feat: add optional worker pools and add support to self-signed certificates (GoogleCloudPlatform#399)

Author: caetano-colin

1-bootstrap/README.md

@@ -275,6 +275,7 @@ Within the repository, you'll find `backend.tf` files that define the GCS bucket
 | project\_id | Project ID for initial resources | `string` | n/a | yes |
 | tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "nonproduction",<br>  "production"<br>]</pre> | no |
 | trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"us-central1"` | no |
+| worker\_pool\_id | Specifies the Cloud Build Worker Pool that will be utilized for triggers created in this step.<br><br>The expected format is:<br>`projects/PROJECT/locations/LOCATION/workerPools/POOL_NAME`.<br><br>If you are using worker pools from a different project, ensure that you grant the<br>`roles/cloudbuild.workerPoolUser` role to the Cloud Build Service Agent and the Cloud Build Service Account of the trigger project:<br>`service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`, `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`<br><br>If this variable is left undefined, Worker Pool will not be used for the Cloud Build Triggers. | `string` | `""` | no |
 
 ## Outputs
 

1-bootstrap/main.tf

@@ -34,6 +34,9 @@ locals {
   use_csr                    = var.cloudbuildv2_repository_config.repo_type == "CSR"
   csr_repos                  = local.use_csr ? { for k, v in var.cloudbuildv2_repository_config.repositories : k => v.repository_name } : {}
   cb_service_accounts_emails = { for k, v in module.tf_cloudbuild_workspace : k => reverse(split("/", v.cloudbuild_sa))[0] }
+
+  // If the user specify a Cloud Build Worker Pool, utilize it in the trigger
+  optional_worker_pool = var.worker_pool_id != "" ? { "_PRIVATE_POOL" = var.worker_pool_id } : {}
 }
 
 resource "google_sourcerepo_repository" "gcp_repo" {
@@ -102,12 +105,12 @@ module "tf_cloudbuild_workspace" {
     roles = local.cb_config[each.key].roles }
   }
 
-  substitutions = {
+  substitutions = merge({
     "_GAR_REGION"                   = var.location
     "_GAR_PROJECT_ID"               = google_artifact_registry_repository.tf_image.project
     "_GAR_REPOSITORY"               = google_artifact_registry_repository.tf_image.name
     "_DOCKER_TAG_VERSION_TERRAFORM" = local.docker_tag_version_terraform
-  }
+  }, local.optional_worker_pool)
 
   # Branches to run the build
   tf_apply_branches = var.tf_apply_branches

1-bootstrap/terraform.tfvars

@@ -20,4 +20,10 @@ cloudbuildv2_repository_config = {
   gitlab_webhook_secret_id                    = "REPLACE_WITH_WEBHOOK_SECRET_ID"
   # If you are using a self-hosted instance, you may change the URL below accordingly
   gitlab_enterprise_host_uri = "https://gitlab.com"
+  # Format is projects/PROJECT/locations/LOCATION/namespaces/NAMESPACE/services/SERVICE
+  gitlab_enterprise_service_directory = "REPLACE_WITH_SERVICE_DIRECTORY"
+  # .pem string
+  gitlab_enterprise_ca_certificate = <<EOF
+REPLACE_WITH_SSL_CERT
+EOF
 }

1-bootstrap/variables.tf

@@ -154,3 +154,20 @@ variable "cloudbuildv2_repository_config" {
   }
 
 }
+
+variable "worker_pool_id" {
+  description = <<-EOT
+    Specifies the Cloud Build Worker Pool that will be utilized for triggers created in this step.
+
+    The expected format is:
+    `projects/PROJECT/locations/LOCATION/workerPools/POOL_NAME`.
+
+    If you are using worker pools from a different project, ensure that you grant the
+    `roles/cloudbuild.workerPoolUser` role to the Cloud Build Service Agent and the Cloud Build Service Account of the trigger project:
+    `service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`, `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`
+
+    If this variable is left undefined, Worker Pool will not be used for the Cloud Build Triggers.
+  EOT
+  type        = string
+  default     = ""
+}

4-appfactory/README.md

@@ -31,6 +31,8 @@ It will also create an Application Folder to group your admin projects under it,
 
 ## Usage
 
+### Git Provider
+
 You have 3 Git provider options for this step: Cloud Source Repositories (CSR), Github, and Gitlab. If you are using Github or Gitlab you will need to take additional steps that are described in the following sections:
 
 - [Cloud Build with Github Pre-requisites](#cloud-build-with-github-pre-requisites)
@@ -107,6 +109,20 @@ To proceed with Gitlab as your git provider you will need:
     gcloud projects add-iam-policy-binding $GIT_SECRET_PROJECT --role=roles/secretmanager.admin --member=serviceAccount:tf-cb-eab-applicationfactory@YOUR-CLOUDBUILD-PROJECT.iam.gserviceaccount.com
     ```
 
+### Worker Pool Requirements
+
+If you are not using Worker Pools you can skip this step. If you are using Worker Pools, an additional step must be taken before deploying.
+
+There is a terraform script that will assign required permissions on the Worker Pool Host Project and requires `var.worker_pool_id` to be specified on the 4-appfactory `terraform.tfvars` file. The script is located at [./modules/app-group-baseline/additional_workerpool_permissions.tf.example](./modules/app-group-baseline/additional_workerpool_permissions.tf.example).
+
+1. Enable the permission assignment terraform script on `app-group-baseline` module.
+
+    ```bash
+    mv ./modules/app-group-baseline/additional_workerpool_permissions.tf.example ./modules/app-group-baseline/additional_workerpool_permissions.tf
+    ```
+
+After renaming the file to `additional_workerpool_permissions.tf`, when you run the pipeline, the required permissions will automatically be assigned on the Worker Pool Host Project.
+
 ### Deploying with Google Cloud Build
 
 The steps below assume that you are checked out on the same level as `terraform-google-enterprise-application` and `terraform-example-foundation` directories.

