
GONRG-3031 develop tf for workflow

+ 115
0
locals {
workflow_name = "workflow"
workflow_image = "community.opengroup.org:5555/osdu/platform/data-flow/ingestion/ingestion-workflow/osdu-gcp:latest"
workflow_roles_name = [
"roles/datastore.owner",
"roles/iam.serviceAccountTokenCreator",
]
}
resource "google_service_account" "workflow_sa" {
# GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
# KSA does not have this naming restriction.
depends_on = [google_container_node_pool.cluster_node_pool]
account_id = "workload-${local.workflow_name}-sa"
display_name = substr("GCP SA bound to K8S SA ${local.workflow_name}", 0, 100)
project = var.service_google_project
}
resource "kubernetes_service_account" "workflow-k8s" {
depends_on = [google_container_node_pool.cluster_node_pool, google_service_account.workflow_sa]
metadata {
name = "gke-${local.workflow_name}-sa"
namespace = "default"
annotations = {
"iam.gke.io/gcp-service-account" = google_service_account.workflow_sa.email
}
}
}
resource "google_project_iam_member" "iam-member-workflow" {
depends_on = [google_container_node_pool.cluster_node_pool, google_service_account.workflow_sa]
for_each = toset(local.workflow_roles_name)
project = var.service_google_project
role = each.value
member = "serviceAccount:${google_service_account.workflow_sa.email}"
}
resource "google_service_account_iam_member" "workflow-k8s" {
depends_on = [kubernetes_service_account.workflow-k8s]
service_account_id = google_service_account.workflow_sa.name
role = "roles/iam.workloadIdentityUser"
member = "serviceAccount:${var.service_google_project}.svc.id.goog[default/${kubernetes_service_account.workflow-k8s.metadata[0].name}]"
}
# Apply configmap from helm chart
resource "helm_release" "workflow-config" {
depends_on = [
google_container_node_pool.cluster_node_pool,
google_composer_environment.airflow,
]
name = "workflow-configmap"
repository = "https://community.opengroup.org/osdu/platform/data-flow/ingestion/ingestion-workflow/-/jobs/artifacts/gcp-helm-release-0-1/raw/helm-charts/?job=osdu-gcp-helm-charts"
chart = "gcp-ingestion-workflow-configmap"
namespace = "default"
recreate_pods = true
set {
name = "data.log_level"
value = var.log_level
}
set {
name = "data.osdu_entitlements_url"
value = "http://${local.ent_name}.default.svc.cluster.local/api/entitlements/v2"
}
set {
name = "data.authorize_api"
value = "http://${local.ent_name}.default.svc.cluster.local/api/entitlements/v2"
}
set {
name = "data.partition_api"
value = "http://${local.partition_name}.default.svc.cluster.local/api/partition/v1/"
}
set {
name = "data.google_audiences"
value = var.audiences
}
set {
name = "data.osdu_entitlements_appkey"
value = "workflow-service"
}
set {
name = "data.gcp_airflow_url"
value = google_composer_environment.airflow.config.0.airflow_uri
}
set {
name = "data.osdu_airflow_url"
value = google_composer_environment.airflow.config.0.airflow_uri
}
}
# Apply deploy from helm chart
resource "helm_release" "workflow-deploy" {
depends_on = [
helm_release.partition-deploy,
]
name = "workflow-deploy"
repository = "https://community.opengroup.org/osdu/platform/data-flow/ingestion/ingestion-workflow/-/jobs/artifacts/gcp-helm-release-0-1/raw/helm-charts/?job=osdu-gcp-helm-charts"
chart = "gcp-workflow-deploy"
namespace = "default"
recreate_pods = true
set {
name = "data.image"
value = local.workflow_image
}
set {
name = "data.serviceAccountName"
value = kubernetes_service_account.workflow-k8s.metadata[0].name
}
set {
name = "conf.app_name"
value = local.workflow_name
}
}
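Review bot: `roles/iam.serviceAccountTokenCreator` in `workflow_roles_name` is bound at project scope by `google_project_iam_member.iam-member-workflow`, which lets `workflow_sa` mint tokens for every service account in `var.service_google_project`, including any more privileged ones, rather than only the identity the workflow actually needs. That role is normally bound on the target service account itself with `google_service_account_iam_member`, the same pattern this commit already uses for `roles/iam.workloadIdentityUser`; which service account the workflow must impersonate is not visible in this change, so the target below is a placeholder to fill in. With that in place, `"roles/iam.serviceAccountTokenCreator",` can be dropped from the project-level list, leaving only `"roles/datastore.owner",` there. Separately, `workflow_image` ends in `:latest` and both `helm_release` blocks carry no `version`, so every apply may pull different code; pinning the image by digest (`...@sha256:<IMAGE_DIGEST>`, placeholder) and the charts by `version` makes the deployment reproducible and reviewable.
```hcl
locals {
  workflow_name  = "workflow"
  workflow_image = "community.opengroup.org:5555/osdu/platform/data-flow/ingestion/ingestion-workflow/osdu-gcp@sha256:<IMAGE_DIGEST>" # placeholder digest
  workflow_roles_name = [
    "roles/datastore.owner",
  ]
}

# … unchanged: google_service_account.workflow_sa, kubernetes_service_account.workflow-k8s, google_project_iam_member.iam-member-workflow …

# Token creation scoped to the one service account the workflow needs, not the whole project.
resource "google_service_account_iam_member" "workflow-token-creator" {
  service_account_id = "<TARGET_SERVICE_ACCOUNT_NAME>" # placeholder: SA the workflow must mint tokens for
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${google_service_account.workflow_sa.email}"
}

# … unchanged: helm_release.workflow-config, helm_release.workflow-deploy (add a pinned `version` to each) …
```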