ci: Initial Terraform configurations (Work in Progress)

.gitignore

@@ -57,4 +57,16 @@ api_key
 generation/new_client/workspace
 
 # Monorepo repository generation
-monorepo
+monorepo
+
+# Terraform
+*.hcl
+**/.terraform/.terraform/
+**/.terraform/plugins/
+**/.terraform/providers/
+**/.terraform/plugin_path
+*.lock.
+*.tfstate
+*.tfstate.backup
+*.tfstate.*.backup
+*.tfstate.lock.info

.kokoro/build.sh

@@ -47,6 +47,13 @@ case ${JOB_TYPE} in
         IFS=,
         echo "${modified_module_list[*]}"
       )
+
+#      terraform -version
+#      source ./.terraform/helpers/init.sh "$module_list"
+#      source ./.terraform/helpers/plan.sh
+#      source ./.terraform/helpers/apply.sh
+#      source ./.terraform/helpers/populate-env.sh
+
       install_modules
       printf "Running Integration Tests for:\n%s\n" "${module_list}"
       mvn -B ${INTEGRATION_TEST_ARGS} \
@@ -66,6 +73,9 @@ case ${JOB_TYPE} in
         -T 1C \
         verify
       RETURN_CODE=$?
+
+#      source ./.terraform/helpers/destroy.sh
+
       printf "Finished Integration Tests for:\n%s\n" "${module_list}"
     else
       echo "No Integration Tests to run"

.terraform/.gitignore

@@ -0,0 +1,7 @@
+generated.tfplan
+generated.tfplan.json
+generated.auto.tfvars
+generated-env.sh
+generated-main.tf
+generated-outputs.tf
+generated-variables.tf

.terraform/cleanup.sh

@@ -0,0 +1,31 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+scriptDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$scriptDir" >/dev/null
+
+# Ensure GCP project environment variables are initialized.
+if [[ $(terraform state list) == "" ]]; then
+  echo "Nothing to destroy."
+  exit
+fi
+
+source ./helpers/gcloud-sync-env.sh
+source ./helpers/destroy.sh
+source ./helpers/gcloud-delete-project.sh
+
+popd >/dev/null

.terraform/helpers/apply.sh

@@ -0,0 +1,21 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+helperDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$helperDir/.." >/dev/null || exit
+terraform apply "generated.tfplan" || exit
+popd >/dev/null || exit

.terraform/helpers/common.sh

@@ -0,0 +1,71 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+# Find all directories starting with 'java-', sort them, then join
+# with ',' as the delimiter.
+function listAllModules() {
+  # Ensure current directory is repo root.
+  helperDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+  pushd "$helperDir/../.." >/dev/null
+
+  ls -1 -d java-* | sort | paste -s -d, -
+
+  popd >/dev/null
+}
+
+# Replaces '-' with '_' to get a Terraform output-friendly label
+function getFriendlyOutputName() {
+  echo "$1" | tr '-' _
+}
+
+# Get the output object in JSON format for the given module.
+function getOutput() {
+  friendlyName=$(getFriendlyOutputName "$1")
+  terraform output -json "$friendlyName"
+}
+
+# Parse stdin and get the value associated with the given key.
+function parseJson() {
+  python3 -c "import sys, json; print(json.load(sys.stdin)['$1'])"
+}
+
+# Example use: getModuleOutput java-redis redis_network
+function getModuleOutput() {
+  getOutput "$1" | parseJson "$2"
+}
+
+# @returns exit code 0 if list $1 contains entry $2.
+function contains() {
+  echo "$1" | grep -w -q "$2"
+}
+
+# @returns a new-line delimited list of active terraform modules
+function getActiveTerraformModules() {
+  terraform state list | awk -F'[/.]' '{print $2}' | uniq
+}
+
+function getTerraformServiceAccountName() {
+  echo "terraform-service-account"
+}
+
+function getTerraformServiceAccountEmail() {
+  if [ -z "${GOOGLE_CLOUD_PROJECT}" ]; then
+    echo "GOOGLE_CLOUD_PROJECT must be defined."
+    exit 1
+  fi
+  echo "$(getTerraformServiceAccountName)@$GOOGLE_CLOUD_PROJECT.iam.gserviceaccount.com"
+}

.terraform/helpers/destroy.sh

@@ -0,0 +1,39 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+helperDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$helperDir/.." >/dev/null
+
+# Execute 'predestroy.sh' scripts for any active modules
+source ./helpers/common.sh
+allModules=$(listAllModules)
+activeModules=$(getActiveTerraformModules)
+IFS=','
+for module in $allModules; do
+  friendlyName=$(getFriendlyOutputName "$module")
+  if ! contains "$activeModules" "$friendlyName"; then
+    continue # Skip unless active.
+  fi
+
+  if [[ -f "../$module/.terraform/predestroy.sh" ]]; then
+    # shellcheck disable=SC1090
+    source "../$module/.terraform/predestroy.sh"
+  fi
+done
+
+terraform destroy -auto-approve
+popd >/dev/null

