Terraform Configs (#541)

2025-03-25 13:24:18 +00:00 · 2019-06-18 06:56:28 -07:00
parent a1271ff820
commit 7b3d6d38d3
5 changed files with 337 additions and 5 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -101,6 +101,14 @@ install/yaml/
 # Temp Directories
 tmp/

+# Terraform context
+.terraform
+*.tfstate
+*.tfstate.backup
+
+# Credential Files
+creds.json
+
 # Open Match Binaries
 cmd/backend/backend
 cmd/frontend/frontend
--- a/.gitignore
+++ b/.gitignore
@ -101,6 +101,14 @@ install/yaml/
 # Temp Directories
 tmp/

+# Terraform context
+.terraform
+*.tfstate
+*.tfstate.backup
+
+# Credential Files
+creds.json
+
 # Open Match Binaries
 cmd/backend/backend
 cmd/frontend/frontend
--- a/38
+++ b/38
@ -16,7 +16,7 @@
 ## ====================
 ##
 ## Create a GKE Cluster (requires gcloud installed and initialized, https://cloud.google.com/sdk/docs/quickstarts)
-## make enable-gcp-apis
+## make activate-gcp-apis
 ## make create-gke-cluster push-helm
 ##
 ## Create a Minikube Cluster (requires VirtualBox)
@ -70,6 +70,7 @@ HTMLTEST_VERSION = 0.10.3
 GOLANGCI_VERSION = 1.17.1
 KIND_VERSION = 0.3.0
 SWAGGERUI_VERSION = 3.22.3
+TERRAFORM_VERSION = 0.12.1

 ENABLE_SECURITY_HARDENING = 0
 GO = GO111MODULE=on go
@ -110,10 +111,11 @@ KUBECTL = $(TOOLCHAIN_BIN)/kubectl$(EXE_EXTENSION)
 HTMLTEST = $(TOOLCHAIN_BIN)/htmltest$(EXE_EXTENSION)
 KIND = $(TOOLCHAIN_BIN)/kind$(EXE_EXTENSION)
 HUGO = $(TOOLCHAIN_BIN)/hugo$(EXE_EXTENSION)
+TERRAFORM = $(TOOLCHAIN_BIN)/terraform$(EXE_EXTENSION)
 SKAFFOLD = $(TOOLCHAIN_BIN)/skaffold$(EXE_EXTENSION)
 CERTGEN = $(TOOLCHAIN_BIN)/certgen$(EXE_EXTENSION)
 GOLANGCI = $(TOOLCHAIN_BIN)/golangci-lint$(EXE_EXTENSION)
-GCLOUD = gcloud
+GCLOUD = gcloud --quiet
 OPEN_MATCH_CHART_NAME = open-match
 OPEN_MATCH_KUBERNETES_NAMESPACE = open-match
 OPEN_MATCH_DEMO_CHART_NAME = open-match-demo
@ -171,6 +173,7 @@ ifeq ($(OS),Windows_NT)
 	HTMLTEST_PACKAGE = https://github.com/wjdp/htmltest/releases/download/v$(HTMLTEST_VERSION)/htmltest_$(HTMLTEST_VERSION)_windows_amd64.zip
 	GOLANGCI_PACKAGE = https://github.com/golangci/golangci-lint/releases/download/v$(GOLANGCI_VERSION)/golangci-lint-$(GOLANGCI_VERSION)-windows-amd64.zip
 	KIND_PACKAGE = https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-windows-amd64
+	TERRAFORM_PACKAGE = https://releases.hashicorp.com/terraform/$(TERRAFORM_VERSION)/terraform_$(TERRAFORM_VERSION)_windows_amd64.zip
 	SED_REPLACE = sed -i
 else
 	UNAME_S := $(shell uname -s)
@ -184,6 +187,7 @@ else
 		HTMLTEST_PACKAGE = https://github.com/wjdp/htmltest/releases/download/v$(HTMLTEST_VERSION)/htmltest_$(HTMLTEST_VERSION)_linux_amd64.tar.gz
 		GOLANGCI_PACKAGE = https://github.com/golangci/golangci-lint/releases/download/v$(GOLANGCI_VERSION)/golangci-lint-$(GOLANGCI_VERSION)-linux-amd64.tar.gz
 		KIND_PACKAGE = https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-linux-amd64
+		TERRAFORM_PACKAGE = https://releases.hashicorp.com/terraform/$(TERRAFORM_VERSION)/terraform_$(TERRAFORM_VERSION)_linux_amd64.zip
 		SED_REPLACE = sed -i
 	endif
 	ifeq ($(UNAME_S),Darwin)
@ -196,6 +200,7 @@ else
 		HTMLTEST_PACKAGE = https://github.com/wjdp/htmltest/releases/download/v$(HTMLTEST_VERSION)/htmltest_$(HTMLTEST_VERSION)_osx_amd64.tar.gz
 		GOLANGCI_PACKAGE = https://github.com/golangci/golangci-lint/releases/download/v$(GOLANGCI_VERSION)/golangci-lint-$(GOLANGCI_VERSION)-darwin-amd64.tar.gz
 		KIND_PACKAGE = https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-darwin-amd64
+		TERRAFORM_PACKAGE = https://releases.hashicorp.com/terraform/$(TERRAFORM_VERSION)/terraform_$(TERRAFORM_VERSION)_darwin_amd64.zip
 		SED_REPLACE = sed -i ''
 	endif
 endif
@ -209,7 +214,6 @@ local-cloud-build: gcloud

