# Copyright 2021 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Config for vuln worker.
################################################################
# Inputs.
# Deployment environment name. Used as a prefix for the worker service,
# the Secret Manager secret and the scheduler job names below, and passed
# to the worker as VULN_WORKER_NAMESPACE.
variable "env" {
  description = "environment name"
  type        = string
}
# GCP project every resource and data source in this file is created in
# or looked up from; also exported to the worker as GOOGLE_CLOUD_PROJECT.
variable "project" {
  description = "GCP project"
  type        = string
}
# Region used as the Cloud Run service location (resource and data source).
variable "region" {
  description = "GCP region"
  type        = string
}
# Passed through to the worker container as VULN_WORKER_USE_PROFILER.
variable "use_profiler" {
  description = "use Stackdriver Profiler"
  type        = bool
}
# Becomes the autoscaling.knative.dev/minScale annotation of the worker
# service. Despite the name, this file only applies it to the worker,
# not to a frontend.
variable "min_frontend_instances" {
  description = "minimum number of frontend instances"
  type        = number
}
# Used as the OIDC token audience in both Cloud Scheduler jobs below.
# NOTE(review): the worker must accept this audience when it validates the
# token; that check is not in this file — confirm on the worker side.
variable "oauth_client_id" {
  description = "OAuth 2 client ID (visit APIs & Services > Credentials)"
  type        = string
}
# Passed to the worker container as VULN_WORKER_ISSUE_REPO.
variable "issue_repo" {
  description = "name of GitHub repo to post issues on"
  type        = string
}
################################################################
# Cloud Run service.
# Cloud Run service that runs the vuln worker. The container image is read
# back from the currently deployed service (the data source further down)
# rather than declared here, so "terraform apply" does not override an
# image that was pushed with gcloud.
resource "google_cloud_run_service" "worker" {
  provider = google-beta
  lifecycle {
    ignore_changes = [
      # When we deploy, we may use different clients at different versions.
      # Ignore those changes.
      template[0].metadata[0].annotations["run.googleapis.com/client-name"],
      template[0].metadata[0].annotations["run.googleapis.com/client-version"]
    ]
  }
  name     = "${var.env}-vuln-worker"
  project  = var.project
  location = var.region
  template {
    spec {
      containers {
        # Get the image from GCP (see the "data" block below).
        # Exception: when first creating the service, replace this with a hardcoded
        # image tag.
        image = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
        env {
          name  = "GOOGLE_CLOUD_PROJECT"
          value = var.project
        }
        env {
          name  = "VULN_WORKER_NAMESPACE"
          value = var.env
        }
        env {
          # A bare bool; relies on Terraform converting it to the string
          # "true" for the env value.
          name  = "VULN_WORKER_REPORT_ERRORS"
          value = true
        }
        env {
          name  = "VULN_WORKER_ISSUE_REPO"
          value = var.issue_repo
        }
        env {
          # The GitHub token itself never appears in this config: the value is
          # pulled from the Secret Manager secret declared further down.
          name = "VULN_GITHUB_ACCESS_TOKEN"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.vuln_github_access_token.secret_id
              # NOTE(review): "latest" follows the newest secret version; a
              # rotated token presumably reaches already-running instances only
              # once a new revision starts — confirm before relying on rotation.
              key = "latest"
            }
          }
        }
        env {
          # Bool variable, stringified the same way as VULN_WORKER_REPORT_ERRORS.
          name  = "VULN_WORKER_USE_PROFILER"
          value = var.use_profiler
        }
        resources {
          limits = {
            "cpu"    = "2000m"
            "memory" = "8Gi"
