Make dev distributor available via URL mappings

This will be available at api.transparency.dev/dev which is consistent with api.transparency.dev/ci
transparency-dev · Jan 14, 2025 · 400f394 · 400f394
1 parent 8b6a01c
commit 400f394
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 17 deletions.
diff --git a/deployment/api_transparency_dev/main.tf b/deployment/api_transparency_dev/main.tf
@@ -16,17 +16,17 @@ data "google_project" "project" {
 }
 
 data "terraform_remote_state" "ci_build_artefacts" {
-  backend = "gcs"
+  backend   = "gcs"
   workspace = terraform.workspace
-  config  = {
+  config = {
     bucket = "${var.project_name}-build-and-release-bucket-tfstate-ci"
     prefix = "ci/terraform.tfstate"
   }
 }
 data "terraform_remote_state" "prod_build_artefacts" {
-  backend = "gcs"
+  backend   = "gcs"
   workspace = terraform.workspace
-  config  = {
+  config = {
     bucket = "${var.project_name}-build-and-release-bucket-tfstate-prod"
     prefix = "prod/terraform.tfstate"
   }
@@ -105,6 +105,28 @@ module "lb-http" {
 
       enable_cdn = false
 
+      iap_config = {
+        enable = false
+      }
+      log_config = {
+        enable = false
+      }
+    }
+    dev = {
+      description = "Distributor API backend (dev)"
+      protocol    = "HTTPS"
+      port_name   = "https"
+      port        = 443
+      groups = [
+        {
+          group = google_compute_global_network_endpoint_group.distributor_dev.id
+        }
+      ]
+
+      health_check = null
+
+      enable_cdn = false
+
       iap_config = {
         enable = false
       }
@@ -158,14 +180,14 @@ resource "google_compute_url_map" "default" {
       route_action {
         url_rewrite {
           path_prefix_rewrite = "/distributor/"
-          host_rewrite = var.distributor_prod_host
+          host_rewrite        = var.distributor_prod_host
         }
       }
       service = module.lb-http.backend_services["prod"].id
     }
     path_rule {
       paths = [
-	# match on /distributor/ to prevent /metrics being exposed publicly
+        # match on /distributor/ to prevent /metrics being exposed publicly
         "/ci/distributor/*"
       ]
       route_action {
@@ -176,6 +198,19 @@ resource "google_compute_url_map" "default" {
       }
       service = module.lb-http.backend_services["ci"].id
     }
+    path_rule {
+      paths = [
+        # match on /distributor/ to prevent /metrics being exposed publicly
+        "/dev/distributor/*"
+      ]
+      route_action {
+        url_rewrite {
+          path_prefix_rewrite = "/distributor/"
+          host_rewrite        = var.distributor_dev_host
+        }
+      }
+      service = module.lb-http.backend_services["dev"].id
+    }
 
     #####
     ## CI log & aretefacts rules
@@ -255,15 +290,15 @@ resource "google_compute_backend_bucket" "firmware_log_ci" {
 
   name        = "firmware-log-ci-backend-${each.key}"
   description = "Contains CI firmware transparency log ${each.key}"
-  bucket_name = "${each.value}"
+  bucket_name = each.value
   enable_cdn  = false
 }
 resource "google_compute_backend_bucket" "firmware_artefacts_ci" {
   for_each = data.terraform_remote_state.ci_build_artefacts.outputs.firmware_artefact_buckets
 
   name        = "firmware-artefacts-ci-backend-${each.key}"
   description = "Contains CI firmware artefacts for FT log ${each.key}"
-  bucket_name = "${each.value}"
+  bucket_name = each.value
   enable_cdn  = false
 }
 
@@ -273,15 +308,15 @@ resource "google_compute_backend_bucket" "firmware_log_prod" {
 
   name        = "firmware-log-prod-backend-${each.key}"
   description = "Contains prod firmware transparency log ${each.key}"
-  bucket_name = "${each.value}"
+  bucket_name = each.value
   enable_cdn  = false
 }
 resource "google_compute_backend_bucket" "firmware_artefacts_prod" {
   for_each = data.terraform_remote_state.prod_build_artefacts.outputs.firmware_artefact_buckets
 
   name        = "firmware-artefacts-prod-backend-${each.key}"
   description = "Contains prod firmware artefacts for FT log ${each.key}"
-  bucket_name = "${each.value}"
+  bucket_name = each.value
   enable_cdn  = false
 }
 
@@ -299,6 +334,13 @@ resource "google_compute_global_network_endpoint_group" "distributor_ci" {
   default_port          = var.distributor_ci_port
   network_endpoint_type = "INTERNET_FQDN_PORT"
 }
+resource "google_compute_global_network_endpoint_group" "distributor_dev" {
+  name                  = "distributor-dev"
+  project               = var.project_id
+  provider              = google-beta
+  default_port          = var.distributor_dev_port
+  network_endpoint_type = "INTERNET_FQDN_PORT"
+}
 
 resource "google_compute_global_network_endpoint" "distributor_prod" {
   global_network_endpoint_group = google_compute_global_network_endpoint_group.distributor_prod.name
@@ -310,6 +352,11 @@ resource "google_compute_global_network_endpoint" "distributor_ci" {
   port                          = var.distributor_ci_port
   fqdn                          = var.distributor_ci_host
 }
+resource "google_compute_global_network_endpoint" "distributor_dev" {
+  global_network_endpoint_group = google_compute_global_network_endpoint_group.distributor_dev.name
+  port                          = var.distributor_dev_port
+  fqdn                          = var.distributor_dev_host
+}
 
 ## Terraform keys
 ## Commented out here as they're provided in the build_and_release unit.

diff --git a/deployment/api_transparency_dev/terraform.tfvars b/deployment/api_transparency_dev/terraform.tfvars
@@ -14,3 +14,6 @@ distributor_prod_port = 443
 
 distributor_ci_host = "distributor-service-ci-oxxl2d5jeq-uc.a.run.app"
 distributor_ci_port = 443
+
+distributor_dev_host = "distributor-service-dev-oxxl2d5jeq-uc.a.run.app"
+distributor_dev_port = 443
diff --git a/deployment/api_transparency_dev/variables.tf b/deployment/api_transparency_dev/variables.tf
@@ -1,20 +1,20 @@
 variable "project_id" {
-  type = number
+  type        = number
   description = "The project ID to host the cluster in"
 }
 
 variable "project_name" {
-  type = string
+  type        = string
   description = "The string project ID"
 }
 
 variable "signing_keyring_location" {
-  type = string
+  type        = string
   description = "The GCP location to create the signing keyring"
 }
 
 variable "tf_state_location" {
-  type = string
+  type        = string
   description = "The GCP location to store Terraform remote state"
 }
 
@@ -29,23 +29,31 @@ variable "tls" {
 }
 
 variable "distributor_prod_host" {
-  type = string
+  type        = string
   description = "Host name serving distributor service API (prod)"
 }
 variable "distributor_prod_port" {
   description = "Port on distributor_host where distributor service API is served (prod)"
   type        = number
 }
 variable "distributor_ci_host" {
-  type = string
+  type        = string
   description = "Host name serving distributor service API (ci)"
 }
 variable "distributor_ci_port" {
   description = "Port on distributor_host where distributor service API is served (ci)"
   type        = number
 }
+variable "distributor_dev_host" {
+  type        = string
+  description = "Host name serving distributor service API (dev)"
+}
+variable "distributor_dev_port" {
+  description = "Port on distributor_host where distributor service API is served (dev)"
+  type        = number
+}
 
 variable "lb_name" {
-  type = string
+  type        = string
   description = "Name of the load balancer"
 }