diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 87bcb8c7c..91a8b7f35 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -26,6 +26,7 @@ jobs:
 sudo apt-get install -y cloud-init
 sudo cloud-init schema --config-file terraform/modules/relay-app/templates/cloud-init.yaml
 sudo cloud-init schema --config-file terraform/modules/elixir-app/templates/cloud-init.yaml
+ sudo cloud-init schema --config-file terraform/modules/gateway-app/templates/cloud-init.yaml
 - name: Check Formatting
 working-directory: terraform
 run: |
diff --git a/terraform/environments/production/gateways.tf b/terraform/environments/production/gateways.tf
index 6d634077d..4918a8760 100644
--- a/terraform/environments/production/gateways.tf
+++ b/terraform/environments/production/gateways.tf
@@ -34,7 +34,7 @@ resource "google_compute_subnetwork" "gateways" {
 module "gateways" {
 count = var.gateway_portal_token != null ? 1 : 0
- source = "../../modules/gateway-app"
+ source = "../../modules/gateway-google-cloud-compute"
 project_id = module.google-cloud-project.project.project_id
 compute_network = google_compute_network.gateways.self_link
diff --git a/terraform/modules/elixir-app/templates/cloud-init.yaml b/terraform/modules/elixir-app/templates/cloud-init.yaml
index 22384bae8..3d58c6a7b 100644
--- a/terraform/modules/elixir-app/templates/cloud-init.yaml
+++ b/terraform/modules/elixir-app/templates/cloud-init.yaml
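Review bot: The added schema check points at `terraform/modules/gateway-app/templates/cloud-init.yaml`, but this same commit renames that module directory to `gateway-google-cloud-compute` (the `rename from`/`rename to` headers for `templates/cloud-init.yaml` appear further down), so on the post-merge tree the path no longer exists and `cloud-init schema` will fail on a missing config file instead of validating the gateway template. Change the line to `sudo cloud-init schema --config-file terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml`. Because the step fails on the path rather than on the template content, it is worth confirming the job was actually green before merging. The `run: |` block this line belongs to starts outside the hunk.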
@@ -53,8 +53,8 @@ write_files:
 [Service]
 TimeoutStartSec=0
 Restart=always
- ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
- ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
+ ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
+ ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
 ExecStop=/usr/bin/docker stop otel-collector
 ExecStopPost=/usr/bin/docker rm otel-collector
diff --git a/terraform/modules/gateway-app/outputs.tf b/terraform/modules/gateway-app/outputs.tf
deleted file mode 100644
index ab8a7839b..000000000
--- a/terraform/modules/gateway-app/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "service_account" {
- value = google_service_account.application
-}
-
-output "target_tags" {
- value = ["app-${local.application_name}"]
-}
diff --git a/terraform/modules/gateway-google-cloud-compute/iam.tf b/terraform/modules/gateway-google-cloud-compute/iam.tf
new file mode 100644
index 000000000..e7f523d99
--- /dev/null
+++ b/terraform/modules/gateway-google-cloud-compute/iam.tf
@@ -0,0 +1,63 @@
+
+# Create IAM role for the application instances
+resource "google_service_account" "application" {
+ project = var.project_id
+
+ account_id = "app-${local.application_name}"
+ display_name = "${local.application_name} app"
+ description = "Service account for ${local.application_name} application instances."
+}
+
+## Allow application service account to pull images from the container registry
+resource "google_project_iam_member" "artifacts" {
+ project = var.project_id
+
+ role = "roles/artifactregistry.reader"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
+
+## Allow fluentbit to injest logs
+resource "google_project_iam_member" "logs" {
+ project = var.project_id
+
+ role = "roles/logging.logWriter"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
+
+## Allow reporting application errors
+resource "google_project_iam_member" "errors" {
+ project = var.project_id
+
+ role = "roles/errorreporting.writer"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
+
+## Allow reporting metrics
+resource "google_project_iam_member" "metrics" {
+ project = var.project_id
+
+ role = "roles/monitoring.metricWriter"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
+
+## Allow reporting metrics
+resource "google_project_iam_member" "service_management" {
+ project = var.project_id
+
+ role = "roles/servicemanagement.reporter"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
+
+## Allow appending traces
+resource "google_project_iam_member" "cloudtrace" {
+ project = var.project_id
+
+ role = "roles/cloudtrace.agent"
+
+ member = "serviceAccount:${google_service_account.application.email}"
+}
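Review bot: The `## Allow reporting metrics` comment above `google_project_iam_member.service_management` is copied from the `metrics` binding and does not describe the role it grants, `roles/servicemanagement.reporter`; a comment such as `## Allow reporting to Service Management (roles/servicemanagement.reporter)` would stop a reader assuming this is a second metrics binding. The `logs` comment also carries a typo, `injest` should be `ingest`. Both lines were moved verbatim out of `main.tf` in this commit, so this new file is the natural place to fix them. Separately, all six bindings are project-scoped; if the gateway image lives in a single Artifact Registry repository, binding `roles/artifactregistry.reader` on that repository rather than the project would be the least-privilege option, though the repository layout is not visible here.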
diff --git a/terraform/modules/gateway-app/main.tf b/terraform/modules/gateway-google-cloud-compute/main.tf
similarity index 78%
rename from terraform/modules/gateway-app/main.tf
rename to terraform/modules/gateway-google-cloud-compute/main.tf
index c852babbf..2c3a63ef2 100644
--- a/terraform/modules/gateway-app/main.tf
+++ b/terraform/modules/gateway-google-cloud-compute/main.tf
@@ -7,6 +7,8 @@ locals {
 application = local.application_name
 }, var.application_labels)
+ application_tags = ["app-${local.application_name}"]
+
 google_health_check_ip_ranges = [
 "130.211.0.0/22",
 "35.191.0.0/16"
@@ -50,71 +52,8 @@ locals {
 # Fetch most recent COS image
 data "google_compute_image" "coreos" {
- family = "ubuntu-2004-lts"
- project = "ubuntu-os-cloud"
-}
-
-# Create IAM role for the application instances
-resource "google_service_account" "application" {
- project = var.project_id
-
- account_id = "app-${local.application_name}"
- display_name = "${local.application_name} app"
- description = "Service account for ${local.application_name} application instances."
-}
-
-## Allow application service account to pull images from the container registry
-resource "google_project_iam_member" "artifacts" {
- project = var.project_id
-
- role = "roles/artifactregistry.reader"
-
- member = "serviceAccount:${google_service_account.application.email}"
-}
-
-## Allow fluentbit to injest logs
-resource "google_project_iam_member" "logs" {
- project = var.project_id
-
- role = "roles/logging.logWriter"
-
- member = "serviceAccount:${google_service_account.application.email}"
-}
-
-## Allow reporting application errors
-resource "google_project_iam_member" "errors" {
- project = var.project_id
-
- role = "roles/errorreporting.writer"
-
- member = "serviceAccount:${google_service_account.application.email}"
-}
-
-## Allow reporting metrics
-resource "google_project_iam_member" "metrics" {
- project = var.project_id
-
- role = "roles/monitoring.metricWriter"
-
- member = "serviceAccount:${google_service_account.application.email}"
-}
-
-## Allow reporting metrics
-resource "google_project_iam_member" "service_management" {
- project = var.project_id
-
- role = "roles/servicemanagement.reporter"
-
- member = "serviceAccount:${google_service_account.application.email}"
-}
-
-## Allow appending traces
-resource "google_project_iam_member" "cloudtrace" {
- project = var.project_id
-
- role = "roles/cloudtrace.agent"
-
- member = "serviceAccount:${google_service_account.application.email}"
+ family = "cos-109-lts"
+ project = "cos-cloud"
 }
 # Deploy app
@@ -129,7 +68,7 @@ resource "google_compute_instance_template" "application" {
 can_ip_forward = true
- tags = ["app-${local.application_name}"]
+ tags = local.application_tags
 labels = merge({
 container-vm = data.google_compute_image.coreos.name
diff --git a/terraform/modules/gateway-google-cloud-compute/outputs.tf b/terraform/modules/gateway-google-cloud-compute/outputs.tf
new file mode 100644
index 000000000..7af44658a
--- /dev/null
+++ b/terraform/modules/gateway-google-cloud-compute/outputs.tf
@@ -0,0 +1,15 @@
+output "service_account" {
+ value = google_service_account.application
+}
+
+output "target_tags" {
+ value = local.application_tags
+}
+
+output "instance_template" {
+ value = google_compute_instance_template.application
+}
+
+output "instance_group" {
+ value = google_compute_region_instance_group_manager.application
+}
diff --git a/terraform/modules/gateway-app/services.tf b/terraform/modules/gateway-google-cloud-compute/services.tf
similarity index 99%
rename from terraform/modules/gateway-app/services.tf
rename to terraform/modules/gateway-google-cloud-compute/services.tf
index 76e80a208..f8ac4715e 100644
--- a/terraform/modules/gateway-app/services.tf
+++ b/terraform/modules/gateway-google-cloud-compute/services.tf
@@ -1,4 +1,3 @@
-
 resource "google_project_service" "compute" {
 project = var.project_id
 service = "compute.googleapis.com"
diff --git a/terraform/modules/gateway-app/templates/cloud-init.yaml b/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
similarity index 90%
rename from terraform/modules/gateway-app/templates/cloud-init.yaml
rename to terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
index db41bec7e..fd4732bdf 100644
--- a/terraform/modules/gateway-app/templates/cloud-init.yaml
+++ b/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
@@ -1,29 +1,10 @@
 #cloud-config
-packages:
- - apt-transport-https
- - ca-certificates
- - curl
- - gnupg-agent
- - software-properties-common
- - docker.io
-
 users:
 - name: cloudservice
 uid: 2000
-groups:
- - docker
-
-system_info:
- default_user:
- groups: [docker]
-
 write_files:
- - path: /etc/sysctl.d/enabled_ipv4_forwarding.conf
- content: |
- net.ipv4.conf.all.forwarding=1
-
 - path: /etc/otelcol-contrib/config.yaml
 permissions: "0644"
 owner: root
@@ -102,8 +83,8 @@ write_files:
 [Service]
 TimeoutStartSec=0
 Restart=always
- ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
- ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
+ ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
+ ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
 ExecStop=/usr/bin/docker stop otel-collector
 ExecStopPost=/usr/bin/docker rm otel-collector
@@ -131,8 +112,6 @@ write_files:
 ExecStopPost=/usr/bin/docker rm gateway
 runcmd:
- - sudo systemctl enable docker.service
- - sudo systemctl enable containerd.service
 - sudo systemctl daemon-reload
 - sudo systemctl start otel-collector.service
 - sudo systemctl start gateway.service
diff --git a/terraform/modules/gateway-app/variables.tf b/terraform/modules/gateway-google-cloud-compute/variables.tf
similarity index 100%
rename from terraform/modules/gateway-app/variables.tf
rename to terraform/modules/gateway-google-cloud-compute/variables.tf
diff --git a/terraform/modules/relay-app/templates/cloud-init.yaml b/terraform/modules/relay-app/templates/cloud-init.yaml
index b27dd018e..9e512ed7f 100644
--- a/terraform/modules/relay-app/templates/cloud-init.yaml
+++ b/terraform/modules/relay-app/templates/cloud-init.yaml
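Review bot: The first hunk removes the `write_files` entry that wrote `net.ipv4.conf.all.forwarding=1` to `/etc/sysctl.d/enabled_ipv4_forwarding.conf`, while the instance template in `main.tf` still sets `can_ip_forward = true`, so the VM remains permitted to forward packets but nothing in this template enables forwarding in the guest kernel any more. Whether that matters depends on the gateway container's `docker run` line, which is outside the hunk: if it relies on host-level IP forwarding, the new COS image provides it only if the Docker daemon or the container sets the sysctl itself, which this diff does not establish. If forwarding is required, keep the `write_files` entry (`/etc` is evidently writable here, since the otel config is still written there) and add `- sudo sysctl --system` to `runcmd` ahead of the `gateway.service` start so the setting takes effect on first boot rather than only after a reboot. Dropping the `packages:` list and the `systemctl enable docker.service`/`containerd.service` lines in the third hunk is consistent with COS shipping Docker pre-installed, though that is an assumption about the image, not something visible in the diff.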
@@ -83,8 +83,8 @@ write_files:
 [Service]
 TimeoutStartSec=0
 Restart=always
- ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.85.0
- ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.85.0
+ ExecStartPre=/usr/bin/docker pull otel/opentelemetry-collector-contrib:0.87.0
+ ExecStart=/usr/bin/docker run --rm -u 2000 --name=otel-collector --network host --volume /etc/otelcol-contrib/:/etc/otelcol-contrib/ otel/opentelemetry-collector-contrib:0.87.0
 ExecStop=/usr/bin/docker stop otel-collector
 ExecStopPost=/usr/bin/docker rm otel-collector