feat(dev): add `zfnd` organization rules and `zfnd-dev-zebra` project

2023-08-07 17:50:43 +01:00 · 2023-08-07 17:50:43 +01:00 · e43743e33a
parent d245088fa1
commit e43743e33a
12 changed files with 344 additions and 21 deletions
--- a/fast/stages/1-resman/branch-sandbox.tf
+++ b/fast/stages/1-resman/branch-sandbox.tf
@ -62,7 +62,7 @@ module "branch-sandbox-sa" {
 }

 resource "google_organization_iam_member" "org_policy_admin_sandbox" {
-  count  = var.fast_features.project_factory ? 1 : 0
+  count  = var.fast_features.sandbox ? 1 : 0
  org_id = var.organization.id
  role   = "roles/orgpolicy.policyAdmin"
  member = module.branch-sandbox-sa.0.iam_email
--- a/fast/stages/1-resman/data/org-policies/compute.yaml
+++ b/fast/stages/1-resman/data/org-policies/compute.yaml
@ -4,11 +4,11 @@

 compute.disableGuestAttributesAccess:
  rules:
-  - enforce: true
+  - enforce: false

 compute.requireOsLogin:
  rules:
-  - enforce: true
+  - enforce: false

 compute.restrictLoadBalancerCreationForTypes:
  rules:
@ -22,10 +22,9 @@ compute.skipDefaultNetworkCreation:

 compute.vmExternalIpAccess:
  rules:
-  - deny:
+  - allow:
      all: true

-
 # compute.disableInternetNetworkEndpointGroup:
 #   rules:
 #   - enforce: true
--- a/fast/stages/1-resman/data/org-policies/iam.yaml
+++ b/fast/stages/1-resman/data/org-policies/iam.yaml
@ -13,3 +13,8 @@ iam.disableServiceAccountKeyCreation:
 iam.disableServiceAccountKeyUpload:
  rules:
  - enforce: true
+
+iam.allowServiceAccountCredentialLifetimeExtension:
+  rules:
+    - allow:
+        all: true
--- a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml
@ -15,3 +15,39 @@ ingress:
    rules:
      - protocol: tcp
        ports: [12345, 12346]
+  ingress-allow-ssh:
+    description: "Allow ssh connections to all instances"
+    # TODO: just allow ssh to specific instances
+    # targets:
+    #   - composer-worker
+    rules:
+      - protocol: tcp
+        ports: [22]
+
+  ingress-allow-zebrad-ports:
+    description: "Allow traffic to Zebra nodes."
+    # TODO: just allow zebra to CD instances, not CI instances
+    # targets:
+    #   - release
+    #   - cd
+    rules:
+      - protocol: tcp
+        ports: [8233, 18233]
+
+allow-all-ssh: # descriptive name, naming convention is adjusted by the module
+  allow:  # `allow` or `deny`
+  - ports: ['22'] # ports for a specific protocol, keep empty list `[]` for all ports
+    protocol: tcp # protocol, put `all` for any protocol
+  direction: INGRESS # EGRESS or INGRESS
+  disabled: true # `false` or `true`, FW rule is disabled when `true`, default value is `false`
+  source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
+  - 0.0.0.0/0
+
+allow-zebrad-ports: # descriptive name, naming convention is adjusted by the module
+  allow:  # `allow` or `deny`
+  - ports: ['8233', '18233'] 
+    protocol: tcp # protocol, put `all` for any protocol
+  direction: INGRESS # EGRESS or INGRESS
+  disabled: false
+  source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
+  - 0.0.0.0/0
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
@ -1,8 +0,0 @@
-# skip boilerplate check
-
-region: europe-west1
-description: Default subnet for dev Data Platform
-ip_cidr_range: 10.128.48.0/24
-secondary_ip_ranges:
-   pods: 100.128.48.0/20
-   services: 100.255.48.0/24
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ue1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ue1.yaml
@ -1,5 +1,5 @@
 # skip boilerplate check

-region: europe-west1
+region: us-east1
 ip_cidr_range: 10.128.32.0/24
 description: Default subnet for dev
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ue1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ue1.yaml
@ -1,5 +1,5 @@
 # skip boilerplate check

-region: europe-west1
+region: us-east1
 ip_cidr_range: 10.128.64.0/24
 description: Default subnet for prod
--- a/fast/stages/3-project-factory/dev/data/defaults.yaml
+++ b/fast/stages/3-project-factory/dev/data/defaults.yaml
@ -1,24 +1,23 @@
 # skip boilerplate check

-billing_account_id: 012345-67890A-BCDEF0
+billing_account_id: 01EBC4-8CD936-3108EA

 # [opt] Setup for billing alerts
 billing_alert:
  amount: 1000
  thresholds:
    current: [0.5, 0.8]
-    forecasted: [0.5, 0.8]
+    forecasted: [1.2, 1.5]
  credit_treatment: INCLUDE_ALL_CREDITS