.terraform/helpers/gcloud-create-project.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+if [ -n "${GOOGLE_CLOUD_PROJECT}" ]; then
+  echo "Using current GOOGLE_CLOUD_PROJECT: $GOOGLE_CLOUD_PROJECT"
+  return
+fi
+
+currentProject=$(gcloud config get project)
+if [ -n "${currentProject}" ]; then
+  echo -n "Do you want to use the current gcloud project ($currentProject)? (Y|n): "
+  read -r shouldUseCurrent
+  if [[ "$shouldUseCurrent" != n* ]] && [[ "$shouldUseCurrent" != N* ]]; then
+    GOOGLE_CLOUD_PROJECT=$currentProject
+    export GOOGLE_CLOUD_PROJECT
+    return
+  fi
+fi
+
+echo -n "GOOGLE_CLOUD_PROJECT not set. Do you want to create a project? (Y|n): "
+read -r shouldCreate
+if [[ "$shouldCreate" == n* ]] || [[ "$shouldCreate" == N* ]]; then
+  echo "Project required. Exiting."
+  exit 1
+fi
+
+# Ensure required environment variables are set.
+if [ -z "${GOOGLE_CLOUD_FOLDER_ID}" ]; then
+  echo -n "GOOGLE_CLOUD_FOLDER_ID not set. GCP Folder ID: "
+  read -r folder_id
+  export GOOGLE_CLOUD_FOLDER_ID="${folder_id}"
+fi
+if [ -z "${GOOGLE_CLOUD_BILLING_ACCOUNT}" ]; then
+  echo -n "GOOGLE_CLOUD_BILLING_ACCOUNT not set. GCP Billing Account ID: "
+  read -r billing_acct
+  export GOOGLE_CLOUD_BILLING_ACCOUNT="${billing_acct}"
+fi
+if [ -z "${GOOGLE_CLOUD_PROJECT_PREFIX}" ]; then
+  echo -n "GOOGLE_CLOUD_PROJECT_PREFIX not set. Prefix for New Project: "
+  read -r prefix
+  export GOOGLE_CLOUD_PROJECT_PREFIX="${prefix}"
+fi
+
+# Provision GCP Project
+projectId="${GOOGLE_CLOUD_PROJECT_PREFIX}"-"$RANDOM"
+gcloud projects create --folder="$GOOGLE_CLOUD_FOLDER_ID" "$projectId" || exit
+gcloud config set project "$projectId"
+gcloud services enable cloudresourcemanager.googleapis.com
+gcloud beta billing projects link "$projectId" --billing-account="$GOOGLE_CLOUD_BILLING_ACCOUNT"
+GOOGLE_CLOUD_PROJECT=$projectId

.terraform/helpers/gcloud-create-service-account.sh

@@ -0,0 +1,63 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+# Use the project ID in gcloud set-quota-project. Clear the existing quota project directly from
+# the configuration, and re-set.
+gcloud config set project "$GOOGLE_CLOUD_PROJECT"
+sed -i.bak '/quota_project_id/d' ~/.config/gcloud/application_default_credentials.json
+gcloud auth application-default set-quota-project "$GOOGLE_CLOUD_PROJECT"
+
+# Assign permission for current gcloud account to impersonate a service account.
+gcloud_account=$(gcloud config get account)
+gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
+  --member="user:$gcloud_account" \
+  --role="roles/iam.serviceAccountTokenCreator" >/dev/null
+
+# Set up service account for impersonation
+source ./helpers/common.sh
+service_account_name=$(getTerraformServiceAccountName)
+service_account_email=$(getTerraformServiceAccountEmail)
+# If it doesn't already exist, create the service account.
+gcloud iam service-accounts describe "$service_account_email" &>/dev/null
+if [[ $? -ne 0 ]]; then
+  gcloud iam service-accounts create "$service_account_name"
+  createdServiceAccount=true
+else
+  createdServiceAccount=false
+fi
+
+# Assign permissions to the service account.
+gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
+  --member="serviceAccount:$service_account_email" \
+  --role="roles/owner" >/dev/null
+gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
+  --member="serviceAccount:$service_account_email" \
+  --role="roles/resourcemanager.projectIamAdmin" >/dev/null
+
+# See https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code
+export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$service_account_email
+
+if $createdServiceAccount; then
+  echo "Waiting 2m for service account permissions to take effect... [0s elapsed]"
+  sleep 30
+  echo "Waiting 2m for service account permissions to take effect... [30s elapsed]"
+  sleep 30
+  echo "Waiting 2m for service account permissions to take effect... [1m0s elapsed]"
+  sleep 30
+  echo "Waiting 2m for service account permissions to take effect... [1m30s elapsed]"
+  sleep 30
+fi

.terraform/helpers/gcloud-delete-project.sh

@@ -0,0 +1,35 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -eo pipefail
+
+if [ -n "${GOOGLE_CLOUD_PROJECT}" ]; then
+  helperDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+  pushd "$helperDir/.." >/dev/null
+
+  # Always verify whether or not to destroy the project.
+  echo -n "Delete project ($GOOGLE_CLOUD_PROJECT)? (y/N): "
+  read -r shouldDestroy
+  if [[ "$shouldDestroy" == y* ]] || [[ "$shouldDestroy" == Y* ]]; then
+    # Do not use service account when attempting to delete the project
+    unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
+    gcloud projects delete "$GOOGLE_CLOUD_PROJECT"
+    gcloud config unset project
+    unset GOOGLE_CLOUD_PROJECT
+    rm ./generated.auto.tfvars
+  fi
+
+  popd >/dev/null
+fi