 push-images: push-service-images push-example-images push-tool-images

-
 push-service-images: push-backend-image push-frontend-image push-mmlogic-image push-minimatch-image push-synchronizer-image push-swaggerui-image
 push-example-images: push-demo-images push-mmf-example-images push-evaluator-example-images
 push-demo-images: push-mmf-go-soloduel-image push-demo-image
@ -479,7 +483,7 @@ set-redis-password:
 		$(KUBECTL) create secret generic $(REDIS_NAME) -n $(OPEN_MATCH_DEMO_KUBERNETES_NAMESPACE) --from-literal=redis-password=$$REDIS_PASSWORD --dry-run -o yaml | $(KUBECTL) replace -f - --force

 install-toolchain: install-kubernetes-tools install-protoc-tools install-openmatch-tools
-install-kubernetes-tools: build/toolchain/bin/kubectl$(EXE_EXTENSION) build/toolchain/bin/helm$(EXE_EXTENSION) build/toolchain/bin/minikube$(EXE_EXTENSION) build/toolchain/bin/skaffold$(EXE_EXTENSION)
+install-kubernetes-tools: build/toolchain/bin/kubectl$(EXE_EXTENSION) build/toolchain/bin/helm$(EXE_EXTENSION) build/toolchain/bin/minikube$(EXE_EXTENSION) build/toolchain/bin/skaffold$(EXE_EXTENSION) build/toolchain/bin/terraform$(EXE_EXTENSION)
 install-protoc-tools: build/toolchain/bin/protoc$(EXE_EXTENSION) build/toolchain/bin/protoc-gen-go$(EXE_EXTENSION) build/toolchain/bin/protoc-gen-grpc-gateway$(EXE_EXTENSION) build/toolchain/bin/protoc-gen-swagger$(EXE_EXTENSION)
 install-openmatch-tools: build/toolchain/bin/certgen$(EXE_EXTENSION) build/toolchain/bin/reaper$(EXE_EXTENSION)

@ -526,6 +530,13 @@ build/toolchain/bin/kind$(EXE_EXTENSION):
 	curl -Lo $(KIND) $(KIND_PACKAGE)
 	chmod +x $(KIND)

