Refactor terraform modules

roger2hk · roger2hk · commit 622afdc1723d · 2024-11-12T21:02:50.000Z
diff --git a/deployment/live/gcp/test/terragrunt.hcl b/deployment/live/gcp/test/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "${get_repo_root()}/deployment/modules/gcp//storage"
+  source = "${get_repo_root()}/deployment/modules/gcp//"
 }
 
 locals {
diff --git a/deployment/modules/gcp/key/main.tf b/deployment/modules/gcp/key/main.tf
@@ -0,0 +1,60 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.1.0"
+    }
+  }
+}
+
+# Secret Manager
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended. Instead, generate a private key file outside of Terraform and 
+# distribute it securely to the system where Terraform will be run.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "sctfe_ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
+  secret_id = "sctfe-ecdsa-p256-public-key"
+
+  labels = {
+    label = "sctfe-public-key"
+  }
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
+  secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
+
+  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+}
+
+resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
+  secret_id = "sctfe-ecdsa-p256-private-key"
+
+  labels = {
+    label = "sctfe-private-key"
+  }
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
+  secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
+
+  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+}
diff --git a/deployment/modules/gcp/key/outputs.tf b/deployment/modules/gcp/key/outputs.tf
@@ -0,0 +1,9 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_public_key.id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_private_key.id
+}
diff --git a/deployment/modules/gcp/main.tf b/deployment/modules/gcp/main.tf
@@ -0,0 +1,15 @@
+terraform {
+  backend "gcs" {}
+}
+
+module "storage" {
+  source = "./storage"
+
+  project_id = var.project_id
+  base_name  = var.base_name
+  location   = var.location
+}
+
+module "key" {
+  source = "./key"
+}
diff --git a/deployment/modules/gcp/outputs.tf b/deployment/modules/gcp/outputs.tf
@@ -0,0 +1,9 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = module.key.ecdsa_p256_public_key_id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = module.key.ecdsa_p256_private_key_id
+}
diff --git a/deployment/modules/gcp/storage/main.tf b/deployment/modules/gcp/storage/main.tf
@@ -1,6 +1,4 @@
 terraform {
-  backend "gcs" {}
-
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
@@ -37,6 +35,7 @@ resource "google_storage_bucket" "log_bucket" {
   location                    = var.location
   storage_class               = "STANDARD"
   uniform_bucket_level_access = true
+  force_destroy = true
 }
 
 # Spanner
@@ -46,6 +45,7 @@ resource "google_spanner_instance" "log_spanner" {
   config           = "regional-${var.location}"
   display_name     = var.base_name
   processing_units = 100
+  force_destroy = true
 }
 
 resource "google_spanner_database" "log_db" {
@@ -65,55 +65,3 @@ resource "google_spanner_database" "dedup_db" {
     "CREATE TABLE IDSeq (id INT64 NOT NULL, h BYTES(MAX) NOT NULL, idx INT64 NOT NULL,) PRIMARY KEY (id, h)",
   ]
 }
-
-# Secret Manager
-
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
-# recommended. Instead, generate a private key file outside of Terraform and 
-# distribute it securely to the system where Terraform will be run.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
-  secret_id = "sctfe-ecdsa-p256-public-key"
-
-  labels = {
-    label = "sctfe-public-key"
-  }
-
-  replication {
-    auto {}
-  }
-}
-
-resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
-  secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
-
-  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
-}
-
-resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
-  secret_id = "sctfe-ecdsa-p256-private-key"
-
-  labels = {
-    label = "sctfe-private-key"
-  }
-
-  replication {
-    auto {}
-  }
-}
-
-resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
-  secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
-
-  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
-}
diff --git a/deployment/modules/gcp/storage/outputs.tf b/deployment/modules/gcp/storage/outputs.tf
@@ -17,13 +17,3 @@ output "dedup_spanner_db" {
   description = "Dedup Spanner database"
   value       = google_spanner_database.dedup_db
 }
-
-output "ecdsa_p256_public_key_id" {
-  description = "Signer public key (P256_SHA256)"
-  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_public_key.id
-}
-
-output "ecdsa_p256_private_key_id" {
-  description = "Signer private key (P256_SHA256)"
-  value       = google_secret_manager_secret_version.sctfe_ecdsa_p256_private_key.id
-}
diff --git a/deployment/modules/gcp/variables.tf b/deployment/modules/gcp/variables.tf
@@ -0,0 +1,14 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`terraform {`
`2`		`- source = "${get_repo_root()}/deployment/modules/gcp//storage"`
	`2`	`+ source = "${get_repo_root()}/deployment/modules/gcp//"`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`locals {`