Add Terraform Linting (#638)

Makefile

@@ -783,7 +783,7 @@ vet:
 golangci: build/toolchain/bin/golangci-lint$(EXE_EXTENSION)
 	GO111MODULE=on $(GOLANGCI) run --config=$(REPOSITORY_ROOT)/.golangci.yaml
 
-lint: fmt vet golangci lint-chart
+lint: fmt vet golangci lint-chart terraform-lint
 
 assets: all-protos tls-certs third_party/ build/chart/
 
@@ -851,15 +851,25 @@ else
 	$(SED_REPLACE) 's/$$EVALUATION_MODE/ALWAYS_ALLOW/g' $(BUILD_DIR)/policies/binauthz.yaml
 endif
 
+terraform-test: install/terraform/open-match/.terraform/ install/terraform/open-match-build/.terraform/
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) validate)
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match-build/ && $(TERRAFORM) validate)
+
 terraform-plan: install/terraform/open-match/.terraform/
 	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) plan -var gcp_project_id=$(GCP_PROJECT_ID) -var gcp_location=$(GCP_LOCATION))
 
+terraform-lint: build/toolchain/bin/terraform$(EXE_EXTENSION)
+	$(TERRAFORM) fmt -recursive
+
 terraform-apply: install/terraform/open-match/.terraform/
 	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) apply -var gcp_project_id=$(GCP_PROJECT_ID) -var gcp_location=$(GCP_LOCATION))
 
 install/terraform/open-match/.terraform/: build/toolchain/bin/terraform$(EXE_EXTENSION)
 	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) init)
 
+install/terraform/open-match-build/.terraform/: build/toolchain/bin/terraform$(EXE_EXTENSION)
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match-build/ && $(TERRAFORM) init)
+
 build/certificates/: build/toolchain/bin/certgen$(EXE_EXTENSION)
 	mkdir -p $(BUILD_DIR)/certificates/
 	cd $(BUILD_DIR)/certificates/ && $(CERTGEN)
@@ -885,7 +895,7 @@ ci-reap-clusters: build/toolchain/bin/reaper$(EXE_EXTENSION)
 
 # For presubmit we want to update the protobuf generated files and verify that tests are good.
 presubmit: GOLANG_TEST_COUNT = 5
-presubmit: clean update-deps third_party/ assets lint build install-toolchain test md-test
+presubmit: clean update-deps third_party/ assets lint build install-toolchain test md-test terraform-test
 
 build/release/: presubmit clean-install-yaml install/yaml/
 	mkdir -p $(BUILD_DIR)/release/

cloudbuild.yaml

@@ -128,6 +128,11 @@ steps:
     path: '/go'
   waitFor: ['Build: Assets', 'Build: Deployment Configs']
 
+- id: 'Test: Terraform Configuration'
+  name: 'gcr.io/$PROJECT_ID/open-match-build'
+  args: ['make', 'terraform-test']
+  waitFor: ['Build: Install Toolchain']
+
 - id: 'Test: Create Cluster'
   name: 'gcr.io/$PROJECT_ID/open-match-build'
   args: ['make', 'SHORT_SHA=${SHORT_SHA}', 'delete-gke-cluster', 'create-gke-cluster', 'push-helm']

install/terraform/open-match-build/README.md

@@ -12,7 +12,8 @@ If you're making changes to these files you must check in the .tfstate file as
 well as comment the reason why you're enabling a feature or making a change.
 
 ## GCP Service Account Setup
-To use the terraform templates when developing Open Match, you need to have the [credential of your service account](https://www.terraform.io/docs/providers/google/provider_reference.html#credentials-1) associated with your Open Match project. The terraform templates would read the credentials from `./creds.json` file to authenticate with GCP.
+To use the terraform templates when developing Open Match, you need to have the [credential of your service account](https://www.terraform.io/docs/providers/google/provider_reference.html#credentials-1) associated with your Open Match project.
+
 ```bash
 # Example: Generates the key file in GCP.
 # Create the service account. Replace [NAME] with a name for the service account.
@@ -21,6 +22,8 @@ gcloud iam service-accounts create [NAME]
 gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"
 # Generate the key file for terraform authentication.
 gcloud iam service-accounts keys create ./creds.json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com
+# Set the environment variable for Terraform to pick up the credentials.
+export GOOGLE_APPLICATION_CREDENTIALS=$PWD/creds.json
 ```
 
