Clean up terraform module for gateway (#2474)

Switched back to `cos-105` to reduce the attack surface and the maintenance burden, and cleaned up the module so it is more reusable for our customers.
Andrew Dryga
2023-10-20 12:29:54 -06:00
committed by GitHub
parent 423fbbfe44
commit 428eddd570
11 changed files with 91 additions and 102 deletions


@@ -26,6 +26,7 @@ jobs:
sudo apt-get install -y cloud-init
sudo cloud-init schema --config-file terraform/modules/relay-app/templates/cloud-init.yaml
sudo cloud-init schema --config-file terraform/modules/elixir-app/templates/cloud-init.yaml
sudo cloud-init schema --config-file terraform/modules/gateway-app/templates/cloud-init.yaml
- name: Check Formatting
working-directory: terraform
run: |
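Review bot: The added schema check points at `terraform/modules/gateway-app/templates/cloud-init.yaml`, while the root module in this same commit switches its source to `../../modules/gateway-google-cloud-compute`. If the gateway module directory was renamed rather than duplicated, this path no longer exists and the step fails on the first run; the line should then read `sudo cloud-init schema --config-file terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml`. If both directories still exist after this change, a short comment in the workflow saying which one is the customer-facing module would save the next reader the same question. The `jobs:` block this step belongs to starts before the hunk.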


@@ -34,7 +34,7 @@ resource "google_compute_subnetwork" "gateways" {
module "gateways" {
count = var.gateway_portal_token != null ? 1 : 0
source = "../../modules/gateway-app"
source = "../../modules/gateway-google-cloud-compute"
project_id = module.google-cloud-project.project.project_id
compute_network = google_compute_network.gateways.self_link


@@ -53,8 +53,8 @@ write_files:
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
ExecStop=/usr/bin/docker stop otel-collector
ExecStopPost=/usr/bin/docker rm otel-collector


@@ -1,7 +0,0 @@
output "service_account" {
value = google_service_account.application
}
output "target_tags" {
value = ["app-${local.application_name}"]
}


@@ -0,0 +1,63 @@
# Create IAM role for the application instances
resource "google_service_account" "application" {
project = var.project_id
account_id = "app-${local.application_name}"
display_name = "${local.application_name} app"
description = "Service account for ${local.application_name} application instances."
}
## Allow application service account to pull images from the container registry
resource "google_project_iam_member" "artifacts" {
project = var.project_id
role = "roles/artifactregistry.reader"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow fluentbit to injest logs
resource "google_project_iam_member" "logs" {
project = var.project_id
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting application errors
resource "google_project_iam_member" "errors" {
project = var.project_id
role = "roles/errorreporting.writer"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting metrics
resource "google_project_iam_member" "metrics" {
project = var.project_id
role = "roles/monitoring.metricWriter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting metrics
resource "google_project_iam_member" "service_management" {
project = var.project_id
role = "roles/servicemanagement.reporter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow appending traces
resource "google_project_iam_member" "cloudtrace" {
project = var.project_id
role = "roles/cloudtrace.agent"
member = "serviceAccount:${google_service_account.application.email}"
}
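Review bot: The header comment on the `service_management` binding is a copy of the one above it (`## Allow reporting metrics`) and no longer describes the role it grants; since this file is the module's IAM surface that customers will read, it should say what `roles/servicemanagement.reporter` is for, e.g. `## Allow reporting service usage to Service Management`. The `logs` comment also has a typo (`injest` → `ingest`). Separately, every binding here is project-wide: `roles/artifactregistry.reader` in particular lets the instance service account read every repository in the project, so if the gateway image lives in a single repository, a repository-scoped `google_artifact_registry_repository_iam_member` would be the least-privilege form; a one-line comment explaining why project scope was chosen would be enough if that is deliberate.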


@@ -7,6 +7,8 @@ locals {
application = local.application_name
}, var.application_labels)
application_tags = ["app-${local.application_name}"]
google_health_check_ip_ranges = [
"130.211.0.0/22",
"35.191.0.0/16"
@@ -50,71 +52,8 @@ locals {
# Fetch most recent COS image
data "google_compute_image" "coreos" {
family = "ubuntu-2004-lts"
project = "ubuntu-os-cloud"
}
# Create IAM role for the application instances
resource "google_service_account" "application" {
project = var.project_id
account_id = "app-${local.application_name}"
display_name = "${local.application_name} app"
description = "Service account for ${local.application_name} application instances."
}
## Allow application service account to pull images from the container registry
resource "google_project_iam_member" "artifacts" {
project = var.project_id
role = "roles/artifactregistry.reader"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow fluentbit to injest logs
resource "google_project_iam_member" "logs" {
project = var.project_id
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting application errors
resource "google_project_iam_member" "errors" {
project = var.project_id
role = "roles/errorreporting.writer"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting metrics
resource "google_project_iam_member" "metrics" {
project = var.project_id
role = "roles/monitoring.metricWriter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow reporting metrics
resource "google_project_iam_member" "service_management" {
project = var.project_id
role = "roles/servicemanagement.reporter"
member = "serviceAccount:${google_service_account.application.email}"
}
## Allow appending traces
resource "google_project_iam_member" "cloudtrace" {
project = var.project_id
role = "roles/cloudtrace.agent"
member = "serviceAccount:${google_service_account.application.email}"
family = "cos-109-lts"
project = "cos-cloud"
}
# Deploy app
@@ -129,7 +68,7 @@ resource "google_compute_instance_template" "application" {
can_ip_forward = true
tags = ["app-${local.application_name}"]
tags = local.application_tags
labels = merge({
container-vm = data.google_compute_image.coreos.name
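Review bot: The image data source now pins `family = "cos-109-lts"` in `project = "cos-cloud"`, but the commit message says the module was switched back to `cos-105`; one of the two is wrong, and whoever audits the base image later will be misled by whichever is left. If `cos-109-lts` is intended, the message should be corrected; otherwise the family line should read `family = "cos-105-lts"`. A short comment above the data source stating that the family resolves to the latest image at plan time, so each apply may roll the instance template onto a newer image, would also make the update behaviour explicit for customers reusing the module. The `google_compute_instance_template` resource in the last hunk continues past the end of this section.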


@@ -0,0 +1,15 @@
output "service_account" {
value = google_service_account.application
}
output "target_tags" {
value = local.application_tags
}
output "instance_template" {
value = google_compute_instance_template.application
}
output "instance_group" {
value = google_compute_region_instance_group_manager.application
}
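Review bot: The new `instance_template` and `instance_group` outputs export the whole resource objects, including the template's `metadata`; the root module passes `var.gateway_portal_token` into this module, and if that token ends up in the rendered cloud-init under `metadata.user-data`, it becomes visible through `terraform output` and any consumer that wires these outputs into further outputs. Unless a caller needs the full object, exporting the reference is safer: `value = google_compute_instance_template.application.self_link` and `value = google_compute_region_instance_group_manager.application.self_link`, or keep the full objects and add `sensitive = true` to `instance_template`. A `description` on each output would also help, as this file is part of the module's public interface.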


@@ -1,4 +1,3 @@
resource "google_project_service" "compute" {
project = var.project_id
service = "compute.googleapis.com"


@@ -1,29 +1,10 @@
#cloud-config
packages:
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- docker.io
users:
- name: cloudservice
uid: 2000
groups:
- docker
system_info:
default_user:
groups: [docker]
write_files:
- path: /etc/sysctl.d/enabled_ipv4_forwarding.conf
content: |
net.ipv4.conf.all.forwarding=1
- path: /etc/otelcol-contrib/config.yaml
permissions: "0644"
owner: root
@@ -102,8 +83,8 @@ write_files:
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
ExecStop=/usr/bin/docker stop otel-collector
ExecStopPost=/usr/bin/docker rm otel-collector
@@ -131,8 +112,6 @@ write_files:
ExecStopPost=/usr/bin/docker rm gateway
runcmd:
- sudo systemctl enable docker.service
- sudo systemctl enable containerd.service
- sudo systemctl daemon-reload
- sudo systemctl start otel-collector.service
- sudo systemctl start gateway.service
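Review bot: The first hunk drops the `users:` entry that created `cloudservice` with `uid: 2000`, but the unit files later in this file still run the containers with `-u 2000` (visible on the retained otel-collector `ExecStart`), so that uid is now unmapped on the host. That still works for a numeric `docker run -u`, but if any mounted path is expected to be writable by the container it must now be chown'ed to the bare uid, and a comment on the remaining `-u 2000` lines such as `# unprivileged uid; no host user exists for it on COS` would stop the next reader from reintroducing the user. Minor style point in the last hunk: cloud-init executes `runcmd` as root, so the `sudo` prefixes on the remaining `systemctl` lines are redundant and could be dropped along with the removed `enable` lines. The `write_files:` list this section edits begins before the first hunk.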


@@ -83,8 +83,8 @@ write_files:
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
ExecStop=/usr/bin/docker stop otel-collector
ExecStopPost=/usr/bin/docker rm otel-collector