terraform: adjust worker config

Remove the load balancer config. We will not be using a load balancer.

Make more variables private, by removing them from the config.

Add a README.

Improve how the issue repo is specified.

Configure a GitHub access token.

Add a .gitignore file for terraform's internal data.

Change-Id: Ifeaa4528faa9988be424af3c943d50791c0405ff
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373674
Trust: Jonathan Amsterdam <[email protected]>
Run-TryBot: Jonathan Amsterdam <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>

Author: jba

.gitignore

@@ -0,0 +1,3 @@
+**/.terraform/*
+.terraform.lock.hcl
+terraform/terraform.tfvars

terraform/README.md

@@ -0,0 +1,60 @@
+# Terraform configuration for vuln worker
+
+## External variables
+
+Some inputs to this config are not checked into the repo.
+You can provide them on the `terraform` command line,
+or create a `terraform.tfvars` file in this directory
+with the information, like this one:
+
+```
+prod_project    = "prod-project"
+prod_issue_repo = "org/repo"
+prod_client_id  = "[email protected]"
+
+dev_project    = "dev-project"
+dev_issue_repo = "org/dev-repo"
+dev_client_id  = "abc@@apps.googleusercontent.com"
+```
+
+`terraform.tfvars` is in the repo's `.gitignore` file, so it won't show up in
+`git status`. **Do not** check it into the repo.
+
+## Cloud Run image
+
+We use terraform to set up the Cloud Run service, but we deploy in other ways.
+Our deploy process changes only the Docker image for the service. If we
+hardcoded a Docker image into the config, our config would often be out of date
+(since we apply it rarely compared to deploying), and we would risk overwriting
+a newer image with the old one in the config.
+
+For that reason, the Docker image in the config is obtained from the service
+itself, by using a `data` block:
+
+```
+resource "google_cloud_run_service" "worker" {
+  ...
+  template {
+    spec {
+      containers {
+        image = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
+  ...
+}
+
+data "google_cloud_run_service" "worker" {
+  name     = "${var.env}-vuln-worker"
+  project  = var.project
+  location = var.region
+}
+```
+
+This works fine once the service exists, but before it does we have a circularity:
+to create the service we need to get the image from the service!
+
+So to create the service:
+
+1. Build and push a Docker image.
+2. Replace the `data.google_cloud_run_service.worker` expressions (there are
+   two) with the actual image label.
+3. Run `terraform apply`.
+4. Undo the replacement.

terraform/environment/worker.tf

@@ -37,8 +37,8 @@ variable "oauth_client_id" {
   type = string
 }
 
-variable "oauth_client_secret" {
-  description = "OAuth 2 client ID (visit APIs & Services > Credentials, click on client)"
+variable "issue_repo" {
+  description = "name of GitHub repo to post issues on"
   type = string
 }
 
@@ -47,6 +47,7 @@ variable "oauth_client_secret" {
 # Cloud Run service.
 
 resource "google_cloud_run_service" "worker" {
+  provider = google-beta
 
   lifecycle {
     ignore_changes = [
@@ -64,8 +65,9 @@ resource "google_cloud_run_service" "worker" {
   template {
     spec {
       containers {
-	# Don't hardcode the image here; get it from GCP. See the "data" block
-	# below for more.
+	# Get the image from GCP (see the "data" block below).
+	# Exception: when first creating the service, replace this with a hardcoded
+	# image tag.
 	image = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
         env {
           name  = "GOOGLE_CLOUD_PROJECT"
@@ -81,7 +83,16 @@ resource "google_cloud_run_service" "worker" {
 	}
 	env {
 	  name = "VULN_WORKER_ISSUE_REPO"
-	  value = var.env == "dev"? "": "golang/vulndb"
+	  value = var.issue_repo
+	}
+	env {
+	  name = "VULN_GITHUB_ACCESS_TOKEN"
+	  value_from {
+	    secret_key_ref {
+	      name = google_secret_manager_secret.vuln_github_access_token.secret_id
+	      key = "latest"
+	    }
+	  }
 	}
 	env{
           name  = "VULN_WORKER_USE_PROFILER"
@@ -95,7 +106,7 @@ resource "google_cloud_run_service" "worker" {
         }
       }
 
-      service_account_name = "frontend@${var.project}.iam.gserviceaccount.com"
+      service_account_name = data.google_compute_default_service_account.default.email
       # 60 minutes is the maximum Cloud Run request time.
       timeout_seconds = 60 * 60
     }
@@ -104,7 +115,7 @@ resource "google_cloud_run_service" "worker" {
       annotations = {
         "autoscaling.knative.dev/minScale"  = var.min_frontend_instances
         "autoscaling.knative.dev/maxScale"  = "1"
-	"client.knative.dev/user-image"     = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
+	#"client.knative.dev/user-image"     = data.google_cloud_run_service.worker.template[0].spec[0].containers[0].image
       }
     }
   }
@@ -129,83 +140,31 @@ data "google_cloud_run_service" "worker" {
 }
 
 ################################################################
-# Load balancer for Cloud Run service.
+# Other components.
 
