From 2c28151e620fa42ed7001c046f26103f35e75f95 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Sat, 21 Dec 2024 18:34:15 -0500
Subject: [PATCH 1/2] move SQL for rekor indices into rekor module, add cloud sql iam user

Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/mysql/mysql.tf | 8 ----
 terraform/gcp/modules/rekor/rekor.tf | 1 +
 .../gcp/modules/rekor/service_accounts.tf | 7 ---
 terraform/gcp/modules/rekor/sql.tf | 43 +++++++++++++++++++
 terraform/gcp/modules/rekor/variables.tf | 5 +++
 terraform/gcp/modules/sigstore/sigstore.tf | 6 +++
 6 files changed, 55 insertions(+), 15 deletions(-)
 create mode 100644 terraform/gcp/modules/rekor/sql.tf

diff --git a/terraform/gcp/modules/mysql/mysql.tf b/terraform/gcp/modules/mysql/mysql.tf
index 012a5fdcb..c43381b30 100644
--- a/terraform/gcp/modules/mysql/mysql.tf
+++ b/terraform/gcp/modules/mysql/mysql.tf
@@ -190,14 +190,6 @@ resource "google_sql_database" "trillian" {
 depends_on = [google_sql_database_instance.sigstore]
 }
 
-resource "google_sql_database" "searchindexes" {
- name = var.index_db_name
- project = var.project_id
- instance = google_sql_database_instance.sigstore.name
- collation = var.collation
- depends_on = [google_sql_database_instance.sigstore]
-}
-
 resource "google_sql_user" "trillian" {
 name = "trillian"
 project = var.project_id
diff --git a/terraform/gcp/modules/rekor/rekor.tf b/terraform/gcp/modules/rekor/rekor.tf
index a196243eb..1cad26e2c 100644
--- a/terraform/gcp/modules/rekor/rekor.tf
+++ b/terraform/gcp/modules/rekor/rekor.tf
@@ -20,6 +20,7 @@ resource "google_project_service" "service" {
 "dns.googleapis.com", // For configuring DNS records
 "storage.googleapis.com", // For GCS bucket. roles/storage.admin
 "cloudkms.googleapis.com", // For KMS keyring and crypto key. roles/cloudkms.admin
+ "sqladmin.googleapis.com", // For Cloud SQL. roles/cloudsql.admin
 ])
 project = var.project_id
 service = each.key
diff --git a/terraform/gcp/modules/rekor/service_accounts.tf b/terraform/gcp/modules/rekor/service_accounts.tf
index 25fd5dc1a..dd57b270c 100644
--- a/terraform/gcp/modules/rekor/service_accounts.tf
+++ b/terraform/gcp/modules/rekor/service_accounts.tf
@@ -56,13 +56,6 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_rekor_server" {
 depends_on = [google_service_account.rekor-sa]
 }
 
-resource "google_project_iam_member" "db_admin_member_rekor" {
- project = var.project_id
- role = "roles/cloudsql.client"
- member = "serviceAccount:${google_service_account.rekor-sa.email}"
- depends_on = [google_service_account.rekor-sa]
-}
-
 resource "google_project_iam_member" "logserver_iam" {
 # // Give rekor permission to export metrics to Stackdriver
 for_each = toset([
diff --git a/terraform/gcp/modules/rekor/sql.tf b/terraform/gcp/modules/rekor/sql.tf
new file mode 100644
index 000000000..6086194ff
--- /dev/null
+++ b/terraform/gcp/modules/rekor/sql.tf
@@ -0,0 +1,43 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_sql_database" "searchindexes" {
+ name = "searchindexes"
+ project = var.project_id
+ instance = var.index_database_instance_name
+ collation = "utf8mb3_general_ci"
+}
+
+// be sure to manually GRANT SELECT, INSERT, CREATE privileges for this user
+resource "google_sql_user" "iam_user" {
+ name = google_service_account.rekor-sa.email
+ instance = var.index_database_instance_name
+ type = "CLOUD_IAM_SERVICE_ACCOUNT"
+}
+
+resource "google_project_iam_member" "db_admin_member_rekor" {
+ project = var.project_id
+ role = "roles/cloudsql.client"
+ member = "serviceAccount:${google_service_account.rekor-sa.email}"
+ depends_on = [google_service_account.rekor-sa]
+}
+
+resource "google_project_iam_member" "db_iam_auth" {
+ project = var.project_id
+ role = "roles/cloudsql.instanceUser"
+ member = "serviceAccount:${google_service_account.rekor-sa.email}"
+ depends_on = [google_service_account.rekor-sa]
+}
diff --git a/terraform/gcp/modules/rekor/variables.tf b/terraform/gcp/modules/rekor/variables.tf
index f62a491e4..b45eda488 100644
--- a/terraform/gcp/modules/rekor/variables.tf
+++ b/terraform/gcp/modules/rekor/variables.tf
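Review bot: The `google_sql_database.searchindexes` resource in the new sql.tf hard-codes `name = "searchindexes"` and `collation = "utf8mb3_general_ci"`, whereas the resource removed from mysql.tf earlier in this patch took both from `var.index_db_name` and `var.collation`; `name` forces replacement of a `google_sql_database` (and `collation` likely does too), so if the deployed values differ at all, the `moved` block added in sigstore.tf will not stop a destroy/recreate of the search-index database. The plan should show no changes for `module.rekor.google_sql_database.searchindexes` before this is applied; carrying the two values over as rekor-module variables whose defaults match what the mysql module currently passes would make that guarantee explicit. `google_sql_user.iam_user` also omits `project`, unlike its three sibling resources in this file, and the GRANT in the comment above it is an out-of-band step that should point somewhere durable, e.g. `// NOTE: privileges are granted out of band; see <runbook placeholder>`. Finally, the provider's IAM service-account example uses `trimsuffix(google_service_account.rekor-sa.email, ".gserviceaccount.com")` for the user name, so whether the full email is accepted for this instance's engine is worth confirming before relying on the login.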
@@ -116,3 +116,8 @@ variable "new_entry_pubsub_consumers" { type = list(string) default = [] } + +variable "index_database_instance_name" { + description = "name of SQL database instance used to store index lookups" + type = string +} diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf index 60110e6a9..f9720d5b8 100644 --- a/terraform/gcp/modules/sigstore/sigstore.tf +++ b/terraform/gcp/modules/sigstore/sigstore.tf @@ -200,6 +200,10 @@ module "mysql" { ] } +moved { + from = module.mysql.google_sql_database.searchindexes + to = module.rekor.google_sql_database.searchindexes +} // Rekor module "rekor" { @@ -231,6 +235,8 @@ module "rekor" { redis_cluster_memory_size_gb = var.redis_cluster_memory_size_gb + index_database_instance_name = module.mysql.mysql_instance + depends_on = [ module.network, module.gke-cluster, From c4c0f8964432acd8b75719e3dbe7093d5d241312 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sat, 21 Dec 2024 19:56:41 -0500 Subject: [PATCH 2/2] fix lint Signed-off-by: Bob Callaway --- terraform/gcp/modules/rekor/sql.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/gcp/modules/rekor/sql.tf b/terraform/gcp/modules/rekor/sql.tf index 6086194ff..9003cd4ae 100644 --- a/terraform/gcp/modules/rekor/sql.tf +++ b/terraform/gcp/modules/rekor/sql.tf @@ -15,10 +15,10 @@ */ resource "google_sql_database" "searchindexes" { - name = "searchindexes" - project = var.project_id - instance = var.index_database_instance_name - collation = "utf8mb3_general_ci" + name = "searchindexes" + project = var.project_id + instance = var.index_database_instance_name + collation = "utf8mb3_general_ci" } // be sure to manually GRANT SELECT, INSERT, CREATE privileges for this user
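Review bot: The new `index_database_instance_name = module.mysql.mysql_instance` line in the second sigstore.tf hunk is consumed by the `instance` attribute of `google_sql_database` and `google_sql_user`, which take the bare instance name, but nothing in this patch shows what `mysql_instance` actually outputs; a `connection_name` (`project:region:instance`) or a self link would only fail at apply time. The new `index_database_instance_name` variable in variables.tf is the right place to pin that down: a `validation` block whose `condition` is `length(regexall("[:/]", var.index_database_instance_name)) == 0` with a short `error_message` would catch it at plan time, and the description could say "bare instance name, not connection_name". Both `module "mysql"` and `module "rekor"` start outside their hunks, so the output's definition and the rest of the wiring are not visible here.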