 # [opt] Contacts for billing alerts and important notifications
-essential_contacts: ["team-contacts@example.com"]
+essential_contacts: ["admin@zfnd.org"]

 # [opt] Labels set for all projects
 labels:
  environment: dev
-  department: accounting
-  application: example-app
-  foo: bar
+  department: engineering
+

 # [opt] Additional notification channels for billing
 notification_channels: []
--- a/fast/stages/3-project-factory/dev/data/projects/dev-zebra.yaml
+++ b/fast/stages/3-project-factory/dev/data/projects/dev-zebra.yaml
@ -0,0 +1,133 @@
+# skip boilerplate check
+
+# [opt] Billing alerts config - overrides default if set
+billing_alert:
+  amount: 5000
+  thresholds:
+    current:
+      - 0.8
+      - 1.0
+    forecasted: []
+  credit_treatment: INCLUDE_ALL_CREDITS
+
+# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
+dns_zones: []
+
+# [opt] Contacts for billing alerts and important notifications
+essential_contacts:
+  - devops@zfnd.org
+
+# Folder the project will be created as children of
+folder_id: folders/319341746722
+
+# [opt] Authoritative IAM bindings in group => [roles] format
+group_iam:
+  engineers@zfnd.org:
+    - roles/editor
+
+# [opt] Authoritative IAM bindings in role => [principals] format
+# Generally used to grant roles to service accounts external to the project
+iam:
+  roles/iam.workloadIdentityUser:
+    - principalSet://iam.googleapis.com/projects/771011584009/locations/global/workloadIdentityPools/zfnd-bootstrap/*
+  roles/editor:
+    - serviceAccount:1059680692020@cloudservices.gserviceaccount.com
+
+# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
+# in service => [keys] format
+# kms_service_agents:
+#   compute: [key1, key2]
+#   storage: [key1, key2]
+
+# [opt] Labels for the project - merged with the ones defined in defaults
+labels:
+  environment: dev
+  application: zebra
+
+# [opt] Org policy overrides defined at project level
+org_policies:
+  compute.disableGuestAttributesAccess:
+    rules:
+    - enforce: false
+  compute.trustedImageProjects:
+    rules:
+    - allow:
+        all: true
+        # values:
+        # - projects/zfnd-prod-iac-core-0
+        # - projects/zebra-zealous
+        # - projects/cos-cloud
+        # - projects/dataflow-service-producer-prod
+        # - projects/serverless-vpc-access-images
+        # - projects/windows-cloud
+  compute.vmExternalIpAccess:
+    rules:
+      - allow:
+          all: true
+  compute.requireOsLogin:
+    rules:
+      - enforce: false
+  iam.allowServiceAccountCredentialLifetimeExtension:
+    rules:
+      - allow:
+          all: true
+  iam.allowedPolicyMemberDomains:
+    rules:
+    - allow:
+        all: true
+
+# [opt] Service account to create for the project and their roles on the project
+# in name => [roles] format
+service_accounts:
+  instance-deployer:
+    - roles/compute.instanceAdmin
+    - roles/compute.storageAdmin
+    - roles/compute.loadBalancerAdmin
+    - roles/errorreporting.user
+    - roles/logging.logWriter
+    - roles/monitoring.metricWriter
+    - roles/artifactregistry.reader
+    - roles/iam.serviceAccountUser
+    - roles/iam.workloadIdentityUser
+  artifact-publisher:
+    - roles/artifactregistry.writer
+    - roles/iam.workloadIdentityUser
+
+# [opt] APIs to enable on the project.
+services:
+  - artifactregistry.googleapis.com
+  - compute.googleapis.com
+  - clouddebugger.googleapis.com
+  - clouderrorreporting.googleapis.com
+  - cloudresourcemanager.googleapis.com
+  - containeranalysis.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+  - osconfig.googleapis.com
+  - networkmanagement.googleapis.com
+  - stackdriver.googleapis.com
+  - storage.googleapis.com
+  - iap.googleapis.com
+
+# [opt] Roles to assign to the service identities in service => [roles] format
+service_identities_iam:
+  compute:
+    - roles/storage.objectViewer
+
+  # [opt] VPC setup.
+  # If set enables the `compute.googleapis.com` service and configures
+  # service project attachment
+
+vpc:
+  # [opt] If set, enables the container API
+  gke_setup: null
+
+  # Host project the project will be service project of
+  host_project: zfnd-dev-net-spoke-0
+
+  # [opt] Subnets in the host project where principals will be granted networkUser
+  # in region/subnet-name => [principals]
+  subnets_iam:
+    us-east1/dev-default-ue1:
+      - user:gustavo@zfnd.org
+      - serviceAccount:instance-deployer@zfnd-dev-zebra.iam.gserviceaccount.com
--- a/fast/stages/3-project-factory/dev/main.tf
+++ b/fast/stages/3-project-factory/dev/main.tf
@ -55,4 +55,87 @@ module "projects" {
  vpc                    = try(each.value.vpc, null)
 }

