Refactor IAP (#314)

Refactor IAP module Tested-by: zlq on AP cluster and standard
GoogleCloudPlatform · Mar 7, 2024 · 90d1b7e · 90d1b7e
1 parent f33cc2b
commit 90d1b7e
Show file tree

Hide file tree

Showing 9 changed files with 108 additions and 267 deletions.
diff --git a/applications/jupyter/main.tf b/applications/jupyter/main.tf
@@ -77,6 +77,16 @@ module "namespace" {
   create_namespace = true
 }
 
+# IAP Section: Enabled the IAP service
+resource "google_project_service" "project_service" {
+  count   = var.add_auth ? 1 : 0
+  project = var.project_id
+  service = "iap.googleapis.com"
+
+  disable_dependent_services = false
+  disable_on_destroy         = false
+}
+
 # Creates jupyterhub
 module "jupyterhub" {
   source                            = "../../modules/jupyter"

diff --git a/applications/rag/frontend/main.tf b/applications/rag/frontend/main.tf
@@ -15,48 +15,30 @@ data "google_project" "project" {
   project_id = var.project_id
 }
 
-
 locals {
   instance_connection_name = format("%s:%s:%s", var.project_id, var.region, var.cloudsql_instance)
 }
 
-# IAP Section: Enabled the IAP service
-resource "google_project_service" "project_service" {
-  count   = var.add_auth ? 1 : 0
-  project = var.project_id
-  service = "iap.googleapis.com"
-
-  disable_dependent_services = false
-  disable_on_destroy         = false
-}
-
-# IAP Section: Creates the OAuth client used in IAP
-resource "google_iap_client" "iap_oauth_client" {
-  count        = var.add_auth && var.client_id == "" ? 1 : 0
-  display_name = "Frontend-Client"
-  brand        = var.brand == "" ? "projects/${data.google_project.project.number}/brands/${data.google_project.project.number}" : var.brand
-}
-
 # IAP Section: Creates the GKE components
 module "iap_auth" {
   count  = var.add_auth ? 1 : 0
   source = "../../../modules/iap"
 
-  project_id                        = var.project_id
-  namespace                         = var.namespace
-  frontend_add_auth                 = var.add_auth
-  frontend_k8s_ingress_name         = var.k8s_ingress_name
-  frontend_k8s_managed_cert_name    = var.k8s_managed_cert_name
-  frontend_k8s_iap_secret_name      = var.k8s_iap_secret_name
-  frontend_k8s_backend_config_name  = var.k8s_backend_config_name
-  frontend_k8s_backend_service_name = var.k8s_backend_service_name
-  frontend_k8s_backend_service_port = var.k8s_backend_service_port
-  frontend_client_id                = var.client_id != "" ? var.client_id : google_iap_client.iap_oauth_client[0].client_id
-  frontend_client_secret            = var.client_id != "" ? var.client_secret : google_iap_client.iap_oauth_client[0].secret
-  frontend_url_domain_addr          = var.url_domain_addr
-  frontend_url_domain_name          = var.url_domain_name
+  project_id               = var.project_id
+  namespace                = var.namespace
+  app_name                 = "frontend"
+  brand                    = var.brand
+  k8s_ingress_name         = var.k8s_ingress_name
+  k8s_managed_cert_name    = var.k8s_managed_cert_name
+  k8s_iap_secret_name      = var.k8s_iap_secret_name
+  k8s_backend_config_name  = var.k8s_backend_config_name
+  k8s_backend_service_name = var.k8s_backend_service_name
+  k8s_backend_service_port = var.k8s_backend_service_port
+  client_id                = var.client_id
+  client_secret            = var.client_secret
+  url_domain_addr          = var.url_domain_addr
+  url_domain_name          = var.url_domain_name
   depends_on = [
-    google_project_service.project_service,
     kubernetes_service.rag_frontend_service
   ]
 }

diff --git a/applications/rag/frontend/outputs.tf b/applications/rag/frontend/outputs.tf
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 output "frontend_uri" {
-  value = var.add_auth ? module.iap_auth[0].frontend_domain : (data.kubernetes_service.frontend-ingress.status != null ? (data.kubernetes_service.frontend-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.frontend-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "")
+  value = var.add_auth ? module.iap_auth[0].domain : (data.kubernetes_service.frontend-ingress.status != null ? (data.kubernetes_service.frontend-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.frontend-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "")
 }
diff --git a/applications/rag/main.tf b/applications/rag/main.tf
@@ -123,6 +123,16 @@ module "cloudsql" {
   depends_on    = [module.namespace]
 }
 
