terraform: config for worker load balancer
Configure a load balancer for the worker Cloud Run service.
The dev instance runs in a project that doesn't allow external load balancers,
so disable it there.
Also, disable issue creation in the dev instance by setting the issue
repo to the empty string.
Change-Id: Ie9ff6d7d57f9a424c18eb68acf9e486cc676301f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/370014
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/.gitignore b/.gitignore
index 95708bc..de221d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
**/.terraform/*
.terraform.lock.hcl
+terraform/terraform.tfvars
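Review bot: The new ignore entry only covers the single path `terraform/terraform.tfvars`, while the main.tf comment in this same commit tells operators to keep the OAuth secret in a local tfvars file, so a file placed under `terraform/environment/` or named `*.auto.tfvars` (which Terraform loads without being asked) would still be picked up by a plain `git add .`. Consider the broader patterns `*.tfvars` and `*.tfvars.json`, with an explicit `!` negation for any example file that is meant to stay tracked.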
diff --git a/terraform/environment/worker.tf b/terraform/environment/worker.tf
index 4e7533a..e550c64 100644
--- a/terraform/environment/worker.tf
+++ b/terraform/environment/worker.tf
@@ -4,6 +4,8 @@
# Config for vuln worker.
+################################################################
+# Inputs.
variable "env" {
description = "environment name"
@@ -30,6 +32,19 @@
type = number
}
+variable "client_id" {
+ description = "OAuth 2 client ID (visit APIs & Services > Credentials)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "OAuth 2 client ID (visit APIs & Services > Credentials, click on client)"
+ type = string
+}
+
+
+################################################################
+# Cloud Run service.
resource "google_cloud_run_service" "worker" {
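Review bot: The `client_secret` variable is missing `sensitive = true`, so its value is printed in plain text in `terraform plan` and `apply` output, even though the same secret is marked sensitive where it is declared in main.tf (`prod_client_secret`) before being passed into this module. Its description is also a copy of the client ID's; add `sensitive = true` and change it to `description = "OAuth 2 client secret (visit APIs & Services > Credentials, click on client)"`. The `google_cloud_run_service.worker` resource on the last context line continues outside the hunk.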
@@ -66,7 +81,7 @@
}
env {
name = "VULN_WORKER_ISSUE_REPO"
- value = var.env == "dev"? "jba/nested-modules": "golang/vulndb"
+ value = var.env == "dev"? "": "golang/vulndb"
}
env{
name = "VULN_WORKER_USE_PROFILER"
@@ -109,3 +124,59 @@
project = var.project
location = var.region
}
+
+################################################################
+# Load balancer for Cloud Run service.
+
+resource "google_compute_region_network_endpoint_group" "worker" {
+ count = var.client_id == ""? 0: 1
+ name = "${var.env}-vuln-worker-neg"
+ network_endpoint_type = "SERVERLESS"
+ project = var.project
+ region = var.region
+ cloud_run {
+ service = google_cloud_run_service.worker.name
+ }
+}
+
+module "worker_lb" {
+ count = var.client_id == ""? 0: 1
+ source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
+ version = "~> 6.1.1"
+
+ name = "${var.env}-vuln-worker-lb"
+ project = var.project
+
+ ssl = true
+ managed_ssl_certificate_domains = ["${var.env}-vuln-worker.go.dev"]
+ https_redirect = true
+
+ backends = {
+ default = {
+ description = null
+ groups = [
+ {
+ group = google_compute_region_network_endpoint_group.worker[0].id
+ }
+ ]
+ enable_cdn = false
+ security_policy = null
+ custom_request_headers = null
+ custom_response_headers = null
+
+ iap_config = {
+ enable = true
+ oauth2_client_id = var.client_id
+ oauth2_client_secret = var.client_secret
+ }
+ log_config = {
+ enable = false
+ sample_rate = null
+ }
+ }
+ }
+}
+
+output "load_balancer_ip" {
+ value = var.client_id == ""? "": module.worker_lb[0].external_ip
+}
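Review bot: `log_config.enable = false` in the `default` backend turns off load-balancer request logging for the IAP-fronted worker, so requests that IAP rejects at the edge leave no record in Cloud Logging and there is nothing to reconstruct an access incident from; `enable = true` with a `sample_rate` the budget allows (1.0 if cost is not a concern) is the safer default. The same backend sets `security_policy = null`, which is reasonable for an IAP-only service but deserves a one-line comment so a later reader knows Cloud Armor was considered and skipped rather than forgotten. Separately, `var.client_id == ""` is used as a feature toggle in three places (the NEG, the module and the output); a dedicated boolean input such as `enable_load_balancer` would make the intent explicit and keep the three `count` expressions from drifting apart.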
diff --git a/terraform/main.tf b/terraform/main.tf
index d66189d..70fcff3 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -13,7 +13,7 @@
}
required_providers {
google = {
- version = "~> 3.86.0"
+ version = "~> 3.90.1"
source = "hashicorp/google"
}
}
@@ -28,6 +28,19 @@
region = local.region
}
+# Inputs for values that should not appear in the repo.
+# Terraform will prompt for these when you run it, or
+# you can put them in a local file that is only readable
+# by you, and pass them to terraform.
+# See https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files.
+
+variable "prod_client_secret" {
+ description = "OAuth 2 client secret for prod"
+ type = string
+ sensitive = true
+}
+
+
# Deployment environments
@@ -38,6 +51,8 @@
region = local.region
use_profiler = false
min_frontend_instances = 0
+ client_id = "" # go-discovery-exp does not allow external load balancers
+ client_secret = ""
}
module "prod" {
@@ -47,5 +62,7 @@
region = local.region
use_profiler = true
min_frontend_instances = 1
+ client_id = "unknown"
+ client_secret = var.prod_client_secret
}
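Review bot: `client_id = "unknown"` is a non-empty placeholder, so the `count` guards in worker.tf evaluate to 1 and prod provisions the NEG, the load balancer and IAP with an OAuth client ID that presumably does not exist; IAP will then not be able to complete its sign-in flow, and fixing it later by editing this line would put the real client ID into the repo. Mirror how the secret is handled: declare a `prod_client_id` input next to `prod_client_secret` (a `variable` block with a description and `type = string`; it need not be sensitive) and pass `client_id = var.prod_client_id`. If a placeholder is deliberate until the OAuth client exists, a comment saying so, with the value left as `""` so nothing is created, would be safer than a bogus ID. The `module "prod"` block begins outside the hunk.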