Allow per-service location customization (#488)

* Add multiple region vars to allow more deployment flexibility

Not all regions support all services; separate out different region
variables to support the main services but also keep the ability to
define a single region for deployment

Bugfix: scheduler_jobs need to use the app engine region

* Remove "clever" code to derive regional arguments

Replaces the region derivations with top-level variables and
extra documentation to sepcify dependencies

* Terraform variable rename (as required by review)

Also minor comment fixes

* Further comment fix. .gitignore *.tfvar files.

* Fix DB connection string to use "db_region" instead of "region"

Also add the different region variables to the outputs

* Simplify note

* Use in new services

Co-authored-by: Jae Hossell <[email protected]>

.gitignore

@@ -14,7 +14,7 @@
 # Output of terraform
 *.tfstate*
 *.terraform/
-terraform.tfvars
+*.tfvars
 terraform/state.tf
 
 /local/

terraform/README.md

@@ -69,7 +69,7 @@ For full instructions on deploying, view the [deployment docs](../docs/deploying
  $ gsutil mb -p ${PROJECT_ID} gs://${PROJECT_ID}-tf-state
  ```
 
- Configurre Terraform to store state in the bucket:
+ Configure Terraform to store state in the bucket:
 
  ```text
  $ cat <<EOF > ./terraform/state.tf
@@ -111,3 +111,16 @@ project = "..."
 cloudsql_tier = "db-custom-1-3840"
 cloudsql_disk_size_gb = "16"
 ```
+
+### Changing Regions
+
+The target cloud region for each resource types are exposed as Terraform
+variables in `vars.tf`. Each region or location variable may be changed,
+however, they are not necessarily independent. The comments for each variable
+make a note of required dependencies and also link to the associated docs page
+listing the valid values.
+
+Note that not all resources used by this project are currently available in all
+regions, but bringing up infrastructure in different regions needs careful
+consideration as geographic location of resources does impact service
+performance.

terraform/database.tf

@@ -21,7 +21,7 @@ resource "random_string" "db-name" {
 
 resource "google_sql_database_instance" "db-inst" {
  project = data.google_project.project.project_id
- region = var.region
+ region = var.db_location
  database_version = "POSTGRES_11"
  name = "en-${random_string.db-name.result}"
 
@@ -166,7 +166,7 @@ resource "null_resource" "migrate" {
  DB_USER = google_sql_user.user.name
  COMMAND = "up"
 
- REGION = var.region
+ REGION = var.db_location
  SERVICES = "all"
  TAG = "initial"
  }

terraform/key_management.tf

@@ -15,7 +15,7 @@
 resource "google_kms_key_ring" "export-signing" {
  project = data.google_project.project.project_id
  name = "export-signing"
- location = var.region
+ location = var.kms_location
 
  depends_on = [
  google_project_service.services["cloudkms.googleapis.com"],

terraform/main.tf

@@ -76,7 +76,7 @@ resource "google_service_networking_connection" "private_vpc_connection" {
 resource "google_vpc_access_connector" "connector" {
  project = data.google_project.project.project_id
  name = "serverless-vpc-connector"
- region = var.region
+ region = var.network_location
  network = "default"
  ip_cidr_range = "10.8.0.0/28"
 
@@ -91,7 +91,7 @@ resource "null_resource" "build" {
  provisioner "local-exec" {
  environment = {
  PROJECT_ID = data.google_project.project.project_id
- REGION = var.region
+ REGION = var.cloudrun_location
  SERVICES = "all"
  TAG = "initial"
  }
@@ -172,6 +172,34 @@ output "region" {
  value = var.region
 }
 
+output "db_location" {
+ value = var.db_location
+}
+
+output "network_location" {
+ value = var.network_location
+}
+
+output "kms_location" {
+ value = var.kms_location
+}
+
+output "appengine_location" {
+ value = var.appengine_location
+}
+
+output "cloudscheduler_location" {
+ value = var.cloudscheduler_location
+}
+
+output "cloudrun_location" {
+ value = var.cloudrun_location
+}
+
+output "storage_location" {
+ value = var.storage_location
+}
+
 output "project" {
  value = data.google_project.project.project_id
 }

terraform/service_cleanup_export.tf

@@ -55,7 +55,7 @@ resource "google_storage_bucket_iam_member" "cleanup-export-objectadmin" {
 
 resource "google_cloud_run_service" "cleanup-export" {
  name = "cleanup-export"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {
@@ -131,6 +131,7 @@ resource "google_cloud_run_service_iam_member" "cleanup-export-invoker" {
 
 resource "google_cloud_scheduler_job" "cleanup-export-worker" {
  name = "cleanup-export-worker"
+ region = var.cloudscheduler_location
  schedule = "0 */6 * * *"
  time_zone = "Etc/UTC"
  attempt_deadline = "600s"

terraform/service_cleanup_exposure.tf

@@ -49,7 +49,7 @@ resource "google_secret_manager_secret_iam_member" "cleanup-exposure-db" {
 
 resource "google_cloud_run_service" "cleanup-exposure" {
  name = "cleanup-exposure"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {
