vpc.name
+  project    = var.project_id
+  depends_on = [google_compute_subnetwork.gke_cluster_subnet]
+  name       = "gke-${var.cluster_name}-router"
+  region     = google_compute_subnetwork.gke_cluster_subnet.region
+  network    = google_compute_network.gke_cluster_vpc.name
 }
 
 resource "google_compute_router_nat" "nat_router" {
-  project = var.project_id
-  depends_on = [ google_compute_router.gke_vpc_router ]
+  project    = var.project_id
+  depends_on = [google_compute_router.gke_vpc_router]
 
   name                   = "${google_compute_subnetwork.gke_cluster_subnet.name}-nat-router"
   router                 = google_compute_router.gke_vpc_router.name

diff --git a/google/outputs.tf b/google/outputs.tf
@@ -2,15 +2,6 @@ output "dev_cluster_ca_certificate" {
   value = module.dev_cluster.cluster_ca_certificate
 }
 
-output "dev_cluster_client_certificate" {
-  value = module.dev_cluster.cluster_client_certificate
-}
-
-output "dev_cluster_client_key" {
-  sensitive = true
-  value     = module.dev_cluster.cluster_client_key
-}
-
 output "dev_cluster_endpoint" {
   value = module.dev_cluster.cluster_endpoint
 }

diff --git a/modules.dev.tf b/modules.dev.tf
@@ -21,12 +21,13 @@ provider "helm" {
 #
 
 module "kubernetes" {
-  depends_on = [module.google]
+  depends_on = [
+    module.google,
+    module.google.dev_cluster_endpoint
+  ]
 
   source = "./kubernetes"
 
-  //count = var.skip_kubernetes_deploy == true ? 0 : 1
-
   providers = {
     kubernetes = kubernetes.dev
   }
@@ -43,8 +44,6 @@ module "helm_dev" {
 
   source = "./helm/dev"
 
-  //count = var.skip_kubernetes_deploy == true ? 0 : 1
-
   providers = {
     kubernetes = kubernetes.dev
     helm       = helm.dev

diff --git a/modules.main.tf b/modules.main.tf
@@ -1,7 +1,7 @@
 module "cloudflare" {
   source = "./cloudflare"
 
-  account_id = var.cf_account_id
+  account_id    = var.cf_account_id
   account_admin = var.cf_email
 }
 

diff --git a/providers.tf b/providers.tf
@@ -37,13 +37,13 @@ terraform {
 }
 
 provider "cloudflare" {
-  email      = var.cf_email
-  api_key    = var.cf_api_key
+  email   = var.cf_email
+  api_key = var.cf_api_key
 }
 
 provider "github" {
   token = var.github_token
-  organization = var.github_owner
+  owner = var.github_org
 }
 
 provider "google" {

diff --git a/variables.tf b/variables.tf
@@ -13,7 +13,7 @@ variable "cf_account_id" {
 variable "github_token" {}
 
 # github org/owner slug
-variable "github_owner" {
+variable "github_org" {
   default = "iron-security"
 }
 
@@ -30,10 +30,4 @@ variable "gcloud_region" {
 # the full email address of the terraform service account
 variable "gcp_serviceaccount_email" {
   default = "[email protected]"
-}
-
-# this indicates that we skip the helm/kubernetes providers and only run the google one
-# this fixes a nasty limitation of Terraform where you can't plan/apply on things that are
-# not known yet, like the kubernetes cluster credentials/hostname, resulting
-# in errors like "Error: Get "http://localhost/api/v1/namespaces": dial tcp [::1]:80: connect: connection refused"
-//variable "skip_kubernetes_deploy" {default = false}
+}