terraform: moved to x/vulndb
For golang/go#50247
Change-Id: I07c75096d7223915d32201779e5984d81edcabdc
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/373503
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/terraform/environment/worker.tf b/terraform/environment/worker.tf
deleted file mode 100644
index 26b97c0..0000000
--- a/terraform/environment/worker.tf
+++ /dev/null
@@ -1,218 +0,0 @@
-# Copyright 2021 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# Config for vuln worker.
-
-################################################################
-# Inputs.
-
-variable "env" {
- description = "environment name"
- type = string
-}
-
-variable "project" {
- description = "GCP project"
- type = string
-}
-
-variable "region" {
- description = "GCP region"
- type = string
-}
-
-variable "use_profiler" {
- description = "use Stackdriver Profiler"
- type = bool
-}
-
-variable "min_frontend_instances" {
- description = "minimum number of frontend instances"
- type = number
-}
-
-variable "oauth_client_id" {
- description = "OAuth 2 client ID (visit APIs & Services > Credentials)"
- type = string
-}
-
-variable "oauth_client_secret" {
- description = "OAuth 2 client ID (visit APIs & Services > Credentials, click on client)"
- type = string
-}
-
-
-################################################################
-# Cloud Run service.
-
-resource "google_cloud_run_service" "worker" {
-
- lifecycle {
- ignore_changes = [
- # When we deploy, we may use different clients at different versions.
- # Ignore those changes.
- template[0].metadata[0].annotations["run.googleapis.com/client-name"],
- template[0].metadata[0].annotations["run.googleapis.com/client-version"]
- ]
- }
-
- name = "${var.env}-vuln-worker"
- project = var.project
- location = var.region
-
- template {
- spec {
- containers {
- # Don't hardcode the image here; get it from GCP. See the "data" block
- # below for more.
- image = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
- env {
- name = "GOOGLE_CLOUD_PROJECT"
- value = var.project
- }
- env {
- name = "VULN_WORKER_NAMESPACE"
- value = var.env
- }
- env {
- name = "VULN_WORKER_REPORT_ERRORS"
- value = true
- }
- env {
- name = "VULN_WORKER_ISSUE_REPO"
- value = var.env == "dev"? "": "golang/vulndb"
- }
- env{
- name = "VULN_WORKER_USE_PROFILER"
- value = var.use_profiler
- }
- resources {
- limits = {
- "cpu" = "1000m"
- "memory" = "2Gi"
- }
- }
- }
-
- service_account_name = "frontend@${var.project}.iam.gserviceaccount.com"
- # 60 minutes is the maximum Cloud Run request time.
- timeout_seconds = 60 * 60
- }
-
- metadata {
- annotations = {
- "autoscaling.knative.dev/minScale" = var.min_frontend_instances
- "autoscaling.knative.dev/maxScale" = "1"
- "client.knative.dev/user-image" = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
- }
- }
- }
- autogenerate_revision_name = true
-
- traffic {
- latest_revision = true
- percent = 100
- }
-}
-
-# We deploy new images with gcloud, not terraform, so we need to
-# make sure that "terraform apply" doesn't change the deployed image
-# to whatever is in this file. (The image attribute is required in
-# a Cloud Run config; it can't be empty.)
-#
-# We use this data source is used to determine the deployed image.
-data "google_cloud_run_service" "worker" {
- name = "${var.env}-vuln-worker"
- project = var.project
- location = var.region
-}
-
-################################################################
-# Load balancer for Cloud Run service.
-
-resource "google_compute_region_network_endpoint_group" "worker" {
- count = var.oauth_client_secret == ""? 0: 1
- name = "${var.env}-vuln-worker-neg"
- network_endpoint_type = "SERVERLESS"
- project = var.project
- region = var.region
- cloud_run {
- service = google_cloud_run_service.worker.name
- }
-}
-
-module "worker_lb" {
- count = var.oauth_client_secret == ""? 0: 1
- source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
- version = "~> 6.1.1"
-
- name = "${var.env}-vuln-worker-lb"
- project = var.project
-
- ssl = true
- managed_ssl_certificate_domains = ["${var.env}-vuln-worker.go.dev"]
- https_redirect = true
-
- backends = {
- default = {
- description = null
- groups = [
- {
- group = google_compute_region_network_endpoint_group.worker[0].id
- }
- ]
- enable_cdn = false
- security_policy = null
- custom_request_headers = null
- custom_response_headers = null
-
- iap_config = {
- enable = true
- oauth2_client_id = var.oauth_client_id
- oauth2_client_secret = var.oauth_client_secret
- }
- log_config = {
- enable = false
- sample_rate = null
- }
- }
- }
-}
-
-output "worker_url" {
- value = data.google_cloud_run_service.worker.status[0].url
-}
-
-output "load_balancer_ip" {
- value = var.oauth_client_secret == ""? "": module.worker_lb[0].external_ip
-}
-
-################################################################
-# Other components.
-
-locals {
- tz = "America/New_York"
-}
-
-data "google_compute_default_service_account" "default" {
- project = var.project
-}
-
-resource "google_cloud_scheduler_job" "issue_triage" {
- name = "${var.env}-issue-triage"
- description = "Updates the DB and files issues."
- schedule = "0 * * * *" # every hour
- time_zone = local.tz
- project = var.project
- attempt_deadline = format("%ds", 60 * 60)
-
- http_target {
- http_method = "POST"
- uri = "${google_cloud_run_service.worker.status[0].url}/update-and-issues"
- oidc_token {
- service_account_email = data.google_compute_default_service_account.default.email
- audience = var.oauth_client_id
- }
- }
-}
diff --git a/terraform/main.tf b/terraform/main.tf
deleted file mode 100644
index 6739480..0000000
--- a/terraform/main.tf
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright 2021 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# Terraform configuration for GCP components from this repo.
-
-terraform {
- required_version = ">= 1.0.9, < 2.0.0"
- # Store terraform state in a GCS bucket, so all team members share it.
- backend "gcs" {
- bucket = "go-discovery-exp"
- prefix = "vuln"
- }
- required_providers {
- google = {
- version = "~> 3.90.1"
- source = "hashicorp/google"
- }
- }
-}
-
-locals {
- region = "us-central1"
-}
-
-provider "google" {
- region = local.region
-}
-
-# Inputs for values that should not appear in the repo.
-# Terraform will prompt for these when you run it, or
-# you can put them in a local file that is only readable
-# by you, and pass them to terraform.
-# See https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files.
-
-variable "prod_client_secret" {
- description = "OAuth 2 client secret for prod"
- type = string
- sensitive = true
-}
-
-
-
-# Deployment environments
-
-module "dev" {
- source = "./environment"
- env = "dev"
- project = "go-discovery-exp"
- region = local.region
- use_profiler = false
- min_frontend_instances = 0
- oauth_client_id = "55665122702-tk2rogkaalgru7pqibvbltqs7geev8j5.apps.googleusercontent.com"
- oauth_client_secret = "" # go-discovery-exp does not allow external load balancers
-}
-
-# module "prod" {
-# source = "./environment"
-# env = "prod"
-# project = "golang-org"
-# region = local.region
-# use_profiler = true
-# min_frontend_instances = 1
-# client_id = "unknown"
-# client_secret = var.prod_client_secret
-# }
-
