diff --git a/projects/core/config/main.tf b/projects/core/config/main.tf
deleted file mode 100644
index 41e57bd..0000000
--- a/projects/core/config/main.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-terraform {
- backend "gcs" {
- bucket = "goboolean-450909-terraform-state"
- prefix = "core/config"
- }
-}
-
-module "vault_config" {
- source = "../../../modules/infra/vault/config"
- token_reviewer_jwt = local.token_reviewer_jwt
- kubernetes_host = local.gke_host
- kubernetes_ca_cert = local.gke_cluster_ca_certificate
- providers = {
- vault = vault
- }
-}
diff --git a/projects/core/config/terraform.tfvars b/projects/core/config/terraform.tfvars
deleted file mode 100644
index 9005dae..0000000
--- a/projects/core/config/terraform.tfvars
+++ /dev/null
@@ -1,3 +0,0 @@
-# Google Cloud Platform
-project_id = "goboolean-450909"
-region = "asia-northeast3"
diff --git a/projects/core/main.tf b/projects/core/main.tf
deleted file mode 100644
index 95a5aa9..0000000
--- a/projects/core/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-terraform {
- backend "gcs" {
- bucket = "goboolean-450909-terraform-state"
- prefix = "core"
- }
-}
-
-module "istio_gateway" {
- source = "../../modules/infra/istio/gateway"
-}
-
-module "cert_manager_manifest" {
- source = "../../modules/infra/cert-manager/manifest"
- cloudflare_api_token = local.cloudflare_api_token
-}
-
-module "vault" {
- source = "../../modules/infra/vault"
- project_id = var.project_id
- region = var.region
- key_ring_name = local.vault_kms_keyring_name
- crypto_key_name = local.vault_kms_crypto_key_name
-}
diff --git a/projects/core/provider.tf b/projects/core/provider.tf
deleted file mode 100644
index 9ee47fd..0000000
--- a/projects/core/provider.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = "4.84.0"
- }
- }
- required_version = ">= 0.14"
-}
-
-# cloudflare secrets
-provider "google" {
- project = var.project_id
- region = var.region
-}
-
-data "google_secret_manager_secret_version" "cloudflare_api_token" {
- secret = "cloudflare_api_token"
-}
-
-locals {
- cloudflare_api_token = data.google_secret_manager_secret_version.cloudflare_api_token.secret_data
-}
-
-# gke secrets
-data "terraform_remote_state" "gcp" {
- backend = "gcs"
-
- config = {
- bucket = "goboolean-450909-terraform-state"
- prefix = "gcp"
- }
-}
-
-data "google_client_config" "default" {}
-
-locals {
- gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
- gke_token = data.google_client_config.default.access_token
- gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
-
- vault_kms_keyring_name = data.terraform_remote_state.gcp.outputs.vault_kms_keyring_name
- vault_kms_crypto_key_name = data.terraform_remote_state.gcp.outputs.vault_kms_crypto_key_name
-}
-
-# providers
-provider "helm" {
- kubernetes {
- host = local.gke_host
- token = local.gke_token
- cluster_ca_certificate = local.gke_cluster_ca_certificate
- }
-}
-
-provider "kubernetes" {
- host = local.gke_host
- token = local.gke_token
- cluster_ca_certificate = local.gke_cluster_ca_certificate
-}
diff --git a/projects/core/terraform.tfvars b/projects/core/terraform.tfvars
deleted file mode 100644
index 9005dae..0000000
--- a/projects/core/terraform.tfvars
+++ /dev/null
@@ -1,3 +0,0 @@
-# Google Cloud Platform
-project_id = "goboolean-450909"
-region = "asia-northeast3"
diff --git a/projects/infra/terraform.tfvars b/projects/infra/terraform.tfvars
deleted file mode 100644
index a93fc8c..0000000
--- a/projects/infra/terraform.tfvars
+++ /dev/null
@@ -1,5 +0,0 @@
-# Google Cloud Platform
-project_id = "goboolean-450909"
-region = "asia-northeast3"
-zone = "asia-northeast3-a"
-location = "ASIA"
diff --git a/projects/infra/variables.tf b/projects/infra/variables.tf
deleted file mode 100644
index cd97bf3..0000000
--- a/projects/infra/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Google Cloud Platform
-variable "project_id" {
- description = "project id"
-}
-variable "region" {
- description = "region"
-}
-variable "zone" {
- description = "zone"
-}
-variable "location" {
- description = "location"
-}
-
-/*
- The following infrastructure depends on Vault.
- Therefore, it should be separated into a distinct module
- and divided into stages.
-*/
diff --git a/projects/k8s/base/istio-system.json b/projects/k8s/base/istio-system.json
deleted file mode 100644
index 5ad4111..0000000
--- a/projects/k8s/base/istio-system.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "apiVersion": "v1",
- "kind": "Namespace",
- "metadata": {
- "creationTimestamp": "2025-02-25T14:20:09Z",
- "deletionTimestamp": "2025-02-26T14:04:39Z",
- "labels": {
- "kubernetes.io/metadata.name": "istio-system"
- },
- "name": "istio-system",
- "resourceVersion": "1196581",
- "uid": "1706b331-1e53-4df8-a4c6-dd0e34262fb6"
- },
- "spec": {
- "finalizers": [
- "kubernetes"
- ]
- },
- "status": {
- "conditions": [
- {
- "lastTransitionTime": "2025-02-26T14:04:46Z",
- "message": "All resources successfully discovered",
- "reason": "ResourcesDiscovered",
- "status": "False",
- "type": "NamespaceDeletionDiscoveryFailure"
- },
- {
- "lastTransitionTime": "2025-02-26T14:04:46Z",
- "message": "All legacy kube types successfully parsed",
- "reason": "ParsedGroupVersions",
- "status": "False",
- "type": "NamespaceDeletionGroupVersionParsingFailure"
- },
- {
- "lastTransitionTime": "2025-02-26T14:04:46Z",
- "message": "All content successfully deleted, may be waiting on finalization",
- "reason": "ContentDeleted",
- "status": "False",
- "type": "NamespaceDeletionContentFailure"
- },
- {
- "lastTransitionTime": "2025-02-26T14:04:46Z",
- "message": "Some resources are remaining: challenges.acme.cert-manager.io has 1 resource instances",
- "reason": "SomeResourcesRemain",
- "status": "True",
- "type": "NamespaceContentRemaining"
- },
- {
- "lastTransitionTime": "2025-02-26T14:04:46Z",
- "message": "Some content in the namespace has finalizers remaining: finalizer.acme.cert-manager.io in 1 resource instances",
- "reason": "SomeFinalizersRemain",
- "status": "True",
- "type": "NamespaceFinalizersRemaining"
- }
- ],
- "phase": "Terminating"
- }
-}
diff --git a/projects/k8s/infra/configs/main.tf b/projects/k8s/infra/configs/main.tf
new file mode 100644
index 0000000..e2c6397
--- /dev/null
+++ b/projects/k8s/infra/configs/main.tf
@@ -0,0 +1,13 @@
+module "harbor-policy" {
+ source = "../../../../modules/infra/harbor/policy"
+ providers = {
+ harbor = harbor
+ }
+}
+
+module "argocd-application" {
+ source = "../../../../modules/infra/argocd/application"
+ providers = {
+ argocd = argocd
+ }
+}
diff --git a/projects/infra/provider.tf b/projects/k8s/infra/configs/providers.tf
similarity index 60%
rename from projects/infra/provider.tf
rename to projects/k8s/infra/configs/providers.tf
index 3fdc7a3..762b12c 100644
--- a/projects/infra/provider.tf
+++ b/projects/k8s/infra/configs/providers.tf
@@ -1,15 +1,10 @@
 terraform {
- required_providers {
- kubectl = {
- source = "gavinbunney/kubectl"
- version = ">= 1.14.0"
- }
-
- vault = {
- source = "hashicorp/vault"
- version = "4.6.0"
- }
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/infra/configs"
+ }
+ required_providers {
 argocd = {
 source = "argoproj-labs/argocd"
 version = "7.3.0"
@@ -23,6 +18,7 @@ terraform {
 required_version = ">= 0.14"
 }
+
 data "terraform_remote_state" "gcp" {
 backend = "gcs"
@@ -38,9 +34,12 @@ locals {
 gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
 gke_token = data.google_client_config.default.access_token
 gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
- vault_role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data
- vault_secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
 }
 provider "google" {
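Review bot: The backend added in the first hunk of providers.tf sends this stack's state to bucket `goboolean-450909-tfstate` under `452007/k8s/infra/configs`, while the sibling deployments stack in the same commit keeps its backend on `goboolean-450909-terraform-state` (only the prefix is changed) even though its own `terraform_remote_state` lookup now reads `goboolean-450909-tfstate`; if the bucket move is meant for every stack, `bucket = "goboolean-450909-tfstate"` in deployments/main.tf should follow. The `config` block of this file's `data "terraform_remote_state" "gcp"` lies outside the hunk, so whether it was repointed cannot be confirmed from the diff. The state written to the new bucket will hold the Harbor and Argo CD credentials that the `data "vault_kv_secret_v2"` blocks in this file resolve, so read access to the state bucket is equivalent to holding those credentials and should be scoped accordingly.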
@@ -48,46 +47,29 @@ provider "google" {
 region = var.region
 }
-data "google_secret_manager_secret_version" "vault_role_id" {
- secret = "vault_role_id"
-}
+ephemeral "google_service_account_jwt" "vault_jwt" {
+ target_service_account = "atlantis@${var.project_id}.iam.gserviceaccount.com"
+
+ payload = jsonencode({
+ sub: "atlantis@${var.project_id}.iam.gserviceaccount.com",
+ aud: "vault/terraform",
+ })
-data "google_secret_manager_secret_version" "vault_secret_id" {
- secret = "vault_secret_id"
+ expires_in = 1800
 }
 provider "vault" {
 address = "https://vault.goboolean.io"
+
 auth_login {
- path = "auth/approle/login"
+ path = "auth/gcp/login"
 parameters = {
- role_id = local.vault_role_id
- secret_id = local.vault_secret_id
+ jwt = ephemeral.google_service_account_jwt.vault_jwt.jwt
+ role = "terraform"
 }
 }
 }
-provider "kubernetes" {
- host = local.gke_host
- token = local.gke_token
- cluster_ca_certificate = local.gke_cluster_ca_certificate
-}
-
-provider "helm" {
- kubernetes {
- host = local.gke_host
- token = local.gke_token
- cluster_ca_certificate = local.gke_cluster_ca_certificate
- }
-}
-
-provider "kubectl" {
- host = local.gke_host
- token = local.gke_token
- cluster_ca_certificate = local.gke_cluster_ca_certificate
- load_config_file = false
-}
-
 data "vault_kv_secret_v2" "argocd" {
 mount = "kv"
 name = "infra/argocd"
@@ -99,6 +81,11 @@ provider "argocd" {
 password = data.vault_kv_secret_v2.argocd.data["password"]
 }
+data "vault_kv_secret_v2" "harbor" {
+ mount = "kv"
+ name = "infra/harbor"
+}
+
 provider "harbor" {
 url = "https://registry.goboolean.io"
 username = data.vault_kv_secret_v2.harbor.data["username"]
diff --git a/projects/core/variables.tf b/projects/k8s/infra/configs/variables.tf
similarity index 80%
rename from projects/core/variables.tf
rename to projects/k8s/infra/configs/variables.tf
index c3aa77c..d6823f7 100644
--- a/projects/core/variables.tf
+++ b/projects/k8s/infra/configs/variables.tf
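Review bot: The `ephemeral "google_service_account_jwt" "vault_jwt"` block added here needs Terraform 1.10 or later, but this file's `required_version = ">= 0.14"` (context in the previous hunk) was not raised; the same applies to the identical block added in `projects/k8s/infra/deployments/provider.tf`. Suggest `required_version = ">= 1.10"` in both files, and, since this file's `required_providers` entry for google is not visible in the diff, a google provider pin at a release that ships `google_service_account_jwt` as an ephemeral resource (deployments/provider.tf pins 6.23.0). The `aud: "vault/terraform"` claim and `role = "terraform"` must match the bound audience and role configured on the Vault `auth/gcp` mount, which is outside this change, so a plan against the live Vault is the only check available. Replacing the long-lived AppRole `secret_id` held in Secret Manager with a signed JWT that expires after 1800 seconds and is never persisted to state is a clear improvement; by contrast the new `data "vault_kv_secret_v2" "harbor"` block still writes the Harbor credentials into the state file, which is worth a comment such as `# NOTE: data-source secrets are persisted in state` next to it.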
@@ -1,7 +1,7 @@
+# Google Cloud Platform
 variable "project_id" {
 description = "project id"
 }
-
 variable "region" {
 description = "region"
 }
diff --git a/projects/infra/main.tf b/projects/k8s/infra/deployments/main.tf
similarity index 75%
rename from projects/infra/main.tf
rename to projects/k8s/infra/deployments/main.tf
index d977b12..1d2d4e5 100644
--- a/projects/infra/main.tf
+++ b/projects/k8s/infra/deployments/main.tf
@@ -1,7 +1,7 @@
 terraform {
 backend "gcs" {
 bucket = "goboolean-450909-terraform-state"
- prefix = "infra"
+ prefix = "452007/k8s/infra/deployments"
 }
 }
@@ -11,35 +11,24 @@ data "vault_kv_secret_v2" "harbor" {
 }
 module "harbor" {
- source = "../../modules/infra/harbor"
+ source = "../../../../modules/infra/harbor"
 harbor_username = data.vault_kv_secret_v2.harbor.data["username"]
 harbor_password = data.vault_kv_secret_v2.harbor.data["password"]
 }
-module "harbor_policy" {
- source = "../../modules/infra/harbor/policy"
- providers = {
- harbor = harbor
- }
-}
-
 module "kafka" {
- source = "../../modules/infra/kafka"
+ source = "../../../../modules/infra/kafka"
+ depends_on = [module.kube-prometheus-stack]
 }
 module "etcd" {
- source = "../../modules/infra/etcd"
+ source = "../../../../modules/infra/etcd"
 }
 module "opentelemetry" {
 source = "../../modules/infra/opentelemetry"
 }
-data "vault_kv_secret_v2" "argocd" {
- mount = "kv"
- name = "infra/argocd"
-}
-
 module "argocd" {
 source = "../../modules/infra/argocd"
 admin_password = data.vault_kv_secret_v2.argocd.data["password"]
@@ -52,6 +41,9 @@ module "argocd-application" {
 argocd = argocd
 }
 }
+ source = "../../../../modules/infra/argocd"
+}
+
 data "vault_kv_secret_v2" "postgresql" {
 mount = "kv"
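Review bot: The last hunk of deployments/main.tf adds a stray `source = "../../../../modules/infra/argocd"` and `}` after the already-closed `module "argocd-application"` block (which itself starts before the hunk), leaving an attribute and a brace at top level that is not valid HCL; it reads like a misplaced edit of `module "argocd"`, whose `source = "../../modules/infra/argocd"` — like `module "opentelemetry"`'s — was not moved to the four-level relative path that every other module in this file now uses. The same file removes `data "vault_kv_secret_v2" "argocd"` while `module "argocd"` still reads `data.vault_kv_secret_v2.argocd.data["password"]`; that data source now lives only in configs/providers.tf, a separate root module, so unless it is redefined elsewhere under deployments/ the reference no longer resolves. `module "argocd-application"` is also kept in this stack while the same module is added in configs/main.tf, so two states would manage the same objects. Proposed: drop the two stray lines, set `source = "../../../../modules/infra/argocd"` and `source = "../../../../modules/infra/opentelemetry"` on the two remaining modules, and keep the Argo CD application module in one stack only.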
@@ -59,7 +51,7 @@ data "vault_kv_secret_v2" "postgresql" {
 }
 module "postgresql" {
- source = "../../modules/infra/postgresql"
+ source = "../../../../modules/infra/postgresql"
 postgresql_username = data.vault_kv_secret_v2.postgresql.data["username"]
 postgresql_password = data.vault_kv_secret_v2.postgresql.data["password"]
 }
@@ -70,7 +62,7 @@ data "vault_kv_secret_v2" "influxdb" {
 }
 module "influxdb" {
- source = "../../modules/infra/influxdb"
+ source = "../../../../modules/infra/influxdb"
 influxdb_username = data.vault_kv_secret_v2.influxdb.data["username"]
 influxdb_password = data.vault_kv_secret_v2.influxdb.data["password"]
 influxdb_token = data.vault_kv_secret_v2.influxdb.data["token"]
@@ -82,7 +74,7 @@ data "vault_kv_secret_v2" "grafana" {
 }
 module "kube-prometheus-stack" {
- source = "../../modules/infra/monitoring/kube-prometheus-stack"
+ source = "../../../../modules/infra/monitoring/kube-prometheus-stack"
 grafana_username = data.vault_kv_secret_v2.grafana.data["username"]
 grafana_password = data.vault_kv_secret_v2.grafana.data["password"]
 }
@@ -93,7 +85,7 @@ data "vault_kv_secret_v2" "airflow" {
 }
 module "airflow" {
- source = "../../modules/infra/airflow"
+ source = "../../../../modules/infra/airflow"
 airflow_username = data.vault_kv_secret_v2.airflow.data["username"]
 airflow_password = data.vault_kv_secret_v2.airflow.data["password"]
 postgres_host = "postgresql.postgresql.svc.cluster.local"
@@ -102,12 +94,12 @@ module "airflow" {
 }
 module "loki-stack" {
- source = "../../modules/infra/monitoring/loki-stack"
+ source = "../../../../modules/infra/monitoring/loki-stack"
 project_id = var.project_id
 }
 module "dex" {
- source = "../../modules/infra/dex"
+ source = "../../../../modules/infra/dex"
 }
 data "vault_kv_secret_v2" "github" {
@@ -121,7 +113,7 @@ data "vault_kv_secret_v2" "atlantis" {
 }
 module "atlantis" {
- source = "../../modules/infra/atlantis"
+ source = "../../../../modules/infra/atlantis"
 project_id = var.project_id
 github_username = "goboolean-io"
@@ -132,18 +124,12 @@ module "atlantis" {
 }
 module "kiali" {
- source = "../../modules/infra/kiali"
+ source = "../../../../modules/infra/kiali"
 grafana_username = data.vault_kv_secret_v2.grafana.data["username"]
 grafana_password = data.vault_kv_secret_v2.grafana.data["password"]
 }
 module "redis" {
- source = "../../modules/infra/redis"
-}
-
-module "vault_operator" {
- source = "../../modules/infra/vault/operator"
- vault_role_id = local.vault_role_id
- vault_secret_id = local.vault_secret_id
+ source = "../../../../modules/infra/redis"
 }
diff --git a/projects/core/config/provider.tf b/projects/k8s/infra/deployments/provider.tf
similarity index 51%
rename from projects/core/config/provider.tf
rename to projects/k8s/infra/deployments/provider.tf
index 121da01..39a29ac 100644
--- a/projects/core/config/provider.tf
+++ b/projects/k8s/infra/deployments/provider.tf
@@ -2,12 +2,16 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "4.84.0"
+ version = "6.23.0"
 }
 vault = {
 source = "hashicorp/vault"
 version = "4.6.0"
 }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
 }
 required_version = ">= 0.14"
 }
@@ -16,8 +20,8 @@ data "terraform_remote_state" "gcp" {
 backend = "gcs"
 config = {
- bucket = "goboolean-450909-terraform-state"
- prefix = "gcp"
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
 }
 }
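Review bot: The `kubectl` entry added to `required_providers` in deployments/provider.tf uses an open-ended constraint, `version = ">= 1.14.0"`, for a community provider (`gavinbunney/kubectl`), while `google` and `vault` in the same block are pinned to exact releases; an open lower bound lets `terraform init -upgrade` fetch any future release of a third-party provider, which is a supply-chain exposure unless a committed `.terraform.lock.hcl` holds its checksums. Suggest pinning it like its neighbours, e.g. `version = "1.14.0"` or whichever release has been validated, and committing the lock file so provider checksums are verified on every init. The google bump from 4.84.0 to 6.23.0 spans two major versions; whether the resources inside the deployments modules are compatible with the 6.x provider cannot be judged from this diff and should be confirmed with a plan.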
@@ -35,37 +39,45 @@ provider "kubernetes" {
 cluster_ca_certificate = local.gke_cluster_ca_certificate
 }
-data "kubernetes_secret" "vault_sa_token" {
- metadata {
- name = "vault-sa-token"
- namespace = "vault"
- }
-}
-
-locals {
- token_reviewer_jwt = data.kubernetes_secret.vault_sa_token.data["token"]
-}
-
 provider "google" {
 project = var.project_id
 region = var.region
 }
-data "google_secret_manager_secret_version" "vault_role_id" {
- secret = "vault_role_id"
-}
+ephemeral "google_service_account_jwt" "vault_jwt" {
+ target_service_account = "atlantis@${var.project_id}.iam.gserviceaccount.com"
+
+ payload = jsonencode({
+ sub: "atlantis@${var.project_id}.iam.gserviceaccount.com",
+ aud: "vault/terraform",
+ })
-data "google_secret_manager_secret_version" "vault_secret_id" {
- secret = "vault_secret_id"
+ expires_in = 1800
 }
 provider "vault" {
 address = "https://vault.goboolean.io"
+
 auth_login {
- path = "auth/approle/login"
+ path = "auth/gcp/login"
 parameters = {
- role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data
- secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data
+ jwt = ephemeral.google_service_account_jwt.vault_jwt.jwt
+ role = "terraform"
 }
 }
 }
+
+provider "helm" {
+ kubernetes {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ }
+}
+
+provider "kubectl" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ load_config_file = false
+}
diff --git a/projects/core/config/variables.tf b/projects/k8s/infra/deployments/variables.tf
similarity index 80%
rename from projects/core/config/variables.tf
rename to projects/k8s/infra/deployments/variables.tf
index c3aa77c..d6823f7 100644
--- a/projects/core/config/variables.tf
+++ b/projects/k8s/infra/deployments/variables.tf
@@ -1,7 +1,7 @@
+# Google Cloud Platform
 variable "project_id" {
 description = "project id"
 }
-
 variable "region" {
 description = "region"
 }
diff --git a/projects/k8s/vault/configs/provider.tf b/projects/k8s/vault/configs/provider.tf
index 4b16b97..808c9c4 100644
--- a/projects/k8s/vault/configs/provider.tf
+++ b/projects/k8s/vault/configs/provider.tf
@@ -16,8 +16,8 @@ data "terraform_remote_state" "gcp" {
 backend = "gcs"
 config = {
- bucket = "goboolean-450909-terraform-state"
- prefix = "gcp"
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
 }
 }