Incorporate Terraform changes (#381)

* Rename database from contact-tracing to en Fixes GH-377 * Make GCS bucket public Fixes GH-373 * Create Cloud KMS KR and K, grant Exposure SA access Fixes GH-372 * Bump minimum specs for Cloud Run services Fixes GH-368 * Don't manage the full IAM policy for the Run instance * Fix SA name description * Re-run migrations when database changes
google · May 20, 2020 · 076993d · 076993d
1 parent 9ed43ac
commit 076993d
Show file tree

Hide file tree

Showing 10 changed files with 109 additions and 19 deletions.
diff --git a/terraform/database.tf b/terraform/database.tf
@@ -23,7 +23,7 @@ resource "google_sql_database_instance" "db-inst" {
  project = data.google_project.project.project_id
  region = var.region
  database_version = "POSTGRES_11"
- name = "contact-tracing-${random_string.db-name.result}"
+ name = "en-${random_string.db-name.result}"
 
  settings {
  tier = var.cloudsql_tier
@@ -185,6 +185,11 @@ resource "null_resource" "submit-update-schema" {
  provisioner "local-exec" {
  command = "gcloud builds submit ../ --config ../builders/schema.yaml --project ${data.google_project.project.project_id} --substitutions=_PORT=5432,_PASSWORD_SECRET=${google_secret_manager_secret.db-pwd.secret_id},_USER=${google_sql_user.user.name},_NAME=${google_sql_database.db.name},_SSLMODE=disable,_CLOUDSQLPATH=${data.google_project.project.project_id}:${var.region}:${google_sql_database_instance.db-inst.name}"
  }
+
+ triggers = {
+ database = google_sql_database_instance.db-inst.name,
+ }
+
  depends_on = [
  google_project_iam_member.cloudbuild-secrets,
  google_project_iam_member.cloudbuild-sql,

diff --git a/terraform/key_management.tf b/terraform/key_management.tf
@@ -0,0 +1,29 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "google_kms_key_ring" "export-signing" {
+ project = data.google_project.project.project_id
+ name = "export-signing"
+ location = var.region
+}
+
+resource "google_kms_crypto_key" "export-signer" {
+ key_ring = google_kms_key_ring.export-signing.self_link
+ name = "signer"
+ purpose = "ASYMMETRIC_SIGN"
+ version_template {
+ algorithm = "EC_SIGN_P256_SHA256"
+ protection_level = "HSM"
+ }
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -32,8 +32,18 @@ data "google_project" "project" {
 
 resource "google_project_service" "services" {
  project = data.google_project.project.project_id
- for_each = toset(["run.googleapis.com", "cloudkms.googleapis.com", "secretmanager.googleapis.com", "storage-api.googleapis.com", "cloudscheduler.googleapis.com",
- "sql-component.googleapis.com", "cloudbuild.googleapis.com", "servicenetworking.googleapis.com", "compute.googleapis.com", "sqladmin.googleapis.com"])
+ for_each = toset([
+ "cloudbuild.googleapis.com",
+ "cloudkms.googleapis.com",
+ "cloudscheduler.googleapis.com",
+ "compute.googleapis.com",
+ "run.googleapis.com",
+ "secretmanager.googleapis.com",
+ "servicenetworking.googleapis.com",
+ "sql-component.googleapis.com",
+ "sqladmin.googleapis.com",
+ "storage-api.googleapis.com",
+ ])
  service = each.value
  disable_on_destroy = false
 }
@@ -125,15 +135,6 @@ locals {
  ]
 }
 
-data "google_iam_policy" "noauth" {
- binding {
- role = "roles/run.invoker"
- members = [
- "allUsers",
- ]
- }
-}
-
 # Cloud Scheduler requires AppEngine projects!
 resource "google_app_engine_application" "app" {
  project = data.google_project.project.project_id

diff --git a/terraform/service_cleanup_export.tf b/terraform/service_cleanup_export.tf
@@ -53,6 +53,13 @@ resource "google_cloud_run_service" "cleanup-export" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/cleanup-export:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "2G"
+ }
+ }
+
  dynamic "env" {
  for_each = local.common_cloudrun_env_vars
  content {

diff --git a/terraform/service_cleanup_exposure.tf b/terraform/service_cleanup_exposure.tf
@@ -47,6 +47,13 @@ resource "google_cloud_run_service" "cleanup-exposure" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/cleanup-exposure:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "1G"
+ }
+ }
+
  dynamic "env" {
  for_each = local.common_cloudrun_env_vars
  content {

diff --git a/terraform/service_export.tf b/terraform/service_export.tf
@@ -42,6 +42,12 @@ resource "google_storage_bucket_iam_member" "export-objectadmin" {
  member = "serviceAccount:${google_service_account.export.email}"
 }
 
