Update terraform modules

README.terraform.md

@@ -47,7 +47,7 @@ For local development, there is a `sandbox-deploy` module set up to deploy the r
 
 1. Create a [cloud.gov service account](https://cloud.gov/docs/services/cloud-gov-service-account/) with the `OrgManager` permission
     ```
-    ./create_service_account -s SPACEPREFIX-mgmt -u glr-local-deploy -m > secrets.auto.tfvars
+    ./create_service_account -s SPACEPREFIX-mgmt -u glr-local-deploy > secrets.auto.tfvars
     ```
 
 1. Copy `vars.tfvars-example` to `vars.auto.tfvars`.

main.tf

@@ -19,7 +19,7 @@ locals {
 
 # manager_space: cloud.gov space for running the manager app
 module "manager_space" {
-  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.0.0"
+  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.1.0"
 
   cf_org_name   = var.cf_org_name
   cf_space_name = "${var.cf_space_prefix}-manager"
@@ -30,25 +30,19 @@ module "manager_space" {
 
 # worker_space: cloud.gov space for running runner workers and runner services
 module "worker_space" {
-  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.0.0"
-
-  cf_org_name   = var.cf_org_name
-  cf_space_name = "${var.cf_space_prefix}-workers"
-  allow_ssh     = true # manager must be able to cf ssh into workers
-  deployers     = [var.cf_user]
-  developers    = var.developer_emails
-}
-
-# temporary method for setting egress rules until terraform provider supports it and cg_space module is updated
-data "external" "set-worker-egress" {
-  program     = ["/bin/sh", "set_space_egress.sh", "-t", "-s", module.worker_space.space_name]
-  working_dir = path.module
-  depends_on  = [module.worker_space]
+  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.1.0"
+
+  cf_org_name          = var.cf_org_name
+  cf_space_name        = "${var.cf_space_prefix}-workers"
+  allow_ssh            = true # manager must be able to cf ssh into workers
+  deployers            = [var.cf_user]
+  developers           = var.developer_emails
+  security_group_names = ["trusted_local_networks_egress"]
 }
 
 # object_store_instance: s3 bucket for caching build dependencies
 module "object_store_instance" {
-  source = "github.com/GSA-TTS/terraform-cloudgov//s3?ref=v2.0.0"
+  source = "github.com/GSA-TTS/terraform-cloudgov//s3?ref=v2.1.0"
 
   cf_space_id  = module.manager_space.space_id
   name         = var.object_store_instance
@@ -80,14 +74,16 @@ locals {
 
 # gitlab-runner-manager: the actual runner manager app
 resource "cloudfoundry_app" "gitlab-runner-manager" {
-  provider          = cloudfoundry-community
   name              = var.runner_manager_app_name
-  space             = module.manager_space.space_id
+  space_name        = module.manager_space.space_name
+  org_name          = var.cf_org_name
   path              = data.archive_file.src.output_path
   source_code_hash  = data.archive_file.src.output_base64sha256
   buildpacks        = ["https://github.com/cloudfoundry/apt-buildpack", "binary_buildpack"]
   instances         = var.manager_instances
+  strategy          = "rolling"
   command           = "gitlab-runner run"
+  no_route          = true
   memory            = var.manager_memory
   health_check_type = "process"
 
@@ -128,23 +124,26 @@ resource "cloudfoundry_app" "gitlab-runner-manager" {
     DOCKER_HUB_USER           = var.docker_hub_user
     DOCKER_HUB_TOKEN          = var.docker_hub_token
   }
-  service_binding {
-    service_instance = module.object_store_instance.bucket_id
-  }
-  service_binding {
-    service_instance = cloudfoundry_service_instance.egress-proxy-credentials.id
-  }
+  service_bindings = [
+    { service_instance = var.object_store_instance },
+    { service_instance = cloudfoundry_service_instance.egress-proxy-credentials.name }
+  ]
+  depends_on = [
+    module.object_store_instance,
+    cloudfoundry_service_instance.egress-proxy-credentials
+  ]
 }
 
 # egress_space: cloud.gov space for running the egress proxy
 module "egress_space" {
-  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.0.0"
-
-  cf_org_name   = var.cf_org_name
-  cf_space_name = "${var.cf_space_prefix}-egress"
-  allow_ssh     = var.allow_ssh
-  deployers     = [var.cf_user]
-  developers    = var.developer_emails
+  source = "github.com/GSA-TTS/terraform-cloudgov//cg_space?ref=v2.1.0"
+
+  cf_org_name          = var.cf_org_name
+  cf_space_name        = "${var.cf_space_prefix}-egress"
+  allow_ssh            = var.allow_ssh
+  deployers            = [var.cf_user]
+  developers           = var.developer_emails
+  security_group_names = ["public_networks_egress"]
 }
 
