refactor terraform and fix kafka authentication

redbadger · Dec 11, 2023 · d0dcaaa · d0dcaaa
1 parent bf3e2eb
commit d0dcaaa
Show file tree

Hide file tree

Showing 13 changed files with 279 additions and 157 deletions.
diff --git a/infrastructure/cluster/main.tf b/infrastructure/cluster/main.tf
@@ -0,0 +1,60 @@
+provider "google" {
+  project = "platform-poc-407113"
+}
+
+module "shared_vars" {
+  source = "../shared"
+}
+
+resource "google_container_cluster" "primary" {
+  name     = "${module.shared_vars.project_id}-cluster"
+  location = module.shared_vars.region
+  deletion_protection = false
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+
+  workload_identity_config {
+    workload_pool = "${module.shared_vars.project_id}.svc.id.goog"
+  }
+}
+
+resource "google_container_node_pool" "primary_nodes" {
+  name       = "primary-node-pool"
+  location   = module.shared_vars.region
+  cluster    = google_container_cluster.primary.name
+  node_count = 1
+
+  node_config {
+    machine_type = "e2-standard-2"
+    service_account = google_service_account.workload-identity-user-sa.email
+  }
+}
+
+resource "google_service_account" "workload-identity-user-sa" {
+  account_id   = "cloud-sql-client-sa"
+  display_name = "Cloud SQL Client Service Account"
+  description  = "Service account used for Cloud SQL Auth PRoxy"
+}
+
+resource "google_project_iam_member" "sql-client-role" {
+  project = module.shared_vars.project_id
+  role    = "roles/cloudsql.client"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+resource "google_project_iam_member" "datastore-user-role" {
+  project = module.shared_vars.project_id
+  role    = "roles/datastore.user"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+resource "google_project_iam_member" "storage-role" {
+  project = module.shared_vars.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
+}
+
+output "node_pool_service_account" {
+  value = google_service_account.workload-identity-user-sa.email
+}
diff --git a/infrastructure/cluster/versions.tf b/infrastructure/cluster/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "= 5.8.0"
+    }
+  }
+
+  required_version = ">= 1.6.5"
+}
diff --git a/infrastructure/kubernetes/main.tf b/infrastructure/kubernetes/main.tf
@@ -0,0 +1,55 @@
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+  config_context = module.shared_vars.kubernetes_context
+}
+
+module "shared_vars" {
+  source = "../shared"
+}
+
+variable "pg_user" {
+  description = "Username for Postgres Cloud SQL database"
+}
+
+variable "pg_password" {
+  description = "password for Postgres Cloud SQL database"
+}
+
+variable "pg_database" {
+  description = "Postgres Cloud SQL database name"
+}
+
+data "terraform_remote_state" "workload-identity-user-sa" {
+  backend = "local"
+
+  config = {
+    path = "../cluster/terraform.tfstate"
+  }
+}
+
+resource "google_project_iam_member" "workload_identity-role" {
+  project = module.shared_vars.project_id
+  role    = "roles/iam.workloadIdentityUser"
+  member  = "serviceAccount:${module.shared_vars.project_id}.svc.id.goog[default/${kubernetes_service_account.ksa.metadata[0].name}]"
+}
+
+resource "kubernetes_service_account" "ksa" {
+  metadata {
+    name        = "kubernetes-service-account"
+    annotations = {
+      "iam.gke.io/gcp-service-account" = data.terraform_remote_state.workload-identity-user-sa.outputs.node_pool_service_account
+    }
+  }
+}
+
+resource "kubernetes_secret" "db_secrets" {
+  metadata {
+    name = "postgres-db-secrets"
+  }
+
+  data = {
+    username = var.pg_user
+    password = var.pg_password
+    database = var.pg_database
+  }
+}
diff --git a/infrastructure/versions.tf → infrastructure/kubernetes/versions.tf b/infrastructure/versions.tf → infrastructure/kubernetes/versions.tf
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
diff --git a/infrastructure/shared/shared.tf b/infrastructure/shared/shared.tf
@@ -0,0 +1,17 @@
+locals {
+  project_id         = "platform-poc-407113"
+  region             = "europe-west2"
+  kubernetes_context = "gke_platform-poc-407113_europe-west2_platform-poc-407113-cluster"
+}
+
+output "project_id" {
+  value = local.project_id
+}
+
+output "region" {
+  value = local.region
+}
+
+output "kubernetes_context" {
+  value = local.kubernetes_context
+}
diff --git a/infrastructure/shared/versions.tf b/infrastructure/shared/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "= 5.8.0"
+    }
+  }
+
+  required_version = ">= 1.6.5"
+}
diff --git a/infrastructure/storage/main.tf b/infrastructure/storage/main.tf
@@ -0,0 +1,59 @@
+provider "google" {
+  project = "platform-poc-407113"
+}
+
+module "shared_vars" {
+  source = "../shared"
+}
+
+variable "pg_user" {
+  description = "Username for Postgres Cloud SQL database"
+}
+
+variable "pg_password" {
+  description = "password for Postgres Cloud SQL database"
+}
+
+variable "pg_database" {
+  description = "Postgres Cloud SQL database name"
+}
+
+resource "google_sql_database" "database_orders" {
+  name     = "order-service"
+  instance = google_sql_database_instance.instance.name
+}
+
+resource "google_sql_database" "database_inventory" {
+  name     = "inventory-service"
+  instance = google_sql_database_instance.instance.name
+}
+
+resource "google_sql_user" "user" {
+  name     = var.pg_user
+  instance = google_sql_database_instance.instance.name
+  password = var.pg_password
+}
+
+resource "google_sql_database_instance" "instance" {
+  name             = "${module.shared_vars.project_id}-pg"
+  region           = module.shared_vars.region
+  database_version = "POSTGRES_15"
+  settings {
+    tier = "db-f1-micro"
+    database_flags {
+      name  = "max_connections"
+      value = "50"
+    }
+  }
+
+  deletion_protection = "false"
+}
+
+resource "google_firestore_database" "datastore_database" {
+  project                 = module.shared_vars.project_id
+  name                    = "(default)"
+  location_id             = module.shared_vars.region
+  type                    = "DATASTORE_MODE"
+  delete_protection_state = "DELETE_PROTECTION_DISABLED"
+  deletion_policy         = "DELETE"
+}
diff --git a/infrastructure/storage/versions.tf b/infrastructure/storage/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.6.5"
+}
diff --git a/infrastructure/terraform.tfvars b/infrastructure/terraform.tfvars
diff --git a/order-service/src/main/resources/application.properties b/order-service/src/main/resources/application.properties
@@ -28,13 +28,11 @@ resilience4j.timelimiter.instances.inventory.timeout-duration=3s
 resilience4j.retry.instances.inventory.max-attempts=3
 resilience4j.retry.instances.inventory.wait-duration=5s
 
-spring.zipkin.base-url=${ZIPKIN_URL}
-spring.sleuth.sampler.probability= 1.0
 
 # Kafka Properties
 spring.kafka.bootstrap-servers=${KAFKA_URL}
 spring.kafka.template.default-topic=notificationTopic
 spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer
 spring.kafka.producer.value-serializer=org.springframework.kafka.support.serializer.JsonSerializer
 spring.kafka.producer.properties.spring.json.type.mapping=event:com.redbadger.orderservice.event.OrderPlacedEvent
-
+spring.kafka.properties.security.protocol=PLAINTEXT