server-1704 | Terraform format (#139)

* server-1704 - applied terraform format * server-1713 | added new example in ReadMe file * server-1713 | add k8s_namespace in example * added k8s_namespace in readme file Co-authored-by: Atul Singh <[email protected]>
CircleCI-Public · Mar 24, 2022 · 41ee1ea · 41ee1ea
1 parent f49d116
commit 41ee1ea
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 29 deletions.
diff --git a/nomad-aws/nomad-autoscaler.tf b/nomad-aws/nomad-autoscaler.tf
@@ -13,8 +13,8 @@ resource "aws_iam_access_key" "nomad_asg_user" {
 resource "aws_iam_user_policy" "nomad_asg_user" {
   count = local.autoscaler_type == "user" ? 1 : 0
 
-  name   = "${var.basename}-nomad-asg-user-policy"
-  user   = aws_iam_user.nomad_asg_user[0].name
+  name = "${var.basename}-nomad-asg-user-policy"
+  user = aws_iam_user.nomad_asg_user[0].name
   policy = templatefile("${path.module}/template/nomad_asg_policy.tpl", {
     "ASG_ARN" = aws_autoscaling_group.clients_asg.arn
   })
@@ -24,18 +24,18 @@ resource "aws_iam_user_policy" "nomad_asg_user" {
 resource "aws_iam_role" "nomad_role" {
   count = local.autoscaler_type == "role" ? 1 : 0
 
-  name                    = "${var.basename}-circleci-nomad-autoscaler-irsa-role"
-  assume_role_policy      = templatefile("${path.module}/template/nomad_irsa_trust_policy.tpl", {
-                              OIDC_PRINCIPAL_ID     = lookup(var.enable_irsa, "oidc_principal_id", "")
-                              OIDC_EKS_VARIABLE     = lookup(var.enable_irsa, "oidc_eks_variable", "")
-                              K8S_SERVICE_ACCOUNT   = lookup(var.enable_irsa, "k8s_service_account", "")
-                            })
+  name = "${var.basename}-circleci-nomad-autoscaler-irsa-role"
+  assume_role_policy = templatefile("${path.module}/template/nomad_irsa_trust_policy.tpl", {
+    OIDC_PRINCIPAL_ID   = lookup(var.enable_irsa, "oidc_principal_id", "")
+    OIDC_EKS_VARIABLE   = lookup(var.enable_irsa, "oidc_eks_variable", "")
+    K8S_SERVICE_ACCOUNT = lookup(var.enable_irsa, "k8s_service_account", "")
+  })
 
   inline_policy {
-                name      = "${var.basename}-circleci-nomad-autoscaler-role-policy"
-                policy    = templatefile("${path.module}/template/nomad_asg_policy.tpl", {
-                              "ASG_ARN" = aws_autoscaling_group.clients_asg.arn
-                            })
+    name = "${var.basename}-circleci-nomad-autoscaler-role-policy"
+    policy = templatefile("${path.module}/template/nomad_asg_policy.tpl", {
+      "ASG_ARN" = aws_autoscaling_group.clients_asg.arn
+    })
   }
-  tags                    = local.tags
+  tags = local.tags
 }
diff --git a/nomad-aws/variables.tf b/nomad-aws/variables.tf
@@ -117,7 +117,7 @@ variable "enable_irsa" {
 
 
 locals {
-  tags = merge ({ "environment" = var.basename}, var.instance_tags)
+  tags = merge({ "environment" = var.basename }, var.instance_tags)
 
   # If nomad_auto_scaler is true and enable_irsa is empty - set autoscaler_type=user
   # If nomad_auto_scaler is true and enable_irsa is not empty - set autoscaler_type=role

