Merge pull request #5067 from BenTheElder/module

move oci-proxy configuration to common module

infra/gcp/terraform/k8s-infra-oci-proxy-prod/oci-proxy.tf

@@ -14,132 +14,38 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-data "google_organization" "org" {
-  domain = "kubernetes.io"
+locals {
+  project_id = "k8s-infra-oci-proxy-prod"
 }
 
-resource "google_project" "project" {
-  name            = var.project_id
-  project_id      = var.project_id
-  org_id          = data.google_organization.org.org_id
-  billing_account = "018801-93540E-22A20E"
+module "oci-proxy" {
+  source = "../modules/oci-proxy"
+  // ***** production vs staging variables inputs *****
+  //
+  // gcr.io/k8s-staging-infra-tools/archeio:v20230310-v0.2.0@sha256:bc742c5f47a69e21e828768991853faddbe13a7f69a9da4d7d2ad16e0e55892c
+  // If you're interested in running this image yourself releases are available at registry.k8s.io/infra-tools/archeio
+  digest     = "sha256:bc742c5f47a69e21e828768991853faddbe13a7f69a9da4d7d2ad16e0e55892c"
+  domain     = "registry.k8s.io"
+  project_id = local.project_id
+  // we increase this in staging, but not in production
+  // we already get a lot of info from build-in cloud run logs
+  verbosity = "0"
+  // Manually created. Monitoring channels can't be created with Terraform.
+  // See: https://github.com/hashicorp/terraform-provider-google/issues/1134
+  notification_channel_id = "15334306215710275143"
 }
 
+// we only sink logs to bigquery in production
+resource "google_logging_project_sink" "bigquery_sink" {
+  project     = local.project_id
+  name        = "registry-k8s-io-logs-sink"
+  destination = "bigquery.googleapis.com/projects/k8s-infra-public-pii/datasets/registry_k8s_io_logs"
 
-// Enable services needed for the project
-resource "google_project_service" "project" {
-  project = google_project.project.id
-
-  for_each = toset([
-    "compute.googleapis.com",
-    "containerregistry.googleapis.com",
-    "logging.googleapis.com",
-    "monitoring.googleapis.com",
-    "oslogin.googleapis.com",
-    "pubsub.googleapis.com",
-    "run.googleapis.com",
-    "storage-api.googleapis.com",
-    "storage-component.googleapis.com"
-  ])
-
-  service = each.key
-}
-
-// Ensure [email protected] has admin access to this project
-resource "google_project_iam_member" "k8s_infra_oci_proxy_admins" {
-  project = google_project.project.id
-  role    = "roles/owner"
-  member  = "group:[email protected]"
-}
-
-
-resource "google_service_account" "oci-proxy" {
-  project      = google_project.project.project_id
-  account_id   = "oci-proxy-prod"
-  display_name = "Minimal Service Account for OCI Proxy"
-}
-
-// Make each service invokable by all users.
-resource "google_cloud_run_service_iam_member" "allUsers" {
-  project  = google_project.project.project_id
-  for_each = google_cloud_run_service.oci-proxy
-
-  service  = google_cloud_run_service.oci-proxy[each.key].name
-  location = google_cloud_run_service.oci-proxy[each.key].location
-  role     = "roles/run.invoker"
-  member   = "allUsers"
-}
-
-resource "google_cloud_run_service" "oci-proxy" {
-  project  = google_project.project.project_id
-  for_each = var.cloud_run_config
-  name     = "${var.project_id}-${each.key}"
-  location = each.key
-
-  template {
-    metadata {
-      annotations = {
-        "autoscaling.knative.dev/maxScale" = "10" // TODO: adjust to control costs
-        "run.googleapis.com/launch-stage"  = "BETA"
-      }
-    }
-    spec {
-      service_account_name = google_service_account.oci-proxy.email
-      containers {
-        // NOTE: We deploy from staging because:
-        // - We pin by digest anyhow (so it's comparably secure)
-        // - We need to be able to deploy registry fixes ASAP
-        // - We will eventually auto-deploy staging by overriding the project and digest on the production config to avoid skew
-        // If you're interested in running this image yourself releases are available at registry.k8s.io/infra-tools/archeio
-        image = "gcr.io/k8s-staging-infra-tools/archeio@${var.digest}"
-
-        dynamic "env" {
-          for_each = each.value.environment_variables
-          content {
-            name  = env.value["name"]
-            value = env.value["value"]
-          }
-        }
-
-        // ensure this match the value for template.spec.containers.resources.limits
-        env {
-          name  = "GOMAXPROCS"
-          value = "1"
-        }
-
-        resources {
-          limits = {
-            "cpu" = "1000m"
-          }
-        }
-      }
-
-      # we can probably hit 1k QPS/core (cloud run's maximum configurable)
-      # but we are leaving in a little overhead, if we actually hit 1k qps in
-      # a region we can scale to another 1 core instance
-      container_concurrency = 800
-
-      // we only serve cheap redirects, 60s is a rather long request
-      timeout_seconds = 60
-    }
+  bigquery_options {
+    use_partitioned_tables = false
   }
 
-  traffic {
-    percent         = 100
-    latest_revision = true
-  }
+  unique_writer_identity = true
 
-  depends_on = [
-    google_project_service.project["run.googleapis.com"]
-  ]
-
-  lifecycle {
-    ignore_changes = [
-      // This gets added by the Cloud Run API post deploy and causes diffs, can be ignored...
-      template[0].metadata[0].annotations["client.knative.dev/sandbox"],
-      template[0].metadata[0].annotations["run.googleapis.com/user-image"],
-      template[0].metadata[0].annotations["run.googleapis.com/client-name"],
-      template[0].metadata[0].annotations["run.googleapis.com/client-version"],
-    ]
-  }
+  filter = "resource.type = \"cloud_run_revision\" AND log_name= \"projects/${local.project_id}/logs/run.googleapis.com%2Frequests\""
 }