openbao-helm/test/terraform/main.tf

locals {
  service_account_path = "${path.module}/service-account.yaml"
}

provider "google" {
  project = "${var.project}"
  region  = "us-central1"

  credentials = "${file("vault-helm-dev-creds.json")}"
}

resource "random_id" "suffix" {
  byte_length = 4
}

data "google_container_engine_versions" "main" {
  location = "${var.zone}"
  version_prefix = "1.12."
}

data "google_service_account" "gcpapi" {
  account_id = "${var.gcp_service_account}"
}

resource "google_kms_key_ring" "keyring" {
  name     = "vault-helm-unseal-kr"
  location = "global"
}

resource "google_kms_crypto_key" "vault-helm-unseal-key" {
  name            = "vault-helm-unseal-key"
  key_ring        = "${google_kms_key_ring.keyring.self_link}"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_container_cluster" "cluster" {
  name               = "vault-helm-dev-${random_id.suffix.dec}"
  project            = "${var.project}"
  enable_legacy_abac = true
  initial_node_count = 3
  zone               = "${var.zone}"
  min_master_version = "${data.google_container_engine_versions.main.latest_master_version}"
  node_version       = "${data.google_container_engine_versions.main.latest_node_version}"

  node_config {
    #service account for nodes to use
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform",
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_write",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/trace.append",
    ]

    service_account = "${data.google_service_account.gcpapi.email}"
  }
}

resource "null_resource" "kubectl" {
  count = "${var.init_cli ? 1 : 0 }"

  triggers = {
    cluster = "${google_container_cluster.cluster.id}"
  }

  # On creation, we want to setup the kubectl credentials. The easiest way
  # to do this is to shell out to gcloud.
  provisioner "local-exec" {
    command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}"
  }

  # On destroy we want to try to clean up the kubectl credentials. This
  # might fail if the credentials are already cleaned up or something so we
  # want this to continue on failure. Generally, this works just fine since
  # it only operates on local data.
  provisioner "local-exec" {
    when       = "destroy"
    on_failure = "continue"
    command    = "kubectl config get-clusters | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-cluster"
  }

  provisioner "local-exec" {
    when       = "destroy"
    on_failure = "continue"
    command    = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context"
  }
}

resource "null_resource" "helm" {
  count      = "${var.init_cli ? 1 : 0 }"
  depends_on = ["null_resource.kubectl"]

  triggers = {
    cluster = "${google_container_cluster.cluster.id}"
  }

  provisioner "local-exec" {
    command = <<EOF
kubectl apply -f '${local.service_account_path}'
helm init --service-account helm
EOF
  }
}
Move all terraform setup to test/terraform 2018-08-20 23:15:47 +00:00			`locals {`
			`service_account_path = "${path.module}/service-account.yaml"`
			`}`

Initial stuff 2018-08-20 22:26:37 +00:00			`provider "google" {`
update terraform config: specific scopes needed to use auto-unseal. Right now a pre-made service account is used, but will be replaced later 2018-11-29 21:48:02 +00:00			`project = "${var.project}"`
			`region = "us-central1"`

really ugly hack/slash proof-of-concept, forked from consul-helm 2018-10-02 21:14:57 +00:00			`credentials = "${file("vault-helm-dev-creds.json")}"`
Initial stuff 2018-08-20 22:26:37 +00:00			`}`

			`resource "random_id" "suffix" {`
			`byte_length = 4`
			`}`

test: terraform uses data source to get latest GKE version 2018-09-11 19:35:16 +00:00			`data "google_container_engine_versions" "main" {`
Refactor chart for 1.0, add tests, update TF (#2) * Refactor chart for 1.0, add tests, update TF * Fix typo in helper comment * Add NOTES for post install instructions * Fix typo in NOTES * Fix replication port for enterprise * Change updateStrategy to OnDelete * Add icon * Remove cluster address from config * Update README, add contributing doc * Update README * Change HA replicas to 3 2019-07-31 18:26:12 +00:00			`location = "${var.zone}"`
			`version_prefix = "1.12."`
test: terraform uses data source to get latest GKE version 2018-09-11 19:35:16 +00:00			`}`

update terraform config: specific scopes needed to use auto-unseal. Right now a pre-made service account is used, but will be replaced later 2018-11-29 21:48:02 +00:00			`data "google_service_account" "gcpapi" {`
			`account_id = "${var.gcp_service_account}"`
			`}`
snapshot of dev before I switched tasks 2018-10-29 15:36:23 +00:00
Refactor chart for 1.0, add tests, update TF (#2) * Refactor chart for 1.0, add tests, update TF * Fix typo in helper comment * Add NOTES for post install instructions * Fix typo in NOTES * Fix replication port for enterprise * Change updateStrategy to OnDelete * Add icon * Remove cluster address from config * Update README, add contributing doc * Update README * Change HA replicas to 3 2019-07-31 18:26:12 +00:00			`resource "google_kms_key_ring" "keyring" {`
			`name = "vault-helm-unseal-kr"`
			`location = "global"`
			`}`

