Pulled Vault core into a separate submodule

.kitchen.yml

@@ -34,4 +34,9 @@ suites:
       name: terraform
       command_timeout: 1800
       root_module_directory: test/fixtures/simple_external
+  - name: shared_vpc_internal
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/shared_vpc_internal
 

Makefile

@@ -27,6 +27,9 @@ REGISTRY_URL := gcr.io/cloud-foundation-cicd
 docker_run:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
+		-e TF_VAR_org_id \
+		-e TF_VAR_folder_id \
+		-e TF_VAR_billing_account \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash
@@ -60,6 +63,9 @@ docker_test_cleanup:
 docker_test_integration:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
+		-e TF_VAR_org_id \
+		-e TF_VAR_folder_id \
+		-e TF_VAR_billing_account \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/test_integration.sh

examples/shared_vpc_internal/main.tf

@@ -0,0 +1,61 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_compute_network" "vault" {
+  name    = var.network_name
+  project = var.host_project_id
+}
+
+data "google_compute_subnetwork" "vault" {
+  name    = var.subnet_name
+  project = var.host_project_id
+  region  = var.region
+}
+
+resource "google_compute_address" "vault_ilb" {
+  project      = var.service_project_id
+  region       = var.region
+  subnetwork   = data.google_compute_subnetwork.vault.self_link
+  name         = "vault-internal"
+  address_type = "INTERNAL"
+}
+
+resource "google_service_account" "vault-admin" {
+  project      = var.service_project_id
+  account_id   = var.service_account_name
+  display_name = "Vault Admin"
+}
+
+resource "google_storage_bucket" "vault" {
+  project       = var.service_project_id
+  name          = "${var.service_project_id}-vault-storage"
+  location      = "US"
+  force_destroy = true
+}
+
+module "vault_cluster" {
+  source = "../../modules/cluster"
+
+  project_id                  = var.service_project_id
+  host_project_id             = var.host_project_id
+  subnet                      = data.google_compute_subnetwork.vault.self_link
+  ip_address                  = google_compute_address.vault_ilb.address
+  vault_storage_bucket        = google_storage_bucket.vault.name
+  vault_service_account_email = google_service_account.vault-admin.email
+  load_balancing_scheme       = "INTERNAL"
+  kms_keyring                 = var.kms_keyring
+  region                      = var.region
+}

examples/shared_vpc_internal/variables.tf

@@ -0,0 +1,42 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "host_project_id" {}
+
+variable "service_project_id" {}
+
+variable "kms_keyring" {
+  default = "vault-keyring"
+}
+
+variable "service_project_name" {
+  default = "vault-svpc-service"
+}
+
+variable "network_name" {
+  default = "vault-svpc"
+}
+
+variable "subnet_name" {
+  default = "vault"
+}
+
+variable "service_account_name" {
+  default = "vault-svpc-admin"
+}
+variable "region" {
+  default = "us-west1"
+}

main.tf

@@ -14,21 +14,22 @@
  * limitations under the License.
  */
 
-
 locals {
-  vault_tls_bucket  = var.vault_tls_bucket != "" ? var.vault_tls_bucket : local.storage_bucket_name
-  default_kms_key   = "projects/${var.project_id}/locations/${var.region}/keyRings/${var.kms_keyring}/cryptoKeys/${var.kms_crypto_key}"
-  vault_tls_kms_key = var.vault_tls_kms_key != "" ? var.vault_tls_kms_key : local.default_kms_key
-  lb_ip             = local.use_external_lb ? google_compute_forwarding_rule.external[0].ip_address : google_compute_address.vault_ilb[0].address
-  api_addr          = var.domain != "" ? "https://${var.domain}:${var.vault_port}" : "https://${local.lb_ip}:${var.vault_port}"
+  lb_scheme       = upper(var.load_balancing_scheme)
+  use_internal_lb = local.lb_scheme == "INTERNAL"
+  use_external_lb = local.lb_scheme == "EXTERNAL"
+  ip_address      = local.use_internal_lb ? google_compute_address.vault_ilb[0].address : google_compute_address.vault[0].address
 }
 
