From 5698eab44df540d27c0c2c9479981bb89659ec60 Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 11:37:26 +0530
Subject: [PATCH 1/7] bumped the tf version to 1.8.0
---
 tf-count/backend.tf | 20 +++++++++++++++
 tf-count/gcp_network.tf | 4 +--
 tf-count/gcp_subnetwork.tf | 4 +--
 tf-count/outputs.tf | 12 +++------
 tf-count/providers.tf | 12 ---------
 tf-count/providers.tf.disabled | 47 ++++++++++++++++++++++++++++++++++
 tf-count/terraform.tfvars | 12 +++++----
 tf-count/variables.tf | 11 ++++++--
 tf-count/versions.tf | 10 ++++----
 9 files changed, 96 insertions(+), 36 deletions(-)
 create mode 100644 tf-count/backend.tf
 delete mode 100644 tf-count/providers.tf
 create mode 100644 tf-count/providers.tf.disabled
diff --git a/tf-count/backend.tf b/tf-count/backend.tf
new file mode 100644
index 0000000..d47ecf4
--- /dev/null
+++ b/tf-count/backend.tf
@@ -0,0 +1,20 @@
+/*
+1. Create the GCS Bucket using Cloud SDK / Cloud Shell:
+> gcloud auth login
+> gcloud config set project PROJECT_ID
+> gsutil mb -c standard -l eu gs://bkt-tfstates-xxxxxx
+
+2. Set the Bucket versioning.
+> gsutil versioning set on gs://bkt-tfstates-xxxxxx
+
+3. Clean-up process
+> gcloud storage rm --recursive gs://bkt-tfstates-xxxxxx
+*/
+
+// Configure Google Cloud Storage (GCS) Backend
+terraform {
+ backend "gcs" {
+ bucket = "bkt-tfstates-15062024"
+ prefix = "tst/tf-count"
+ }
+}
diff --git a/tf-count/gcp_network.tf b/tf-count/gcp_network.tf
index a49d49b..b377eb9 100644
--- a/tf-count/gcp_network.tf
+++ b/tf-count/gcp_network.tf
@@ -1,8 +1,8 @@
-// Resource block to deploy vpc network
+# Resource block to deploy vpc network
 resource "google_compute_network" "tst_vpc" {
 project = var.project_id
 name = var.vpc_name
 routing_mode = "GLOBAL"
 auto_create_subnetworks = var.auto_create_subnetworks
 delete_default_routes_on_create = var.delete_default_routes
-}
\ No newline at end of file
+}
diff --git a/tf-count/gcp_subnetwork.tf b/tf-count/gcp_subnetwork.tf
index 21b2bf2..d03e56b 100644
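Review bot: The setup comment at the top of backend.tf walks through creating the state bucket and turning on versioning, but says nothing about restricting access to it, and the state this backend will hold records every attribute of the network and subnets in plaintext. The bucket should be created with uniform bucket-level access (`> gsutil mb -c standard -l eu -b on gs://bkt-tfstates-xxxxxx`) and public access prevention enforced, with object access limited to the identity that runs the pipeline; a line for each of those steps belongs next to the versioning step so whoever recreates the bucket does not skip them. The hard-coded name `bkt-tfstates-15062024` is unavoidable in a backend block, which cannot reference variables, but a one-line comment noting that it must match the bucket created above would save the next reader a search.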
--- a/tf-count/gcp_subnetwork.tf
+++ b/tf-count/gcp_subnetwork.tf
@@ -1,4 +1,4 @@
-// Resource block to deploy Subnetwork
+# Resource block to deploy Subnetwork
 resource "google_compute_subnetwork" "tst_vpc_subnet" {
 count = length(var.subnet_name)
@@ -7,4 +7,4 @@ resource "google_compute_subnetwork" "tst_vpc_subnet" {
 region = var.default_region
 private_ip_google_access = true
 network = google_compute_network.tst_vpc.id
-}
\ No newline at end of file
+}
diff --git a/tf-count/outputs.tf b/tf-count/outputs.tf
index 56fc873..d28ba68 100644
--- a/tf-count/outputs.tf
+++ b/tf-count/outputs.tf
@@ -1,12 +1,10 @@
-// Resource outputs
+# Resource outputs
 output "tst_vpc_subnet_all" {
 description = "The VPC resource being created"
 value = google_compute_subnetwork.tst_vpc_subnet
 }
-/*************************************************
- Output using for expression
-*************************************************/
+# Output using for expression
 output "tst_vpc_subnet_ids_01" {
 description = "The IDs of the subnets being created."
 value = [
@@ -23,10 +21,8 @@ output "tst_vpc_subnet_details" {
 }
 }
-/*************************************************
- Output using splat expression
-*************************************************/
+# Output using splat expression
 output "tst_vpc_subnet_ids_02" {
 description = "The IDs of the subnets being created."
 value = google_compute_subnetwork.tst_vpc_subnet[*].id
-}
\ No newline at end of file
+}
diff --git a/tf-count/providers.tf b/tf-count/providers.tf
deleted file mode 100644
index 3ac53cc..0000000
--- a/tf-count/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-// Provider block to configure Google GA and Google Beta providers
-provider "google" {
- project = var.project_id
- region = var.default_region
- zone = var.default_zone
-}
-
-provider "google-beta" {
- project = var.project_id
- region = var.default_region
- zone = var.default_zone
-}
\ No newline at end of file
diff --git a/tf-count/providers.tf.disabled b/tf-count/providers.tf.disabled
new file mode 100644
index 0000000..005969c
--- /dev/null
+++ b/tf-count/providers.tf.disabled
@@ -0,0 +1,47 @@
+# Locals block to hold and modify the values
+locals {
+ tf_sa = var.terraform_service_account
+}
+
+provider "google" {
+ alias = "tokengen"
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.tokengen
+ target_service_account = local.tf_sa
+
+ // To see, edit, configure, and delete your Google Cloud data
+ scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ lifetime = "600s"
+}
+
+/******************************************
+ GA Provider credential configuration
+ *****************************************/
+
+provider "google" {
+ // configure the default project and region.
+ project = var.project_id
+ region = var.default_region
+ zone = var.default_zone
+
+ // A temporary OAuth 2.0 access token obtained from the Google Authorization server
+ // used to authenticate HTTP requests to GCP APIs.
+ access_token = data.google_service_account_access_token.default.access_token
+}
+
+/******************************************
+ Beta Provider credential configuration
+ *****************************************/
+
+provider "google-beta" {
+ // configure the default project and region.
+ project = var.project_id
+ region = var.default_region
+ zone = var.default_zone
+
+ // A temporary OAuth 2.0 access token obtained from the Google Authorization server
+ // used to authenticate HTTP requests to GCP APIs.
+ access_token = data.google_service_account_access_token.default.access_token
+}
diff --git a/tf-count/terraform.tfvars b/tf-count/terraform.tfvars
index 3df2dbe..5d46bdb 100644
--- a/tf-count/terraform.tfvars
+++ b/tf-count/terraform.tfvars
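Review bot: Terraform only loads `*.tf` and `*.tf.json` files, so adding this as `providers.tf.disabled` while deleting `providers.tf` leaves the configuration, as far as the files in this series show, with no `provider "google"` block at all: the impersonation chain through `google_service_account_access_token` is not active, and the run uses whatever credentials the pipeline already holds, with no default project, region or zone. The `terraform_service_account` variable added in `tf-count/variables.tf` and the value set in `tf-count/terraform.tfvars` are therefore unreferenced in this commit. If the flow is being parked deliberately, the file should say so at the top, e.g. `# Not loaded by Terraform (.disabled extension). Rename to providers.tf to switch the run to service-account impersonation via the tokengen alias.`. On the flow itself, the `cloud-platform` scope is the broadest available and `lifetime = "600s"` is presumably consumed as a single static token for the whole plan/apply, so an apply longer than ten minutes would likely fail mid-way; a comment recording that trade-off next to `lifetime` would help whoever re-enables it.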
@@ -1,9 +1,11 @@
-// Variables definition
-project_id = "prj-tf-training"
-default_region = "us-central1"
-default_zone = "us-central1-a"
+# Variables definition
+project_id = "tidy-interface-421310"
+default_region = "us-central1"
+default_zone = "us-central1-a"
+terraform_service_account = "infra-prov-svc-acc@tidy-interface-421310.iam.gserviceaccount.com"
+
 vpc_name = "fdn-tst-vpc-01"
 auto_create_subnetworks = "false"
 delete_default_routes = false
 subnet_name = ["fdn-tst-subnet-01", "fdn-tst-subnet-02"]
-subnet_cidr = ["10.0.40.0/24", "10.0.42.0/24"]
\ No newline at end of file
+subnet_cidr = ["10.0.40.0/24", "10.0.42.0/24"]
diff --git a/tf-count/variables.tf b/tf-count/variables.tf
index c21c510..51884d7 100644
--- a/tf-count/variables.tf
+++ b/tf-count/variables.tf
@@ -1,4 +1,4 @@
-// Variables declaration
+# Variables declaration
 variable "project_id" {
 type = string
 description = "The ID of the google project to house the resources."
@@ -14,6 +14,13 @@ variable "default_zone" {
 description = "The default zone to create the google cloud zonal resources."
 }
+variable "terraform_service_account" {
+ type = string
+ description = "Terraform service account to execute the terraform code."
+ # Make sure to give "roles/iam.serviceAccountTokenCreator" role to an identity (who will trigger the terraform code) on this service account for the impersonation to succeed.
+}
+
+
 variable "vpc_name" {
 description = "The name of the VPC network being created."
 type = string
@@ -44,4 +51,4 @@ variable "subnet_name" {
 variable "subnet_cidr" {
 type = list(string)
 description = "The list of the CIDR range of the subnets."
-}
\ No newline at end of file
+}
diff --git a/tf-count/versions.tf b/tf-count/versions.tf
index c39bb11..0f0ad6c 100644
--- a/tf-count/versions.tf
+++ b/tf-count/versions.tf
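Review bot: The IAM prerequisite for `terraform_service_account` is written as a `#` comment inside the variable block, where only a reader of this file will ever see it; the `description` string is the place for it, since that is what module documentation and tooling surface, e.g. `description = "Service account Terraform impersonates. The identity that runs Terraform needs roles/iam.serviceAccountTokenCreator on it."`. The block is also followed by two added blank lines where the rest of the file separates variables with one.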
@@ -1,15 +1,15 @@
-// Terraform block to configure terraform and provider version
+# Terraform block to configure terraform and provider version
 terraform {
- required_version = "~> 1.3.6"
+ required_version = "~> 1.8.0"
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.55.0"
+ version = "~> 5.33.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.55.0"
+ version = "~> 5.33.0"
 }
 }
-}
\ No newline at end of file
+}
From e21b7902d5e8433640321cbf253c5dbce32e5832 Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 11:39:54 +0530
Subject: [PATCH 2/7] commented the tf-apply step
---
 .github/workflows/gitops.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
index 49e69dc..c7ed783 100644
--- a/.github/workflows/gitops.yml
+++ b/.github/workflows/gitops.yml
@@ -128,10 +128,10 @@ jobs:
 })
 # Executes the apply operation to deploy the actual infrastructure
- - name: Terraform Apply
- id: tf_apply
- if: github.ref == 'refs/heads/master' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ # - name: Terraform Apply
+ # id: tf_apply
+ # if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ # run: terraform apply -auto-approve
 - name: Notify success
 if: success() # this step runs only if the previous steps succeeded.
From 813864f290bb1d02d5f287aeec8dbda18347b09c Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 11:53:26 +0530
Subject: [PATCH 3/7] chnaged the working directory
---
 .github/workflows/gitops.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
index c7ed783..1f815fd 100644
--- a/.github/workflows/gitops.yml
+++ b/.github/workflows/gitops.yml
@@ -9,10 +9,10 @@ on:
 workflow_dispatch:
 defaults:
 run:
- working-directory: ./tf-variables/
+ working-directory: ./tf-count/
 env:
 TERRAFORM_VER: 1.8.0
- TERRAFORM_DIR: "./tf-variables/"
+ TERRAFORM_DIR: "./tf-count/"
 CLOUDSDK_VER: 480.0.0
 permissions:
 pull-requests: write
From 51ea2fa32666fe9798d50b3ee77f896251622f9b Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 12:03:42 +0530
Subject: [PATCH 4/7] added additional arg to ingore low, med sev issues
---
 .github/workflows/gitops.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
index 1f815fd..7bd4efa 100644
--- a/.github/workflows/gitops.yml
+++ b/.github/workflows/gitops.yml
@@ -44,6 +44,7 @@ jobs:
 uses: aquasecurity/tfsec-action@v1.0.3
 with:
 working_directory: ${{ env.TERRAFORM_DIR }}
+ additional_args: --exclude-severity LOW,MEDIUM
 # Install the latest version of Google Cloud SDK
 - id: cloud_sdk_installation
From c4f592ff5cad6c821236ee4109d9bdd4b376da4d Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 12:07:08 +0530
Subject: [PATCH 5/7] added additional arg to ingore low, med sev issues
---
 .github/workflows/gitops.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
index 7bd4efa..27e4fc1 100644
--- a/.github/workflows/gitops.yml
+++ b/.github/workflows/gitops.yml
@@ -44,7 +44,7 @@ jobs:
 uses: aquasecurity/tfsec-action@v1.0.3
 with:
 working_directory: ${{ env.TERRAFORM_DIR }}
- additional_args: --exclude-severity LOW,MEDIUM
+ additional_args: --exclude-ignores LOW,MEDIUM
 # Install the latest version of Google Cloud SDK
 - id: cloud_sdk_installation
From 4169f605594d64112b49ed3c4e6bcec333dc9af9 Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 12:10:48 +0530
Subject: [PATCH 6/7] added additional arg to ingore low, med sev issues
---
 .github/workflows/gitops.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
index 27e4fc1..f9c14fb 100644
--- a/.github/workflows/gitops.yml
+++ b/.github/workflows/gitops.yml
@@ -44,7 +44,7 @@ jobs:
 uses: aquasecurity/tfsec-action@v1.0.3
 with:
 working_directory: ${{ env.TERRAFORM_DIR }}
- additional_args: --exclude-ignores LOW,MEDIUM
+ additional_args: --minimum-severity HIGH
 # Install the latest version of Google Cloud SDK
 - id: cloud_sdk_installation
From d1faf6098bd83848d3d1a38aec4423223cbf8efe Mon Sep 17 00:00:00 2001
From: Anupam
Date: Tue, 18 Jun 2024 12:15:31 +0530
Subject: [PATCH 7/7] project arg added in subnet code
---
 tf-count/gcp_subnetwork.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tf-count/gcp_subnetwork.tf b/tf-count/gcp_subnetwork.tf
index d03e56b..f4913d0 100644
--- a/tf-count/gcp_subnetwork.tf
+++ b/tf-count/gcp_subnetwork.tf
@@ -2,6 +2,7 @@
 resource "google_compute_subnetwork" "tst_vpc_subnet" {
 count = length(var.subnet_name)
+ project = var.project_id
 name = var.subnet_name[count.index]
 ip_cidr_range = var.subnet_cidr[count.index]
 region = var.default_region
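Review bot: `--minimum-severity HIGH` silences every LOW and MEDIUM tfsec finding for the whole of `tf-count/` on every future change, not just whatever was failing today, and the two earlier attempts in this series (`--exclude-severity`, then `--exclude-ignores`) suggest the flag was chosen to get the job green rather than after triaging the findings. The hidden findings are worth a look before they are waved through — the subnet resource in this directory has no `log_config` block, for instance, which is the kind of gap tfsec reports below HIGH — and the better pattern is to fix each one or suppress it inline with `#tfsec:ignore:<check-id>` plus a reason, leaving the job strict. If the threshold stays, the line should at least say why: `additional_args: --minimum-severity HIGH # LOW/MEDIUM tracked in <ticket-id>; tighten once cleared`. Separately, `uses: aquasecurity/tfsec-action@v1.0.3` on the context line above is a mutable tag; pinning the action to its commit SHA keeps the scanner from changing underneath the pipeline.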
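Review bot: Setting `project` explicitly is needed now that providers.tf is gone and the provider carries no default project, but the block still indexes `var.subnet_cidr[count.index]` under `count = length(var.subnet_name)`, so a `subnet_cidr` list shorter than `subnet_name` fails at plan with an index error and a longer one silently drops its tail. With `required_version = "~> 1.8.0"` a variable `validation` block cannot compare two variables, so the clean way to surface the mismatch is a `lifecycle` precondition on the resource, as sketched below; a map keyed by subnet name with `for_each` would remove the coupling altogether. The resource block continues past the end of the hunk.
```hcl
resource "google_compute_subnetwork" "tst_vpc_subnet" {
  count   = length(var.subnet_name)
  project = var.project_id

  lifecycle {
    precondition {
      condition     = length(var.subnet_cidr) == length(var.subnet_name)
      error_message = "subnet_cidr must contain exactly one CIDR per entry in subnet_name."
    }
  }
  # … unchanged: name, ip_cidr_range, region, private_ip_google_access, network …
```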