Add ctlog shards that create their own Cloud SQL instances. (#370)

* Add ctlog shards that create their own Cloud SQL instances. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Do not wire in db version / tier. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Clean up and simplify. Introduce mysql-shard that does not create serviceaccounts, services, etc. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * fix output variable name. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use known good vpc_connection. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Remove creating a new private network. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * remove depends on for private networking creation. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * bake cluster name to db instance to reduce mistakes against wrong db. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Output connection strings too. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Oct 13, 2022 · 9322721 · 9322721
1 parent 3759c86
commit 9322721
Show file tree

Hide file tree

Showing 9 changed files with 373 additions and 4 deletions.
diff --git a/terraform/gcp/modules/ctlog/main.tf b/terraform/gcp/modules/ctlog/main.tf
@@ -37,4 +37,4 @@ resource "google_dns_record_set" "A_ctfe" {
   managed_zone = var.dns_zone_name
 
   rrdatas = [var.load_balancer_ipv4]
-}
+}
diff --git a/terraform/gcp/modules/ctlog/variables.tf b/terraform/gcp/modules/ctlog/variables.tf
@@ -36,4 +36,4 @@ variable "dns_domain_name" {
 variable "load_balancer_ipv4" {
   description = "IPv4 adddress of external load balancer"
   type        = string
-}
+}
diff --git a/terraform/gcp/modules/mysql-shard/mysql.tf b/terraform/gcp/modules/mysql-shard/mysql.tf
@@ -0,0 +1,105 @@
+/**
+ * Copyright 2022 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# MySQL that only creates a mysql instance. Different from the ../mysql
+# which creates serviceaccounts and services, etc. New shards for fulcio/rekor
+# should use this module.
+# Forked from https://github.com/GoogleCloudPlatform/gke-private-cluster-demo/blob/master/terraform/postgres.tf
+
+resource "google_sql_database_instance" "trillian" {
+  project          = var.project_id
+  name             = var.instance_name
+  database_version = var.database_version
+  region           = var.region
+
+  # Set to false to delete this database
+  deletion_protection = var.deletion_protection
+
+  settings {
+    tier              = var.tier
+    activation_policy = "ALWAYS"
+    availability_type = var.availability_type
+
+    ip_configuration {
+      ipv4_enabled    = var.ipv4_enabled
+      private_network = var.network
+      require_ssl     = var.require_ssl
+    }
+
+    database_flags {
+      name  = "cloudsql_iam_authentication"
+      value = "on"
+    }
+
+    backup_configuration {
+      enabled            = var.backup_enabled
+      binary_log_enabled = var.binary_log_backup_enabled
+    }
+  }
+
+  timeouts {
+    create = "10m"
+    update = "10m"
+    delete = "10m"
+  }
+}
+
+resource "google_sql_database_instance" "read_replica" {
+  for_each = toset(var.replica_zones)
+
+  name                 = "${google_sql_database_instance.trillian.name}-replica-${each.key}"
+  master_instance_name = google_sql_database_instance.trillian.name
+  region               = var.region
+  database_version     = var.database_version
+
+  replica_configuration {
+    failover_target = false
+  }
+
+  settings {
+    tier              = var.replica_tier
+    availability_type = "ZONAL"
+
+    ip_configuration {
+      ipv4_enabled    = var.ipv4_enabled
+      private_network = var.network
+      require_ssl     = var.require_ssl
+    }
+
+    database_flags {
+      name  = "cloudsql_iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_database" "trillian" {
+  name       = var.db_name
+  project    = var.project_id
+  instance   = google_sql_database_instance.trillian.name
+  collation  = "utf8_general_ci"
+  depends_on = [google_sql_database_instance.trillian]
+}
+
+resource "google_sql_user" "trillian" {
+  name       = "trillian"
+  project    = var.project_id
+  instance   = google_sql_database_instance.trillian.name
+  password   = var.password
+  host       = "%"
+  depends_on = [google_sql_database_instance.trillian]
+}
+
diff --git a/terraform/gcp/modules/mysql-shard/outputs.tf b/terraform/gcp/modules/mysql-shard/outputs.tf
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2022 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Used when setting up the GKE cluster to talk to MySQL.
+output "mysql_instance" {
+  description = "The generated name of the Cloud SQL instance"
+  value       = google_sql_database_instance.trillian.name
+}
+
