Replace Docker's `gcplogs` driver with the GCP COS logging agent (#977)

Sebastian Kunze 2022-11-15 13:19:52 +01:00 committed by GitHub
parent f3a000d32c
commit 5125a5ad03
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
33 changed files with 105 additions and 181 deletions


@ -151,7 +151,8 @@ module "squid-vm" {
service_account = module.service-account-squid.email service_account = module.service-account-squid.email
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
metadata = { metadata = {
user-data = module.cos-squid.cloud_config user-data = module.cos-squid.cloud_config
google-logging-enabled = true
} }
} }
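Review bot: The new `google-logging-enabled = true` on the squid instance only yields logs if `module.service-account-squid` holds `roles/logging.logWriter` on the project; that IAM binding is not in this hunk, and the `cloud-platform` scope on the line above does not grant it, so it is worth confirming rather than assuming. With the gcplogs driver a missing role stopped the container from starting, which made the gap visible; the host agent instead silently ships nothing, which is easy to miss on a proxy other instances depend on. I would add `# requires roles/logging.logWriter on the squid service account` above the metadata entry and, if the role is granted elsewhere, reference that resource. The `squid-vm` module block starts before this hunk.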


@ -25,7 +25,6 @@ locals {
Environment="HOME=/home/opsagent" Environment="HOME=/home/opsagent"
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
ExecStart=/usr/bin/docker run --rm --name=monitoring-agent \ ExecStart=/usr/bin/docker run --rm --name=monitoring-agent \
--log-driver=gcplogs \
--network host \ --network host \
-v /etc/google-cloud-ops-agent/config.yaml:/etc/google-cloud-ops-agent/config.yaml \ -v /etc/google-cloud-ops-agent/config.yaml:/etc/google-cloud-ops-agent/config.yaml \
${var.ops_agent_image} ${var.ops_agent_image}
@ -305,7 +304,8 @@ module "proxy-vm" {
} }
create_template = true create_template = true
metadata = { metadata = {
user-data = !var.tls ? module.cos-nginx.0.cloud_config : module.cos-nginx-tls.0.cloud_config user-data = !var.tls ? module.cos-nginx.0.cloud_config : module.cos-nginx-tls.0.cloud_config
google-logging-enabled = true
} }
service_account = module.service-account-proxy.email service_account = module.service-account-proxy.email
service_account_create = false service_account_create = false
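Review bot: With `--log-driver=gcplogs` gone from the `monitoring-agent` unit and `google-logging-enabled = true` now set on `proxy-vm`, two collectors can run on the same instance: the COS logging agent and the Ops Agent container. If the mounted `/etc/google-cloud-ops-agent/config.yaml` (not visible here) still defines `logging` receivers, container and journal lines will be ingested twice, doubling Logging cost and producing duplicate alert evidence; the file should keep only its `metrics` section, or the unit should state that it is metrics-only. I would add above `ExecStart`: `# metrics only: logs are shipped by the COS logging agent (google-logging-enabled)`. Both the systemd unit and the `proxy-vm` block extend beyond this hunk.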


@ -21,8 +21,6 @@ These modules are designed for several use cases:
All modules are designed to be as lightweight as possible, so that specialized modules like [compute-vm](../compute-vm) can be leveraged to manage instances or instance templates, and to allow simple forking to create custom derivatives. All modules are designed to be as lightweight as possible, so that specialized modules like [compute-vm](../compute-vm) can be leveraged to manage instances or instance templates, and to allow simple forking to create custom derivatives.
Modules use Docker's [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) by default, so projects need to have the logging API enabled. If that's not desirable simply remove `--log-driver=gcplogs` from the relevant systemd unit in `cloud-config.yaml`.
To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system. To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system.
For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm. For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm.


@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
The default instance configuration inserts iptables rules to allow traffic on the DNS TCP and UDP ports, and the 8080 port for the optional HTTP health check that can be enabled via the CoreDNS [health plugin](https://coredns.io/plugins/health/). The default instance configuration inserts iptables rules to allow traffic on the DNS TCP and UDP ports, and the 8080 port for the optional HTTP health check that can be enabled via the CoreDNS [health plugin](https://coredns.io/plugins/health/).
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot. Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot.
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
@ -28,10 +28,13 @@ module "cos-coredns" {
} }
# use it as metadata in a compute instance or template # use it as metadata in a compute instance or template
resource "google_compute_instance" "default" { module "vm-coredns" {
source = "./fabric/modules/compute-vm"
metadata = { metadata = {
user-data = module.cos-coredns.cloud_config user-data = module.cos-coredns.cloud_config
google-logging-enabled = true
} }
}
``` ```
### Custom CoreDNS configuration ### Custom CoreDNS configuration
@ -77,9 +80,8 @@ module "cos-coredns" {
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> | | [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> | | [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> | | [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
| [docker_logging](variables.tf#L35) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | | [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | | [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | | [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |


@ -17,8 +17,6 @@
# https://hub.docker.com/r/coredns/coredns/ # https://hub.docker.com/r/coredns/coredns/
# https://coredns.io/manual/toc/#installation # https://coredns.io/manual/toc/#installation
# TODO: switch to the gcplogs logging driver, and set driver labels
write_files: write_files:
- path: /var/lib/docker/daemon.json - path: /var/lib/docker/daemon.json
permissions: 0644 permissions: 0644
@ -58,9 +56,6 @@ write_files:
Wants=gcr-online.target docker.socket docker-events-collector.service Wants=gcr-online.target docker.socket docker-events-collector.service
[Service] [Service]
ExecStart=/usr/bin/docker run --rm --name=coredns \ ExecStart=/usr/bin/docker run --rm --name=coredns \
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
--network host \ --network host \
-v /etc/coredns:/etc/coredns \ -v /etc/coredns:/etc/coredns \
coredns/coredns -conf /etc/coredns/Corefile coredns/coredns -conf /etc/coredns/Corefile
@ -83,4 +78,4 @@ runcmd:
- iptables -I INPUT 1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -I INPUT 1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
- systemctl daemon-reload - systemctl daemon-reload
- systemctl restart systemd-resolved.service - systemctl restart systemd-resolved.service
- systemctl start coredns - systemctl start coredns
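Review bot: Dropping `--log-driver=gcplogs` from the coredns unit means the container's stdout now goes through whatever driver `/var/lib/docker/daemon.json` (written above, content outside this hunk) selects, by default `json-file` with no rotation; as I read the COS docs the logging agent tails those json-file logs, so the driver must stay `json-file` for CoreDNS output to reach Cloud Logging at all. Without `log-opts` the local file grows unbounded, which on a resolver with the `log` plugin enabled can fill the stateful partition and take down DNS. I would make sure daemon.json carries `"log-driver": "json-file"` and `"log-opts": {"max-size": "10m", "max-file": "3"}` (sizes to taste), and note in the unit that logging now relies on the instance-level agent. The `write_files` entry for daemon.json begins in this hunk but its content is cut off.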


@ -16,9 +16,8 @@
locals { locals {
cloud_config = templatefile(local.template, merge(var.config_variables, { cloud_config = templatefile(local.template, merge(var.config_variables, {
corefile = templatefile(local.corefile, var.config_variables) corefile = templatefile(local.corefile, var.config_variables)
docker_logging = var.docker_logging files = local.files
files = local.files
})) }))
corefile = ( corefile = (
var.coredns_config == null ? "${path.module}/Corefile" : var.coredns_config var.coredns_config == null ? "${path.module}/Corefile" : var.coredns_config


@ -32,12 +32,6 @@ variable "coredns_config" {
default = null default = null
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "file_defaults" { variable "file_defaults" {
description = "Default owner and permissions for files." description = "Default owner and permissions for files."
type = object({ type = object({


@ -2,8 +2,6 @@
This helper module manages a `cloud-config` configuration that can start a container on [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (COS). Either a complete `cloud-config` template can be provided via the `cloud_config` variable with optional template variables via the `config_variables`, or a generic `cloud-config` can be generated based on typical parameters needed to start a container. This helper module manages a `cloud-config` configuration that can start a container on [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (COS). Either a complete `cloud-config` template can be provided via the `cloud_config` variable with optional template variables via the `config_variables`, or a generic `cloud-config` can be generated based on typical parameters needed to start a container.
Logging can be enabled via the [Google Cloud Logging docker driver](https://docs.docker.com/config/containers/logging/gcplogs/) using the `gcp_logging` variable. This is enabled by default, but requires that the service account running the COS instance have the `roles/logging.logWriter` IAM role or equivalent permissions on the project. If it doesn't, the container will fail to start unless this is disabled.
The module renders the generated cloud config in the `cloud_config` output, which can be directly used in instances or instance templates via the `user-data` metadata attribute. The module renders the generated cloud config in the `cloud_config` output, which can be directly used in instances or instance templates via the `user-data` metadata attribute.
## Examples ## Examples
@ -64,7 +62,7 @@ module "cos-envoy" {
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [container_image](variables.tf#L42) | Container image. | <code>string</code> | ✓ | | | [container_image](variables.tf#L42) | Container image. | <code>string</code> | ✓ | |
| [authenticate_gcr](variables.tf#L124) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> | | [authenticate_gcr](variables.tf#L112) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
| [boot_commands](variables.tf#L17) | List of cloud-init `bootcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [boot_commands](variables.tf#L17) | List of cloud-init `bootcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [cloud_config](variables.tf#L23) | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> | | [cloud_config](variables.tf#L23) | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L29) | Additional variables used to render the template passed via `cloud_config`. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> | | [config_variables](variables.tf#L29) | Additional variables used to render the template passed via `cloud_config`. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
@ -72,13 +70,11 @@ module "cos-envoy" {
| [container_name](variables.tf#L47) | Name of the container to be run. | <code>string</code> | | <code>&#34;container&#34;</code> | | [container_name](variables.tf#L47) | Name of the container to be run. | <code>string</code> | | <code>&#34;container&#34;</code> |
| [container_volumes](variables.tf#L53) | List of volumes. | <code title="list&#40;object&#40;&#123;&#10; host &#61; string,&#10; container &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> | | [container_volumes](variables.tf#L53) | List of volumes. | <code title="list&#40;object&#40;&#123;&#10; host &#61; string,&#10; container &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [docker_args](variables.tf#L62) | Extra arguments to be passed for docker. | <code>string</code> | | <code>null</code> | | [docker_args](variables.tf#L62) | Extra arguments to be passed for docker. | <code>string</code> | | <code>null</code> |
| [docker_logging](variables.tf#L68) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [file_defaults](variables.tf#L68) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [file_defaults](variables.tf#L74) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | | [files](variables.tf#L80) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [files](variables.tf#L86) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | | [run_as_first_user](variables.tf#L106) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> |
| [gcp_logging](variables.tf#L96) | Should container logs be sent to Google Cloud Logging. | <code>bool</code> | | <code>true</code> | | [run_commands](variables.tf#L90) | List of cloud-init `runcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [run_as_first_user](variables.tf#L118) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> | | [users](variables.tf#L96) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
| [run_commands](variables.tf#L102) | List of cloud-init `runcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [users](variables.tf#L108) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
## Outputs ## Outputs


@ -52,9 +52,6 @@ write_files:
%{~ if length(users) > 0 && run_as_first_user ~} %{~ if length(users) > 0 && run_as_first_user ~}
--user=${users[0].uid} \ --user=${users[0].uid} \
%{~ endif ~} %{~ endif ~}
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
%{~ if docker_args != null ~} %{~ if docker_args != null ~}
${docker_args} \ ${docker_args} \
%{~ endif ~} %{~ endif ~}


@ -22,9 +22,7 @@ locals {
container_name = var.container_name container_name = var.container_name
container_volumes = var.container_volumes container_volumes = var.container_volumes
docker_args = var.docker_args docker_args = var.docker_args
docker_logging = var.docker_logging
files = local.files files = local.files
gcp_logging = var.gcp_logging
run_commands = var.run_commands run_commands = var.run_commands
users = var.users users = var.users
authenticate_gcr = var.authenticate_gcr authenticate_gcr = var.authenticate_gcr


@ -65,12 +65,6 @@ variable "docker_args" {
default = null default = null
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "file_defaults" { variable "file_defaults" {
description = "Default owner and permissions for files." description = "Default owner and permissions for files."
type = object({ type = object({
@ -93,12 +87,6 @@ variable "files" {
default = {} default = {}
} }
variable "gcp_logging" {
description = "Should container logs be sent to Google Cloud Logging."
type = bool
default = true
}
variable "run_commands" { variable "run_commands" {
description = "List of cloud-init `runcmd`s." description = "List of cloud-init `runcmd`s."
type = list(string) type = list(string)


@ -28,10 +28,11 @@ module "vm-cos" {
nat = false, nat = false,
addresses = null addresses = null
}] }]
tags = ["ssh", "http"] tags = ["ssh", "http"]
metadata = { metadata = {
user-data = module.cos-envoy-td.cloud_config user-data = module.cos-envoy-td.cloud_config
google-logging-enabled = true
} }
boot_disk = { boot_disk = {
@ -49,7 +50,6 @@ module "vm-cos" {
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
| [envoy_image](variables.tf#L17) | Envoy Proxy container image to use. | <code>string</code> | | <code>&#34;envoyproxy&#47;envoy:v1.15.5&#34;</code> | | [envoy_image](variables.tf#L17) | Envoy Proxy container image to use. | <code>string</code> | | <code>&#34;envoyproxy&#47;envoy:v1.15.5&#34;</code> |
## Outputs ## Outputs


@ -44,8 +44,6 @@ module "cos-envoy-td" {
} }
} }
gcp_logging = var.docker_logging
run_commands = [ run_commands = [
"iptables -t nat -N ENVOY_IN_REDIRECT", "iptables -t nat -N ENVOY_IN_REDIRECT",
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001", "iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",


@ -19,9 +19,3 @@ variable "envoy_image" {
type = string type = string
default = "envoyproxy/envoy:v1.15.5" default = "envoyproxy/envoy:v1.15.5"
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}


@ -12,7 +12,7 @@ The resulting `cloud-config` can be customized in a number of ways:
The default instance configuration inserts a sngle iptables rule to allow traffic on the default MySQL port. The default instance configuration inserts a sngle iptables rule to allow traffic on the default MySQL port.
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot. Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
@ -31,10 +31,13 @@ module "cos-mysql" {
} }
# use it as metadata in a compute instance or template # use it as metadata in a compute instance or template
resource "google_compute_instance" "default" { module "vm-mysql" {
source = "./fabric/modules/compute-vm"
metadata = { metadata = {
user-data = module.cos-mysql.cloud_config user-data = module.cos-mysql.cloud_config
google-logging-enabled = true
} }
}
``` ```
### Custom MySQL configuration and KMS encrypted password ### Custom MySQL configuration and KMS encrypted password
@ -79,14 +82,13 @@ module "cos-mysql" {
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [mysql_password](variables.tf#L64) | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | | | [mysql_password](variables.tf#L58) | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | |
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> | | [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config template. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> | | [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config template. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [image](variables.tf#L29) | MySQL container image. | <code>string</code> | | <code>&#34;mysql:5.7&#34;</code> |
| [image](variables.tf#L35) | MySQL container image. | <code>string</code> | | <code>&#34;mysql:5.7&#34;</code> | | [kms_config](variables.tf#L35) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; keyring &#61; string&#10; location &#61; string&#10; key &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [kms_config](variables.tf#L41) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; keyring &#61; string&#10; location &#61; string&#10; key &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | | [mysql_config](variables.tf#L46) | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> |
| [mysql_config](variables.tf#L52) | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> | | [mysql_data_disk](variables.tf#L52) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
| [mysql_data_disk](variables.tf#L58) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | | [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | | [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |


@ -96,9 +96,6 @@ write_files:
ExecStartPre=/bin/chown -R 2000 /run/mysql/secrets /run/mysql/data ExecStartPre=/bin/chown -R 2000 /run/mysql/secrets /run/mysql/data
ExecStart=/usr/bin/docker run --rm --name=mysql \ ExecStart=/usr/bin/docker run --rm --name=mysql \
--user 2000:2000 \ --user 2000:2000 \
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
--network host \ --network host \
-e MYSQL_ROOT_PASSWORD_FILE=/etc/secrets/mysql-passwd.txt \ -e MYSQL_ROOT_PASSWORD_FILE=/etc/secrets/mysql-passwd.txt \
-v /run/mysql/secrets:/etc/secrets \ -v /run/mysql/secrets:/etc/secrets \
@ -116,4 +113,4 @@ bootcmd:
runcmd: runcmd:
- iptables -I INPUT 1 -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -I INPUT 1 -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
- systemctl daemon-reload - systemctl daemon-reload
- systemctl start mysql - systemctl start mysql
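Review bot: With `--log-driver=gcplogs` removed from the `docker run` line in the first hunk, the container's stdout/stderr now goes to Docker's default driver and is only forwarded to Cloud Logging when the instance that consumes this cloud-config also sets the `google-logging-enabled` metadata key, yet the template itself records nothing about that dependency; the same applies to the nginx and squid templates further down this page, which drop the identical `%{~ if docker_logging ~}` block. A consumer that only sets `user-data` silently loses container logs, and the `nginx-template` examples later on this page set exactly that and nothing else. A header comment next to the `write_files:` unit would make the dependency explicit, e.g. `# Container logs are collected by the COS logging agent; the consuming instance must set the google-logging-enabled=true metadata key or nothing reaches Cloud Logging.` The second hunk shows no textual difference between old and new, presumably an end-of-file newline change.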


@ -16,7 +16,6 @@
locals { locals {
cloud_config = templatefile(local.template, merge(var.config_variables, { cloud_config = templatefile(local.template, merge(var.config_variables, {
docker_logging = var.docker_logging
image = var.image image = var.image
kms_config = var.kms_config kms_config = var.kms_config
mysql_config = var.mysql_config mysql_config = var.mysql_config


@ -26,12 +26,6 @@ variable "config_variables" {
default = {} default = {}
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "image" { variable "image" {
description = "MySQL container image." description = "MySQL container image."
type = string type = string
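Review bot: Deleting `variable "docker_logging"` outright is a breaking interface change: any root module that still passes `docker_logging = false`, which was the documented way to run the legacy Logging Agent, now fails at plan time with an unexpected-argument error, and the same removal is made in the nginx-tls, nginx and squid `variables.tf` hunks below. If a deprecation window is wanted, keep the declaration with `default = null` and a `validation` block whose `error_message` points callers at the `google-logging-enabled` metadata key, or at least call the break out in the changelog. Note also that the old `default = true` made log shipping the module's default behaviour, whereas the module's own test instance (`test_instance_defaults` still defaults `metadata = {}` in the README tables on this page) now gets no log forwarding unless the caller adds the metadata key.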


@ -31,7 +31,8 @@ module "vm-nginx-tls" {
}] }]
metadata = { metadata = {
user-data = module.cos-nginx-tls.cloud_config user-data = module.cos-nginx-tls.cloud_config
google-logging-enabled = true
} }
boot_disk = { boot_disk = {
@ -49,12 +50,11 @@ module "vm-nginx-tls" {
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [files](variables.tf#L35) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> |
| [files](variables.tf#L41) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> |
| [nginx_image](variables.tf#L17) | Nginx container image to use. | <code>string</code> | | <code>&#34;nginx:1.23.1&#34;</code> | | [nginx_image](variables.tf#L17) | Nginx container image to use. | <code>string</code> | | <code>&#34;nginx:1.23.1&#34;</code> |
| [runcmd_post](variables.tf#L35) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [runcmd_post](variables.tf#L29) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [runcmd_pre](variables.tf#L29) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [runcmd_pre](variables.tf#L23) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [users](variables.tf#L51) | Additional list of usernames to be created. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> | | [users](variables.tf#L45) | Additional list of usernames to be created. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
## Outputs ## Outputs


@ -59,8 +59,6 @@ module "cos-envoy-td" {
files = local.files files = local.files
gcp_logging = var.docker_logging
run_commands = concat(var.runcmd_pre, [ run_commands = concat(var.runcmd_pre, [
"iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT", "iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
"iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT", "iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT",
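Review bot: Only the `gcp_logging = var.docker_logging` argument passed to the nested module is dropped here; whether that module still declares `gcp_logging`, and with what default, is outside this hunk, so please confirm it no longer adds `--log-driver=gcplogs` on its own, otherwise the container would keep bypassing the node agent and setting `google-logging-enabled` on the instance would have no effect on its logs. The hunk header counts two deleted lines but only one is visible, presumably a blank line. The enclosing `module` block starts and ends outside the hunk.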


@ -20,12 +20,6 @@ variable "nginx_image" {
default = "nginx:1.23.1" default = "nginx:1.23.1"
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "runcmd_pre" { variable "runcmd_pre" {
description = "Extra commands to run before starting nginx." description = "Extra commands to run before starting nginx."
type = list(string) type = list(string)


@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
The default instance configuration inserts iptables rules to allow traffic on port 80. The default instance configuration inserts iptables rules to allow traffic on port 80.
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot. Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
@ -28,10 +28,13 @@ module "cos-nginx" {
} }
# use it as metadata in a compute instance or template # use it as metadata in a compute instance or template
resource "google_compute_instance" "default" { module "vm-nginx" {
source = "./fabric/modules/compute-vm"
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
google-logging-enabled = true
} }
}
``` ```
### Nginx instance ### Nginx instance
@ -59,16 +62,15 @@ module "cos-nginx" {
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> | | [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Nginx templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> | | [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Nginx templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [file_defaults](variables.tf#L47) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | | [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [files](variables.tf#L59) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | | [image](variables.tf#L29) | Nginx container image. | <code>string</code> | | <code>&#34;nginxdemos&#47;hello:plain-text&#34;</code> |
| [image](variables.tf#L35) | Nginx container image. | <code>string</code> | | <code>&#34;nginxdemos&#47;hello:plain-text&#34;</code> | | [nginx_config](variables.tf#L35) | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> |
| [nginx_config](variables.tf#L41) | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> | | [runcmd_post](variables.tf#L69) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [runcmd_post](variables.tf#L75) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [runcmd_pre](variables.tf#L63) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [runcmd_pre](variables.tf#L69) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | | [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | | [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [users](variables.tf#L81) | List of additional usernames to be created. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> | | [users](variables.tf#L75) | List of additional usernames to be created. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
## Outputs ## Outputs


@ -59,9 +59,6 @@ write_files:
Environment="HOME=/home/nginx" Environment="HOME=/home/nginx"
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
ExecStart=/usr/bin/docker run --rm --name=nginx \ ExecStart=/usr/bin/docker run --rm --name=nginx \
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
--network host \ --network host \
%{~ if etc_mount ~} %{~ if etc_mount ~}
-v /etc/nginx/conf.d:/etc/nginx/conf.d \ -v /etc/nginx/conf.d:/etc/nginx/conf.d \


@ -16,7 +16,6 @@
locals { locals {
cloud_config = templatefile(local.template, merge(var.config_variables, { cloud_config = templatefile(local.template, merge(var.config_variables, {
docker_logging = var.docker_logging
etc_mount = ( etc_mount = (
var.nginx_config != null || length([ var.nginx_config != null || length([
for name in keys(var.files) : for name in keys(var.files) :


@ -26,12 +26,6 @@ variable "config_variables" {
default = {} default = {}
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "image" { variable "image" {
description = "Nginx container image." description = "Nginx container image."
type = string type = string


@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules. The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules.
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the Squid container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot. Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
@ -30,10 +30,13 @@ module "cos-squid" {
} }
# use it as metadata in a compute instance or template # use it as metadata in a compute instance or template
resource "google_compute_instance" "default" { module "vm-squid" {
source = "./fabric/modules/compute-vm"
metadata = { metadata = {
user-data = module.cos-squid.cloud_config user-data = module.cos-squid.cloud_config
google-logging-enabled = true
} }
}
``` ```
### Test Squid instance ### Test Squid instance
@ -61,16 +64,15 @@ module "cos-squid" {
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---:|:---:|:---:| |---|---|:---:|:---:|:---:|
| [allow](variables.tf#L63) | List of domains Squid will allow connections to. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [allow](variables.tf#L57) | List of domains Squid will allow connections to. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [clients](variables.tf#L75) | List of CIDR ranges from which Squid will allow connections. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [clients](variables.tf#L69) | List of CIDR ranges from which Squid will allow connections. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> | | [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Squid templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> | | [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Squid templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [default_action](variables.tf#L81) | Default action for domains not matching neither the allow or deny lists. | <code>string</code> | | <code>&#34;deny&#34;</code> | | [default_action](variables.tf#L75) | Default action for domains not matching neither the allow or deny lists. | <code>string</code> | | <code>&#34;deny&#34;</code> |
| [deny](variables.tf#L69) | List of domains Squid will deny connections to. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> | | [deny](variables.tf#L63) | List of domains Squid will deny connections to. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> | | [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | | [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | | [squid_config](variables.tf#L29) | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
| [squid_config](variables.tf#L35) | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | | [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | | [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |


@ -14,8 +14,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# TODO: switch to the gcplogs logging driver, and set driver labels
users: users:
- name: squid - name: squid
uid: 2000 uid: 2000
@ -71,9 +69,6 @@ write_files:
Environment="HOME=/home/squid" Environment="HOME=/home/squid"
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
ExecStart=/usr/bin/docker run --rm --name=squid \ ExecStart=/usr/bin/docker run --rm --name=squid \
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
--network host \ --network host \
-v /etc/squid:/etc/squid \ -v /etc/squid:/etc/squid \
gcr.io/pso-cft-fabric/squid:0.10 gcr.io/pso-cft-fabric/squid:0.10


@ -16,9 +16,8 @@
locals { locals {
cloud_config = templatefile(local.template, merge(local.config_variables, { cloud_config = templatefile(local.template, merge(local.config_variables, {
docker_logging = var.docker_logging squid_config = templatefile(local.squid_config, local.config_variables)
squid_config = templatefile(local.squid_config, local.config_variables) files = local.files
files = local.files
})) }))
squid_config = ( squid_config = (
var.squid_config == null ? "${path.module}/squid.conf" : var.squid_config var.squid_config == null ? "${path.module}/squid.conf" : var.squid_config


@ -26,12 +26,6 @@ variable "config_variables" {
default = {} default = {}
} }
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}
variable "squid_config" { variable "squid_config" {
description = "Squid configuration path, if null default will be used." description = "Squid configuration path, if null default will be used."
type = string type = string


@ -19,7 +19,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -62,7 +62,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -75,7 +75,7 @@ module "nginx-template" {
type = "pd-ssd" type = "pd-ssd"
size = 10 size = 10
} }
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -113,7 +113,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link, network = var.vpc.self_link,
@ -126,7 +126,7 @@ module "nginx-template" {
type = "pd-ssd" type = "pd-ssd"
size = 10 size = 10
} }
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -165,7 +165,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -178,7 +178,7 @@ module "nginx-template" {
type = "pd-ssd" type = "pd-ssd"
size = 10 size = 10
} }
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -216,7 +216,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -229,7 +229,7 @@ module "nginx-template" {
type = "pd-ssd" type = "pd-ssd"
size = 10 size = 10
} }
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -273,7 +273,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -297,7 +297,7 @@ module "nginx-template" {
type = "PERSISTENT" type = "PERSISTENT"
} }
}] }]
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -343,7 +343,7 @@ module "nginx-template" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
name = "nginx-template" name = "nginx-template"
zone = "europe-west1-b" zone = "europe-west1-b"
tags = ["http-server", "ssh"] tags = ["http-server", "ssh"]
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -367,7 +367,7 @@ module "nginx-template" {
type = "PERSISTENT" type = "PERSISTENT"
} }
}] }]
create_template = true create_template = true
metadata = { metadata = {
user-data = module.cos-nginx.cloud_config user-data = module.cos-nginx.cloud_config
} }
@ -398,7 +398,7 @@ module "nginx-mig" {
preserved_state = { preserved_state = {
disks = { disks = {
persistent-disk-1 = { persistent-disk-1 = {
source = "test-disk", source = "test-disk",
} }
} }
metadata = { metadata = {


@ -17,7 +17,7 @@ The simplest example leverages defaults for the boot disk image and size, and us
module "simple-vm-example" { module "simple-vm-example" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
zone = "europe-west1-b" zone = "europe-west1-b"
name = "test" name = "test"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -37,11 +37,11 @@ module "simple-vm-example" {
module "spot-vm-example" { module "spot-vm-example" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
zone = "europe-west1-b" zone = "europe-west1-b"
name = "test" name = "test"
options = { options = {
spot = true spot = true
termination_action = "STOP" termination_action = "STOP"
} }
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -68,7 +68,7 @@ This is an example of attaching a pre-existing regional PD to a new instance:
module "simple-vm-example" { module "simple-vm-example" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
zone = "${var.region}-b" zone = "${var.region}-b"
name = "test" name = "test"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -94,7 +94,7 @@ And the same example for an instance template (where not using the full self lin
module "simple-vm-example" { module "simple-vm-example" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = var.project_id project_id = var.project_id
zone = "${var.region}-b" zone = "${var.region}-b"
name = "test" name = "test"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -110,7 +110,7 @@ module "simple-vm-example" {
} }
}] }]
service_account_create = true service_account_create = true
create_template = true create_template = true
} }
# tftest modules=1 resources=2 # tftest modules=1 resources=2
``` ```
@ -137,11 +137,11 @@ module "kms-vm-example" {
] ]
service_account_create = true service_account_create = true
boot_disk = { boot_disk = {
image = "projects/debian-cloud/global/images/family/debian-10" image = "projects/debian-cloud/global/images/family/debian-10"
} }
encryption = { encryption = {
encrypt_boot = true encrypt_boot = true
kms_key_self_link = var.kms_key.self_link kms_key_self_link = var.kms_key.self_link
} }
} }
# tftest modules=1 resources=3 # tftest modules=1 resources=3
@ -199,7 +199,7 @@ module "vm-with-gvnic" {
project_id = "my-project" project_id = "my-project"
zone = "europe-west1-b" zone = "europe-west1-b"
name = "test" name = "test"
boot_disk = { boot_disk = {
image = google_compute_image.cos-gvnic.self_link image = google_compute_image.cos-gvnic.self_link
type = "pd-ssd" type = "pd-ssd"
} }
@ -221,23 +221,23 @@ This example shows how to use the module to manage an instance template that def
module "cos-test" { module "cos-test" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = "my-project" project_id = "my-project"
zone = "europe-west1-b" zone = "europe-west1-b"
name = "test" name = "test"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
subnetwork = var.subnet.self_link subnetwork = var.subnet.self_link
}] }]
boot_disk = { boot_disk = {
image = "projects/cos-cloud/global/images/family/cos-stable" image = "projects/cos-cloud/global/images/family/cos-stable"
} }
attached_disks = [ attached_disks = [
{ {
name = "disk-1" name = "disk-1"
size = 10 size = 10
} }
] ]
service_account = "vm-default@my-project.iam.gserviceaccount.com" service_account = "vm-default@my-project.iam.gserviceaccount.com"
create_template = true create_template = true
} }
# tftest modules=1 resources=1 # tftest modules=1 resources=1
``` ```
@ -254,7 +254,7 @@ locals {
module "instance-group" { module "instance-group" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
project_id = "my-project" project_id = "my-project"
zone = "europe-west1-b" zone = "europe-west1-b"
name = "ilb-test" name = "ilb-test"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link


@ -282,5 +282,3 @@ variable "zone" {
description = "Compute zone." description = "Compute zone."
type = string type = string
} }


@ -65,9 +65,9 @@ module "cos-nginx" {
module "instance-group" { module "instance-group" {
source = "./fabric/modules/compute-vm" source = "./fabric/modules/compute-vm"
for_each = toset(["b", "c"]) for_each = toset(["b", "c"])
project_id = var.project_id project_id = var.project_id
zone = "europe-west1-${each.key}" zone = "europe-west1-${each.key}"
name = "ilb-test-${each.key}" name = "ilb-test-${each.key}"
network_interfaces = [{ network_interfaces = [{
network = var.vpc.self_link network = var.vpc.self_link
@ -97,7 +97,7 @@ module "ilb" {
network = var.vpc.self_link network = var.vpc.self_link
subnetwork = var.subnet.self_link subnetwork = var.subnet.self_link
} }
ports = [80] ports = [80]
backends = [ backends = [
for z, mod in module.instance-group : { for z, mod in module.instance-group : {
group = mod.group.self_link group = mod.group.self_link