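# Copyright 2018 The Go Cloud Development Kit Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Infrastructure for the Contribute Bot event worker: a worker service
# account, a Pub/Sub topic/subscription carrying GitHub events, and a GKE
# cluster that runs the worker with its credentials mounted as secrets.
# Inputs: var.project, var.zone and var.github_app_key (declared elsewhere
# in this module).

terraform {
  required_version = "~>0.12"
}

locals {
  # Default App Engine service account of the project. It is the publisher
  # on the GitHub events topic below (the App Engine side receives webhooks).
  appengine_service_account = "${var.project}@appspot.gserviceaccount.com"
}

resource "google_project_service" "cloudbuild" {
  service = "cloudbuild.googleapis.com"
  project = var.project

  # Keep the API enabled when this resource is destroyed so other users of
  # the project are not affected by tearing down this deployment.
  disable_on_destroy = false
}

# Service account for the event worker

resource "google_service_account" "worker" {
  account_id   = "contributebot"
  project      = var.project
  display_name = "Contribute Bot Server"
}

# Long-lived JSON key for the worker. The private key is held in Terraform
# state and is written into a Kubernetes secret further down, so the state
# backend must be access-controlled and the key rotated by re-creating this
# resource.
resource "google_service_account_key" "worker" {
  service_account_id = google_service_account.worker.name
}

# Stackdriver Tracing

resource "google_project_service" "trace" {
  service            = "cloudtrace.googleapis.com"
  project            = var.project
  disable_on_destroy = false
}

# Lets the worker write traces. This is the only project-level role the
# worker is granted in this file; everything else is scoped to the topic
# or subscription.
resource "google_project_iam_member" "worker_trace" {
  role    = "roles/cloudtrace.agent"
  project = var.project
  member  = "serviceAccount:${google_service_account.worker.email}"
}

# Pub/Sub

resource "google_pubsub_topic" "github_events" {
  name    = "contributebot-github-events"
  project = var.project
}

# Topic policy: the App Engine account publishes, the worker subscribes.
data "google_iam_policy" "github_events" {
  binding {
    role = "roles/pubsub.publisher"

    members = [
      "serviceAccount:${local.appengine_service_account}",
    ]
  }

  binding {
    role = "roles/pubsub.subscriber"

    members = [
      "serviceAccount:${google_service_account.worker.email}",
    ]
  }
}

# *_iam_policy resources are authoritative: any binding on the topic that is
# not listed in the policy data above is removed on apply.
resource "google_pubsub_topic_iam_policy" "github_events" {
  topic       = google_pubsub_topic.github_events.name
  project     = var.project
  policy_data = data.google_iam_policy.github_events.policy_data
}

resource "google_pubsub_subscription" "worker" {
  name    = "contributebot-github-events"
  topic   = google_pubsub_topic.github_events.id
  project = var.project
}

# Subscription policy: only the worker may pull from and inspect it.
data "google_iam_policy" "worker_subscription" {
  binding {
    role = "roles/pubsub.subscriber"

    members = [
      "serviceAccount:${google_service_account.worker.email}",
    ]
  }

  binding {
    role = "roles/pubsub.viewer"

    members = [
      "serviceAccount:${google_service_account.worker.email}",
    ]
  }
}

# Authoritative, as for the topic policy above.
resource "google_pubsub_subscription_iam_policy" "worker" {
  subscription = google_pubsub_subscription.worker.id
  project      = var.project
  policy_data  = data.google_iam_policy.worker_subscription.policy_data
}

# Kubernetes Engine

resource "google_project_service" "container" {
  service = "container.googleapis.com"

  # Pin to var.project like every other google_project_service in this
  # file; without it the API is enabled in whatever project the provider
  # defaults to, which may not be the one the cluster is created in.
  project            = var.project
  disable_on_destroy = false
}

resource "google_container_cluster" "contributebot" {
  name               = "contributebot-cluster"
  project            = var.project
  zone               = var.zone
  initial_node_count = 3

  node_config {
    machine_type = "n1-standard-1"
    disk_size_gb = 10

    # Scopes granted to the nodes' own service account (the worker uses
    # the separate key mounted as a secret below). "auth/compute" is the
    # full Compute Engine scope; the effective access is still bounded by
    # the IAM roles of the node service account.
    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }

  # Needed for Kubernetes provider below: the provider authenticates with
  # the cluster's client certificate, which only carries cluster-wide
  # permissions while legacy ABAC is on. ABAC is deprecated and coarse;
  # NOTE(review): moving the provider to an RBAC-bound identity would
  # allow this to be set to false — confirm before changing.
  enable_legacy_abac = true

  depends_on = [google_project_service.container]
}

# Kubernetes provider pointed at the cluster above, using the client
# certificate material GKE returns in master_auth. These values are stored
# in Terraform state, so state access is equivalent to cluster access.
provider "kubernetes" {
  version = "~> 1.1"

  host = "https://${google_container_cluster.contributebot.endpoint}"

  client_certificate = base64decode(
    google_container_cluster.contributebot.master_auth[0].client_certificate,
  )
  client_key = base64decode(
    google_container_cluster.contributebot.master_auth[0].client_key,
  )
  cluster_ca_certificate = base64decode(
    google_container_cluster.contributebot.master_auth[0].cluster_ca_certificate,
  )
}

# Worker service-account key, mounted by the worker deployment as key.json.
# No namespace is set, so the provider's default namespace is used.
resource "kubernetes_secret" "worker_service_account" {
  metadata {
    name = "worker-service-account"
  }

  data = {
    # private_key is base64-encoded JSON; the provider re-encodes data, so
    # decode here to store the plain JSON document in the secret.
    "key.json" = base64decode(google_service_account_key.worker.private_key)
  }
}

# GitHub App private key supplied by the operator as var.github_app_key
# (also retained in state, like the worker key above).
resource "kubernetes_secret" "github_app_key" {
  metadata {
    name = "github-app-key"
  }

  data = {
    "key.pem" = var.github_app_key
  }
}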