diff --git a/main.tf b/main.tf
index 0381e1b..c3fbbfd 100644
--- a/main.tf
+++ b/main.tf
@@ -85,6 +85,8 @@ resource "google_compute_managed_ssl_certificate" "this" {
 module "helm_release" {
 source = "./modules/helm_release"
+ google_auth = var.google_auth
+
 redis_host = module.redis.redis_host
 redis_port = module.redis.redis_port
 redis_password = module.redis.redis_auth_string
diff --git a/modules/helm_release/main.tf b/modules/helm_release/main.tf
index ce83ce7..15b01d3 100644
--- a/modules/helm_release/main.tf
+++ b/modules/helm_release/main.tf
@@ -1,104 +1,66 @@
-resource "helm_release" "this" {
- name = "ctrlplane"
- chart = "ctrlplane"
- repository = "https://charts.ctrlplane.dev/"
- version = "0.1.13"
-
- set {
- name = "migrations.image.tag"
- value = "bf077e5"
- }
-
-
- set {
- name = "webservice.image.tag"
- value = "72ce135"
- }
-
-
- set {
- name = "event-worker.image.tag"
- value = "72ce135"
- }
-
-
- set {
- name = "job-policy-checker.image.tag"
- value = "72ce135"
- }
-
- set {
- name = "global.postgresql.user"
- value = var.postgres_user
- }
-
- set {
- name = "global.postgresql.password"
- value = var.postgres_password
+locals {
+ image_tags = {
+ "migrations.image.tag" = "26397ff",
+ "webservice.image.tag" = "0d18a53",
+ "event-worker.image.tag" = "0d18a53",
+ "job-policy-checker.image.tag" = "0d18a53",
 }
- set {
- name = "global.postgresql.host"
- value = var.postgres_host
+ postgres_settings = {
+ "global.postgresql.user" = var.postgres_user,
+ "global.postgresql.password" = var.postgres_password,
+ "global.postgresql.host" = var.postgres_host,
+ "global.postgresql.port" = var.postgres_port,
+ "global.postgresql.database" = var.postgres_database,
 }
- set {
- name = "global.postgresql.port"
- value = var.postgres_port
+ auth_providers_settings = {
+ "global.authProviders.google.clientId" = var.google_auth.client_id,
+ "global.authProviders.google.clientSecret" = var.google_auth.client_secret,
 }
- set {
- name = "global.postgresql.database"
- value = var.postgres_database
+ redis_settings = {
+ "global.redis.host" = var.redis_host,
+ "global.redis.password" = var.redis_password,
+ "global.redis.port" = var.redis_port,
 }
- set {
- name = "global.redis.host"
- value = var.redis_host
+ ingress_annotations = {
+ "ingress.annotations.kubernetes\\.io/ingress\\.class" = "gce",
+ "ingress.annotations.kubernetes\\.io/ingress\\.global-static-ip-name" = var.global_static_ip_name,
+ "ingress.annotations.ingress\\.gcp\\.kubernetes\\.io/pre-shared-cert" = var.pre_shared_cert,
 }
- set {
- name =
"global.redis.password"
- value = var.redis_password
- }
-
- set {
- name = "global.redis.port"
- value = var.redis_port
- }
-
- set {
- name = "ingress.annotations.kubernetes\\.io/ingress\\.class"
- value = "gce"
- }
-
- set {
- name = "ingress.annotations.kubernetes\\.io/ingress\\.global-static-ip-name"
- value = var.global_static_ip_name
- }
-
- set {
- name = "ingress.annotations.ingress\\.gcp\\.kubernetes\\.io/pre-shared-cert"
- value = var.pre_shared_cert
- }
-
- # set {
- # name = "ingress.annotations.kubernetes\\.io/ingress\\.allow-http"
- # value = "true " # idk how to make this a string not a booleaning
- # }
-
- set {
- name = "webservice.annotations.iam\\.gke\\.io/gcp-service-account"
- value = var.service_account_email
- }
-
- set {
- name = "job-policy-checker.annotations.iam\\.gke\\.io/gcp-service-account"
- value = var.service_account_email
+ service_account_annotations = {
+ "webservice.serviceAccount.create" = true,
+ "webservice.annotations.iam\\.gke\\.io/gcp-service-account" = var.service_account_email,
+ "job-policy-checker.serviceAccount.create" = true,
+ "job-policy-checker.annotations.iam\\.gke\\.io/gcp-service-account" = var.service_account_email,
+ "migrations.serviceAccount.create" = true,
+ "migrations.annotations.iam\\.gke\\.io/gcp-service-account" = var.service_account_email,
+ "event-worker.serviceAccount.create" = true,
+ "event-worker.annotations.iam\\.gke\\.io/gcp-service-account" = var.service_account_email,
 }
+}
- set {
- name = "migrations.annotations.iam\\.gke\\.io/gcp-service-account"
- value = var.service_account_email
+resource "helm_release" "this" {
+ name = "ctrlplane"
+ chart = "ctrlplane"
+ repository = "https://charts.ctrlplane.dev/"
+ version = "0.1.15"
+
+ dynamic "set" {
+ for_each = merge(
+ local.image_tags,
+ local.auth_providers_settings,
+ local.postgres_settings,
+ local.redis_settings,
+ local.ingress_annotations,
+ local.service_account_annotations
+ )
+ content {
+ name = set.key
+ value = set.value
+ }
 }
 }
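Review bot: `var.google_auth.client_secret`, `var.postgres_password` and `var.redis_password` are now routed through the single `dynamic "set"` block together with image tags and annotations, so every plan diff prints these secrets in clear; the helm provider's `set_sensitive` block exists for exactly this case and the old per-value `set` blocks had the same gap, so the refactor is the moment to fix it. Pull the three secret keys out of `auth_providers_settings`, `postgres_settings` and `redis_settings` into a dedicated local and emit them through a second `dynamic "set_sensitive"` block beside the existing one. `set_sensitive` only redacts plan and CLI output — the values are still written to state — so access control on the state backend remains the real boundary. A one-line comment on the new local, `# emitted via set_sensitive so the values are redacted from plan output`, tells the next maintainer why the split exists.
```hcl
  secret_settings = {
    "global.postgresql.password"               = var.postgres_password,
    "global.redis.password"                    = var.redis_password,
    "global.authProviders.google.clientSecret" = var.google_auth.client_secret,
  }
  # … unchanged: image_tags, postgres_settings, auth_providers_settings, redis_settings (minus the three keys above), ingress_annotations, service_account_annotations …

  # … unchanged: dynamic "set" over the merged non-secret locals …

  dynamic "set_sensitive" {
    for_each = local.secret_settings
    content {
      name  = set_sensitive.key
      value = set_sensitive.value
    }
  }
```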
diff --git a/modules/helm_release/variables.tf b/modules/helm_release/variables.tf
index ff41594..e308cd5 100644
--- a/modules/helm_release/variables.tf
+++ b/modules/helm_release/variables.tf
@@ -49,4 +49,12 @@ variable "global_static_ip_name" {
 variable "pre_shared_cert" {
 type = string
+}
+
+variable "google_auth" {
+ type = object({
+ client_id = string
+ client_secret = string
+ })
+ description = "The Google OAuth client ID and secret."
 }
\ No newline at end of file
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
index 834f60c..ca4aa70 100644
--- a/modules/service_accounts/main.tf
+++ b/modules/service_accounts/main.tf
@@ -33,6 +33,7 @@ resource "google_service_account_iam_binding" "gke" {
 members = [
 "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-webservice]",
 "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-job-policy-checker]",
- "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]"
+ "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]",
+ "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-worker]",
 ]
 }
diff --git a/variables.tf b/variables.tf
index e87a538..f6b6620 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,3 +43,11 @@ variable "domains" {
 description = "The domains to use for the SSL certificate."
 type = list(string)
 }
+
+variable "google_auth" {
+ type = object({
+ client_id = string
+ client_secret = string
+ })
+ description = "The Google OAuth client ID and secret."
+}
\ No newline at end of file
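Review bot: The new `variable "google_auth"` block carries `client_secret` but is not declared `sensitive = true`, so the object is echoed verbatim in plan output and in any error message or `terraform output` that references it; add `sensitive = true` after the `description` line. The identical declaration added to the root `variables.tf` in the last hunk of this diff has the same gap and should get the same attribute. Marking the variable sensitive propagates through `module.helm_release` automatically, but it does not keep the value out of state, so the state backend still needs to be treated as secret storage.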
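Review bot: The new `ctrlplane-event-worker` member in `google_service_account_iam_binding.gke` only grants anything if a Kubernetes service account with exactly that name exists in `local.gke_namespace`; the matching `event-worker.serviceAccount.create = true` lives in the helm_release module, and nothing in this file records that the two must agree, so a chart-side rename would silently leave the worker without its GCP identity. A comment above `members`, such as `# KSA names must match the serviceAccount names the ctrlplane chart creates (see modules/helm_release)`, makes the coupling visible. Since `google_service_account_iam_binding` is authoritative for its role, the list also deserves a note that any member granted outside Terraform is removed on the next apply — presumably intended, but worth stating.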