Merge branch 'workload_identity'

3 years ago · 63799618da
parent bae77832d2 c3e5b70a84
commit 63799618da
4 changed files with 160 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,7 @@
 .terraform/
 terraform.tfstate
 terraform.tfstate.backup
+
+pgclient.crt
+pgclient.key
+pgserver.crt
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@ -105,6 +105,63 @@ module "cloudsql" {
  ]
 }

+output "cloudsql_ip_address" {
+  description = "IP address for cloudsql database."
+  value       = module.cloudsql.instance.ip_address.0.ip_address
+}
+
+output "cloudsql_server_certificate" {
+  description = "CA certificate."
+  value       = module.cloudsql.certificate.server_ca_cert
+  sensitive   = true
+}
+
+output "cloudsql_client_certificate" {
+  description = "Client certificate."
+  value       = module.cloudsql.certificate.cert
+  sensitive   = true
+}
+
+output "cloudsql_client_key" {
+  description = "Client key."
+  value       = module.cloudsql.certificate.private_key
+  sensitive   = true
+}
+
+resource "local_file" "pgserver_crt" {
+  sensitive_content    = module.cloudsql.certificate.server_ca_cert
+  filename             = "${path.module}/pgserver.crt"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_crt" {
+  sensitive_content    = module.cloudsql.certificate.cert
+  filename             = "${path.module}/pgclient.crt"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_key" {
+  sensitive_content    = module.cloudsql.certificate.private_key
+  filename             = "${path.module}/pgclient.key"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
+output "cloudsql_connection_string" {
+  description = "Connection URL for main user in cloudsql."
+  value       = "postgresql://postgres@${module.cloudsql.instance.ip_address.0.ip_address}/postgres?ssl=true&sslmode=verify-ca&sslcert=${urlencode(abspath(local_file.pgclient_crt.filename))}&sslkey=${urlencode(abspath(local_file.pgclient_key.filename))}&sslrootcert=${urlencode(abspath(local_file.pgserver_crt.filename))}"
+}
+
+# Create a workload identity service account for IAM authentication to
+# cloudsql
+module "cloudsql_test_sa" {
+  source              = "../modules/workload_identity_account"
+  project             = var.project
+  k8s_service_account = "test-sa"
+}
+
 #################### Redis ################################

 module "redis" {
@ -127,9 +184,3 @@ output "redis_port" {
  description = "Port for redis database."
  value       = module.redis.redis_port
 }
-
-
-
-
-
-
--- a/terraform/modules/cloudsql/cloudsql.tf
+++ b/terraform/modules/cloudsql/cloudsql.tf
@ -1,3 +1,5 @@
+# For the cloudsql auth proxy grant roles/cloudsql.instanceUser and
+# roles/cloudsql.client roles to the service account for the proxy.
 variable "project" {
  description = "Project ID."
  type        = string
@ -25,11 +27,40 @@ variable "private_network_id" {
  type        = string
 }

+variable "postgres_password" {
+  description = "Password for the default postgres user."
+  type        = string
+  default     = "hunter2"
+}
+
+variable "require_tls" {
+  description = "Whether or not we should require TLS when connecting to cloudsql."
+  type        = bool
+  default     = false
+}
+
 output "connection_name" {
  description = "The connection string for connecting to the cloudsql instance (for example, through cloudsql proxy)."
  value       = google_sql_database_instance.instance.connection_name
 }

+output "instance" {
+  description = "The google_sql_database_instance object."
+  value       = google_sql_database_instance.instance
+}
+
+output "certificate" {
+  description = "TLS certificate for connecting to the database."
+  value       = google_sql_ssl_cert.client_cert
+}
+
+# Needed for CloudSQL Auth Proxy
+resource "google_project_service" "sqladmin" {
+  project                    = var.project
+  service                    = "sqladmin.googleapis.com"
+  disable_dependent_services = true
+}
+
 resource "random_id" "cloudsql" {
  byte_length = 4
 }
@ -46,10 +77,28 @@ resource "google_sql_database_instance" "instance" {
    ip_configuration {
      ipv4_enabled    = false
      private_network = var.private_network_id
-      require_ssl     = true
+      require_ssl     = var.require_tls
+    }
+
+    database_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
    }
  }

  deletion_protection = "false"
  # deletion_protection = "true"
 }
+
+resource "google_sql_user" "postgres" {
+  project  = var.project
+  name     = "postgres"
+  instance = google_sql_database_instance.instance.name
+  password = var.postgres_password
+}
+
+resource "google_sql_ssl_cert" "client_cert" {
+  project     = var.project
+  common_name = "client-name"
+  instance    = google_sql_database_instance.instance.name
+}
--- a/terraform/modules/workload_identity_account/workload_identity_account.tf
+++ b/terraform/modules/workload_identity_account/workload_identity_account.tf
@ -0,0 +1,49 @@
+# Requires a google_iam_workload_identity_pool to exist, but it is not
+# referenced in this module.
+
+
+variable "project" {
+  description = "Project ID."
+  type        = string
+}
+
+variable "k8s_namespace" {
+  description = "Name of the kubernetes namespace containing the service account."
+  type        = string
+  default     = "default"
+}
+
+variable "k8s_service_account" {
+  description = "Service account name from kubernetes."
+  type        = string
+}
+
+output "service_account" {
+  description = "The google_service_account that has been bound to the kubernetes service account."
+  value       = google_service_account.service_account
+}
+
+output "cloudsql_username" {
+  description = "If this service account is to be used with IAM database authentication, this would be the username for the user. Note that the google_sql_user is not created by this module."
+  value       = trimsuffix(google_service_account.service_account.email, ".gserviceaccount.com")
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "wi-${var.k8s_namespace}-${var.k8s_service_account}"
+  display_name = "Workload identity account for GKE [${var.k8s_namespace}/${var.k8s_service_account}]"
+}
+
+data "google_iam_policy" "policy" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+
+    members = [
+      "serviceAccount:${var.project}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]",
+    ]
+  }
+}
+
+resource "google_service_account_iam_policy" "policy_binding" {
+  service_account_id = google_service_account.service_account.name
+  policy_data        = data.google_iam_policy.policy.policy_data
+}