+# IAP Section: Enabled the IAP service
+resource "google_project_service" "project_service" {
+  count   = var.frontend_add_auth || var.jupyter_add_auth ? 1 : 0
+  project = var.project_id
+  service = "iap.googleapis.com"
+
+  disable_dependent_services = false
+  disable_on_destroy         = false
+}
+
 module "jupyterhub" {
   source     = "../../modules/jupyter"
   providers  = { helm = helm.rag, kubernetes = kubernetes.rag }

diff --git a/modules/iap/iap.tf b/modules/iap/iap.tf
@@ -12,152 +12,98 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Used to generate ip address
-resource "random_string" "random" {
-  length  = 4
-  special = false
-  upper   = false
+# IAP Section: Enabled the IAP service
+data "google_project" "project" {
+  project_id = var.project_id
 }
 
-# TODO refactor Jupyter and Frontend to be one
-# Jupyter IAP
-resource "google_compute_global_address" "jupyter_ip_address" {
-  count        = var.jupyter_add_auth && var.jupyter_url_domain_addr == "" ? 1 : 0
-  provider     = google-beta
-  project      = var.project_id
-  name         = "jupyter-address-${random_string.random.result}"
-  address_type = "EXTERNAL"
-  ip_version   = "IPV4"
+# Creates a "Brand", equivalent to the OAuth consent screen on Cloud console
+resource "google_iap_brand" "project_brand" {
+  count             = var.brand == "" ? 1 : 0
+  support_email     = var.support_email
+  application_title = "${var.app_name}-Application"
+  project           = var.project_id
 }
 
-# Helm Chart IAP
-resource "helm_release" "iap_jupyter" {
-  count            = var.jupyter_add_auth ? 1 : 0
-  name             = "iap-jupyter"
-  chart            = "${path.module}/charts/iap/"
-  namespace        = var.namespace
-  create_namespace = true
-  # timeout increased to support autopilot scaling resources, and give enough time to complete the deployment 
-  timeout = 1200
-  set {
-    name  = "iap.backendConfig.name"
-    value = var.jupyter_k8s_backend_config_name
-  }
-
-  set {
-    name  = "iap.secret.name"
-    value = var.jupyter_k8s_iap_secret_name
-  }
-
-  set {
-    name  = "iap.secret.client_id"
-    value = base64encode(var.jupyter_client_id)
-  }
-
-  set {
-    name  = "iap.secret.client_secret"
-    value = base64encode(var.jupyter_client_secret)
-  }
-
-  set {
-    name  = "iap.managedCertificate.name"
-    value = var.jupyter_k8s_managed_cert_name
-  }
-
-  set {
-    name  = "iap.managedCertificate.domain"
-    value = var.jupyter_url_domain_addr != "" ? var.jupyter_url_domain_addr : "${google_compute_global_address.jupyter_ip_address[0].address}.nip.io"
-  }
-
-  set {
-    name  = "iap.ingress.staticIpName"
-    value = var.jupyter_url_domain_addr != "" ? var.jupyter_url_domain_name : "${google_compute_global_address.jupyter_ip_address[0].name}"
-  }
-
-  set {
-    name  = "iap.ingress.name"
-    value = var.jupyter_k8s_ingress_name
-  }
-
-  set {
-    name  = "iap.ingress.backendServiceName"
-    value = var.jupyter_k8s_backend_service_name
-  }
-
-  set {
-    name  = "iap.ingress.backendServicePort"
-    value = var.jupyter_k8s_backend_service_port
-  }
+# IAP Section: Creates the OAuth client used in IAP
+resource "google_iap_client" "iap_oauth_client" {
+  count        = var.client_id == "" ? 1 : 0
+  display_name = "${var.app_name}-Client"
+  brand        = var.brand == "" ? "projects/${data.google_project.project.number}/brands/${data.google_project.project.number}" : var.brand
 }
 
