Merge pull request #19 from redbadger/gcp-infra

gcp infra wip

java-containers-k8s/tear_down.sh

@@ -5,20 +5,20 @@ pushd infrastructure
 echo "tearing down infrastructure..."
 
 pushd kubernetes
-terraform init
-terraform destroy -auto-approve
+tofu init
+tofu destroy
 popd
 
 pushd cluster
-terraform init
-terraform destroy -auto-approve
+tofu init
+tofu destroy
 popd
 
 pushd storage
-terraform init
-terraform destroy -auto-approve
+tofu init
+tofu destroy
 popd
 
 echo "infrastructure tear down finished!"
 
-popd
+popd

platform-wasmcloud/google/.gitignore

@@ -0,0 +1 @@
+.terraform

platform-wasmcloud/google/README.md

@@ -0,0 +1,37 @@
+# Platform PoC wasmCloud on Google Cloud
+
+## Prerequisites
+
+- [Google Cloud SDK](https://cloud.google.com/sdk/docs/install)
+- [OpenTofu](https://opentofu.org/)
+- [wash](https://wasmcloud.com/docs/installation/)
+
+## Setup
+
+Login to Google Cloud:
+
+```fish
+# for interactive use of gcloud CLI ...
+gcloud auth login
+
+# for OpenTofu/Terraform ...
+gcloud auth application-default login
+```
+
+Install the GKE gcloud auth plugin (so that the provision script can get the cluster credentials):
+
+```fish
+gcloud components install gke-gcloud-auth-plugin
+```
+
+## Provisioning
+
+```fish
+./scripts/provision.fish
+```
+
+## Destroying
+
+```fish
+./scripts/destroy.fish
+```

platform-wasmcloud/google/scripts/destroy.fish

@@ -0,0 +1,14 @@
+#!/usr/bin/env fish
+set SCRIPT_DIR (dirname (realpath (status -f)))
+
+# STAGE 2
+pushd $SCRIPT_DIR/../stage_2
+    tofu init
+    tofu destroy --var-file=../terraform.tfvars
+popd
+
+# STAGE 1
+pushd $SCRIPT_DIR/../stage_1
+    tofu init
+    tofu destroy --var-file=../terraform.tfvars
+popd

platform-wasmcloud/google/scripts/provision.fish

@@ -0,0 +1,19 @@
+#!/usr/bin/env fish
+set SCRIPT_DIR (dirname (realpath (status -f)))
+
+# STAGE 1
+pushd $SCRIPT_DIR/../stage_1
+    tofu init
+    tofu apply --var-file=../terraform.tfvars
+popd
+
+# Authenticate with the cluster
+gcloud container clusters get-credentials platform-poc-wasmcloud-cluster \
+    --project platform-poc-wasmcloud \
+    --location europe-west2
+
+# STAGE 2
+pushd $SCRIPT_DIR/../stage_2
+    tofu init
+    tofu apply --var-file=../terraform.tfvars
+popd

platform-wasmcloud/google/stage_1/cluster.tf

@@ -0,0 +1,52 @@
+resource "google_container_cluster" "primary" {
+  name                = "${var.project_id}-cluster"
+  location            = var.region
+  deletion_protection = false
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+}
+
+resource "google_container_node_pool" "primary_nodes" {
+  name       = "primary-node-pool"
+  location   = var.region
+  cluster    = google_container_cluster.primary.name
+  node_count = 1
+
+  node_config {
+    machine_type    = "e2-standard-2"
+    service_account = google_service_account.workload-identity-user-sa.email
+  }
+}
+
+resource "google_service_account" "workload-identity-user-sa" {
+  account_id   = "cloud-sql-client-sa"
+  display_name = "Cloud SQL Client Service Account"
+  description  = "Service account used for Cloud SQL Auth PRoxy"
+}
+
+resource "google_project_iam_member" "sql-client-role" {
+  project = var.project_id
+  role    = "roles/cloudsql.client"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+resource "google_project_iam_member" "datastore-user-role" {
+  project = var.project_id
+  role    = "roles/datastore.user"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+resource "google_project_iam_member" "artifact-registry-reader-role" {
+  project = var.project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+output "node_pool_service_account" {
+  value = google_service_account.workload-identity-user-sa.email
+}