4-appfactory/envs/shared/README.md

@@ -15,6 +15,7 @@
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "nonproduction",<br>  "production"<br>]</pre> | no |
 | trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"us-central1"` | no |
+| worker\_pool\_id | Specifies the Cloud Build Worker Pool that will be utilized for triggers created in this step.<br><br>The expected format is:<br>`projects/PROJECT/locations/LOCATION/workerPools/POOL_NAME`.<br><br>If you are using worker pools from a different project, ensure that you grant the<br>`roles/cloudbuild.workerPoolUser` role to the Cloud Build Service Agent and the Cloud Build Service Account of the trigger project:<br>`service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`, `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`<br><br>If this variable is left undefined, Worker Pool will not be used for the Cloud Build Triggers. | `string` | `""` | no |
 
 ## Outputs
 

4-appfactory/envs/shared/main.tf

@@ -79,6 +79,6 @@ module "components" {
   create_admin_project = each.value.service.create_admin_project
   create_infra_project = each.value.service.create_infra_project
 
-
   cloudbuildv2_repository_config = var.cloudbuildv2_repository_config
+  worker_pool_id                 = var.worker_pool_id
 }

4-appfactory/envs/shared/variables.tf

@@ -169,3 +169,20 @@ variable "cloudbuildv2_repository_config" {
   }
 
 }
+
+variable "worker_pool_id" {
+  description = <<-EOT
+    Specifies the Cloud Build Worker Pool that will be utilized for triggers created in this step.
+
+    The expected format is:
+    `projects/PROJECT/locations/LOCATION/workerPools/POOL_NAME`.
+
+    If you are using worker pools from a different project, ensure that you grant the
+    `roles/cloudbuild.workerPoolUser` role to the Cloud Build Service Agent and the Cloud Build Service Account of the trigger project:
+    `service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`, `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`
+
+    If this variable is left undefined, Worker Pool will not be used for the Cloud Build Triggers.
+  EOT
+  type        = string
+  default     = ""
+}

4-appfactory/modules/app-group-baseline/README.md

@@ -24,6 +24,7 @@
 | service\_name | The name of a single service application. | `string` | `"demo-app"` | no |
 | tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "nonproduction",<br>  "production"<br>]</pre> | no |
 | trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"global"` | no |
+| worker\_pool\_id | Specifies the Cloud Build Worker Pool that will be utilized for triggers created in this step.<br><br>The expected format is:<br>`projects/PROJECT/locations/LOCATION/workerPools/POOL_NAME`.<br><br>If you are using worker pools from a different project, ensure that you grant the<br>`roles/cloudbuild.workerPoolUser` role to the Cloud Build Service Agent and the Cloud Build Service Account of the trigger project:<br>`service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`, `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`<br><br>If this variable is left undefined, Worker Pool will not be used for the Cloud Build Triggers. | `string` | `""` | no |
 
 ## Outputs
 

4-appfactory/modules/app-group-baseline/additional_workerpool_permissions.tf.example

@@ -0,0 +1,44 @@
+
+// ============== TERRAFOM SCRIPT - CLOUD BUILD WORKER POOL PERMISSIONS ==============
+// This is an optional terraform script
+// - Assigns workerPoolUser to Cloud Build Service Agent and Service Account
+// - Allows the use of worker pool in separate project
+// - Admin projects will be able to build images using workerpool
+// ******************
+// ** REQUIREMENTS **
+// ******************
+// To run this script in AppFactory Pipeline:
+// - Application Factory Pipeline SA must have `roles/resourcemanager.projectIamAdmin` on the workerpool project
+
+locals {
+  projects_re         = "projects/([^/]+)/"
+  worker_pool_project = regex(local.projects_re, var.worker_pool_id)[0]
+}
+
+data "google_project" "admin_projects" {
+  project_id = local.admin_project_id
+}
+
+resource "google_project_iam_member" "assign_permissions" {
+  project  = local.worker_pool_project
+  role     = "roles/cloudbuild.workerPoolUser"
+  member   = "serviceAccount:service-${data.google_project.admin_projects.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "assign_permissions_service_agent" {
+  project  = local.worker_pool_project
+  role     = "roles/cloudbuild.workerPoolUser"
+  member   = "serviceAccount:${data.google_project.admin_projects.number}@cloudbuild.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "sd_viewer" {
+  project = local.worker_pool_project
+  role    = "roles/servicedirectory.viewer"
+  member  = "serviceAccount:service-${data.google_project.admin_projects.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "access_network" {
+  project = local.worker_pool_project
+  role    = "roles/servicedirectory.pscAuthorizedService"
+  member  = "serviceAccount:service-${data.google_project.admin_projects.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+}