+build/toolchain/bin/terraform$(EXE_EXTENSION):
+	mkdir -p $(TOOLCHAIN_BIN)
+	mkdir -p $(TOOLCHAIN_DIR)/temp-terraform
+	cd $(TOOLCHAIN_DIR)/temp-terraform && curl -Lo terraform.zip $(TERRAFORM_PACKAGE) && unzip -j -q -o terraform.zip
+	mv $(TOOLCHAIN_DIR)/temp-terraform/terraform$(EXE_EXTENSION) $(TOOLCHAIN_BIN)/terraform$(EXE_EXTENSION)
+	rm -rf $(TOOLCHAIN_DIR)/temp-terraform/
+
 build/toolchain/python/:
 	virtualenv --python=python3 $(TOOLCHAIN_DIR)/python/
 	# Hack to workaround some crazy bug in pip that's chopping off python executable's name.
@ -607,6 +618,11 @@ activate-gcp-apis: gcloud
 	$(GCLOUD) services enable containeranalysis.googleapis.com
 	$(GCLOUD) services enable binaryauthorization.googleapis.com

+create-gcp-service-account: gcloud
+	gcloud $(GCP_PROJECT_FLAG) iam service-accounts create open-match --display-name="Open Match Service Account"
+	gcloud $(GCP_PROJECT_FLAG) iam service-accounts add-iam-policy-binding --member=open-match@$(GCP_PROJECT_ID).iam.gserviceaccount.com --role=roles/container.clusterAdmin
+	gcloud $(GCP_PROJECT_FLAG) iam service-accounts keys create ~/key.json --iam-account open-match@$(GCP_PROJECT_ID).iam.gserviceaccount.com
+
 create-kind-cluster: build/toolchain/bin/kind$(EXE_EXTENSION) build/toolchain/bin/kubectl$(EXE_EXTENSION)
 	$(KIND) create cluster

@ -753,6 +769,15 @@ else
 	$(SED_REPLACE) 's/$$EVALUATION_MODE/ALWAYS_ALLOW/g' $(BUILD_DIR)/policies/binauthz.yaml
 endif

+terraform-plan: install/terraform/open-match/.terraform/
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) plan -var gcp_project_id=$(GCP_PROJECT_ID) -var gcp_location=$(GCP_LOCATION))
+
+terraform-apply: install/terraform/open-match/.terraform/
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) apply -var gcp_project_id=$(GCP_PROJECT_ID) -var gcp_location=$(GCP_LOCATION))
+
+install/terraform/open-match/.terraform/: build/toolchain/bin/terraform$(EXE_EXTENSION)
+	(cd $(REPOSITORY_ROOT)/install/terraform/open-match/ && $(TERRAFORM) init)
+
 build/certificates/: build/toolchain/bin/certgen$(EXE_EXTENSION)
 	mkdir -p $(BUILD_DIR)/certificates/
 	cd $(BUILD_DIR)/certificates/ && $(CERTGEN)
@ -806,6 +831,9 @@ clean-binaries:
 	rm -rf $(REPOSITORY_ROOT)/tools/certgen/certgen$(EXE_EXTENSION)
 	rm -rf $(REPOSITORY_ROOT)/tools/reaper/reaper$(EXE_EXTENSION)

+clean-terraform:
+	rm -rf $(REPOSITORY_ROOT)/install/terraform/.terraform/
+
 clean-build: clean-toolchain clean-archives clean-release
 	rm -rf $(BUILD_DIR)/

@ -828,7 +856,7 @@ clean-swagger-docs:
 clean-swaggerui:
 	rm -rf $(REPOSITORY_ROOT)/third_party/swaggerui/