-# TODO set the member allowlist
+# Used to generate ip address
+resource "random_string" "random" {
+  length  = 4
+  special = false
+  upper   = false
+}
 
-# Frontend IAP
-resource "google_compute_global_address" "frontend_ip_address" {
-  count        = var.frontend_add_auth && var.frontend_url_domain_addr == "" ? 1 : 0
+# IAP
+resource "google_compute_global_address" "ip_address" {
+  count        = var.url_domain_addr == "" ? 1 : 0
   provider     = google-beta
   project      = var.project_id
-  name         = "frontend-address-${random_string.random.result}"
+  name         = "${var.app_name}-address-${random_string.random.result}"
   address_type = "EXTERNAL"
   ip_version   = "IPV4"
 }
 
 # Helm Chart IAP
-resource "helm_release" "iap_frontend" {
-  count            = var.frontend_add_auth ? 1 : 0
-  name             = "iap-frontend"
+resource "helm_release" "iap" {
+  name             = "${var.app_name}-iap"
   chart            = "${path.module}/charts/iap/"
   namespace        = var.namespace
   create_namespace = true
   # timeout increased to support autopilot scaling resources, and give enough time to complete the deployment
   timeout = 1200
   set {
     name  = "iap.backendConfig.name"
-    value = var.frontend_k8s_backend_config_name
+    value = var.k8s_backend_config_name
   }
 
   set {
     name  = "iap.secret.name"
-    value = var.frontend_k8s_iap_secret_name
+    value = var.k8s_iap_secret_name
   }
 
   set {
     name  = "iap.secret.client_id"
-    value = base64encode(var.frontend_client_id)
+    value = base64encode(var.client_id != "" ? var.client_id : google_iap_client.iap_oauth_client[0].client_id)
   }
 
   set {
     name  = "iap.secret.client_secret"
-    value = base64encode(var.frontend_client_secret)
+    value = base64encode(var.client_secret != "" ? var.client_secret : google_iap_client.iap_oauth_client[0].secret)
   }
 
   set {
     name  = "iap.managedCertificate.name"
-    value = var.frontend_k8s_managed_cert_name
+    value = var.k8s_managed_cert_name
   }
 
   set {
     name  = "iap.managedCertificate.domain"
-    value = var.frontend_url_domain_addr != "" ? var.frontend_url_domain_addr : "${google_compute_global_address.frontend_ip_address[0].address}.nip.io"
+    value = var.url_domain_addr != "" ? var.url_domain_addr : "${google_compute_global_address.ip_address[0].address}.nip.io"
   }
 
   set {
     name  = "iap.ingress.staticIpName"
-    value = var.frontend_url_domain_addr != "" ? var.frontend_url_domain_name : "${google_compute_global_address.frontend_ip_address[0].name}"
+    value = var.url_domain_addr != "" ? var.url_domain_name : "${google_compute_global_address.ip_address[0].name}"
   }
 
   set {
     name  = "iap.ingress.name"
-    value = var.frontend_k8s_ingress_name
+    value = var.k8s_ingress_name
   }
 
   set {
     name  = "iap.ingress.backendServiceName"
-    value = var.frontend_k8s_backend_service_name
+    value = var.k8s_backend_service_name
   }
 
   set {
     name  = "iap.ingress.backendServicePort"
-    value = var.frontend_k8s_backend_service_port
+    value = var.k8s_backend_service_port
   }
 }
diff --git a/modules/iap/outputs.tf b/modules/iap/outputs.tf
@@ -12,10 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-output "jupyter_domain" {
-  value = var.jupyter_add_auth && var.jupyter_url_domain_addr == "" ? "${google_compute_global_address.jupyter_ip_address[0].address}.nip.io" : var.jupyter_url_domain_addr
-}
-
-output "frontend_domain" {
-  value = var.frontend_add_auth && var.frontend_url_domain_addr == "" ? "${google_compute_global_address.frontend_ip_address[0].address}.nip.io" : var.frontend_url_domain_addr
+output "domain" {
+  value = var.url_domain_addr == "" ? "${google_compute_global_address.ip_address[0].address}.nip.io" : var.url_domain_addr
 }