+module "zebra_caching_artifact_registry" {
+  source      = "../../../../modules/artifact-registry"
+  project_id  = "zfnd-dev-zebra"
+  location    = "us"
+  format      = "DOCKER"
+  id          = "zebra"
+  description = "Docker repository storing the Zebra application for testing purposes"
+  iam = {
+    "roles/artifactregistry.reader" = ["allUsers"]
+  }
+}

+module "zebra_artifact_registry" {
+  source      = "../../../../modules/artifact-registry"
+  project_id  = "zfnd-dev-zebra"
+  location    = "us"
+  format      = "DOCKER"
+  id          = "zebra-caching"
+  description = "Docker repository storing Zebra's build layers for caching"
+  iam = {
+    "roles/artifactregistry.reader" = ["allUsers"]
+  }
+}
+
+module "lwd_caching_artifact_registry" {
+  source      = "../../../../modules/artifact-registry"
+  project_id  = "zfnd-dev-zebra"
+  location    = "us"
+  format      = "DOCKER"
+  id          = "lightwalletd"
+  description = "Docker repository storing the Zebra application for testing purposes"
+  iam = {
+    "roles/artifactregistry.reader" = ["allUsers"]
+  }
+}
+
+module "lwd_artifact_registry" {
+  source      = "../../../../modules/artifact-registry"
+  project_id  = "zfnd-dev-zebra"
+  location    = "us"
+  format      = "DOCKER"
+  id          = "lightwalletd-caching"
+  description = "Docker repository storing Zebra's build layers for caching"
+  iam = {
+    "roles/artifactregistry.reader" = ["allUsers"]
+  }
+}
+
+resource "google_compute_health_check" "http-health-check" {
+  name        = "zebrad-tracing-filter"
+  description = "Health check via http"
+  project     = "zfnd-dev-zebra"
+
+  timeout_sec         = 10
+  check_interval_sec  = 30
+  healthy_threshold   = 2
+  unhealthy_threshold = 3
+
+  http_health_check {
+    port               = "3000"
+    port_specification = "USE_FIXED_PORT"
+    request_path       = "/filter"
+    proxy_header       = "NONE"
+    # TODO: we should validate a specific response, not ANY response
+    # response           = "I AM HEALTHY"
+  }
+}
+
+module "runner-mig-dind" {
+  source         = "github.com/terraform-google-modules/terraform-google-github-actions-runners?ref=v3.1.1//modules/gh-runner-mig-container-vm"
+  create_network = true
+  subnetwork_project = var.subnetwork_project
+  subnet_name    = var.subnet_name
+  subnet_ip     = var.subnet_ip
+  service_account = null
+  project_id     = var.project_id
+  image          = var.image
+  repo_name      = var.repo_name
+  repo_url       = var.repo_url
+  repo_owner     = var.repo_owner
+  gh_token       = var.gh_token
+  region         = var.region
+  dind           = true
+}
--- a/fast/stages/3-project-factory/dev/outputs.tf
+++ b/fast/stages/3-project-factory/dev/outputs.tf
@ -18,3 +18,15 @@ output "projects" {
  description = "Created projects and service accounts."
  value       = module.projects
 }
+
+# self-hosted runners outputs
+
+output "mig_instance_group" {
+  description = "The instance group url of the created MIG"
+  value       = module.runner-mig-dind.mig_instance_group
+}
+
+output "mig_name" {
+  description = "The name of the MIG"
+  value       = module.runner-mig-dind.mig_name
+}
--- a/fast/stages/3-project-factory/dev/variables.tf
+++ b/fast/stages/3-project-factory/dev/variables.tf
@ -76,3 +76,67 @@ variable "vpc_self_links" {
  })
  default = null
 }
+
+# self-hosted runners variables
+
+variable "project_id" {
+  type        = string
+  description = "The project id to deploy Github Runner MIG"
+}
+
+variable "image" {
+  type        = string
+  description = "The github runner image"
+}
+
+variable "repo_url" {
+  type        = string
+  description = "Repo URL for the Github Action"
+}
+
+
+variable "repo_name" {
+  type        = string
+  description = "Name of the repo for the Github Action"
+}
+
+
+variable "repo_owner" {
+  type        = string
+  description = "Owner of the repo for the Github Action"
+}
+
+variable "gh_token" {
+  type        = string
+  description = "Github token that is used for generating Self Hosted Runner Token"
+}
+
+variable "region" {
+  type        = string
+  description = "The GCP region to deploy instances into"
+  default     = "us-east1"
+}
+
+variable "subnetwork_project" {
+  type        = string
+  description = "The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used."
+  default     = ""
+}
+
+variable "subnet_name" {
+  type        = string
+  description = "Name for the subnet"
+  default     = ""
+}
+
+variable "subnet_ip" {
+  type        = string
+  description = "IP range for the subnet"
+  default     = ""
+}
+
+variable "service_account" {
+  description = "Service account email address"
+  type        = string
+  default     = ""
+}