+// Full connection string for the MySQL DB>
+output "mysql_connection" {
+  description = "The connection string dynamically generated for storage inside the Kubernetes configmap"
+  value       = format("%s:%s:%s", var.project_id, var.region, google_sql_database_instance.trillian.name)
+}
+
+// Mysql DB username.
+output "mysql_user" {
+  description = "The Cloud SQL Instance User name"
+  value       = google_sql_user.trillian.name
+}
+
+// Mysql DB password.
+output "mysql_pass" {
+  sensitive   = true
+  description = "The Cloud SQL Instance Password (Generated)"
+  value       = google_sql_user.trillian.password
+}
diff --git a/terraform/gcp/modules/mysql-shard/variables.tf b/terraform/gcp/modules/mysql-shard/variables.tf
@@ -0,0 +1,124 @@
+/**
+ * Copyright 2022 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type    = string
+  default = ""
+  validation {
+    condition     = length(var.project_id) > 0
+    error_message = "Must specify project_id variable."
+  }
+}
+
+variable "region" {
+  type        = string
+  description = "GCP region"
+  default     = "us-west1"
+}
+
+variable "replica_zones" {
+  description = "List of zones for read replicas."
+  type        = list(any)
+  default     = []
+}
+
+variable "cluster_name" {
+  type    = string
+  default = ""
+}
+
+variable "tier" {
+  type        = string
+  description = "Machine tier for MySQL instance."
+  default     = "db-n1-standard-1"
+}
+
+variable "replica_tier" {
+  type        = string
+  description = "Machine tier for MySQL replica."
+  default     = "db-n1-standard-1"
+}
+
+variable "availability_type" {
+  type        = string
+  description = "Availability tier for MySQL"
+  default     = "REGIONAL"
+}
+
+variable "ipv4_enabled" {
+  type        = bool
+  description = "Whether to enable ipv4 for MySQL instance."
+  default     = false
+}
+
+variable "require_ssl" {
+  type        = bool
+  description = "Whether to require ssl for MySQL instance."
+  default     = true
+}
+
+variable "backup_enabled" {
+  type        = bool
+  description = "Whether to enable backup configuration."
+  default     = true
+}
+
+variable "binary_log_backup_enabled" {
+  type        = bool
+  description = "Whether to enable binary log for backup."
+  default     = true
+}
+
+variable "network" {
+  type    = string
+  default = "default"
+}
+
+variable "subnetwork" {
+  type    = string
+  default = "default"
+}
+
+variable "instance_name" {
+  type        = string
+  description = "Name for MySQL instance."
+}
+
+variable "db_name" {
+  type        = string
+  description = "Name for MySQL database name."
+  default     = "trillian"
+}
+
+variable "database_version" {
+  type        = string
+  description = "MySQL database version."
+  default     = "MYSQL_5_7"
+}
+
+variable "deletion_protection" {
+  type        = bool
+  description = "Deletion protection for MYSQL database. Must be set to false for `terraform apply` or `terraform destroy` to delete the db."
+  default     = true
+}
+
+// This is ok to have here because nobody can connect to the database without
+// IAM and it sits on private network.
+variable "password" {
+  type        = string
+  description = "mysql password within the database"
+  sensitive   = true
+}
diff --git a/terraform/gcp/modules/mysql-shard/versions.tf b/terraform/gcp/modules/mysql-shard/versions.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2022 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.1.3, < 1.4.0"
+
+  required_providers {
+    google = {
+      version = ">= 4.11.0, < 4.38.0"
+      source  = "hashicorp/google"
+    }
+    google-beta = {
+      version = ">= 4.11.0, < 4.38.0"
+      source  = "hashicorp/google-beta"
+    }
+    random = {
+      version = ">= 3.1.0, < 3.2.0"
+      source  = "hashicorp/random"
+    }
+  }
+}
diff --git a/terraform/gcp/modules/sigstore/outputs.tf b/terraform/gcp/modules/sigstore/outputs.tf
@@ -31,6 +31,18 @@ output "mysql_instance" {
   value       = module.mysql.mysql_instance
 }
 
+// Outputs a list of strings for each CTLog Cloud SQL instance.
+output "ctlog_mysql_instances" {
+  description = "Names of the DB instances created for the CTLog shards"
+  value       = [for ctlog_shard in module.ctlog_shards : ctlog_shard.mysql_instance]
+}
+
+// Outputs a list of connection strings for each CTLog Cloud SQL instance.
+output "ctlog_mysql_connections" {
+  description = "Connection strings of the DB instances created for the CTLog shards"
+  value       = [for ctlog_shard in module.ctlog_shards : ctlog_shard.mysql_connection]
+}
+
 // Full connection string for the MySQL DB>
 output "mysql_connection" {
   description = "The connection string dynamically generated for storage inside the Kubernetes configmap"