Merge pull request #4 from sizzldev/redis-updates

fix: Redis updates and sa cluster permissions

main.tf

@@ -5,9 +5,11 @@ module "project_factory_project_services" {
   disable_dependent_services  = false
   disable_services_on_destroy = false
   activate_apis = [
-    "sqladmin.googleapis.com",          // Database
-    "networkmanagement.googleapis.com", // Networking
-    "servicenetworking.googleapis.com", // Networking
+    "iam.googleapis.com",
+    "sqladmin.googleapis.com",
+    "networkmanagement.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "redis.googleapis.com",
   ]
 }
 
@@ -36,8 +38,9 @@ module "redis" {
   source    = "./modules/redis"
   namespace = var.namespace
 
-  tier           = var.redis_tier
-  memory_size_gb = var.redis_memory_size_gb
+  tier                = var.redis_tier
+  memory_size_gb      = var.redis_memory_size_gb
+  rdb_snapshot_period = var.redis_rdb_snapshot_period
 
   network_id = module.networking.network_id
 }

modules/gke/main.tf

@@ -1,3 +1,9 @@
+data "google_client_config" "current" {}
+
+locals {
+  project_id = data.google_client_config.current.project
+}
+
 resource "google_container_cluster" "this" {
   name = "${var.namespace}-cluster"
 
@@ -8,8 +14,8 @@ resource "google_container_cluster" "this" {
 
   deletion_protection = var.deletion_protection
 
-  node_config {
-    service_account = var.service_account_email
+  workload_identity_config {
+    workload_pool = "${local.project_id}.svc.id.goog"
   }
 
   release_channel {

modules/redis/main.tf

@@ -9,5 +9,12 @@ resource "google_redis_instance" "this" {
 
   auth_enabled = true
 
-  transit_encryption_mode = "SERVER_AUTHENTICATION"
+  redis_configs = {
+    maxmemory-policy = "noeviction"
+  }
+
+  persistence_config {
+    persistence_mode    = "RDB"
+    rdb_snapshot_period = var.rdb_snapshot_period
+  }
 }

modules/redis/outputs.tf

@@ -1,7 +1,3 @@
-output "redis_ca_cert" {
-  value = google_redis_instance.this.server_ca_certs[0].cert
-}
-
 output "redis_auth_string" {
   value = google_redis_instance.this.auth_string
 }

modules/redis/variables.tf

@@ -17,3 +17,8 @@ variable "memory_size_gb" {
   description = "The memory size for the Redis instance."
   type        = number
 }
+
+variable "rdb_snapshot_period" {
+  description = "The snapshot period for the Redis instance."
+  type        = string
+}

modules/service_accounts/main.tf

@@ -16,8 +16,22 @@ locals {
   project_id = data.google_client_config.current.project
 }
 
-resource "google_project_iam_member" "this" {
+resource "google_project_iam_member" "cloudsql_client" {
   project = local.project_id
   role    = "roles/cloudsql.client"
   member  = local.sa_member
 }
+
+resource "google_project_iam_member" "sa_creator" {
+  project = local.project_id
+  role    = "roles/iam.serviceAccountCreator"
+  member  = local.sa_member
+}
+
+resource "google_service_account_iam_binding" "this" {
+  service_account_id = google_service_account.this.id
+  role               = "roles/iam.workloadIdentityUser"
+  members = [
+    "serviceAccount:${local.project_id}.svc.id.goog[default/ctrlplane-${var.namespace}-sa]"
+  ]
+}

outputs.tf

@@ -18,11 +18,6 @@ output "database_instance_private_ip_address" {
   description = "The private IP address of the database instance."
 }
 
-output "redis_ca_cert" {
-  value       = module.redis.redis_ca_cert
-  description = "The CA certificate of the Redis instance."
-}
-
 output "redis_auth_string" {
   value       = module.redis.redis_auth_string
   description = "The authentication string of the Redis instance."

variables.tf

@@ -27,6 +27,12 @@ variable "redis_memory_size_gb" {
   default     = 1
 }
 
+variable "redis_rdb_snapshot_period" {
+  description = "The snapshot period for the Redis instance."
+  type        = string
+  default     = "ONE_HOUR"
+}
+
 variable "deletion_protection" {
   description = "Whether to enable deletion protection for the resources."
   type        = bool