From 9e5276e2ea010870301ad8d387b2fcd0612df330 Mon Sep 17 00:00:00 2001
From: Andrew Dryga <andrew@dryga.com>
Date: Wed, 3 Apr 2024 18:57:28 -0600
Subject: [PATCH] chore(portal): Allow rolling back cloud component versions

---
 terraform/environments/production/gateways.tf |  2 +-
 terraform/environments/production/main.tf     |  4 ++++
 terraform/environments/production/outputs.tf  | 12 ++++++++++
 terraform/environments/production/portal.tf   | 20 ++++++++--------
 terraform/environments/production/relays.tf   |  4 ++--
 .../environments/production/variables.tf      | 23 +++++++++++++++++++
 6 files changed, 52 insertions(+), 13 deletions(-)

diff --git a/terraform/environments/production/gateways.tf b/terraform/environments/production/gateways.tf
index 9e0e759b9..9316dea6e 100644
--- a/terraform/environments/production/gateways.tf
+++ b/terraform/environments/production/gateways.tf
@@ -23,7 +23,7 @@ module "gateways" {
 
   image_repo = module.google-artifact-registry.repo
   image      = "gateway"
-  image_tag  = var.image_tag
+  image_tag  = local.gateway_image_tag
 
   observability_log_level = "debug"
 
diff --git a/terraform/environments/production/main.tf b/terraform/environments/production/main.tf
index c4567fa19..459d45ac6 100644
--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
@@ -15,6 +15,10 @@ locals {
   iap_ipv4_ranges = [
     "35.235.240.0/20"
   ]
+
+  gateway_image_tag = var.gateway_image_tag != null ? var.gateway_image_tag : var.image_tag
+  relay_image_tag   = var.relay_image_tag != null ? var.relay_image_tag : var.image_tag
+  portal_image_tag  = var.portal_image_tag != null ? var.portal_image_tag : var.image_tag
 }
 
 terraform {
diff --git a/terraform/environments/production/outputs.tf b/terraform/environments/production/outputs.tf
index 8c01ebc5b..ddf59d326 100644
--- a/terraform/environments/production/outputs.tf
+++ b/terraform/environments/production/outputs.tf
@@ -5,3 +5,15 @@ output "dns_name_servers" {
 output "image_tag" {
   value = var.image_tag
 }
+
+output "gateway_image_tag" {
+  value = local.gateway_image_tag
+}
+
+output "relay_image_tag" {
+  value = local.relay_image_tag
+}
+
+output "portal_image_tag" {
+  value = local.portal_image_tag
+}
diff --git a/terraform/environments/production/portal.tf b/terraform/environments/production/portal.tf
index b3baab209..0227f1c3b 100644
--- a/terraform/environments/production/portal.tf
+++ b/terraform/environments/production/portal.tf
@@ -268,7 +268,7 @@ locals {
         cluster_name          = local.cluster.name
         cluster_name_label    = "cluster_name"
         cluster_version_label = "cluster_version"
-        cluster_version       = split(".", var.image_tag)[0]
+        cluster_version       = split(".", local.portal_image_tag)[0]
         node_name_label       = "application"
         polling_interval_ms   = 7000
       })
@@ -370,7 +370,7 @@ module "domain" {
 
   image_repo = module.google-artifact-registry.repo
   image      = "domain"
-  image_tag  = var.image_tag
+  image_tag  = local.portal_image_tag
 
   scaling_horizontal_replicas = 1
 
@@ -380,7 +380,7 @@ module "domain" {
   erlang_cluster_cookie = random_password.erlang_cluster_cookie.result
 
   application_name    = "domain"
-  application_version = replace(var.image_tag, ".", "-")
+  application_version = replace(local.portal_image_tag, ".", "-")
 
   application_ports = [
     {
@@ -413,7 +413,7 @@ module "domain" {
 
   application_labels = {
     "cluster_name"    = local.cluster.name
-    "cluster_version" = split(".", var.image_tag)[0]
+    "cluster_version" = split(".", local.portal_image_tag)[0]
   }
 }
 
@@ -434,7 +434,7 @@ module "web" {
 
   image_repo = module.google-artifact-registry.repo
   image      = "web"
-  image_tag  = var.image_tag
+  image_tag  = local.portal_image_tag
 
   scaling_horizontal_replicas     = 2
   scaling_max_horizontal_replicas = 4
@@ -445,7 +445,7 @@ module "web" {
   erlang_cluster_cookie = random_password.erlang_cluster_cookie.result
 
   application_name    = "web"
-  application_version = replace(var.image_tag, ".", "-")
+  application_version = replace(local.portal_image_tag, ".", "-")
 
   application_dns_tld = "app.${local.tld}"
 
@@ -490,7 +490,7 @@ module "web" {
 
   application_labels = {
     "cluster_name"    = local.cluster.name
-    "cluster_version" = split(".", var.image_tag)[0]
+    "cluster_version" = split(".", local.portal_image_tag)[0]
   }
 }
 
@@ -511,7 +511,7 @@ module "api" {
 
   image_repo = module.google-artifact-registry.repo
   image      = "api"
-  image_tag  = var.image_tag
+  image_tag  = local.portal_image_tag
 
   scaling_horizontal_replicas     = 2
   scaling_max_horizontal_replicas = 4
@@ -522,7 +522,7 @@ module "api" {
   erlang_cluster_cookie = random_password.erlang_cluster_cookie.result
 
   application_name    = "api"
-  application_version = replace(var.image_tag, ".", "-")
+  application_version = replace(local.portal_image_tag, ".", "-")
 
   application_dns_tld = "api.${local.tld}"
 
@@ -565,7 +565,7 @@ module "api" {
 
   application_labels = {
     "cluster_name"    = local.cluster.name
-    "cluster_version" = split(".", var.image_tag)[0]
+    "cluster_version" = split(".", local.portal_image_tag)[0]
   }
 
   application_token_scopes = [
diff --git a/terraform/environments/production/relays.tf b/terraform/environments/production/relays.tf
index b7df0d997..537e17418 100644
--- a/terraform/environments/production/relays.tf
+++ b/terraform/environments/production/relays.tf
@@ -94,12 +94,12 @@ module "relays" {
 
   image_repo = module.google-artifact-registry.repo
   image      = "relay"
-  image_tag  = var.image_tag
+  image_tag  = local.relay_image_tag
 
   observability_log_level = "info,hyper=off,h2=warn,tower=warn"
 
   application_name    = "relay"
-  application_version = replace(var.image_tag, ".", "-")
+  application_version = replace(local.relay_image_tag, ".", "-")
 
   health_check = {
     name     = "health"
diff --git a/terraform/environments/production/variables.tf b/terraform/environments/production/variables.tf
index 8305f1ef9..7abee999f 100644
--- a/terraform/environments/production/variables.tf
+++ b/terraform/environments/production/variables.tf
@@ -60,3 +60,26 @@ variable "stripe_webhook_signing_secret" {
 variable "stripe_default_price_id" {
   type = string
 }
+
+# Version overrides
+#
+# This section should be used to bind a specific version of the Firezone component
+# (eg. during rollback) to ensure it's not replaced by a new one untill a manual action
+#
+# To update them go to Terraform Cloud and change/delete the following variables,
+# if they are unset `var.image_tag` will be used.
+
+variable "relay_image_tag" {
+  type    = string
+  default = null
+}
+
+variable "gateway_image_tag" {
+  type    = string
+  default = null
+}
+
+variable "portal_image_tag" {
+  type    = string
+  default = null
+}