@@ -125,6 +125,7 @@ resource "google_cloud_run_service_iam_member" "cleanup-exposure-invoker" {
 
 resource "google_cloud_scheduler_job" "cleanup-exposure-worker" {
  name = "cleanup-exposure-worker"
+ region = var.cloudscheduler_location
  schedule = "0 */4 * * *"
  time_zone = "Etc/UTC"
  attempt_deadline = "600s"

terraform/service_export.tf

@@ -61,7 +61,7 @@ resource "google_kms_key_ring_iam_member" "export-signerverifier" {
 
 resource "google_cloud_run_service" "export" {
  name = "export"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {
@@ -139,6 +139,7 @@ resource "google_cloud_run_service_iam_member" "export-invoker" {
 
 resource "google_cloud_scheduler_job" "export-worker" {
  name = "export-worker"
+ region = var.cloudscheduler_location
  schedule = "* * * * *"
  time_zone = "Etc/UTC"
  attempt_deadline = "600s"
@@ -165,6 +166,7 @@ resource "google_cloud_scheduler_job" "export-worker" {
 
 resource "google_cloud_scheduler_job" "export-create-batches" {
  name = "export-create-batches"
+ region = var.cloudscheduler_location
  schedule = "*/5 * * * *"
  time_zone = "Etc/UTC"
  attempt_deadline = "600s"

terraform/service_exposure.tf

@@ -49,7 +49,7 @@ resource "google_secret_manager_secret_iam_member" "exposure-db" {
 
 resource "google_cloud_run_service" "exposure" {
  name = "exposure"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {

terraform/service_federationin.tf

@@ -49,7 +49,7 @@ resource "google_secret_manager_secret_iam_member" "federationin" {
 
 resource "google_cloud_run_service" "federationin" {
  name = "federationin"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {

terraform/service_federationout.tf

@@ -49,7 +49,7 @@ resource "google_secret_manager_secret_iam_member" "federationout-db" {
 
 resource "google_cloud_run_service" "federationout" {
  name = "federationout"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {

terraform/service_gcr_cleaner.tf

@@ -44,7 +44,7 @@ resource "google_storage_bucket_iam_member" "gcr-cleaner-objectadmin" {
 
 resource "google_cloud_run_service" "gcr-cleaner" {
  name = "gcr-cleaner"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {

terraform/service_generate.tf

@@ -49,7 +49,7 @@ resource "google_secret_manager_secret_iam_member" "generate-db" {
 
 resource "google_cloud_run_service" "generate" {
  name = "generate"
- location = var.region
+ location = var.cloudrun_location
 
  template {
  spec {

terraform/storage.tf

@@ -21,6 +21,7 @@ resource "random_string" "bucket-name" {
 
 resource "google_storage_bucket" "export" {
  project = data.google_project.project.project_id
+ location = var.storage_location
  name = "exposure-notification-export-${random_string.bucket-name.result}"
  bucket_policy_only = true
 }

terraform/vars.tf

@@ -12,28 +12,71 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# The default region for resources in the project, individual resources should
+# have more specific variables defined to specify their region/location which
+# increases the flexibility of deployments
 variable "region" {
  type = string
  default = "us-central1"
 }
 
+# The region in which to put the SQL DB: it is currently configured to use
+# PostgreSQL.
+# https://cloud.google.com/sql/docs/postgres/locations
+variable "db_location" {
+ type = string
+ default = "us-central1"
+}
+
+# The region for the networking components.
+# https://cloud.google.com/compute/docs/regions-zones
+variable "network_location" {
+ type = string
+ default = "us-central1"
+}
+
+# The region for the key management service.
+# https://cloud.google.com/kms/docs/locations
+variable "kms_location" {
+ type = string
+ default = "us-central1"
+}
+
+# The location for the app engine; this implicitly defines the region for
+# scheduler jobs as specified by the cloudscheduler_location variable but the
+# values are sometimes different (as in the default values) so they are kept as
+# separate variables.
+# https://cloud.google.com/appengine/docs/locations
 variable "appengine_location" {
  type = string
  default = "us-central"
 }
 
-variable "project" {
- type = string
+# The cloudscheduler_location MUST use the same region as appengine_location but
+# it must include the region number even if this is omitted from the
+# appengine_location (as in the default values).
+variable "cloudscheduler_location" {
+ type = string
+ default = "us-central1"
 }
 
-variable "repo_owner" {
+
+# The region in which cloudrun jobs are executed.
+# https://cloud.google.com/run/docs/locations
+variable "cloudrun_location" {
  type = string
- default = "google"
+ default = "us-central1"
 }
 
-variable "repo_name" {
+# The location holding the storage bucket for exported files.
+# https://cloud.google.com/storage/docs/locations
+variable "storage_location" {
  type = string
- default = "exposure-notifications-server"
+ default = "US"
+}
+
+variable "project" {
+ type = string
 }
 
 variable "cloudsql_tier" {