-clean: clean-images clean-binaries clean-release clean-build clean-protos clean-swagger-docs clean-install-yaml clean-stress-test-tools clean-secrets clean-swaggerui
+clean: clean-images clean-binaries clean-release clean-build clean-protos clean-swagger-docs clean-install-yaml clean-stress-test-tools clean-secrets clean-swaggerui clean-terraform

 proxy-frontend: build/toolchain/bin/kubectl$(EXE_EXTENSION)
 	@echo "Frontend Health: http://localhost:$(FRONTEND_PORT)/healthz"
--- a/install/terraform/open-match-build/open-match-iam.tf
+++ b/install/terraform/open-match-build/open-match-iam.tf
--- a/install/terraform/open-match/secure-gke.tf
+++ b/install/terraform/open-match/secure-gke.tf
@ -0,0 +1,288 @@
+# Copyright 2019 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+######################################
+# Open Match Terraform Configuration #
+######################################
+
+# This is an example of a security-hardened Terraform configuration to a GKE
+# cluster. This example assumes the GCP project will solely be used to host
+# Open Match. It's not recommended to use this script on a project that's
+# currently in use as it will delete resources that it does not know about.
+
+# Glossary
+# Terraform - A tool to configure your cloud environment based on a configuration file.
+#             This tool basically drives the "infrastructure-as-code".
+# IAM - Identity and Access Managements
+# IAM Service Account - An identity that's used to talk to Google APIs. IAM
+#     service accounts are typically used in automation where no human is
+#     involved.
+# Kubernetes Service Account - An identity that is bound to a Kubernetes pod. =
+#     Based on the RoleBinding in Kubernetes it can call the api-server to
+#     perform actions on the Kubernetes cluster. A Kubernetes Service Account
+#     cannot call the Google APIs but you can use Workload Identity to obtain
+#     IAM Service Account credentials for delegation.
+
+# Declare the providers necessary to call the Google APIs 
+provider "google" {
+  version = "~> 2.8"
+  credentials = "${file("creds.json")}"
+}
+
+provider "google-beta" {
+  version = ">=0.0.0"
+  credentials = "${file("creds.json")}"
+}
+
+variable "gcp_project_id" {
+  description = "GCP Project ID"
+  default = "jeremyedwards-gaming-dev"
+}
+
+variable "gcp_location" {
+  description = "Location where resources in GCP will be located."
+  default = "us-west1-a"
+}
+variable "gcp_machine_type" {
+  description = "Machine type of VM."
+  default = "n1-standard-4"
+}
+
+# Create a role with the minimum amount of permissions for logging, auditing, etc from the node VM.
+resource "google_project_iam_custom_role" "open_match_node_vm_role" {
+  project     = "${var.gcp_project_id}"
+  role_id     = "open_match_node_vm"
+  title       = "Open Match Service Agent"
+  description = "Role for Open Match Cluster to interact with Google APIs"
+  permissions = [
+    "logging.logEntries.create",
+    "logging.logEntries.list",
+    "logging.logMetrics.create",
+    "logging.logMetrics.delete",
+    "logging.logMetrics.get",
+    "logging.logMetrics.update",
+    "logging.logEntries.create",
+  ]
+  stage = "BETA"
+}
+
+# Create a low-privileged service account that will be the identity of the Node VMs that run Open Match.
+# This service account is mainly used to export service health and logging data to Stackdriver.
+resource "google_service_account" "node_vm" {
+  project     = "${var.gcp_project_id}"
+  account_id   = "open-match-node-vm"
+  display_name = "Open Match Node VM Service Account"
+}
+
+# Create the IAM role binding {Node VM service account to the minimal role.}
+resource "google_project_iam_binding" "node_vm_binding" {
+  project = "${google_project_iam_custom_role.open_match_node_vm_role.project}"
+  role    = "projects/${google_project_iam_custom_role.open_match_node_vm_role.project}/roles/${google_project_iam_custom_role.open_match_node_vm_role.role_id}"