 

install/terraform/open-match-build/open-match-build.tf

@@ -14,65 +14,65 @@
 
 variable "gcp_project_id" {
   description = "GCP Project ID"
-  default = "open-match-build"
+  default     = "open-match-build"
 }
 
 variable "gcp_region" {
   description = "Location where resources in GCP will be located."
-  default = "us-west1"
+  default     = "us-west1"
 }
 
 variable "gcp_zone" {
   description = "Location where resources in GCP will be located."
-  default = "us-west1-b"
+  default     = "us-west1-b"
 }
 
 variable "vpc_flow_logs" {
   description = "Enables VPC network flow logs for debugging."
-  default = "false"
+  default     = "false"
 }
 
 provider "null" {
 }
 
 provider "google" {
-  version = ">=0.0.0"
+  version = ">=2.8"
   project = "${var.gcp_project_id}"
-  region = "${var.gcp_region}"
+  region  = "${var.gcp_region}"
 }
 
 provider "google-beta" {
-  version = ">=0.0.0"
+  version = ">=2.8"
   project = "${var.gcp_project_id}"
-  region = "${var.gcp_region}"
+  region  = "${var.gcp_region}"
 }
 
 # Create a manual-mode GCP regionalized network for CI.
 # We'll create GKE clusters outside of the "default" auto-mode network so that we can have many subnets.
 resource "google_compute_network" "ci_network" {
-  name = "open-match-ci"
-  description = "VPC Network for Continuous Integration runs."
+  name                    = "open-match-ci"
+  description             = "VPC Network for Continuous Integration runs."
   auto_create_subnetworks = false
-  routing_mode = "REGIONAL"
+  routing_mode            = "REGIONAL"
 }
 
 # We create 60 subnetworks so that each GKE cluster we create in CI can run on it's own subnet.
 # This is to workaround a bug in GKE where it cannot tolerate creating 2 clusters on the same subnet at the same time.
 resource "google_compute_subnetwork" "ci_subnet" {
-  count = 60
-  name          = "ci-${var.gcp_region}-${count.index}"
-  ip_cidr_range = "10.0.${count.index}.0/24"
-  region        = "${var.gcp_region}"
-  network       = "${google_compute_network.ci_network.self_link}"
-  enable_flow_logs = "${var.vpc_flow_logs}"
-  description = "Subnetwork for continuous integration build that runs on the :${count.index} second."
+  count                    = 60
+  name                     = "ci-${var.gcp_region}-${count.index}"
+  ip_cidr_range            = "10.0.${count.index}.0/24"
+  region                   = "${var.gcp_region}"
+  network                  = "${google_compute_network.ci_network.self_link}"
+  enable_flow_logs         = "${var.vpc_flow_logs}"
+  description              = "Subnetwork for continuous integration build that runs on the :${count.index} second."
   private_ip_google_access = true
 }
 
 # The cluster reaper is a tool that scans for orphaned GKE clusters created by CI and deletes them.
 # The reaper runs as this service account.
 resource "google_service_account" "cluster_reaper" {
-  project     = "${var.gcp_project_id}"
+  project      = "${var.gcp_project_id}"
   account_id   = "cluster-reaper"
   display_name = "cluster-reaper"
   # Description is not supported yet.
@@ -82,7 +82,7 @@ resource "google_service_account" "cluster_reaper" {
 # This role defines all the permissions that the cluster reaper has.
 # It mainly needs to list and delete GKE cluster but it also runs in Cloud Run so it needs invoker permissions.
 resource "google_project_iam_custom_role" "cluster_reaper_role" {
-  provider = "google-beta"
+  provider    = "google-beta"
   project     = "${var.gcp_project_id}"
   role_id     = "continuousintegration.reaper"
   title       = "Open Match CI Cluster Reaper"
@@ -113,8 +113,8 @@ resource "google_project_iam_binding" "cluster_reaper_role_binding" {
 # TODO: Remove once run.routes.invoke can be added to custom roles.
 resource "google_project_iam_binding" "cluster_reaper_role_binding_for_cloud_run_invoker" {
   provider = "google-beta"
-  project = "${google_project_iam_custom_role.cluster_reaper_role.project}"
-  role    = "roles/run.invoker"
+  project  = "${google_project_iam_custom_role.cluster_reaper_role.project}"
+  role     = "roles/run.invoker"
   members = [
     "serviceAccount:${google_service_account.cluster_reaper.email}"
   ]
@@ -125,7 +125,7 @@ resource "google_project_iam_binding" "cluster_reaper_role_binding_for_cloud_run
 # It's recommended to delay creation of the role binding by a few seconds after the service account
 # because the service account creation is eventually consistent.
 resource "null_resource" "before_service_account_creation" {
-    depends_on = ["google_service_account.cluster_reaper"]
+  depends_on = ["google_service_account.cluster_reaper"]
 }
 