-# Configure the Google provider, locking to the 2.0 series.
+# Configure the Google provider.
 provider "google" {
   project = var.project_id
   region  = var.region
 }
 
+# This needs to stay here to allow migration from 4.2 to 5.0
+provider "tls" {}
+
 # Enable required services on the project
 resource "google_project_service" "service" {
   for_each = toset(var.project_services)
@@ -50,122 +51,49 @@ resource "google_service_account" "vault-admin" {
   depends_on = [google_project_service.service]
 }
 
-# Give project-level IAM permissions to the service account.
-resource "google_project_iam_member" "project-iam" {
-  for_each = toset(var.service_account_project_iam_roles)
-  project  = var.project_id
-  role     = each.value
-  member   = "serviceAccount:${google_service_account.vault-admin.email}"
-
-  depends_on = [google_project_service.service]
-}
-
-# Give additional project-level IAM permissions to the service account.
-resource "google_project_iam_member" "additional-project-iam" {
-  for_each = toset(var.service_account_project_additional_iam_roles)
-  project  = var.project_id
-  role     = each.key
-  member   = "serviceAccount:${google_service_account.vault-admin.email}"
-
-  depends_on = [google_project_service.service]
-}
-
-# Give bucket-level permissions to the service account.
-resource "google_storage_bucket_iam_member" "vault" {
-  for_each = toset(var.service_account_storage_bucket_iam_roles)
-  bucket   = google_storage_bucket.vault.name
-  role     = each.key
-  member   = "serviceAccount:${google_service_account.vault-admin.email}"
-
-  depends_on = [google_project_service.service]
-}
-
-# Give kms cryptokey-level permissions to the service account.
-resource "google_kms_crypto_key_iam_member" "ck-iam" {
-  crypto_key_id = google_kms_crypto_key.vault-init.self_link
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:${google_service_account.vault-admin.email}"
-
-  depends_on = [google_project_service.service]
-}
-
-resource "google_kms_crypto_key_iam_member" "tls-ck-iam" {
-  count = var.manage_tls == false ? 1 : 0
-
-  crypto_key_id = var.vault_tls_kms_key
-  role          = "roles/cloudkms.cryptoKeyDecrypter"
-  member        = "serviceAccount:${google_service_account.vault-admin.email}"
-}
-
-resource "google_storage_bucket_iam_member" "tls-bucket-iam" {
-  count = var.manage_tls == false ? 1 : 0
-
-  bucket = var.vault_tls_bucket
-  role   = "roles/storage.objectViewer"
-  member = "serviceAccount:${google_service_account.vault-admin.email}"
-}
-
-# Create the KMS key ring
-resource "google_kms_key_ring" "vault" {
-  name     = var.kms_keyring
-  location = var.region
-  project  = var.project_id
-
-  depends_on = [google_project_service.service]
-}
-
-# Create the crypto key for encrypting init keys
-resource "google_kms_crypto_key" "vault-init" {
-  name            = var.kms_crypto_key
-  key_ring        = google_kms_key_ring.vault.id
-  rotation_period = "604800s"
-
-  version_template {
-    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
-    protection_level = upper(var.kms_protection_level)
-  }
-}
-
-# Compile the startup script. This script installs and configures Vault and all
-# dependencies.
-data "template_file" "vault-startup-script" {
-  template = file("${path.module}/scripts/startup.sh.tpl")
-
-  vars = {
-    config                  = data.template_file.vault-config.rendered
-    custom_http_proxy       = var.http_proxy
-    service_account_email   = google_service_account.vault-admin.email
-    internal_lb             = local.use_internal_lb
-    vault_args              = var.vault_args
-    vault_port              = var.vault_port
-    vault_proxy_port        = var.vault_proxy_port
-    vault_version           = var.vault_version
-    vault_tls_bucket        = local.vault_tls_bucket
-    vault_ca_cert_filename  = var.vault_ca_cert_filename
-    vault_tls_key_filename  = var.vault_tls_key_filename
-    vault_tls_cert_filename = var.vault_tls_cert_filename
-    kms_project             = var.vault_tls_kms_key_project == "" ? var.project_id : var.vault_tls_kms_key_project
-    kms_crypto_key          = local.vault_tls_kms_key
-    user_startup_script     = var.user_startup_script
-  }
-}
-
-# Compile the Vault configuration.