+resource "google_kms_key_ring_iam_member" "export-signerverifier" {
+ key_ring_id = google_kms_key_ring.export-signing.self_link
+ role = "roles/cloudkms.signerVerifier"
+ member = "serviceAccount:${google_service_account.export.email}"
+}
+
 resource "google_cloud_run_service" "export" {
  name = "export"
  location = var.region
@@ -53,6 +59,13 @@ resource "google_cloud_run_service" "export" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/export:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "1G"
+ }
+ }
+
  env {
  name = "EXPORT_FILE_MAX_RECORDS"
  value = "100"
@@ -96,7 +109,7 @@ resource "google_cloud_run_service" "export" {
 resource "google_service_account" "export-invoker" {
  project = data.google_project.project.project_id
  account_id = "en-export-invoker-sa"
- display_name = "Exposure Notification Cleanup Exposure Invoker"
+ display_name = "Exposure Notification Export Invoker"
 }
 
 resource "google_cloud_run_service_iam_member" "export-invoker" {

diff --git a/terraform/service_exposure.tf b/terraform/service_exposure.tf
@@ -47,6 +47,13 @@ resource "google_cloud_run_service" "exposure" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/exposure:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "1G"
+ }
+ }
+
  dynamic "env" {
  for_each = local.common_cloudrun_env_vars
  content {
@@ -72,10 +79,10 @@ resource "google_cloud_run_service" "exposure" {
  ]
 }
 
-resource "google_cloud_run_service_iam_policy" "exposure-noauth" {
+resource "google_cloud_run_service_iam_member" "exposure-public" {
  location = google_cloud_run_service.exposure.location
  project = google_cloud_run_service.exposure.project
  service = google_cloud_run_service.exposure.name
-
- policy_data = data.google_iam_policy.noauth.policy_data
+ role = "roles/run.invoker"
+ member = "allUsers"
 }
diff --git a/terraform/service_federationin.tf b/terraform/service_federationin.tf
@@ -47,6 +47,13 @@ resource "google_cloud_run_service" "federationin" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/federationin:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "1G"
+ }
+ }
+
  dynamic "env" {
  for_each = local.common_cloudrun_env_vars
  content {

diff --git a/terraform/service_federationout.tf b/terraform/service_federationout.tf
@@ -47,6 +47,13 @@ resource "google_cloud_run_service" "federationout" {
  containers {
  image = "us.gcr.io/${data.google_project.project.project_id}/github.com/google/exposure-notifications-server/cmd/federationout:latest"
 
+ resources {
+ limits = {
+ cpu = "2"
+ memory = "1G"
+ }
+ }
+
  dynamic "env" {
  for_each = local.common_cloudrun_env_vars
  content {
@@ -72,10 +79,10 @@ resource "google_cloud_run_service" "federationout" {
  ]
 }
 
-resource "google_cloud_run_service_iam_policy" "federationout-noauth" {
+resource "google_cloud_run_service_iam_member" "federationout-public" {
  location = google_cloud_run_service.federationout.location
  project = google_cloud_run_service.federationout.project
  service = google_cloud_run_service.federationout.name
-
- policy_data = data.google_iam_policy.noauth.policy_data
+ role = "roles/run.invoker"
+ member = "allUsers"
 }
diff --git a/terraform/storage.tf b/terraform/storage.tf
@@ -20,6 +20,13 @@ resource "random_string" "bucket-name" {
 }
 
 resource "google_storage_bucket" "export" {
+ project = data.google_project.project.project_id
  name = "exposure-notification-export-${random_string.bucket-name.result}"
  bucket_policy_only = true
 }
+
+resource "google_storage_bucket_iam_member" "public" {
+ bucket = google_storage_bucket.export.name
+ role = "roles/storage.objectViewer"
+ member = "allUsers"
+}