+  members = [
+    "user:${google_service_account.node_vm.name}"
+  ]
+}
+
+# Create a GKE Cluster for serving Open Match.
+resource "google_container_cluster" "primary" {
+  provider = "google-beta"
+  
+  name = "om-cluster"
+  location = "${var.gcp_location}"
+  
+  addons_config {
+    horizontal_pod_autoscaling {
+      disabled = false
+    }
+    http_load_balancing {
+      disabled = false
+    }
+    kubernetes_dashboard {
+      disabled = true
+    }
+    network_policy_config {
+      disabled = true
+    }
+    istio_config {
+      disabled = true
+      auth = "AUTH_MUTUAL_TLS"
+    }
+    cloudrun_config {
+      disabled = true
+    }
+  }
+  
+  cluster_autoscaling {
+    enabled = true
+    resource_limits {
+			resource_type = "cpu"
+			minimum = 0
+			maximum = 16
+		}
+		resource_limits {
+			resource_type = "memory"
+			minimum = 0
+			maximum = 32768
+		}
+  }
+  
+  database_encryption {
+    state = "DECRYPTED"
+    key_name = ""
+  }
+
+  ip_allocation_policy {
+    use_ip_aliases = true
+  }
+  
+  description = "Open Match Cluster"
+  
+  default_max_pods_per_node = 100
+  enable_binary_authorization = false
+  enable_kubernetes_alpha = false
+  enable_tpu = false
+  enable_legacy_abac = false
+  initial_node_count = 1
+  logging_service = "logging.googleapis.com/kubernetes"
+  
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = "03:00"
+    }
+  }
+  
+  master_auth {
+    username = ""
+    password = ""
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  min_master_version = "1.13"
+  
+  monitoring_service = "monitoring.googleapis.com/kubernetes"
+  network_policy {
+    provider = "PROVIDER_UNSPECIFIED"
+    enabled = false
+  }
+
+  /*
+  node_pool = {
+    
+  }
+  */
+  
+  #node_version = "1.13"
+  pod_security_policy_config {
+    enabled = false
+  }
+  
+  project = "${var.gcp_project_id}"
+  remove_default_node_pool = true
+  
+  /*
+  resource_labels {
+    application = "open-match"
+  }
+  */
+  vertical_pod_autoscaling {
+    enabled = false
+  }
+}
+
+# Create a Node Pool inside the GKE cluster to serve the Open Match services.
+resource "google_container_node_pool" "om-services" {
+  provider = "google-beta"
+  
+  name       = "open-match-services"
+  cluster    = "${google_container_cluster.primary.name}"
+  location   = "${google_container_cluster.primary.location}"
+  
+  autoscaling {
+    min_node_count = 1
+    max_node_count = 5
+  }
+
+  management {
+    auto_repair = true
+    auto_upgrade = true
+  }
+
+  max_pods_per_node = 100
+  node_config {
+    disk_size_gb = 50
+    disk_type = "pd-standard"
+    /*
+    guest_accelerator {
+      
+    }
+    */
+    image_type = "cos_containerd"
+    /*
+    labels {
+      
+    }
+    */
+    local_ssd_count = 0
+    machine_type = "${var.gcp_machine_type}"
+    /*
+    metadata {
+      disable-legacy-endpoints = "true"
+    }
+    */
+    min_cpu_platform = "Intel Haswell"
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/compute",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+    preemptible = false
+    service_account = "${google_service_account.node_vm.email}"
+    tags = []
+    /*
+    taint {
+      
+    }
+    */
+    workload_metadata_config {
+      node_metadata = "SECURE"
+    }
+  }
+  node_count = 5
+  project = "${google_container_cluster.primary.project}"
+  version = "1.13"
+}
+
+output "cluster_name" {
+  value = "${google_container_cluster.primary.name}"
+}
+
+output "primary_zone" {
+  value = "${google_container_cluster.primary.zone}"
+}
+
+output "additional_zones" {
+  value = "${google_container_cluster.primary.additional_zones}"
+}
+
+output "endpoint" {
+  value = "${google_container_cluster.primary.endpoint}"
+}
+
+output "node_version" {
+  value = "${google_container_cluster.primary.node_version}"
+}