			`resource "google_kms_crypto_key" "vault-helm-unseal-key" {`
			`name = "vault-helm-unseal-key"`
			`key_ring = "${google_kms_key_ring.keyring.self_link}"`

			`lifecycle {`
			`prevent_destroy = true`
			`}`
			`}`

Initial stuff 2018-08-20 22:26:37 +00:00			`resource "google_container_cluster" "cluster" {`
really ugly hack/slash proof-of-concept, forked from consul-helm 2018-10-02 21:14:57 +00:00			`name = "vault-helm-dev-${random_id.suffix.dec}"`
Initial stuff 2018-08-20 22:26:37 +00:00			`project = "${var.project}"`
			`enable_legacy_abac = true`
minor tweaks 2018-10-04 20:07:41 +00:00			`initial_node_count = 3`
Initial stuff 2018-08-20 22:26:37 +00:00			`zone = "${var.zone}"`
test: terraform uses data source to get latest GKE version 2018-09-11 19:35:16 +00:00			`min_master_version = "${data.google_container_engine_versions.main.latest_master_version}"`
			`node_version = "${data.google_container_engine_versions.main.latest_node_version}"`
update terraform config: specific scopes needed to use auto-unseal. Right now a pre-made service account is used, but will be replaced later 2018-11-29 21:48:02 +00:00
			`node_config {`
			`#service account for nodes to use`
			`oauth_scopes = [`
			`"https://www.googleapis.com/auth/cloud-platform",`
			`"https://www.googleapis.com/auth/compute",`
			`"https://www.googleapis.com/auth/devstorage.read_write",`
			`"https://www.googleapis.com/auth/logging.write",`
			`"https://www.googleapis.com/auth/monitoring",`
			`"https://www.googleapis.com/auth/service.management.readonly",`
			`"https://www.googleapis.com/auth/servicecontrol",`
			`"https://www.googleapis.com/auth/trace.append",`
			`]`

			`service_account = "${data.google_service_account.gcpapi.email}"`
			`}`
Initial stuff 2018-08-20 22:26:37 +00:00			`}`

Move all terraform setup to test/terraform 2018-08-20 23:15:47 +00:00			`resource "null_resource" "kubectl" {`
			`count = "${var.init_cli ? 1 : 0 }"`

Refactor chart for 1.0, add tests, update TF (#2) * Refactor chart for 1.0, add tests, update TF * Fix typo in helper comment * Add NOTES for post install instructions * Fix typo in NOTES * Fix replication port for enterprise * Change updateStrategy to OnDelete * Add icon * Remove cluster address from config * Update README, add contributing doc * Update README * Change HA replicas to 3 2019-07-31 18:26:12 +00:00			`triggers = {`
Move all terraform setup to test/terraform 2018-08-20 23:15:47 +00:00			`cluster = "${google_container_cluster.cluster.id}"`
			`}`

			`# On creation, we want to setup the kubectl credentials. The easiest way`
			`# to do this is to shell out to gcloud.`
			`provisioner "local-exec" {`
			`command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}"`
			`}`

			`# On destroy we want to try to clean up the kubectl credentials. This`
			`# might fail if the credentials are already cleaned up or something so we`
			`# want this to continue on failure. Generally, this works just fine since`
			`# it only operates on local data.`
			`provisioner "local-exec" {`
			`when = "destroy"`
			`on_failure = "continue"`
			`command = "kubectl config get-clusters \| grep ${google_container_cluster.cluster.name} \| xargs -n1 kubectl config delete-cluster"`
			`}`

			`provisioner "local-exec" {`
			`when = "destroy"`
			`on_failure = "continue"`
			`command = "kubectl config get-contexts \| grep ${google_container_cluster.cluster.name} \| xargs -n1 kubectl config delete-context"`
			`}`
			`}`

			`resource "null_resource" "helm" {`
really ugly hack/slash proof-of-concept, forked from consul-helm 2018-10-02 21:14:57 +00:00			`count = "${var.init_cli ? 1 : 0 }"`
test/terraform: can't install helm until kubectl is configured 2018-08-20 23:17:46 +00:00			`depends_on = ["null_resource.kubectl"]`
Move all terraform setup to test/terraform 2018-08-20 23:15:47 +00:00
Refactor chart for 1.0, add tests, update TF (#2) * Refactor chart for 1.0, add tests, update TF * Fix typo in helper comment * Add NOTES for post install instructions * Fix typo in NOTES * Fix replication port for enterprise * Change updateStrategy to OnDelete * Add icon * Remove cluster address from config * Update README, add contributing doc * Update README * Change HA replicas to 3 2019-07-31 18:26:12 +00:00			`triggers = {`
Move all terraform setup to test/terraform 2018-08-20 23:15:47 +00:00			`cluster = "${google_container_cluster.cluster.id}"`
			`}`

			`provisioner "local-exec" {`
			`command = <<EOF`
			`kubectl apply -f '${local.service_account_path}'`
			`helm init --service-account helm`
			`EOF`
			`}`
			`}`