 resource "null_resource" "delay_after_service_account_creation" {

install/terraform/open-match/README.md

@@ -16,7 +16,8 @@ Lastly, these templates are meant for advanced users that are most likely
 already using Terraform.
 
 ## GCP Service Account Setup
-To use the terraform templates when developing Open Match, you need to have the [credential of your service account](https://www.terraform.io/docs/providers/google/provider_reference.html#credentials-1) associated with your Open Match project. The terraform templates would read the credentials from `./creds.json` file to authenticate with GCP.
+To use the terraform templates when developing Open Match, you need to have the [credential of your service account](https://www.terraform.io/docs/providers/google/provider_reference.html#credentials-1) associated with your Open Match project.
+
 ```bash
 # Example: Generates the key file in GCP.
 # Create the service account. Replace [NAME] with a name for the service account.
@@ -25,6 +26,8 @@ gcloud iam service-accounts create [NAME]
 gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"
 # Generate the key file for terraform authentication.
 gcloud iam service-accounts keys create ./creds.json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com
+# Set the environment variable for Terraform to pick up the credentials.
+export GOOGLE_APPLICATION_CREDENTIALS=$PWD/creds.json
 ```
 
 ## Apply Infrastructure

install/terraform/open-match/secure-gke.tf

@@ -36,33 +36,31 @@
 
 # Declare the providers necessary to call the Google APIs 
 provider "google" {
-  version = "~> 2.8"
-  credentials = "${file("creds.json")}"
+  version = ">=2.8"
 }
 
 provider "google-beta" {
-  version = ">=0.0.0"
-  credentials = "${file("creds.json")}"
+  version = ">=2.8"
 }
 
 variable "gcp_project_id" {
   description = "GCP Project ID"
-  default = "open-match-build"
+  default     = "open-match-build"
 }
 
 variable "gcp_location" {
   description = "Location where resources in GCP will be located."
-  default = "us-west1-a"
+  default     = "us-west1-a"
 }
 variable "gcp_machine_type" {
   description = "Machine type of VM."
-  default = "n1-standard-4"
+  default     = "n1-standard-4"
 }
 
 # Enable Kubernetes and Cloud Resource Manager API
 resource "google_project_services" "gcp_apis" {
-  project = "${var.gcp_project_id}"
-  services   = ["container.googleapis.com", "cloudresourcemanager.googleapis.com"]
+  project  = "${var.gcp_project_id}"
+  services = ["container.googleapis.com", "cloudresourcemanager.googleapis.com"]
 }
 
 # Create a role with the minimum amount of permissions for logging, auditing, etc from the node VM.
@@ -86,7 +84,7 @@ resource "google_project_iam_custom_role" "open_match_node_vm_role" {
 # Create a low-privileged service account that will be the identity of the Node VMs that run Open Match.
 # This service account is mainly used to export service health and logging data to Stackdriver.
 resource "google_service_account" "node_vm" {
-  project     = "${var.gcp_project_id}"
+  project      = "${var.gcp_project_id}"
   account_id   = "open-match-node-vm"
   display_name = "Open Match Node VM Service Account"
 }
@@ -103,10 +101,10 @@ resource "google_project_iam_binding" "node_vm_binding" {
 # Create a GKE Cluster for serving Open Match.
 resource "google_container_cluster" "primary" {
   provider = "google-beta"
-  
-  name = "om-cluster"
+
+  name     = "om-cluster"
   location = "${var.gcp_location}"
-  
+
   addons_config {
     horizontal_pod_autoscaling {
       disabled = false
@@ -122,52 +120,52 @@ resource "google_container_cluster" "primary" {
     }
     istio_config {
       disabled = true
-      auth = "AUTH_MUTUAL_TLS"
+      auth     = "AUTH_MUTUAL_TLS"
     }
     cloudrun_config {
       disabled = true
     }
   }
-  
+
   cluster_autoscaling {
     enabled = true
     resource_limits {
-			resource_type = "cpu"
-			minimum = 0
-			maximum = 16
-		}
-		resource_limits {
-			resource_type = "memory"
-			minimum = 0
-			maximum = 32768
-		}
+      resource_type = "cpu"
+      minimum       = 0
+      maximum       = 16
+    }
+    resource_limits {
+      resource_type = "memory"
+      minimum       = 0
+      maximum       = 32768
+    }
   }
-  
+
   database_encryption {
-    state = "DECRYPTED"
+    state    = "DECRYPTED"
     key_name = ""
   }
 