-resource "google_compute_region_network_endpoint_group" "worker" {
-  count = var.oauth_client_secret == ""? 0: 1
-  name         = "${var.env}-vuln-worker-neg"
-  network_endpoint_type = "SERVERLESS"
-  project = var.project
-  region = var.region
-  cloud_run {
-    service = google_cloud_run_service.worker.name
-  }
+locals {
+  tz = "America/New_York"
 }
 
-module "worker_lb" {
-  count = var.oauth_client_secret == ""? 0: 1
-  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
-  version = "~> 6.1.1"
-
-  name = "${var.env}-vuln-worker-lb"
+resource google_secret_manager_secret "vuln_github_access_token" {
+  secret_id = "vuln-${var.env}-github-access-token"
   project = var.project
-
-  ssl                             = true
-  managed_ssl_certificate_domains = ["${var.env}-vuln-worker.go.dev"]
-  https_redirect                  = true
-
-  backends = {
-    default = {
-      description = null
-      groups = [
-        {
-	  group = google_compute_region_network_endpoint_group.worker[0].id
-        }
-      ]
-      enable_cdn              = false
-      security_policy         = null
-      custom_request_headers  = null
-      custom_response_headers = null
-
-      iap_config = {
-        enable               = true
-        oauth2_client_id     = var.oauth_client_id
-        oauth2_client_secret = var.oauth_client_secret
-      }
-      log_config = {
-        enable      = false
-        sample_rate = null
-      }
-    }
+  replication {
+    automatic = true
   }
 }
 
-output "worker_url" {
-  value = data.google_cloud_run_service.worker.status[0].url
-}
-
-output "load_balancer_ip" {
-  value = var.oauth_client_secret == ""? "": module.worker_lb[0].external_ip
-}
-
-################################################################
-# Other components.
-
-locals {
-  tz = "America/New_York"
-}
-
 data "google_compute_default_service_account" "default" {
   project = var.project
 }
 
-resource "google_cloud_scheduler_job" "issue_triage" {
-  name             = "${var.env}-issue-triage"
+resource "google_cloud_scheduler_job" "vuln_issue_triage" {
+  name             = "vuln-${var.env}-issue-triage"
   description      = "Updates the DB and files issues."
   schedule         = "0 * * * *" # every hour
   time_zone        = local.tz
   project          = var.project
-  attempt_deadline = format("%ds", 60 * 60)
+  attempt_deadline = format("%ds", 30 * 60)
 
   http_target {
     http_method = "POST"

terraform/main.tf

@@ -33,35 +33,58 @@ provider "google" {
 # by you, and pass them to terraform.
 # See https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files.
 
-variable "prod_client_secret" {
-  description = "OAuth 2 client secret for prod"
+
+variable "prod_project" {
+  description = "GCP project where resources live"
   type        = string
-  sensitive   = true
 }
 
+variable "prod_issue_repo" {
+  description = "repo where issues are filed"
+  type        = string
+}
 
+variable "prod_client_id" {
+  description = "OAuth2 client ID"
+  type        = string
+}
+
+variable "dev_project" {
+  description = "GCP project where resources live"
+  type        = string
+}
+
+variable "dev_issue_repo" {
+  description = "repo where issues are filed"
+  type        = string
+}
+
+variable "dev_client_id" {
+  description = "OAuth2 client ID"
+  type        = string
+}
 
 # Deployment environments
 
 module "dev" {
   source                 = "./environment"
   env                    = "dev"
-  project                = "go-discovery-exp"
+  project                = var.dev_project
   region                 = local.region
   use_profiler           = false
   min_frontend_instances = 0
-  oauth_client_id              = "55665122702-tk2rogkaalgru7pqibvbltqs7geev8j5.apps.googleusercontent.com"
-  oauth_client_secret          = ""  # go-discovery-exp does not allow external load balancers
+  oauth_client_id        = var.dev_client_id
+  issue_repo             = var.dev_issue_repo
 }
 
-# module "prod" {
-#   source                 = "./environment"
-#   env                    = "prod"
-#   project                = "golang-org"
-#   region                 = local.region
-#   use_profiler           = true
-#   min_frontend_instances = 1
-#   client_id              = "unknown"
-#   client_secret          = var.prod_client_secret
-# }
+module "prod" {
+  source                 = "./environment"
+  env                    = "prod"
+  project                = var.prod_project
+  region                 = local.region
+  use_profiler           = true
+  min_frontend_instances = 1
+  oauth_client_id        = var.prod_client_id
+  issue_repo             = var.prod_issue_repo
+}