fix: clean up sa identity

ctrlplanedev · Aug 29, 2024 · dd05352 · dd05352
1 parent d0b7849
commit dd05352
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 57 deletions.
diff --git a/main.tf b/main.tf
@@ -24,7 +24,7 @@ module "database" {
   source    = "./modules/database"
   namespace = var.namespace
 
-  network_connection_string = module.networking.network_connection_string
+  network_connection_string = module.networking.connection.network
 
   postgres_tier    = var.postgres_tier
   postgres_version = var.postgres_version
@@ -42,12 +42,9 @@ module "redis" {
   memory_size_gb      = var.redis_memory_size_gb
   rdb_snapshot_period = var.redis_rdb_snapshot_period
 
-  network_id = module.networking.network_id
-}
+  network_id = module.networking.network.id
 
-module "service_accounts" {
-  source    = "./modules/service_accounts"
-  namespace = var.namespace
+  depends_on = [module.networking]
 }
 
 module "gke" {
@@ -56,12 +53,17 @@ module "gke" {
 
   deletion_protection = var.deletion_protection
 
-  network_self_link    = module.networking.network_self_link
-  subnetwork_self_link = module.networking.subnetwork_self_link
+  network_self_link    = module.networking.network.self_link
+  subnetwork_self_link = module.networking.subnetwork.self_link
 
-  service_account_email = module.service_accounts.service_account_email
+  depends_on = [module.networking]
+}
+
+module "service_accounts" {
+  source    = "./modules/service_accounts"
+  namespace = var.namespace
 
-  depends_on = [module.networking, module.service_accounts]
+  depends_on = [module.gke]
 }
 
 resource "google_compute_global_address" "this" {
@@ -93,7 +95,7 @@ module "helm_release" {
   postgres_port     = 5432
   postgres_database = module.database.database_name
 
-  service_account_email = module.service_accounts.service_account_email
+  service_account_email = module.service_accounts.gke_service_account.email
 
   global_static_ip_name = google_compute_global_address.this.name
   pre_shared_cert       = google_compute_managed_ssl_certificate.this.name

diff --git a/modules/database/main.tf b/modules/database/main.tf
@@ -3,26 +3,20 @@ resource "random_string" "this" {
   special = false
 }
 
-resource "random_pet" "this" {
-  length = 2
-  keepers = {
-    namespace = var.postgres_version
-  }
-}
-
 locals {
-  database_name        = "ctrlplane"
-  master_username      = "ctrlplane"
-  master_password      = random_string.this.result
-  master_instance_name = "${var.namespace}-${random_pet.this.id}"
+  database_name   = "ctrlplane"
+  master_username = "ctrlplane"
+  master_password = random_string.this.result
 }
 
 resource "google_sql_database_instance" "this" {
-  name             = local.master_instance_name
+  name             = var.namespace
   database_version = var.postgres_version
 
   settings {
-    tier = var.postgres_tier
+    tier                        = var.postgres_tier
+    deletion_protection_enabled = var.deletion_protection
+
     ip_configuration {
       ipv4_enabled    = false
       private_network = var.network_connection_string

diff --git a/modules/database/variables.tf b/modules/database/variables.tf
@@ -22,5 +22,4 @@ variable "postgres_tier" {
 variable "deletion_protection" {
   description = "Whether to enable deletion protection for the database instance."
   type        = bool
-  default     = true
 }
diff --git a/modules/gke/main.tf b/modules/gke/main.tf
@@ -5,7 +5,7 @@ locals {
 }
 
 resource "google_container_cluster" "this" {
-  name = "${var.namespace}-cluster"
+  name = var.namespace
 
   network    = var.network_self_link
   subnetwork = var.subnetwork_self_link

diff --git a/modules/gke/variables.tf b/modules/gke/variables.tf
@@ -3,11 +3,6 @@ variable "namespace" {
   type        = string
 }
 
-variable "service_account_email" {
-  description = "The service account email associated with the GKE cluster instances to host Ctrlplane."
-  type        = string
-}
-
 variable "network_self_link" {
   description = "The network self link."
   type        = string

diff --git a/modules/networking/outputs.tf b/modules/networking/outputs.tf
@@ -1,19 +1,14 @@
-output "network_id" {
-  value       = google_compute_network.this.id
-  description = "The network id."
-}
-
-output "network_self_link" {
-  value       = google_compute_network.this.self_link
+output "network" {
+  value       = google_compute_network.this
   description = "The network self link."
 }
 
-output "subnetwork_self_link" {
-  value       = google_compute_subnetwork.this.self_link
+output "subnetwork" {
+  value       = google_compute_subnetwork.this
   description = "The subnetwork self link."
 }
 
-output "network_connection_string" {
+output "connection" {
   description = "The private connection string between the network and GCP services."
-  value       = google_service_networking_connection.this.network
+  value       = google_service_networking_connection.this
 }
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
@@ -1,18 +1,13 @@
 data "google_client_config" "current" {}
 
-resource "random_id" "this" {
-  byte_length = 30
-  prefix      = "${var.namespace}-sa-"
-}
-
-resource "google_service_account" "this" {
-  account_id   = substr(random_id.this.dec, 0, 30)
+resource "google_service_account" "gke" {
+  account_id   = "${var.namespace}-gke"
   display_name = "${var.namespace} Ctrlplane"
   description  = "Service Account used by Ctrlplane."
 }
 
 locals {
-  sa_member  = "serviceAccount:${google_service_account.this.email}"
+  sa_member  = "serviceAccount:${google_service_account.gke.email}"
   project_id = data.google_client_config.current.project
 }
 
@@ -28,12 +23,16 @@ resource "google_project_iam_member" "sa_creator" {
   member  = local.sa_member
 }
 
-resource "google_service_account_iam_binding" "this" {
-  service_account_id = google_service_account.this.id
+locals {
+  gke_namespace = "default"
+}
+
+resource "google_service_account_iam_binding" "gke" {
+  service_account_id = google_service_account.gke.id
   role               = "roles/iam.workloadIdentityUser"
   members = [
-    "serviceAccount:${local.project_id}.svc.id.goog[default/ctrlplane-webservice]",
-    "serviceAccount:${local.project_id}.svc.id.goog[default/ctrlplane-job-policy-checker]",
-    "serviceAccount:${local.project_id}.svc.id.goog[default/ctrlplane-migrations]"
+    "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-webservice]",
+    "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-job-policy-checker]",
+    "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]"
   ]
 }
diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf
@@ -1,4 +1,4 @@
-output "service_account_email" {
-  value       = google_service_account.this.email
+output "gke_service_account" {
+  value       = google_service_account.gke
   description = "The service account email."
 }