   ip_allocation_policy {
     use_ip_aliases = true
   }
-  
+
   description = "Open Match Cluster"
-  
-  default_max_pods_per_node = 100
+
+  default_max_pods_per_node   = 100
   enable_binary_authorization = false
-  enable_kubernetes_alpha = false
-  enable_tpu = false
-  enable_legacy_abac = false
-  initial_node_count = 1
-  logging_service = "logging.googleapis.com/kubernetes"
-  
+  enable_kubernetes_alpha     = false
+  enable_tpu                  = false
+  enable_legacy_abac          = false
+  initial_node_count          = 1
+  logging_service             = "logging.googleapis.com/kubernetes"
+
   maintenance_policy {
     daily_maintenance_window {
       start_time = "03:00"
     }
   }
-  
+
   master_auth {
     username = ""
     password = ""
@@ -177,11 +175,11 @@ resource "google_container_cluster" "primary" {
   }
 
   min_master_version = "1.13"
-  
+
   monitoring_service = "monitoring.googleapis.com/kubernetes"
   network_policy {
     provider = "PROVIDER_UNSPECIFIED"
-    enabled = false
+    enabled  = false
   }
 
   /*
@@ -189,15 +187,15 @@ resource "google_container_cluster" "primary" {
     
   }
   */
-  
+
   #node_version = "1.13"
   pod_security_policy_config {
     enabled = false
   }
-  
-  project = "${var.gcp_project_id}"
+
+  project                  = "${var.gcp_project_id}"
   remove_default_node_pool = true
-  
+
   /*
   resource_labels {
     application = "open-match"
@@ -211,25 +209,25 @@ resource "google_container_cluster" "primary" {
 # Create a Node Pool inside the GKE cluster to serve the Open Match services.
 resource "google_container_node_pool" "om-services" {
   provider = "google-beta"
-  
-  name       = "open-match-services"
-  cluster    = "${google_container_cluster.primary.name}"
-  location   = "${google_container_cluster.primary.location}"
-  
+
+  name     = "open-match-services"
+  cluster  = "${google_container_cluster.primary.name}"
+  location = "${google_container_cluster.primary.location}"
+
   autoscaling {
     min_node_count = 1
     max_node_count = 5
   }
 
   management {
-    auto_repair = true
+    auto_repair  = true
     auto_upgrade = true
   }
 
   max_pods_per_node = 100
   node_config {
     disk_size_gb = 50
-    disk_type = "pd-standard"
+    disk_type    = "pd-standard"
     /*
     guest_accelerator {
       
@@ -242,7 +240,7 @@ resource "google_container_node_pool" "om-services" {
     }
     */
     local_ssd_count = 0
-    machine_type = "${var.gcp_machine_type}"
+    machine_type    = "${var.gcp_machine_type}"
     /*
     metadata {
       disable-legacy-endpoints = "true"
@@ -256,9 +254,9 @@ resource "google_container_node_pool" "om-services" {
       "https://www.googleapis.com/auth/logging.write",
       "https://www.googleapis.com/auth/monitoring",
     ]
-    preemptible = false
+    preemptible     = false
     service_account = "${google_service_account.node_vm.email}"
-    tags = []
+    tags            = []
     /*
     taint {
       
@@ -269,8 +267,8 @@ resource "google_container_node_pool" "om-services" {
     }
   }
   node_count = 5
-  project = "${google_container_cluster.primary.project}"
-  version = "1.13"
+  project    = "${google_container_cluster.primary.project}"
+  version    = "1.13"
 
   depends_on = [google_project_services.gcp_apis]
 }