Add Kubernetes Secrets

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/apps/outputs.tf

@@ -1,3 +1,7 @@
 output "service_account" {
   value = module.heroes_hat_cluster.service_account
 }
+
+output "gke_cluster" {
+  value = module.heroes_hat_cluster
+}

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/apps/variables.tf

@@ -8,7 +8,6 @@ variable "network_project_id" {
   type        = string
 }
 
-
 variable "gke_region" {
   description = "The region to host the clusters in"
   type        = string

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/kubernetes/main.tf

@@ -0,0 +1,3 @@
+terraform {
+  backend "gcs" {}
+}

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/kubernetes/secrets.tf

@@ -0,0 +1,101 @@
+data "google_container_cluster" "gke_cluster" {
+  name     = var.heroes_hat_cluster.name
+  location = var.heroes_hat_cluster.location
+  project  = var.project_id
+}
+
+
+provider "kubernetes" {
+  host                   = data.google_container_cluster.gke_cluster.endpoint
+  client_certificate     = base64decode(data.google_container_cluster.gke_cluster.master_auth.0.client_certificate)
+  client_key             = base64decode(data.google_container_cluster.gke_cluster.master_auth.0.client_key)
+  cluster_ca_certificate = base64decode(data.google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate)
+}
+
+
+# Data sources from Secret Manager.
+
+data "google_secret_manager_secret_version" "secrets" {
+  provider = google-beta
+  project  = var.secrets_project_id
+  secret   = each.key
+
+  for_each = toset([
+    "my-studies-sql-default-user-password",
+    "registration_client_id",
+    "registration_client_secret",
+    "wcp_user",
+    "wcp_pass",
+    "email_address",
+    "email_password",
+  ])
+}
+
+# Secrets from Secret Manager.
+resource "kubernetes_secret" "cloudsql_db_credentials" {
+  metadata {
+    name = "cloudsql-db-credentials"
+  }
+
+  data = {
+    username = var.sql_instance_user
+    password = data.google_secret_manager_secret_version.secrets["my-studies-sql-default-user-password"].secret_data
+    dbname   = var.sql_instance_name
+  }
+}
+
+resource "kubernetes_secret" "response_server_credentials" {
+  metadata {
+    name = "response-server-credentials"
+  }
+
+  data = {
+    REGISTRATION_CLIENT_ID     = data.google_secret_manager_secret_version.secrets["registration_client_id"].secret_data
+    REGISTRATION_CLIENT_SECRET = data.google_secret_manager_secret_version.secrets["registration_client_secret"].secret_data
+    WCP_USER                   = data.google_secret_manager_secret_version.secrets["wcp_user"].secret_data
+    WCP_PASS                   = data.google_secret_manager_secret_version.secrets["wcp_pass"].secret_data
+  }
+}
+
+resource "kubernetes_secret" "email_credentials" {
+  metadata {
+    name = "email-credentials"
+  }
+
+  data = {
+    email_address  = data.google_secret_manager_secret_version.secrets["email_address"].secret_data
+    email_password = data.google_secret_manager_secret_version.secrets["email_password"].secret_data
+  }
+}
+
+# Secrets from service accounts.
+resource "google_service_account_key" "gke_cluster_service_account_key" {
+  service_account_id = var.heroes_hat_cluster.service_account
+}
+
+resource "kubernetes_secret" "cloudsql_instance_credentials" {
+  metadata {
+    name = "cloudsql-instance-credentials"
+  }
+  data = {
+    "sql_credentials.json" = base64decode(google_service_account_key.gke_cluster_service_account_key.private_key)
+  }
+}
+
+resource "kubernetes_secret" "response_server_ws_gcloud_key" {
+  metadata {
+    name = "response-server-ws-gcloud-key"
+  }
+  data = {
+    "key.json" = base64decode(google_service_account_key.gke_cluster_service_account_key.private_key)
+  }
+}
+
+resource "kubernetes_secret" "user_registration_server_ws_gcloud_key" {
+  metadata {
+    name = "user-registration-server-ws-gcloud-key"
+  }
+  data = {
+    "key.json" = base64decode(google_service_account_key.gke_cluster_service_account_key.private_key)
+  }
+}

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/kubernetes/terraform.tfvars

@@ -0,0 +1,2 @@
+project_id         = "heroes-hat-dev-apps"
+secrets_project_id = "heroes-hat-dev-devops"

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/kubernetes/terragrunt.hcl

@@ -0,0 +1,30 @@
+include {
+  path = find_in_parent_folders()
+}
+
+dependency "apps" {
+  config_path = "../apps"
+
+  mock_outputs = {
+    gke_cluster = {
+      name            = "mock-name"
+      location        = "mock-location"
+      service_account = "mock-service-account"
+    }
+  }
+}
+
+dependency "data" {
+  config_path = "../../project.heroes-hat-dev-data/data/"
+
+  mock_outputs = {
+    instance_name = "mock-db"
+    instance_user = "mock-db-user"
+  }
+}
+
+inputs = {
+  sql_instance_name  = dependency.data.outputs.instance_name
+  sql_instance_user  = dependency.data.outputs.instance_user
+  heroes_hat_cluster = dependency.apps.outputs.gke_cluster
+}

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/kubernetes/variables.tf

@@ -0,0 +1,27 @@
+variable "project_id" {
+  description = "The GCP project id"
+  type        = string
+}
+
+variable "sql_instance_name" {
+  description = "The name of the SQL instance"
+  type        = string
+}
+
+variable "sql_instance_user" {
+  description = "The name of the user to use to log into the SQL instance"
+  type        = string
+}
+
+variable "secrets_project_id" {
+  type = string
+}
+
+variable "heroes_hat_cluster" {
+  description = "The GKE cluster module"
+  type = object({
+    name            = string
+    location        = string
+    service_account = string
+  })
+}

Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/data/outputs.tf

@@ -0,0 +1,9 @@
+output "instance_name" {
+  value = module.my_studies_cloudsql.instance_name
+}
+
+# This is not outputted by the safer_sql module, but allow dependents to treat
+# it like it is.
+output "instance_user" {
+  value = "default"
+}