 # service-account-egress-role: grant the service account user space_developer in the egress space to
@@ -155,16 +154,9 @@ resource "cloudfoundry_space_role" "service-account-egress-role" {
   type     = "space_developer"
 }
 
-# temporary method for setting egress rules until terraform provider supports it and cg_space module is updated
-data "external" "set-proxy-egress" {
-  program     = ["/bin/sh", "set_space_egress.sh", "-p", "-s", module.egress_space.space_name]
-  working_dir = path.module
-  depends_on  = [module.egress_space]
-}
-
 # egress_proxy: set up the egress proxy app
 module "egress_proxy" {
-  source = "github.com/GSA-TTS/terraform-cloudgov//egress_proxy?ref=v2.0.0"
+  source = "github.com/GSA-TTS/terraform-cloudgov//egress_proxy?ref=v2.1.0"
 
   cf_org_name     = var.cf_org_name
   cf_egress_space = module.egress_space.space

providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = ">= 1.1.0"
+      version = ">= 1.2.0"
     }
     cloudfoundry-community = {
       source  = "cloudfoundry-community/cloudfoundry"

sandbox-deploy/create_service_account.sh

@@ -7,18 +7,17 @@ $0: Create a Service User Account for a given space
 
 Usage:
   $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
 
 Options:
 -h: show help and exit
 -s <SPACE NAME>: configure the space to act on. Required
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
--m: If provided, make the service user an OrgManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
 
 Notes:
-* OrgManager is required for terraform to create <env>-egress spaces
+* Will make the service account an OrgManager in order to create spaces
 * Requires cf-cli@8 & jq
 "
 
@@ -35,10 +34,8 @@ set -o pipefail
 space=""
 service=""
 role="space-deployer"
-org_manager="false"
-org_manager_output=""
 
-while getopts ":hms:u:r:o:" opt; do
+while getopts ":hs:u:r:o:" opt; do
   case "$opt" in
     s)
       space=${OPTARG}
@@ -52,41 +49,35 @@ while getopts ":hms:u:r:o:" opt; do
     o)
       org=${OPTARG}
       ;;
-    m)
-      org_manager_output="-m"
-      org_manager="true"
-      ;;
     h)
       echo "$usage"
       exit 0
       ;;
   esac
 done
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage" >&2
   exit 1
 fi
 
-cf target -o $org -s $space >&2
+cf target -o "$org" -s "$space" >&2
 
 # create user account service
-cf create-service cloud-gov-service-account $role $service >&2
+cf create-service cloud-gov-service-account "$role" "$service" >&2
 
 # create service key
-cf create-service-key $service service-account-key >&2
+cf create-service-key "$service" service-account-key >&2
 
 # output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentials'`
-username=`echo $creds | jq -r '.username'`
-password=`echo $creds | jq -r '.password'`
+creds=`cf service-key "$service" service-account-key | tail -n +2 | jq '.credentials'`
+username=`echo "$creds" | jq -r '.username'`
+password=`echo "$creds" | jq -r '.password'`
 
-if [[ $org_manager = "true" ]]; then
-  cf set-org-role $username $org OrgManager >&2
-fi
+cf set-org-role "$username" "$org" OrgManager >&2
 
 cat << EOF
-# generated with $0 -s $space -u $service -r $role -o $org $org_manager_output
+# generated with $0 -s $space -u $service -r $role -o $org
 # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
 
 cf_user = "$username"

sandbox-deploy/destroy_service_account.sh

@@ -39,12 +39,12 @@ while getopts ":hs:u:o:" opt; do
   esac
 done
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage"
   exit 1
 fi
 
-cf target -o $org -s $space
+cf target -o "$org" -s "$space"
 
 # destroy service
-cf delete-service $service -f
+cf delete-service -f "$service"

sandbox-deploy/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.1.0"
+      version = "1.2.0"
     }
     cloudfoundry-community = {
       source  = "cloudfoundry-community/cloudfoundry"

variables.tf

@@ -60,9 +60,9 @@ variable "runner_concurrency" {
 }
 
 variable "manager_memory" {
-  type        = number
-  default     = 512
-  description = "Manager Runner Memory, given as number of megabytes"
+  type        = string
+  default     = "256M"
+  description = "Manager Runner Memory - Unit required (e.g. 512M or 2G)"
 }
 
 variable "worker_memory" {