diff --git a/.tool-versions b/.tool-versions
index 835d4c052..2a8d07f08 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -3,7 +3,7 @@ nodejs 18.16.0 elixir 1.15.2-otp-26 erlang 26.0.2 -terraform 1.5.0 +terraform 1.5.6 # Used for static analysis python 3.9.13
diff --git a/terraform/environments/staging/.terraform.lock.hcl b/terraform/environments/staging/.terraform.lock.hcl
index a2d48084c..bf1a9e8c7 100644
--- a/terraform/environments/staging/.terraform.lock.hcl
+++ b/terraform/environments/staging/.terraform.lock.hcl
@@ -2,40 +2,42 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "4.66.0" + version = "4.81.0" + constraints = "~> 4.66" hashes = [ - "h1:rN7iHu/t+Xps0D4RUM2ZkgLdXAY6ftey+o/5osP9jKE=", - "zh:141cddc714dec246957a47cb4103b34302222fc93a87b64de88116b22ebb0ea1", - "zh:276ebd75cb7c265d12b2c611a5f8d38fd6b892ef3edec1b845a934721db794e5", - "zh:574ae7b4808c1560b5a55a75ca2ad5d8ff6b5fb9dad6dffce3fae7ff8ccf78a9", - "zh:65309953f79827c23cc800fc093619a1e0e51a53e2429e9b04e537a11012f989", - "zh:6d67d3edea47767a873c38f1ff519d4450d8e1189a971bda7b0ffde9c9c65a86", - "zh:7fb116be869e30ee155c27f122d415f34d1d5de735d1fa9c4280cac71a42e8f4", - "zh:8a95ed92bb4547f4a40c953a6bd1db659b739f67adcacd798b11fafaec55ee67", - "zh:94f0179e84eb74823d8be4781b0a15f7f34ee39a7b158075504c882459f1ab23", - "zh:a58a7c5ace957cb4395f4b3bb11687e3a5c79362a744107f16623118cffc9370", - "zh:ab38b66f3c5c00df64c86fb4e47caef8cf451d5ed1f76845fd8b2c59628dc18a", - "zh:cc6bb1799e38912affc2a5b6f1c52b08f286d3751206532c04482b5ca0418eb6", + "h1:TKydY88LYRsHJ05icwCU0NNy8ANWinWcs5teuSXVF2k=", + "zh:29f5ca33cba63fb8dd96a0074317295bb99708a8d5bc124efe41406f25e967cd", + "zh:3a1fd6da193a62777c2e83d7449df9990f78b3638a9b99ca2410fb678bd2dbba", + "zh:3d251ff3d83b3e877543a7638eb6953fcd4002328e2d32611acc4ca647f3a162", + "zh:4711bc9a2957368de9f333bb458cf85a769fd14313cb34c4bb56c472acaf7cca", + "zh:4f6acd5645b395a7a7f6991b91a2bf8d19a303232dc630fe8e7c7857c980445b", + "zh:54ad3f0745a9ecfb725a1d7627461fc9ec98f4b4f0930011137b828a93fe5c21", + "zh:8134b287fc0b8b88e50b4e082071163f7465077f7433a5ca13b7d2fa68c57f73", + "zh:848d9d30eb8360c993e96e1871b0cfecadfcf6f9669e52c1f3d5d4bc16afbd67", + "zh:851199bde801acbb90e262c01959f721e8c31853e1c8ad6478c70ae326b8544e", + "zh:883102ec2d28193ea036cf3db9f93355b3e2c69dc66eacc40aa958b4a3c30f47", + "zh:c09200ef6722f27e1f12165082c7eb137e622cea60fcf201c21609564d0e91d0", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider 
"registry.terraform.io/hashicorp/google-beta" { - version = "4.66.0" + version = "4.81.0" + constraints = "~> 4.66" hashes = [ - "h1:z8dx8fWyjpymy5nzJGhEq9IJ+K8vVaWPawZTOhL7NuU=", - "zh:253391f3b3cc9c6908b9fcbb8704e423071121fef476d5de824a187df76924a0", - "zh:2fb223b4fba1fcccb02cc3d0d5103fdf687a722b461828b3885043dd643f8efd", - "zh:6ca0094c20f4e9f25f11ab016f0b54fcfd62076ea30bb43d4c69d52633a0cfb8", - "zh:757ffff89a521073c8fa7f663cf3d9d20629d6e72b837b74c0221bcf34531cfd", - "zh:7d1459b9b3bd9e0dc887b9c476cfa58e2cbb7d56d5ffdeaec0fdd535a38373d4", - "zh:92ad7a5489cd3f51b69c0136095d94f3092c8c7e0d5c8befe1ff53c18761aade", - "zh:9f477e3dbaac8302160bfcfb9c064de72eb6776130a5671380066ac2e84ceae8", - "zh:d1580b146b16d56ccd18a1bbc4a4cac2607e37ed5baf6290cc929f5c025bf526", - "zh:d30d5b3ebd6c4123a53cef4c7c6606b06d27f1cb798b387b9a65b55f8c7b6b9f", - "zh:e3cdc92f111499702f7a807fe6cf8873714939efc05b774cfbde76b8a199da46", - "zh:f2cd44444b6d7760a8a6deaf54ca67ae3696d3f5640b107ad7be91dde8a60c25", + "h1:ccLmnfXRD7NgTmoezt29Z+Kj46vFfbvJBwlwI+Bv/fE=", + "zh:2177e06b4f6e7ea85bf475bc7c7012f94835f85237b8880fced6ede60279559d", + "zh:28c6e6b214218617273f38174b18ac8950af03908991a05fed860ddcefc16c2d", + "zh:417fa45c9edb1dd77a4360aa092cd47154076647f4e86c2b524ee83c59b22b3b", + "zh:42d56cbb13f1eaccfd681bc0fa6a249a926720334544bd352694888425e41a3c", + "zh:66048b36642eef5d019e58dbdc34b04e0c25cd3636e671d270f6be92d316021c", + "zh:6b2e42a53c04dbeb9519887ffd1da888b5049e774614daf47dd5ff169b323ab7", + "zh:8c9b6d6c58e4a2eec03ab16313c08f5d77f86ffdda5dcd19eaf5b3f619bf66f6", + "zh:ac3fe4990fa43beea23c9743b570c4e6da9b23f3ad73d96eb8c6bb81c534c649", + "zh:c2420e48a7a6d323d9ebc2f184c65734f70e73e2e0ade70ba5ce67f56c26dd41", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f6b3a64d62c1f459a814f9eaccec176a95140b707a9bc0cdc5826086075c571f", + "zh:fc58563042edf6a5fe3f7ce3efed21ae9a532b9b860653368028d6921ab17cdf", ] } 
diff --git a/terraform/environments/staging/main.tf b/terraform/environments/staging/main.tf
index 21bf48a35..a66c0b4f8 100644
--- a/terraform/environments/staging/main.tf
+++ b/terraform/environments/staging/main.tf
@@ -199,10 +199,14 @@ resource "google_compute_subnetwork" "apps" { name = "app" + stack_type = "IPV4_IPV6" + ip_cidr_range = "10.128.0.0/20" region = local.region network = module.google-cloud-vpc.id + ipv6_access_type = "EXTERNAL" + private_ip_google_access = true }
@@ -606,8 +610,6 @@ module "relays" { } } - vpc_network = "projects/${module.google-cloud-project.project.project_id}/global/networks/default" - container_registry = module.google-artifact-registry.url image_repo = module.google-artifact-registry.repo
diff --git a/terraform/environments/staging/versions.tf b/terraform/environments/staging/versions.tf
index ead8f80fa..3ed3e3def 100644
--- a/terraform/environments/staging/versions.tf
+++ b/terraform/environments/staging/versions.tf
@@ -1,5 +1,5 @@ terraform { - required_version = "1.5.0" + required_version = "1.5.6" required_providers { random = {
@@ -14,12 +14,12 @@ terraform { google = { source = "hashicorp/google" - version = "~> 4.66" + version = "~> 4.81" } google-beta = { source = "hashicorp/google-beta" - version = "~> 4.66" + version = "~> 4.81" } tls = {
diff --git a/terraform/modules/elixir-app/main.tf b/terraform/modules/elixir-app/main.tf
index 3c3571e9d..de149923c 100644
--- a/terraform/modules/elixir-app/main.tf
+++ b/terraform/modules/elixir-app/main.tf
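Review bot: Setting `ipv6_access_type = "EXTERNAL"` on the shared `apps` subnetwork means any instance in it that declares an `ipv6_access_config` (the elixir-app template in this commit does) receives a globally routable IPv6 address, yet nothing in this diff revisits the VPC's ingress firewall rules. The implied deny covers IPv6 as well, so this is safe only as long as no existing allow rule in that VPC uses `::/0` or a broad IPv6 range — worth confirming against the rules outside this diff, since such a rule would now expose the app instances directly rather than only through the load balancer. If the apps need IPv6 only for egress or intra-VPC traffic, `INTERNAL` (which requires a ULA range enabled on the network) keeps them off the public IPv6 internet. A one-line comment above `ipv6_access_type` stating why public IPv6 is wanted here would spare the next reader the same question.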
@@ -146,24 +146,35 @@ resource "google_compute_instance_template" "application" { network_interface { subnetwork = var.vpc_subnetwork + stack_type = "IPV4_IPV6" + + ipv6_access_config { + network_tier = "PREMIUM" + } } service_account { email = google_service_account.application.email scopes = [ - # Those are copying gke-default scopes - "storage-ro", - "logging-write", - "monitoring", - "service-management", - "service-control", - "trace", + # Those are default scopes + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append", # Required to discover the other instances in the Erlang Cluster - "compute-ro", + "https://www.googleapis.com/auth/compute.readonly" ] } + shielded_instance_config { + enable_integrity_monitoring = true + enable_secure_boot = false + enable_vtpm = true + } + metadata = merge({ gce-container-declaration = yamlencode({ spec = {
diff --git a/terraform/modules/relay-app/main.tf b/terraform/modules/relay-app/main.tf
index 0259a3879..b6dc8b4ad 100644
--- a/terraform/modules/relay-app/main.tf
+++ b/terraform/modules/relay-app/main.tf
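Review bot: `enable_secure_boot = false` in the new `shielded_instance_config` block switches off the one Shielded VM control that actually blocks unsigned boot components, while integrity monitoring and vTPM only measure and report; the same block with the same value is added in terraform/modules/relay-app/main.tf. The `gce-container-declaration` metadata just below suggests a Container-Optimized OS image, which supports Secure Boot, so either set `enable_secure_boot = true` or put a comment above the line explaining the constraint, e.g. `# Secure Boot off: <reason, placeholder> — revisit once <blocker, placeholder> is resolved`. The rewritten scope list is the narrower full-URI set, which is fine, but its last entry `"https://www.googleapis.com/auth/compute.readonly"` drops the trailing comma that the relay-app list keeps — pick one style for both modules. The enclosing resource starts before and continues past this hunk.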
@@ -110,6 +110,37 @@ resource "google_project_iam_member" "cloudtrace" { member = "serviceAccount:${google_service_account.application.email}" } +# Create network +resource "google_compute_network" "network" { + project = var.project_id + name = "relays" + + routing_mode = "GLOBAL" + + auto_create_subnetworks = false + + depends_on = [ + google_project_service.compute + ] +} + +resource "google_compute_subnetwork" "subnetwork" { + for_each = var.instances + + project = var.project_id + + name = "relays-${each.key}" + region = each.key + + network = google_compute_network.network.self_link + + stack_type = "IPV4_IPV6" + ip_cidr_range = "10.128.0.0/20" + ipv6_access_type = "EXTERNAL" + private_ip_google_access = true +} + +# Deploy app resource "google_compute_instance_template" "application" { for_each = var.instances
@@ -142,7 +173,14 @@ resource "google_compute_instance_template" "application" { } network_interface { - network = var.vpc_network + subnetwork = google_compute_subnetwork.subnetwork[each.key].self_link + + stack_type = "IPV4_IPV6" + + ipv6_access_config { + network_tier = "PREMIUM" + # Ephimerical IP address + } access_config { network_tier = "PREMIUM"
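Review bot: Every per-region subnetwork produced by `for_each = var.instances` is given the same `ip_cidr_range = "10.128.0.0/20"` inside the single `relays` network, and GCP requires primary IPv4 ranges of subnets in one VPC to be non-overlapping, so the apply fails as soon as `var.instances` holds more than one region. Assuming `var.instances` is a map keyed by region (as `region = each.key` suggests), a distinct range per key can be derived with `ip_cidr_range = cidrsubnet("10.128.0.0/16", 4, index(keys(var.instances), each.key))`; since that renumbers subnets when keys are added out of order, an explicit cidr carried per region in the variable is the more stable choice. Moving the relays out of the project's `default` network into a dedicated VPC with `auto_create_subnetworks = false` and `private_ip_google_access = true` is the right direction and deserves a sentence in the `# Create network` comment saying so.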
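Review bot: The comment `# Ephimerical IP address` inside the new `ipv6_access_config` block is misspelled and undersells what the block does; `# Ephemeral external IPv6 address: public, reachable subject to the firewall rules below` tells the reader the relay is now dual-stack reachable. With `access_config` and `ipv6_access_config` both present each relay gets a public IPv4 and a public IPv6 address, which is presumably intended for STUN/TURN, but the hunk does not say so. The enclosing resource starts before and continues past this hunk.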
@@ -154,18 +192,22 @@ resource "google_compute_instance_template" "application" { email = google_service_account.application.email scopes = [ - # Those are copying gke-default scopes - "storage-ro", - "logging-write", - "monitoring", - "service-management", - "service-control", - "trace", - # Required to discover the other instances in the Erlang Cluster - "compute-ro", + # Those are default scopes + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append", ] } + shielded_instance_config { + enable_integrity_monitoring = true + enable_secure_boot = false + enable_vtpm = true + } + metadata = merge({ gce-container-declaration = yamlencode({ spec = {
@@ -312,7 +354,7 @@ resource "google_compute_firewall" "stun-turn" { project = var.project_id name = "${local.application_name}-firewall-lb-to-instances" - network = var.vpc_network + network = google_compute_network.network.self_link source_ranges = ["0.0.0.0/0"] target_tags = ["app-${local.application_name}"]
@@ -333,7 +375,7 @@ resource "google_compute_firewall" "http-health-checks" { project = var.project_id name = "${local.application_name}-healthcheck" - network = var.vpc_network + network = google_compute_network.network.self_link source_ranges = local.google_health_check_ip_ranges target_tags = ["app-${local.application_name}"]
@@ -349,7 +391,7 @@ resource "google_compute_firewall" "egress-ipv4" { project = var.project_id name = "${local.application_name}-egress-ipv4" - network = var.vpc_network + network = google_compute_network.network.self_link direction = "EGRESS" target_tags = ["app-${local.application_name}"]
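Review bot: The rewritten scope list silently drops `compute-ro` together with its `# Required to discover the other instances in the Erlang Cluster` comment, whereas the parallel change in terraform/modules/elixir-app/main.tf keeps that scope as `https://www.googleapis.com/auth/compute.readonly`. If the relays still discover peers through the Compute API this is a regression that only shows up at runtime; if they do not cluster, a comment such as `# No compute scope: relays do not discover peers` would make the narrower grant read as deliberate. The enclosing resource starts before and continues past this hunk.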
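Review bot: The relay template now allocates a public IPv6 address, but the `stun-turn` ingress rule touched here still matches only `source_ranges = ["0.0.0.0/0"]` and `http-health-checks` only `local.google_health_check_ip_ranges`; a VPC firewall rule with IPv4 source ranges never matches IPv6 traffic, so IPv6 clients and IPv6 health checks fall through to the implied deny. If IPv6 service is intended, add parallel rules with `source_ranges = ["::/0"]` and the IPv6 health-check ranges Google documents — the two address families cannot share one rule — and if it is not, drop `ipv6_access_config` so the address is not allocated at all. The commit only rewires `network` in these rules, so this may be deliberately deferred; a comment at the `stun-turn` rule saying so would avoid the question. The `egress-ipv4` rule below and the `egress-ipv6` rule in the next hunk are unaffected.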
@@ -364,7 +406,7 @@ resource "google_compute_firewall" "egress-ipv6" { project = var.project_id name = "${local.application_name}-egress-ipv6" - network = var.vpc_network + network = google_compute_network.network.self_link direction = "EGRESS" target_tags = ["app-${local.application_name}"]
diff --git a/terraform/modules/relay-app/variables.tf b/terraform/modules/relay-app/variables.tf
index 588154ae4..03f0d0e46 100644
--- a/terraform/modules/relay-app/variables.tf
+++ b/terraform/modules/relay-app/variables.tf
@@ -23,15 +23,6 @@ variable "instances" { description = "List deployment locations for the application." } -################################################################################ -## VPC -################################################################################ - -variable "vpc_network" { - description = "ID of a VPC which will be used to deploy the application." - type = string -} - ################################################################################ ## Container Registry ################################################################################