          }
        }
      }
      # NOTE(review): the Compute Engine default service account is the
      # worker's runtime identity here and the caller identity in the
      # scheduler jobs below. That account commonly carries broad
      # project-wide roles; a dedicated least-privilege service account
      # would limit what a compromised worker could reach — confirm which
      # roles it has been granted.
      service_account_name = data.google_compute_default_service_account.default.email
      # 60 minutes is the maximum Cloud Run request time.
      timeout_seconds = 60 * 60
    }
    metadata {
      annotations = {
        # minScale comes from a number variable, maxScale is a string literal;
        # both are stored as string annotation values.
        "autoscaling.knative.dev/minScale" = var.min_frontend_instances
        # Cap at a single container instance; both hourly scheduler jobs post
        # to this same service.
        "autoscaling.knative.dev/maxScale" = "1"
        #"client.knative.dev/user-image" = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
      }
    }
  }
  autogenerate_revision_name = true
  # Route all traffic to whatever revision was deployed most recently.
  traffic {
    latest_revision = true
    percent         = 100
  }
}
# We deploy new images with gcloud, not terraform, so we need to
# make sure that "terraform apply" doesn't change the deployed image
# to whatever is in this file. (The image attribute is required in
# a Cloud Run config; it can't be empty.)
#
# This data source is used to determine the deployed image.
# Looks up the already-deployed worker service (same name, project and
# location as the resource above) so its current container image can be
# reused. NOTE: this lookup cannot succeed before the service exists, which
# is why the resource's image attribute has a first-creation exception.
data "google_cloud_run_service" "worker" {
  name     = "${var.env}-vuln-worker"
  project  = var.project
  location = var.region
}
################################################################
# Other components.
# Time zone in which the scheduler cron expressions below are interpreted.
locals {
  tz = "America/New_York"
}
# Secret Manager container for the worker's GitHub access token. Only the
# secret itself is managed here; no version (and therefore no token value)
# is stored in Terraform state by this file. The worker reads it through the
# VULN_GITHUB_ACCESS_TOKEN secret_key_ref.
# NOTE(review): the worker's runtime service account needs
# roles/secretmanager.secretAccessor on this secret; that IAM binding is not
# in this file — confirm it is granted elsewhere.
resource "google_secret_manager_secret" "vuln_github_access_token" {
  secret_id = "vuln-${var.env}-github-access-token"
  project   = var.project
  replication {
    automatic = true
  }
}
# The project's Compute Engine default service account. Its email is used
# as the Cloud Run runtime identity and as the OIDC caller identity for the
# scheduler jobs.
data "google_compute_default_service_account" "default" {
  project = var.project
}
# Hourly job that POSTs to the worker's /update-and-issues endpoint,
# authenticating with an OIDC token minted for the default service account.
resource "google_cloud_scheduler_job" "vuln_issue_triage" {
  name        = "vuln-${var.env}-issue-triage"
  description = "Updates the DB and files issues."
  schedule    = "0 * * * *" # every hour
  time_zone   = local.tz
  project     = var.project
  # 30 minutes ("1800s"). NOTE(review): shorter than the worker's 60-minute
  # request timeout, so the scheduler may give up on a request the worker is
  # still processing — confirm that is intended.
  attempt_deadline = format("%ds", 30 * 60)
  http_target {
    http_method = "POST"
    uri         = "${google_cloud_run_service.worker.status[0].url}/update-and-issues"
    # NOTE(review): this only authenticates the caller; whether the worker
    # service also *requires* authentication (no public invoker binding) is
    # not visible in this file — confirm.
    oidc_token {
      service_account_email = data.google_compute_default_service_account.default.email
      audience              = var.oauth_client_id
    }
  }
  # No retries: a failed attempt is not repeated until the next scheduled run.
  retry_config {
    max_backoff_duration = "3600s"
    max_doublings        = 5
    max_retry_duration   = "0s"
    min_backoff_duration = "5s"
    retry_count          = 0
  }
}
# Hourly job (offset by 30 minutes from vuln_issue_triage) that POSTs to the
# worker's /scan-modules endpoint; authentication, deadline and retry
# settings mirror vuln_issue_triage.
resource "google_cloud_scheduler_job" "scan_modules" {
  name        = "vuln-${var.env}-scan-modules"
  description = "Scan selected modules for vulns."
  schedule    = "30 * * * *" # every hour on the half hour
  time_zone   = local.tz
  project     = var.project
  # 30 minutes ("1800s"); see the deadline note on vuln_issue_triage.
  attempt_deadline = format("%ds", 30 * 60)
  http_target {
    http_method = "POST"
    uri         = "${google_cloud_run_service.worker.status[0].url}/scan-modules"
    # OIDC token for the default service account; the worker is expected to
    # verify the audience (not visible here).
    oidc_token {
      service_account_email = data.google_compute_default_service_account.default.email
      audience              = var.oauth_client_id
    }
  }
  # No retries: retry_count is 0 and the retry window is "0s".
  retry_config {
    max_backoff_duration = "3600s"
    max_doublings        = 5
    max_retry_duration   = "0s"
    min_backoff_duration = "5s"
    retry_count          = 0
  }
}