diff --git a/fast/stages/1-resman/branch-sandbox.tf b/fast/stages/1-resman/branch-sandbox.tf index 01ce09b3..89b6b2dc 100644 --- a/fast/stages/1-resman/branch-sandbox.tf +++ b/fast/stages/1-resman/branch-sandbox.tf @@ -62,7 +62,7 @@ module "branch-sandbox-sa" { } resource "google_organization_iam_member" "org_policy_admin_sandbox" { - count = var.fast_features.project_factory ? 1 : 0 + count = var.fast_features.sandbox ? 1 : 0 org_id = var.organization.id role = "roles/orgpolicy.policyAdmin" member = module.branch-sandbox-sa.0.iam_email diff --git a/fast/stages/1-resman/data/org-policies/compute.yaml b/fast/stages/1-resman/data/org-policies/compute.yaml index a3f96b1b..81ad8518 100644 --- a/fast/stages/1-resman/data/org-policies/compute.yaml +++ b/fast/stages/1-resman/data/org-policies/compute.yaml @@ -4,11 +4,11 @@ compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: false compute.requireOsLogin: rules: - - enforce: true + - enforce: false compute.restrictLoadBalancerCreationForTypes: rules: @@ -22,10 +22,9 @@ compute.skipDefaultNetworkCreation: compute.vmExternalIpAccess: rules: - - deny: + - allow: all: true - # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/fast/stages/1-resman/data/org-policies/iam.yaml b/fast/stages/1-resman/data/org-policies/iam.yaml index 58e0032c..14fb2ac4 100644 --- a/fast/stages/1-resman/data/org-policies/iam.yaml +++ b/fast/stages/1-resman/data/org-policies/iam.yaml @@ -13,3 +13,8 @@ iam.disableServiceAccountKeyCreation: iam.disableServiceAccountKeyUpload: rules: - enforce: true + +iam.allowServiceAccountCredentialLifetimeExtension: + rules: + - allow: + all: true \ No newline at end of file diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml index 67386c44..7c8e250e 100644 --- a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml 
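Review bot: Flipping `compute.disableGuestAttributesAccess` and `compute.requireOsLogin` to `enforce: false` in the first compute.yaml hunk relaxes these constraints for the whole organization, while the new `dev-zebra.yaml` in this same commit already overrides the same constraints under its project-level `org_policies`. The second compute.yaml hunk (`compute.vmExternalIpAccess` switched from `deny` to `allow: all`) and the iam.yaml hunk (`iam.allowServiceAccountCredentialLifetimeExtension` allowed for all) have the same duplication, so the org-level changes appear unnecessary for the stated need and remove the secure default for every other project under the organization. Keeping the org-level rules as they were and relying on the project overrides would limit the blast radius; if an org-wide relaxation really is intended, a comment next to each rule such as `# relaxed org-wide: <reason>` would let reviewers verify that intent. The iam.yaml hunk also leaves the file without a trailing newline.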
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml @@ -15,3 +15,39 @@ ingress: rules: - protocol: tcp ports: [12345, 12346] + ingress-allow-ssh: + description: "Allow ssh connections to all instances" + # TODO: just allow ssh to specific instances + # targets: + # - composer-worker + rules: + - protocol: tcp + ports: [22] + + ingress-allow-zebrad-ports: + description: "Allow traffic to Zebra nodes." + # TODO: just allow zebra to CD instances, not CI instances + # targets: + # - release + # - cd + rules: + - protocol: tcp + ports: [8233, 18233] + +allow-all-ssh: # descriptive name, naming convention is adjusted by the module + allow: # `allow` or `deny` + - ports: ['22'] # ports for a specific protocol, keep empty list `[]` for all ports + protocol: tcp # protocol, put `all` for any protocol + direction: INGRESS # EGRESS or INGRESS + disabled: true # `false` or `true`, FW rule is disabled when `true`, default value is `false` + source_ranges: # list of source ranges, should be specified only for `INGRESS` rule + - 0.0.0.0/0 + +allow-zebrad-ports: # descriptive name, naming convention is adjusted by the module + allow: # `allow` or `deny` + - ports: ['8233', '18233'] + protocol: tcp # protocol, put `all` for any protocol + direction: INGRESS # EGRESS or INGRESS + disabled: false + source_ranges: # list of source ranges, should be specified only for `INGRESS` rule + - 0.0.0.0/0 diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml deleted file mode 100644 index 2c682405..00000000 --- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# skip boilerplate check - -region: europe-west1 -description: Default subnet for dev Data Platform -ip_cidr_range: 10.128.48.0/24 -secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 
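Review bot: The two blocks appended at top level, `allow-all-ssh` and `allow-zebrad-ports`, use a different schema from the rest of this file (`allow:`, `direction:`, `source_ranges:`, and no `ingress:` parent), so the factory that reads the `ingress:` tree will presumably either ignore or reject them; confirm which module consumes this file and keep a single format. Independently of the format question, `allow-zebrad-ports` is enabled with `source_ranges: 0.0.0.0/0`, and `ingress-allow-ssh` opens port 22 with its `targets` commented out; the source ranges applied to the factory-style entries are not visible in this hunk, so whether that SSH rule is internet-exposed depends on the factory defaults. Restricting SSH sources to the IAP TCP-forwarding range or known administrative ranges and setting `targets` before enabling the rule would avoid opening 22 to every instance in the dev VPC. The TODO comments already acknowledge this, so consider leaving `ingress-allow-ssh` out, or marking it `disabled: true` like `allow-all-ssh`, until it is scoped.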
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ue1.yaml similarity index 81% rename from fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml rename to fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ue1.yaml index 8b066ba7..b4ab606c 100644 --- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ue1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check -region: europe-west1 +region: us-east1 ip_cidr_range: 10.128.32.0/24 description: Default subnet for dev diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ue1.yaml similarity index 81% rename from fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml rename to fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ue1.yaml index 0052eff9..950b70bb 100644 --- a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ue1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check -region: europe-west1 +region: us-east1 ip_cidr_range: 10.128.64.0/24 description: Default subnet for prod diff --git a/fast/stages/3-project-factory/dev/data/defaults.yaml b/fast/stages/3-project-factory/dev/data/defaults.yaml index e52bb132..bf466fe0 100644 --- a/fast/stages/3-project-factory/dev/data/defaults.yaml +++ b/fast/stages/3-project-factory/dev/data/defaults.yaml 
@@ -1,24 +1,23 @@ # skip boilerplate check -billing_account_id: 012345-67890A-BCDEF0 +billing_account_id: 01EBC4-8CD936-3108EA # [opt] Setup for billing alerts billing_alert: amount: 1000 thresholds: current: [0.5, 0.8] - forecasted: [0.5, 0.8] + forecasted: [1.2, 1.5] credit_treatment: INCLUDE_ALL_CREDITS # [opt] Contacts for billing alerts and important notifications -essential_contacts: ["team-contacts@example.com"] +essential_contacts: ["admin@zfnd.org"] # [opt] Labels set for all projects labels: environment: dev - department: accounting - application: example-app - foo: bar + department: engineering + # [opt] Additional notification channels for billing notification_channels: [] diff --git a/fast/stages/3-project-factory/dev/data/projects/dev-zebra.yaml b/fast/stages/3-project-factory/dev/data/projects/dev-zebra.yaml new file mode 100644 index 00000000..a6160b72 --- /dev/null +++ b/fast/stages/3-project-factory/dev/data/projects/dev-zebra.yaml 
@@ -0,0 +1,133 @@ +# skip boilerplate check + +# [opt] Billing alerts config - overrides default if set +billing_alert: + amount: 5000 + thresholds: + current: + - 0.8 + - 1.0 + forecasted: [] + credit_treatment: INCLUDE_ALL_CREDITS + +# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults +dns_zones: [] + +# [opt] Contacts for billing alerts and important notifications +essential_contacts: + - devops@zfnd.org + +# Folder the project will be created as children of +folder_id: folders/319341746722 + +# [opt] Authoritative IAM bindings in group => [roles] format +group_iam: + engineers@zfnd.org: + - roles/editor + +# [opt] Authoritative IAM bindings in role => [principals] format +# Generally used to grant roles to service accounts external to the project +iam: + roles/iam.workloadIdentityUser: + - principalSet://iam.googleapis.com/projects/771011584009/locations/global/workloadIdentityPools/zfnd-bootstrap/* + roles/editor: + - serviceAccount:1059680692020@cloudservices.gserviceaccount.com + +# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter +# in service => [keys] format +# kms_service_agents: +# compute: [key1, key2] +# storage: [key1, key2] + +# [opt] Labels for the project - merged with the ones defined in defaults +labels: + environment: dev + application: zebra + +# [opt] Org policy overrides defined at project level +org_policies: + compute.disableGuestAttributesAccess: + rules: + - enforce: false + compute.trustedImageProjects: + rules: + - allow: + all: true + # values: + # - projects/zfnd-prod-iac-core-0 + # - projects/zebra-zealous + # - projects/cos-cloud + # - projects/dataflow-service-producer-prod + # - projects/serverless-vpc-access-images + # - projects/windows-cloud + compute.vmExternalIpAccess: + rules: + - allow: + all: true + compute.requireOsLogin: + rules: + - enforce: false + iam.allowServiceAccountCredentialLifetimeExtension: + rules: + - allow: + all: true + 
iam.allowedPolicyMemberDomains: + rules: + - allow: + all: true + +# [opt] Service account to create for the project and their roles on the project +# in name => [roles] format +service_accounts: + instance-deployer: + - roles/compute.instanceAdmin + - roles/compute.storageAdmin + - roles/compute.loadBalancerAdmin + - roles/errorreporting.user + - roles/logging.logWriter + - roles/monitoring.metricWriter + - roles/artifactregistry.reader + - roles/iam.serviceAccountUser + - roles/iam.workloadIdentityUser + artifact-publisher: + - roles/artifactregistry.writer + - roles/iam.workloadIdentityUser + +# [opt] APIs to enable on the project. +services: + - artifactregistry.googleapis.com + - compute.googleapis.com + - clouddebugger.googleapis.com + - clouderrorreporting.googleapis.com + - cloudresourcemanager.googleapis.com + - containeranalysis.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com + - osconfig.googleapis.com + - networkmanagement.googleapis.com + - stackdriver.googleapis.com + - storage.googleapis.com + - iap.googleapis.com + +# [opt] Roles to assign to the service identities in service => [roles] format +service_identities_iam: + compute: + - roles/storage.objectViewer + + # [opt] VPC setup. + # If set enables the `compute.googleapis.com` service and configures + # service project attachment + +vpc: + # [opt] If set, enables the container API + gke_setup: null + + # Host project the project will be service project of + host_project: zfnd-dev-net-spoke-0 + + # [opt] Subnets in the host project where principals will be granted networkUser + # in region/subnet-name => [principals] + subnets_iam: + us-east1/dev-default-ue1: + - user:gustavo@zfnd.org + - serviceAccount:instance-deployer@zfnd-dev-zebra.iam.gserviceaccount.com diff --git a/fast/stages/3-project-factory/dev/main.tf b/fast/stages/3-project-factory/dev/main.tf index e0deb248..b55eafa2 100644 --- a/fast/stages/3-project-factory/dev/main.tf 
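Review bot: The `iam` binding of `roles/iam.workloadIdentityUser` to `principalSet://iam.googleapis.com/projects/771011584009/locations/global/workloadIdentityPools/zfnd-bootstrap/*` lets every identity from every provider in that pool impersonate service accounts in this project; a principalSet narrowed to a specific mapped attribute (for example the repository attribute the provider maps) keeps the federation bound to the intended CI source. The same file grants `roles/editor` to `engineers@zfnd.org` and sets `iam.allowedPolicyMemberDomains`, `compute.trustedImageProjects` and `compute.vmExternalIpAccess` to `allow: all`, with the intended image-project list left commented out, which together widen this project well beyond the defaults the 1-resman stage establishes. Replacing `roles/editor` with the predefined roles the team actually needs, populating the `values:` list for `compute.trustedImageProjects`, and binding `subnets_iam` to a group rather than `user:gustavo@zfnd.org` would keep the project closer to least privilege. A one-line comment above each `allow: all` override naming its reason (e.g. `# needed for the public reader grant on the Artifact Registry repos`, if that is the driver) would document why the org default is bypassed.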
+++ b/fast/stages/3-project-factory/dev/main.tf 
@@ -55,4 +55,87 @@ module "projects" { vpc = try(each.value.vpc, null) } +module "zebra_caching_artifact_registry" { + source = "../../../../modules/artifact-registry" + project_id = "zfnd-dev-zebra" + location = "us" + format = "DOCKER" + id = "zebra" + description = "Docker repository storing the Zebra application for testing purposes" + iam = { + "roles/artifactregistry.reader" = ["allUsers"] + } +} +module "zebra_artifact_registry" { + source = "../../../../modules/artifact-registry" + project_id = "zfnd-dev-zebra" + location = "us" + format = "DOCKER" + id = "zebra-caching" + description = "Docker repository storing Zebra's build layers for caching" + iam = { + "roles/artifactregistry.reader" = ["allUsers"] + } +} + +module "lwd_caching_artifact_registry" { + source = "../../../../modules/artifact-registry" + project_id = "zfnd-dev-zebra" + location = "us" + format = "DOCKER" + id = "lightwalletd" + description = "Docker repository storing the Zebra application for testing purposes" + iam = { + "roles/artifactregistry.reader" = ["allUsers"] + } +} + +module "lwd_artifact_registry" { + source = "../../../../modules/artifact-registry" + project_id = "zfnd-dev-zebra" + location = "us" + format = "DOCKER" + id = "lightwalletd-caching" + description = "Docker repository storing Zebra's build layers for caching" + iam = { + "roles/artifactregistry.reader" = ["allUsers"] + } +} + +resource "google_compute_health_check" "http-health-check" { + name = "zebrad-tracing-filter" + description = "Health check via http" + project = "zfnd-dev-zebra" + + timeout_sec = 10 + check_interval_sec = 30 + healthy_threshold = 2 + unhealthy_threshold = 3 + + http_health_check { + port = "3000" + port_specification = "USE_FIXED_PORT" + request_path = "/filter" + proxy_header = "NONE" + # TODO: we should validate a specific response, not ANY response + # response = "I AM HEALTHY" + } +} + +module "runner-mig-dind" { + source = 
"github.com/terraform-google-modules/terraform-google-github-actions-runners?ref=v3.1.1//modules/gh-runner-mig-container-vm" + create_network = true + subnetwork_project = var.subnetwork_project + subnet_name = var.subnet_name + subnet_ip = var.subnet_ip + service_account = null + project_id = var.project_id + image = var.image + repo_name = var.repo_name + repo_url = var.repo_url + repo_owner = var.repo_owner + gh_token = var.gh_token + region = var.region + dind = true +} diff --git a/fast/stages/3-project-factory/dev/outputs.tf b/fast/stages/3-project-factory/dev/outputs.tf index 59ecff95..55515eae 100644 --- a/fast/stages/3-project-factory/dev/outputs.tf +++ b/fast/stages/3-project-factory/dev/outputs.tf @@ -18,3 +18,15 @@ output "projects" { description = "Created projects and service accounts." value = module.projects } + +# self-hosted runners outputs + +output "mig_instance_group" { + description = "The instance group url of the created MIG" + value = module.runner-mig-dind.mig_instance_group +} + +output "mig_name" { + description = "The name of the MIG" + value = module.runner-mig-dind.mig_name +} diff --git a/fast/stages/3-project-factory/dev/variables.tf b/fast/stages/3-project-factory/dev/variables.tf index 5ad49f77..a318b097 100644 --- a/fast/stages/3-project-factory/dev/variables.tf +++ b/fast/stages/3-project-factory/dev/variables.tf 
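Review bot: The module labels and their `id`/`description` pairs are swapped: `zebra_caching_artifact_registry` creates repo `zebra` described as the application image while `zebra_artifact_registry` creates `zebra-caching`, and the two `lwd_*` modules have the same inversion with descriptions that still say "Zebra". All four repositories, including the two build-layer caches, grant `roles/artifactregistry.reader` to `allUsers`; public pull of release images may be intended for an open-source project, but cache layers can carry intermediate build artifacts that were never meant to be published, so consider limiting the `*-caching` repos to the CI identities that use them (or at least `allAuthenticatedUsers`) and recording the intent in a comment. `runner-mig-dind` hardcodes `service_account = null` even though this commit declares a `service_account` variable, so either pass `service_account = var.service_account` or drop the variable; `create_network = true` next to `subnet_*` variables defaulting to `""` should likewise be confirmed. The health check with `request_path = "/filter"` treats any response as healthy, as the TODO notes; the commented `response` attribute would close that gap.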
@@ -76,3 +76,67 @@ variable "vpc_self_links" { }) default = null } + +# self-hosted runners variables + +variable "project_id" { + type = string + description = "The project id to deploy Github Runner MIG" +} + +variable "image" { + type = string + description = "The github runner image" +} + +variable "repo_url" { + type = string + description = "Repo URL for the Github Action" +} + + +variable "repo_name" { + type = string + description = "Name of the repo for the Github Action" +} + + +variable "repo_owner" { + type = string + description = "Owner of the repo for the Github Action" +} + +variable "gh_token" { + type = string + description = "Github token that is used for generating Self Hosted Runner Token" +} + +variable "region" { + type = string + description = "The GCP region to deploy instances into" + default = "us-east1" +} + +variable "subnetwork_project" { + type = string + description = "The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used." + default = "" +} + +variable "subnet_name" { + type = string + description = "Name for the subnet" + default = "" +} + +variable "subnet_ip" { + type = string + description = "IP range for the subnet" + default = "" +} + +variable "service_account" { + description = "Service account email address" + type = string + default = "" +} \ No newline at end of file
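Review bot: `variable "gh_token"` carries the GitHub token used to register self-hosted runners but is not marked sensitive, so its value can be echoed in plan and apply output; adding `sensitive = true` inside the block suppresses that, provided the stage's Terraform version supports the attribute (state still stores the value, so backend access control remains the real protection). `service_account` is declared here with `default = ""` while main.tf in this commit passes a literal `null` to the module, leaving the variable unused; wire it through or remove it. The file also ends without a trailing newline.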