-data "template_file" "vault-config" {
-  template = file(format("%s/scripts/config.hcl.tpl", path.module))
-
-  vars = {
-    kms_project                              = var.project_id
-    kms_location                             = google_kms_key_ring.vault.location
-    kms_keyring                              = google_kms_key_ring.vault.name
-    kms_crypto_key                           = google_kms_crypto_key.vault-init.name
-    lb_ip                                    = local.lb_ip
-    api_addr                                 = local.api_addr
-    storage_bucket                           = google_storage_bucket.vault.name
-    vault_log_level                          = var.vault_log_level
-    vault_port                               = var.vault_port
-    vault_tls_disable_client_certs           = var.vault_tls_disable_client_certs
-    vault_tls_require_and_verify_client_cert = var.vault_tls_require_and_verify_client_cert
-    vault_ui_enabled                         = var.vault_ui_enabled
-  }
+module "cluster" {
+  source                                       = "./modules/cluster"
+  ip_address                                   = local.ip_address
+  subnet                                       = local.subnet
+  project_id                                   = var.project_id
+  region                                       = var.region
+  vault_storage_bucket                         = google_storage_bucket.vault.name
+  vault_service_account_email                  = google_service_account.vault-admin.email
+  service_account_project_additional_iam_roles = var.service_account_project_additional_iam_roles
+  service_account_storage_bucket_iam_roles     = var.service_account_storage_bucket_iam_roles
+  kms_keyring                                  = var.kms_keyring
+  kms_crypto_key                               = var.kms_crypto_key
+  kms_protection_level                         = var.kms_protection_level
+  load_balancing_scheme                        = var.load_balancing_scheme
+  vault_args                                   = var.vault_args
+  vault_instance_labels                        = var.vault_instance_labels
+  vault_ca_cert_filename                       = var.vault_ca_cert_filename
+  vault_instance_metadata                      = var.vault_instance_metadata
+  vault_instance_base_image                    = var.vault_instance_base_image
+  vault_instance_tags                          = var.vault_instance_tags
+  vault_log_level                              = var.vault_log_level
+  vault_min_num_servers                        = var.vault_min_num_servers
+  vault_machine_type                           = var.vault_machine_type
+  vault_max_num_servers                        = var.vault_max_num_servers
+  vault_port                                   = var.vault_port
+  vault_proxy_port                             = var.vault_proxy_port
+  vault_tls_disable_client_certs               = var.vault_tls_disable_client_certs
+  vault_tls_require_and_verify_client_cert     = var.vault_tls_require_and_verify_client_cert
+  vault_tls_bucket                             = var.vault_tls_bucket
+  vault_tls_kms_key                            = var.vault_tls_kms_key
+  vault_tls_kms_key_project                    = var.vault_tls_kms_key_project
+  vault_tls_cert_filename                      = var.vault_tls_cert_filename
+  vault_tls_key_filename                       = var.vault_tls_key_filename
+  vault_ui_enabled                             = var.vault_ui_enabled
+  vault_version                                = var.vault_version
+  http_proxy                                   = var.http_proxy
+  user_startup_script                          = var.user_startup_script
+  manage_tls                                   = var.manage_tls
+  tls_ca_subject                               = var.tls_ca_subject
+  tls_cn                                       = var.tls_cn
+  domain                                       = var.domain
+  tls_dns_names                                = var.tls_dns_names
+  tls_ips                                      = var.tls_ips
+  tls_save_ca_to_disk                          = var.tls_save_ca_to_disk
+  tls_ou                                       = var.tls_ou
 }