diff --git a/nomad-gcp/README.md b/nomad-gcp/README.md
@@ -29,7 +29,38 @@ output "module" {
 }
 ```
 
-There are more examples in the `examples` directory.
+Use latest codebase:
+
+```Terraform
+provider "google-beta" {
+  project = "my-project"
+  region  = "us-east1"
+  zone    = "us-east1-a"
+}
+
+module "nomad" {
+  # we are using latest code for gcp nomad client here, but We strongly recommend pinning the version using ref=<<release tag>> as in above example
+  source = ""git::https://github.com/CircleCI-Public/server-terraform.git//nomad-gcp"
+
+  name            = "test"
+  zone            = "us-east1-a"
+  region          = "us-east1"
+  network         = "default"
+  subnetwork      = "default"
+  server_endpoint = "nomad.example.com:4647"
+
+  # Autoscaling for Managed Instance Group
+  nomad_auto_scaler        = true       # If true, will generate a service account to be used by nomad-autoscaler. The is output in the file nomad-as-key.json if enable_workload_identity is false
+  enable_workload_identity = false       # If using GCP work identities rather than static keys in CircleCI Server
+  k8s_namespace            = "circleci-server"            # If enable_workload_identity is true, provide k8s_namespace else leave as is
+}
+
+output "module" {
+  value = module.nomad
+}
+```
+
+There are more examples in the [examples](./examples/) directory.
 
 ## Requirements
 
@@ -86,7 +117,6 @@ There are more examples in the `examples` directory.
 | unsafe\_disable\_mtls | Disables mTLS between nomad client and servers. Compromises the authenticity and confidentiality of client-server communication. Should not be set to true in any production setting | `bool` | `false` | no |
 | zone | GCP compute zone to deploy nomad clients into (e.g us-east1-a) | `string` | n/a | yes |
 | enable_workload_identity | Enable nomad service account as gcp workload identity | `bool` | `false` | no |
-| project | GCP Project ID | `string` | n/a | Yes, if enable_workload_identity is true |
 | k8s_namespace | k8s namespace where application is installed | `string` | `circleci-server` | Yes, if enable_workload_identity is true |
 
 ## Outputs

diff --git a/nomad-gcp/examples/basic/main.tf b/nomad-gcp/examples/basic/main.tf
@@ -63,12 +63,17 @@ variable "enable_workload_identity" {
   description = "If true, Workload Identity will be used rather than static credentials'"
 }
 
+variable "k8s_namespace" {
+  type        = string
+  default     = "circleci-server"
+  description = "If enable_workload_identity is true, provide application k8s namespace"
+}
+
 variable "machine_type" {
   type    = string
   default = "n2-standard-8"
 }
 
-
 provider "google-beta" {
   project = var.project
   region  = var.region
@@ -98,7 +103,7 @@ module "nomad" {
   max_replicas             = var.max_replicas      # Max and Min replica values should match the values intended to be used by nomad autoscaler in CircleCI Server
   min_replicas             = var.min_replicas
   enable_workload_identity = var.enable_workload_identity # If using GCP work identities rather than static keys in CircleCI Server
-
+  k8s_namespace            = var.k8s_namespace            # If enable_workload_identity is true, provide k8s_namespace else leave as is
 }
 
 output "module" {

diff --git a/nomad-gcp/examples/basic/terraform.tfvars_template b/nomad-gcp/examples/basic/terraform.tfvars_template
@@ -7,6 +7,6 @@ subnetwork                  = "default"
 min_replicas                = 1
 nomad_auto_scaler           = true
 server_endpoint             = "nomad.exmaple.com:4647"
-enable_workload_identity    = true
-machine_type                = "n2-standard-8"
-k8s_namespace               = "circleci-server" # Yes, if enable_workload_identity is true
+machine_type                = "n2-sqtandard-8"
+enable_workload_identity    = false
+k8s_namespace               = "circleci-server"    # You must set k8s_namespace if enable_workload_identity is true
diff --git a/nomad-gcp/nomad-autoscaler.tf b/nomad-gcp/nomad-autoscaler.tf
@@ -28,7 +28,7 @@ resource "google_service_account_iam_binding" "nomad_as_work_identity_k8s" {
   service_account_id = google_service_account.nomad_as_service_account[0].name
   role               = "roles/iam.workloadIdentityUser"
   members = [
-    "serviceAccount:${var.project}.svc.id.goog[${var.k8s_namespace}/nomad-autoscaler]",
+    "serviceAccount:${data.google_project.project.project_id}.svc.id.goog[${var.k8s_namespace}/nomad-autoscaler]",
   ]
 }
 

diff --git a/nomad-gcp/variables.tf b/nomad-gcp/variables.tf
@@ -149,10 +149,4 @@ variable "k8s_namespace" {
   type        = string
   default     = "circleci-server"
   description = "If enable_workload_identity is true, provide application k8s namespace"
-}
-
-variable "project" {
-  type        = string
-  default     = "project-id"
-  description = "GCP Project ID"
-}
+}