Refactor terraform modules

transparency-dev · Nov 13, 2024 · 3d3c3c5 · 3d3c3c5
1 parent 5816176
commit 3d3c3c5
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 65 deletions.
diff --git a/deployment/live/gcp/test/terragrunt.hcl b/deployment/live/gcp/test/terragrunt.hcl
@@ -1,11 +1,11 @@
 terraform {
-  source = "${get_repo_root()}/deployment/modules/gcp//storage"
+  source = "${get_repo_root()}/deployment/modules/gcp//conformance"
 }
 
 locals {
-  project_id                   = get_env("GOOGLE_PROJECT", "phboneff-dev")
-  location                     = get_env("GOOGLE_REGION", "us-central1")
-  base_name                    = get_env("TESSERA_BASE_NAME", "tessera-staticct")
+  project_id = get_env("GOOGLE_PROJECT", "phboneff-dev")
+  location   = get_env("GOOGLE_REGION", "us-central1")
+  base_name  = get_env("TESSERA_BASE_NAME", "tessera-staticct")
 }
 
 inputs = local
@@ -20,7 +20,7 @@ remote_state {
     prefix   = "terraform.tfstate"
 
     gcs_bucket_labels = {
-      name = "terraform_state_storage"
+      name = "terraform_state_conformance"
     }
   }
 }
diff --git a/deployment/modules/gcp/conformance/main.tf b/deployment/modules/gcp/conformance/main.tf
@@ -0,0 +1,15 @@
+terraform {
+  backend "gcs" {}
+}
+
+module "storage" {
+  source = "../storage"
+
+  project_id = var.project_id
+  base_name  = var.base_name
+  location   = var.location
+}
+
+module "secretmanager" {
+  source = "../secretmanager"
+}
diff --git a/deployment/modules/gcp/conformance/outputs.tf b/deployment/modules/gcp/conformance/outputs.tf
@@ -0,0 +1,9 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = module.secretmanager.ecdsa_p256_public_key_id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = module.secretmanager.ecdsa_p256_private_key_id
+}
diff --git a/deployment/modules/gcp/conformance/variables.tf b/deployment/modules/gcp/conformance/variables.tf
@@ -0,0 +1,14 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}
diff --git a/deployment/modules/gcp/secretmanager/main.tf b/deployment/modules/gcp/secretmanager/main.tf
@@ -0,0 +1,69 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.1.0"
+    }
+  }
+}
+
+# Secret Manager
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended. Instead, generate a private key file outside of Terraform and 
+# distribute it securely to the system where Terraform will be run.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "google_project_service" "secretmanager_googleapis_com" {
+  service            = "secretmanager.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "tls_private_key" "sctfe_ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
+  secret_id = "sctfe-ecdsa-p256-public-key"
+
+  labels = {
+    label = "sctfe-public-key"
+  }
+
+  replication {
+    auto {}
+  }
+
+  depends_on = [google_project_service.secretmanager_googleapis_com]
+}
+
+resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
+  secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
+
+  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+}
+
+resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
+  secret_id = "sctfe-ecdsa-p256-private-key"
+
+  labels = {
+    label = "sctfe-private-key"
+  }
+
+  replication {
+    auto {}
+  }
+
+  depends_on = [google_project_service.secretmanager_googleapis_com]
+}
+
+resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
+  secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
+
+  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+}
diff --git a/deployment/modules/gcp/secretmanager/outputs.tf b/deployment/modules/gcp/secretmanager/outputs.tf
@@ -0,0 +1,9 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_public_key.id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_private_key.id
+}
diff --git a/deployment/modules/gcp/storage/main.tf b/deployment/modules/gcp/storage/main.tf
@@ -27,10 +27,6 @@ resource "google_project_service" "storage_googleapis_com" {
   service            = "storage.googleapis.com"
   disable_on_destroy = false
 }
-resource "google_project_service" "secretmanager_googleapis_com" {
-  service            = "secretmanager.googleapis.com"
-  disable_on_destroy = false
-}
 
 ## Resources
 
@@ -69,59 +65,3 @@ resource "google_spanner_database" "dedup_db" {
     "CREATE TABLE IDSeq (id INT64 NOT NULL, h BYTES(MAX) NOT NULL, idx INT64 NOT NULL,) PRIMARY KEY (id, h)",
   ]
 }
-
-# Secret Manager
-
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
-# recommended. Instead, generate a private key file outside of Terraform and 
-# distribute it securely to the system where Terraform will be run.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
-  secret_id = "sctfe-ecdsa-p256-public-key"
-
-  labels = {
-    label = "sctfe-public-key"
-  }
-
-  replication {
-    auto {}
-  }
-
-  depends_on = [google_project_service.secretmanager_googleapis_com]
-}
-
-resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
-  secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
-
-  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
-}
-
-resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
-  secret_id = "sctfe-ecdsa-p256-private-key"
-
-  labels = {
-    label = "sctfe-private-key"
-  }
-
-  replication {
-    auto {}
-  }
-
-  depends_on = [google_project_service.secretmanager_googleapis_com]
-}
-
-resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
-  secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
-
-  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
-}