From 7744d2b142ee1933a98d839e4e63f40faa9670c2 Mon Sep 17 00:00:00 2001
From: Drew Goya
Date: Fri, 31 Jan 2020 16:04:24 -0800
Subject: [PATCH 1/3] Updating the way Forseti Server Configuration is retrieved from GCS

Moved away from `google_storage_object_signed_url` as it requires a local json keyfile and I am deploying using service account impersonation.

https://github.com/terraform-providers/terraform-provider-google/issues/3558
---
 modules/on_gke/main.tf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/on_gke/main.tf b/modules/on_gke/main.tf
index f3691a1cd..4763482ce 100644
--- a/modules/on_gke/main.tf
+++ b/modules/on_gke/main.tf
@@ -124,20 +124,20 @@ data "tls_public_key" "git_sync_public_ssh_key" {
 // Obtain Forseti Server Configuration
 //*****************************************
-data "google_storage_object_signed_url" "file_url" {
-  bucket = module.server_gcs.forseti-server-storage-bucket
-  path = "configs/forseti_conf_server.yaml"
-  content_md5 = module.server_config.forseti-server-config-md5
+data "google_storage_bucket_object" "server_config_contents" {
+  bucket = module.server_gcs.forseti-server-storage-bucket
+  name = "configs/forseti_conf_server.yaml"
 }
+data "google_client_config" "current" {}
+
 data "http" "server_config_contents" {
-  url = data.google_storage_object_signed_url.file_url.signed_url
+  url = format("%s?alt=media", data.google_storage_bucket_object.server_config_contents.self_link)
+ # Optional request headers
   request_headers = {
-    "Content-MD5" = module.server_config.forseti-server-config-md5
+    "Authorization" = "Bearer ${data.google_client_config.current.access_token}"
   }
-
-  depends_on = ["data.google_storage_object_signed_url.file_url"]
 }
 //*****************************************
From 6890c14a999f48a53be4c9be238d0275b289846a Mon Sep 17 00:00:00 2001
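Review bot: The `"Authorization"` value added under `request_headers` is an ordinary string attribute of the `http` data source, so the OAuth access token is persisted in the Terraform state (visible through `terraform show`) and in any output that prints this data source, even though `google_client_config.current.access_token` itself is, as far as I know, marked sensitive by the Google provider. The token is short-lived, which bounds the exposure, but the state backend and any CI logs that capture state should now be treated as holding a credential; a comment such as `# NOTE: the bearer token is persisted in state with this data source; keep state access restricted` on the `request_headers` line would make that visible to the next maintainer. The hunk also removes the `Content-MD5` header and the `content_md5` argument, so the fetched file is no longer tied to `module.server_config.forseti-server-config-md5`; patch 3/3 in this series re-adds the md5 as a `depends_on` entry, which restores ordering but not a check, so a comment saying whether the md5 was only an ordering hint would avoid the question. The `data "http"` block starts and ends inside the hunk.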
From: Drew Goya
Date: Wed, 5 Feb 2020 14:48:27 -0800
Subject: [PATCH 2/3] Pinning version of helm provider to ~> v0.10

---
 examples/on_gke_end_to_end/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/on_gke_end_to_end/main.tf b/examples/on_gke_end_to_end/main.tf
index 712d8ba12..a1719b458 100644
--- a/examples/on_gke_end_to_end/main.tf
+++ b/examples/on_gke_end_to_end/main.tf
@@ -59,6 +59,7 @@ provider "helm" {
   debug = true
   automount_service_account_token = true
   install_tiller = true
+  version = "~> v0.10"
 }
 #--------------------#
From a0ed507bc0856e1737151548edbfed5e539ba441 Mon Sep 17 00:00:00 2001
From: Drew Goya
Date: Wed, 5 Feb 2020 14:57:38 -0800
Subject: [PATCH 3/3] Passing helm chart version through the on_gke_end_to_end example to the on_gke module

---
 examples/on_gke_end_to_end/main.tf | 1 +
 examples/on_gke_end_to_end/variables.tf | 5 +++++
 modules/on_gke/main.tf | 11 ++++++++---
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/examples/on_gke_end_to_end/main.tf b/examples/on_gke_end_to_end/main.tf
index a1719b458..7448367a1 100644
--- a/examples/on_gke_end_to_end/main.tf
+++ b/examples/on_gke_end_to_end/main.tf
@@ -189,6 +189,7 @@ module "forseti" {
   k8s_forseti_server_image_tag = var.k8s_forseti_server_image_tag
   k8s_forseti_orchestrator_image_tag = var.k8s_forseti_orchestrator_image_tag
   helm_repository_url = var.helm_repository_url
+  helm_chart_version = var.helm_chart_version
   policy_library_repository_url = var.policy_library_repository_url
   policy_library_repository_branch = var.policy_library_repository_branch
   policy_library_sync_enabled = var.policy_library_sync_enabled
diff --git a/examples/on_gke_end_to_end/variables.tf b/examples/on_gke_end_to_end/variables.tf
index c322c3f45..c7524dcbc 100644
--- a/examples/on_gke_end_to_end/variables.tf
+++ b/examples/on_gke_end_to_end/variables.tf
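Review bot: The new pin `version = "~> v0.10"` carries a `v` prefix that Terraform's own constraint examples omit; the prefix appears to be tolerated by the version parser, but the plain form `version = "~> 0.10"` is the conventional one and stops readers wondering whether the `v` is a typo. The block also gives no reason for the pin: it still sets `install_tiller = true`, so presumably the intent is to stay on a provider line that supports Tiller — if so, a comment such as `# pinned: later helm provider releases change the Tiller-related options` above the line would keep the next person from bumping it blindly. The `provider "helm"` block starts before the hunk.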
@@ -114,6 +114,11 @@ variable "helm_repository_url" {
   default = "https://forseti-security-charts.storage.googleapis.com/release/"
 }
+variable "helm_chart_version" {
+  description = "The version of the Helm chart to use"
+  default = "2.2.1"
+}
+
 variable "k8s_forseti_namespace" {
   description = "The Kubernetes namespace in which to deploy Forseti."
   default = "forseti"
diff --git a/modules/on_gke/main.tf b/modules/on_gke/main.tf
index 4763482ce..7ac14f400 100644
--- a/modules/on_gke/main.tf
+++ b/modules/on_gke/main.tf
@@ -27,7 +27,7 @@ resource "null_resource" "org_id_and_folder_id_are_both_empty" {
   count = length(var.composite_root_resources) == 0 && var.org_id == "" && var.folder_id == "" ? 1 : 0
   provisioner "local-exec" {
-    command = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.org_id}' >&2; false"
+    command = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.folder_id}' >&2; false"
     interpreter = ["bash", "-c"]
   }
 }
@@ -127,6 +127,9 @@ data "tls_public_key" "git_sync_public_ssh_key" {
 data "google_storage_bucket_object" "server_config_contents" {
   bucket = module.server_gcs.forseti-server-storage-bucket
   name = "configs/forseti_conf_server.yaml"
+  depends_on = [
+    module.server_config.forseti-server-config-md5
+  ]
 }
 data "google_client_config" "current" {}
@@ -234,10 +237,12 @@ resource "helm_release" "forseti-security" {
   version = var.helm_chart_version
   chart = "forseti-security"
   recreate_pods = var.recreate_pods
-  depends_on = ["kubernetes_role_binding.tiller",
+  depends_on = [
+    "kubernetes_role_binding.tiller",
     "kubernetes_namespace.forseti",
     "google_service_account_iam_binding.forseti_server_workload_identity",
-    "google_service_account_iam_binding.forseti_client_workload_identity"]
+    "google_service_account_iam_binding.forseti_client_workload_identity"
+  ]
   set {
     name = "database.username"
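Review bot: The corrected `command` line still interpolates `var.composite_root_resources`, a list, directly into the string template; with the Terraform 0.12 expression syntax this file uses elsewhere (`length(...) == 0 && ... ? 1 : 0`), interpolating a list value into a string is, as far as I can tell, rejected with a template error, so when `count` is 1 the apply fails on the template rather than with the intended diagnostic. The guard still stops the run, but the operator sees a confusing message instead of the values; `composite_root_resources=${join(",", var.composite_root_resources)}` keeps the output readable. The `resource "null_resource"` block starts before the hunk.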
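Review bot: The new `depends_on` entry in `data "google_storage_bucket_object" "server_config_contents"` references a module output attribute, `module.server_config.forseti-server-config-md5`, whereas `depends_on` under the Terraform 0.12 syntax used here expects references to whole resources; I would expect an "Invalid depends_on reference" error at validate time rather than the intended ordering, so please confirm against the Terraform version the module targets. If the goal is to read the object only after the configuration has been uploaded, depending on the resource that writes the object, or consuming the md5 through a regular attribute so the dependency is implicit, expresses that more directly and survives validation. Note also that the `depends_on` in the `helm_release` hunk below keeps quoted `"kubernetes_…"` strings, so the file now mixes both reference styles.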
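Review bot: The reformatted `depends_on` in `resource "helm_release" "forseti-security"` keeps the quoted string form (`"kubernetes_role_binding.tiller"`, …), which Terraform 0.12 accepts only as a deprecated 0.11-compatibility form and reports as a warning; since the list is being rewritten anyway, dropping the quotes (`kubernetes_role_binding.tiller,` and likewise for the three entries after it) would clear the warning and match the unquoted reference introduced in the `google_storage_bucket_object` hunk above. The `helm_release` block starts and ends outside the hunk.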