platform-wasmcloud/google/stage_1/main.tf

@@ -0,0 +1,4 @@
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}

platform-wasmcloud/google/stage_1/memorystore.tf

@@ -0,0 +1,44 @@
+resource "google_memorystore_instance" "redis" {
+  instance_id = "${var.project_id}-redis"
+  shard_count = 1
+  desired_psc_auto_connections {
+    network    = google_compute_network.producer_net.id
+    project_id = data.google_project.project.project_id
+  }
+  location                    = var.region
+  deletion_protection_enabled = false
+  depends_on = [
+    google_network_connectivity_service_connection_policy.default
+  ]
+
+  lifecycle {
+    # we don't store any critical data
+    prevent_destroy = false
+  }
+}
+
+resource "google_network_connectivity_service_connection_policy" "default" {
+  name          = "${var.project_id}-redis-policy"
+  location      = var.region
+  service_class = "gcp-memorystore"
+  description   = "redis connection policy"
+  network       = google_compute_network.producer_net.id
+  psc_config {
+    subnetworks = [google_compute_subnetwork.producer_subnet.id]
+  }
+}
+
+resource "google_compute_subnetwork" "producer_subnet" {
+  name          = "my-subnet"
+  ip_cidr_range = "10.0.0.248/29"
+  region        = var.region
+  network       = google_compute_network.producer_net.id
+}
+
+resource "google_compute_network" "producer_net" {
+  name                    = "my-network"
+  auto_create_subnetworks = false
+}
+
+data "google_project" "project" {
+}

platform-wasmcloud/google/stage_1/outputs.tf

@@ -0,0 +1,7 @@
+output "kubernetes_context" {
+  value = "gke_${var.project_id}_${var.region}_${google_container_cluster.primary.name}"
+}
+
+output "workload-identity-user-sa" {
+  value = google_service_account.workload-identity-user-sa.email
+}

platform-wasmcloud/google/stage_1/postgres.tf

@@ -0,0 +1,30 @@
+resource "google_sql_database" "database_orders" {
+  name     = "order-service"
+  instance = google_sql_database_instance.instance.name
+}
+
+resource "google_sql_database" "database_inventory" {
+  name     = "inventory-service"
+  instance = google_sql_database_instance.instance.name
+}
+
+resource "google_sql_user" "user" {
+  name     = var.pg_user
+  instance = google_sql_database_instance.instance.name
+  password = var.pg_password
+}
+
+resource "google_sql_database_instance" "instance" {
+  name             = "${var.project_id}-pg"
+  region           = var.region
+  database_version = "POSTGRES_15"
+  settings {
+    tier = "db-f1-micro"
+    database_flags {
+      name  = "max_connections"
+      value = "50"
+    }
+  }
+
+  deletion_protection = "false"
+}

platform-wasmcloud/google/stage_1/registry.tf

@@ -0,0 +1,10 @@
+resource "google_artifact_registry_repository" "registry" {
+  location      = var.region
+  repository_id = "registry"
+  description   = "OCI registry for wasmcloud services"
+  format        = "DOCKER"
+
+  docker_config {
+    immutable_tags = false
+  }
+}

platform-wasmcloud/google/stage_1/variables.tf

@@ -0,0 +1,24 @@
+variable "project_id" {
+  type        = string
+  description = "The project ID"
+}
+
+variable "region" {
+  type        = string
+  description = "The region"
+}
+
+variable "pg_user" {
+  type        = string
+  description = "Username for Postgres Cloud SQL database"
+}
+
+variable "pg_password" {
+  type        = string
+  description = "password for Postgres Cloud SQL database"
+}
+
+variable "pg_database" {
+  type        = string
+  description = "Postgres Cloud SQL database name"
+}

platform-wasmcloud/google/stage_1/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "6.19.0"
+    }
+  }
+
+  backend "gcs" {
+    bucket = "platform-poc-wasmcloud-tofu-state"
+    prefix = "dev"
+  }
+
+  required_version = ">= 1.9.0"
+}

platform-wasmcloud/google/stage_2/kubernetes.tf

@@ -0,0 +1,26 @@
+resource "google_project_iam_member" "workload_identity-role" {
+  project = var.project_id
+  role    = "roles/iam.workloadIdentityUser"
+  member  = "serviceAccount:${var.project_id}.svc.id.goog[default/${kubernetes_service_account.ksa.metadata[0].name}]"
+}
+
+resource "kubernetes_service_account" "ksa" {
+  metadata {
+    name = "kubernetes-service-account"
+    annotations = {
+      "iam.gke.io/gcp-service-account" = data.terraform_remote_state.stage_1.outputs.workload-identity-user-sa
+    }
+  }
+}
+
+resource "kubernetes_secret" "db_secrets" {
+  metadata {
+    name = "postgres-db-secrets"
+  }
+
+  data = {
+    username = var.pg_user
+    password = var.pg_password
+    database = var.pg_database
+  }
+}