diff --git a/applications/jupyter/main.tf b/applications/jupyter/main.tf index 0cdf30cf9..f4cb91abd 100644 --- a/applications/jupyter/main.tf +++ b/applications/jupyter/main.tf @@ -77,6 +77,16 @@ module "namespace" { create_namespace = true } +# IAP Section: Enabled the IAP service +resource "google_project_service" "project_service" { + count = var.add_auth ? 1 : 0 + project = var.project_id + service = "iap.googleapis.com" + + disable_dependent_services = false + disable_on_destroy = false +} + # Creates jupyterhub module "jupyterhub" { source = "../../modules/jupyter" diff --git a/applications/rag/frontend/main.tf b/applications/rag/frontend/main.tf index 3e9c2bbfd..e82cc1f76 100644 --- a/applications/rag/frontend/main.tf +++ b/applications/rag/frontend/main.tf 
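Review bot: The new `google_project_service.project_service` is not wired into `module "jupyterhub"`, whose body continues outside the hunk; the only thing that previously ordered IAP resource creation after API enablement was the `depends_on = [google_project_service.project_service, ...]` inside modules/jupyter/main.tf, and this commit removes it without replacing it here. Nothing in the module reads the service resource, so Terraform cannot infer the edge, and on a project where iap.googleapis.com is not yet enabled the module's `google_iap_brand`/`google_iap_client` can be attempted first. Add `depends_on = [google_project_service.project_service]` to the `module "jupyterhub"` block. The applications/rag/main.tf hunk has the same gap for its `module "jupyterhub"` (and presumably for the frontend module call, which is outside this diff).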
@@ -15,48 +15,30 @@ data "google_project" "project" { project_id = var.project_id } - locals { instance_connection_name = format("%s:%s:%s", var.project_id, var.region, var.cloudsql_instance) } -# IAP Section: Enabled the IAP service -resource "google_project_service" "project_service" { - count = var.add_auth ? 1 : 0 - project = var.project_id - service = "iap.googleapis.com" - - disable_dependent_services = false - disable_on_destroy = false -} - -# IAP Section: Creates the OAuth client used in IAP -resource "google_iap_client" "iap_oauth_client" { - count = var.add_auth && var.client_id == "" ? 1 : 0 - display_name = "Frontend-Client" - brand = var.brand == "" ? "projects/${data.google_project.project.number}/brands/${data.google_project.project.number}" : var.brand -} - # IAP Section: Creates the GKE components module "iap_auth" { count = var.add_auth ? 1 : 0 source = "../../../modules/iap" - project_id = var.project_id - namespace = var.namespace - frontend_add_auth = var.add_auth - frontend_k8s_ingress_name = var.k8s_ingress_name - frontend_k8s_managed_cert_name = var.k8s_managed_cert_name - frontend_k8s_iap_secret_name = var.k8s_iap_secret_name - frontend_k8s_backend_config_name = var.k8s_backend_config_name - frontend_k8s_backend_service_name = var.k8s_backend_service_name - frontend_k8s_backend_service_port = var.k8s_backend_service_port - frontend_client_id = var.client_id != "" ? var.client_id : google_iap_client.iap_oauth_client[0].client_id - frontend_client_secret = var.client_id != "" ? 
var.client_secret : google_iap_client.iap_oauth_client[0].secret - frontend_url_domain_addr = var.url_domain_addr - frontend_url_domain_name = var.url_domain_name + project_id = var.project_id + namespace = var.namespace + app_name = "frontend" + brand = var.brand + k8s_ingress_name = var.k8s_ingress_name + k8s_managed_cert_name = var.k8s_managed_cert_name + k8s_iap_secret_name = var.k8s_iap_secret_name + k8s_backend_config_name = var.k8s_backend_config_name + k8s_backend_service_name = var.k8s_backend_service_name + k8s_backend_service_port = var.k8s_backend_service_port + client_id = var.client_id + client_secret = var.client_secret + url_domain_addr = var.url_domain_addr + url_domain_name = var.url_domain_name depends_on = [ - google_project_service.project_service, kubernetes_service.rag_frontend_service ] } diff --git a/applications/rag/frontend/outputs.tf b/applications/rag/frontend/outputs.tf index 84c2239ef..f808f71e5 100644 --- a/applications/rag/frontend/outputs.tf +++ b/applications/rag/frontend/outputs.tf @@ -13,5 +13,5 @@ # limitations under the License. output "frontend_uri" { - value = var.add_auth ? module.iap_auth[0].frontend_domain : (data.kubernetes_service.frontend-ingress.status != null ? (data.kubernetes_service.frontend-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.frontend-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "") + value = var.add_auth ? module.iap_auth[0].domain : (data.kubernetes_service.frontend-ingress.status != null ? (data.kubernetes_service.frontend-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.frontend-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "") } \ No newline at end of file diff --git a/applications/rag/main.tf b/applications/rag/main.tf index e3e56ed47..ff6ab1f60 100644 --- a/applications/rag/main.tf +++ b/applications/rag/main.tf 
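Review bot: The rewritten `iap_auth` call never passes `support_email`, yet the module now creates `google_iap_brand` whenever `brand` is empty using `support_email = var.support_email`, whose module default is `""` — so the empty-`brand` path runs brand creation with no support contact and will be rejected or, if accepted, produce a consent screen without one. Forward it here, `support_email = var.support_email`, assuming the frontend still exposes such an input (the removed `frontend_support_email` variable suggests it did). The same omission is in the modules/jupyter/main.tf `iap_auth` call, which previously created the brand itself from `var.support_email`. `members_allowlist` is likewise not forwarded, though the module does not consume it either.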
@@ -123,6 +123,16 @@ module "cloudsql" { depends_on = [module.namespace] } +# IAP Section: Enabled the IAP service +resource "google_project_service" "project_service" { + count = var.frontend_add_auth || var.jupyter_add_auth ? 1 : 0 + project = var.project_id + service = "iap.googleapis.com" + + disable_dependent_services = false + disable_on_destroy = false +} + module "jupyterhub" { source = "../../modules/jupyter" providers = { helm = helm.rag, kubernetes = kubernetes.rag } diff --git a/modules/iap/iap.tf b/modules/iap/iap.tf index c9344ae18..8ad690a55 100644 --- a/modules/iap/iap.tf +++ b/modules/iap/iap.tf 
@@ -12,100 +12,46 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Used to generate ip address -resource "random_string" "random" { - length = 4 - special = false - upper = false +# IAP Section: Enabled the IAP service +data "google_project" "project" { + project_id = var.project_id } -# TODO refactor Jupyter and Frontend to be one -# Jupyter IAP -resource "google_compute_global_address" "jupyter_ip_address" { - count = var.jupyter_add_auth && var.jupyter_url_domain_addr == "" ? 1 : 0 - provider = google-beta - project = var.project_id - name = "jupyter-address-${random_string.random.result}" - address_type = "EXTERNAL" - ip_version = "IPV4" +# Creates a "Brand", equivalent to the OAuth consent screen on Cloud console +resource "google_iap_brand" "project_brand" { + count = var.brand == "" ? 1 : 0 + support_email = var.support_email + application_title = "${var.app_name}-Application" + project = var.project_id } -# Helm Chart IAP -resource "helm_release" "iap_jupyter" { - count = var.jupyter_add_auth ? 1 : 0 - name = "iap-jupyter" - chart = "${path.module}/charts/iap/" - namespace = var.namespace - create_namespace = true - # timeout increased to support autopilot scaling resources, and give enough time to complete the deployment - timeout = 1200 - set { - name = "iap.backendConfig.name" - value = var.jupyter_k8s_backend_config_name - } - - set { - name = "iap.secret.name" - value = var.jupyter_k8s_iap_secret_name - } - - set { - name = "iap.secret.client_id" - value = base64encode(var.jupyter_client_id) - } - - set { - name = "iap.secret.client_secret" - value = base64encode(var.jupyter_client_secret) - } - - set { - name = "iap.managedCertificate.name" - value = var.jupyter_k8s_managed_cert_name - } - - set { - name = "iap.managedCertificate.domain" - value = var.jupyter_url_domain_addr != "" ? 
var.jupyter_url_domain_addr : "${google_compute_global_address.jupyter_ip_address[0].address}.nip.io" - } - - set { - name = "iap.ingress.staticIpName" - value = var.jupyter_url_domain_addr != "" ? var.jupyter_url_domain_name : "${google_compute_global_address.jupyter_ip_address[0].name}" - } - - set { - name = "iap.ingress.name" - value = var.jupyter_k8s_ingress_name - } - - set { - name = "iap.ingress.backendServiceName" - value = var.jupyter_k8s_backend_service_name - } - - set { - name = "iap.ingress.backendServicePort" - value = var.jupyter_k8s_backend_service_port - } +# IAP Section: Creates the OAuth client used in IAP +resource "google_iap_client" "iap_oauth_client" { + count = var.client_id == "" ? 1 : 0 + display_name = "${var.app_name}-Client" + brand = var.brand == "" ? "projects/${data.google_project.project.number}/brands/${data.google_project.project.number}" : var.brand } -# TODO set the member allowlist +# Used to generate ip address +resource "random_string" "random" { + length = 4 + special = false + upper = false +} -# Frontend IAP -resource "google_compute_global_address" "frontend_ip_address" { - count = var.frontend_add_auth && var.frontend_url_domain_addr == "" ? 1 : 0 +# IAP +resource "google_compute_global_address" "ip_address" { + count = var.url_domain_addr == "" ? 1 : 0 provider = google-beta project = var.project_id - name = "frontend-address-${random_string.random.result}" + name = "${var.app_name}-address-${random_string.random.result}" address_type = "EXTERNAL" ip_version = "IPV4" } # Helm Chart IAP -resource "helm_release" "iap_frontend" { - count = var.frontend_add_auth ? 1 : 0 - name = "iap-frontend" +resource "helm_release" "iap" { + name = "${var.app_name}-iap" chart = "${path.module}/charts/iap/" namespace = var.namespace create_namespace = true 
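Review bot: `google_iap_client.iap_oauth_client` builds `brand` from the project number instead of referencing `google_iap_brand.project_brand[0]`, so when `var.brand` is empty there is no dependency edge and Terraform can try to create the client before the brand exists on a fresh project; use `brand = var.brand == "" ? google_iap_brand.project_brand[0].name : var.brand`, which also removes the assumption that the brand id equals the project number. The comment `# IAP Section: Enabled the IAP service` above the `data "google_project"` block is copied from the project-service resource and does not describe it; `# Project number, used to derive the brand name` would. The removed `# TODO set the member allowlist` marker is not replaced by any IAM binding, so with IAP enabled access stays denied until `roles/iap.httpsResourceAccessor` is granted out of band — keep the TODO or document that in the module. The `helm_release "iap"` block continues past the hunk.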
@@ -113,51 +59,51 @@ resource "helm_release" "iap_frontend" { timeout = 1200 set { name = "iap.backendConfig.name" - value = var.frontend_k8s_backend_config_name + value = var.k8s_backend_config_name } set { name = "iap.secret.name" - value = var.frontend_k8s_iap_secret_name + value = var.k8s_iap_secret_name } set { name = "iap.secret.client_id" - value = base64encode(var.frontend_client_id) + value = base64encode(var.client_id != "" ? var.client_id : google_iap_client.iap_oauth_client[0].client_id) } set { name = "iap.secret.client_secret" - value = base64encode(var.frontend_client_secret) + value = base64encode(var.client_secret != "" ? var.client_secret : google_iap_client.iap_oauth_client[0].secret) } set { name = "iap.managedCertificate.name" - value = var.frontend_k8s_managed_cert_name + value = var.k8s_managed_cert_name } set { name = "iap.managedCertificate.domain" - value = var.frontend_url_domain_addr != "" ? var.frontend_url_domain_addr : "${google_compute_global_address.frontend_ip_address[0].address}.nip.io" + value = var.url_domain_addr != "" ? var.url_domain_addr : "${google_compute_global_address.ip_address[0].address}.nip.io" } set { name = "iap.ingress.staticIpName" - value = var.frontend_url_domain_addr != "" ? var.frontend_url_domain_name : "${google_compute_global_address.frontend_ip_address[0].name}" + value = var.url_domain_addr != "" ? var.url_domain_name : "${google_compute_global_address.ip_address[0].name}" } set { name = "iap.ingress.name" - value = var.frontend_k8s_ingress_name + value = var.k8s_ingress_name } set { name = "iap.ingress.backendServiceName" - value = var.frontend_k8s_backend_service_name + value = var.k8s_backend_service_name } set { name = "iap.ingress.backendServicePort" - value = var.frontend_k8s_backend_service_port + value = var.k8s_backend_service_port } } \ No newline at end of file diff --git a/modules/iap/outputs.tf b/modules/iap/outputs.tf index 8ec76c552..900d25a37 100644 --- a/modules/iap/outputs.tf 
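Review bot: The `iap.secret.client_secret` selector keys on `var.client_secret != ""` while the client resource's `count` keys on `var.client_id == ""`, so a caller that supplies `client_id` but leaves `client_secret` empty indexes `google_iap_client.iap_oauth_client[0]` on an empty list and fails at plan; the old callers keyed both on `client_id`, so use `value = base64encode(var.client_id != "" ? var.client_secret : google_iap_client.iap_oauth_client[0].secret)`. That value is an OAuth client secret, so the block should be `set_sensitive` rather than `set` to keep it out of plan/diff output. The enclosing `resource "helm_release" "iap"` starts outside this hunk.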
+++ b/modules/iap/outputs.tf @@ -12,10 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -output "jupyter_domain" { - value = var.jupyter_add_auth && var.jupyter_url_domain_addr == "" ? "${google_compute_global_address.jupyter_ip_address[0].address}.nip.io" : var.jupyter_url_domain_addr -} - -output "frontend_domain" { - value = var.frontend_add_auth && var.frontend_url_domain_addr == "" ? "${google_compute_global_address.frontend_ip_address[0].address}.nip.io" : var.frontend_url_domain_addr +output "domain" { + value = var.url_domain_addr == "" ? "${google_compute_global_address.ip_address[0].address}.nip.io" : var.url_domain_addr } \ No newline at end of file diff --git a/modules/iap/variables.tf b/modules/iap/variables.tf index af09d87c2..4a442c8dc 100644 --- a/modules/iap/variables.tf +++ b/modules/iap/variables.tf 
@@ -22,156 +22,78 @@ variable "namespace" { description = "Kubernetes namespace where resources are deployed" } -# Frontend IAP settings -variable "frontend_add_auth" { - type = bool - description = "Enable iap authentication on frontend" - default = false -} - -variable "frontend_k8s_ingress_name" { - type = string - default = "frontend-ingress" -} - -variable "frontend_k8s_managed_cert_name" { - type = string - description = "Name for frontend managed certificate" - default = "frontend-managed-cert" -} - -variable "frontend_k8s_iap_secret_name" { - type = string - description = "Name for frontend iap secret" - default = "frontend-iap-secret" -} - -variable "frontend_k8s_backend_config_name" { - type = string - description = "Name of the Kubernetes Backend Config" - default = "frontend-iap-config" -} - -variable "frontend_k8s_backend_service_name" { - type = string - description = "Name of the Backend Service" - default = "rag-frontend" -} - -variable "frontend_k8s_backend_service_port" { - type = number - description = "Name of the Backend Service Port" - default = 8080 -} - -variable "frontend_url_domain_addr" { - type = string - description = "Domain provided by the user. If it's empty, we will create one for you." - default = "" -} - -variable "frontend_url_domain_name" { +variable "app_name" { type = string - description = "Name of the domain provided by the user. 
This var will only be used if url_domain_addr is not empty" - default = "" + description = "App Name" } -variable "frontend_support_email" { +# IAP settings +variable "brand" { type = string - description = "Email for users to contact with questions about their consent" - default = "" + description = "Brand" } -variable "frontend_client_id" { +variable "k8s_ingress_name" { type = string - description = "Client ID used for enabling IAP" - default = "" -} - -variable "frontend_client_secret" { - type = string - description = "Client secret used for enabling IAP" - default = "" -} - -variable "frontend_members_allowlist" { - type = list(string) - default = [] -} - -# Jupyter IAP settings -variable "jupyter_add_auth" { - type = bool - description = "Enable iap authentication on jupyterhub" - default = false -} - -variable "jupyter_k8s_ingress_name" { - type = string - default = "jupyter-ingress" + description = "Name for k8s Ingress" } -variable "jupyter_k8s_managed_cert_name" { +variable "k8s_managed_cert_name" { type = string - description = "Name for frontend managed certificate" - default = "frontend-managed-cert" + description = "Name for k8s managed certificate" } -variable "jupyter_k8s_iap_secret_name" { +variable "k8s_iap_secret_name" { type = string - description = "Name for jupyter iap secret" - default = "jupyter-iap-secret" + description = "Name for k8s iap secret" } -variable "jupyter_k8s_backend_config_name" { +variable "k8s_backend_config_name" { type = string description = "Name of the Kubernetes Backend Config" - default = "jupyter-iap-config" } -variable "jupyter_k8s_backend_service_name" { +variable "k8s_backend_service_name" { type = string description = "Name of the Backend Service" - default = "proxy-public" } -variable "jupyter_k8s_backend_service_port" { +variable "k8s_backend_service_port" { type = number description = "Name of the Backend Service Port" - default = 80 } -variable "jupyter_url_domain_addr" { +variable "url_domain_addr" { type = 
string description = "Domain provided by the user. If it's empty, we will create one for you." default = "" } -variable "jupyter_url_domain_name" { +variable "url_domain_name" { type = string description = "Name of the domain provided by the user. This var will only be used if url_domain_addr is not empty" default = "" } -variable "jupyter_support_email" { +variable "support_email" { type = string description = "Email for users to contact with questions about their consent" default = "" } -variable "jupyter_client_id" { +variable "client_id" { type = string description = "Client ID used for enabling IAP" default = "" } -variable "jupyter_client_secret" { +variable "client_secret" { type = string description = "Client secret used for enabling IAP" default = "" } -variable "jupyter_members_allowlist" { +variable "members_allowlist" { type = list(string) default = [] } \ No newline at end of file diff --git a/modules/jupyter/main.tf b/modules/jupyter/main.tf index 13ab2b505..48601020c 100644 --- a/modules/jupyter/main.tf +++ b/modules/jupyter/main.tf 
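Review bot: `variable "client_secret"` carries an OAuth client secret but is not marked `sensitive = true`, so its value is shown in plan output and in any output that derives from it; add `sensitive = true` to that block. `variable "members_allowlist"` is kept but nothing in modules/iap/iap.tf consumes it, so callers setting it get no IAM binding — either document that in its description or drop it. The new `description = "Brand"` and `description = "App Name"` say nothing a caller can act on; e.g. `description = "Existing IAP brand (projects/<number>/brands/<id>); leave empty to create one"` and `description = "Short name used to prefix the IAP client, address and Helm release"`.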
@@ -16,51 +16,26 @@ data "google_project" "project" { project_id = var.project_id } -# Creates a "Brand", equivalent to the OAuth consent screen on Cloud console -resource "google_iap_brand" "project_brand" { - count = var.add_auth && var.brand == "" ? 1 : 0 - support_email = var.support_email - application_title = "Application" - project = var.project_id -} - -# IAP Section: Enabled the IAP service -resource "google_project_service" "project_service" { - count = var.add_auth ? 1 : 0 - project = var.project_id - service = "iap.googleapis.com" - - disable_dependent_services = false - disable_on_destroy = false -} - -# IAP Section: Creates the OAuth client used in IAP -resource "google_iap_client" "iap_oauth_client" { - count = var.add_auth && var.client_id == "" ? 1 : 0 - display_name = "Jupyter-Client" - brand = var.brand == "" ? "projects/${data.google_project.project.number}/brands/${data.google_project.project.number}" : var.brand -} - # IAP Section: Creates the GKE components module "iap_auth" { count = var.add_auth ? 1 : 0 source = "../../modules/iap" - project_id = var.project_id - namespace = var.namespace - jupyter_add_auth = var.add_auth - jupyter_k8s_ingress_name = var.k8s_ingress_name - jupyter_k8s_managed_cert_name = var.k8s_managed_cert_name - jupyter_k8s_iap_secret_name = var.k8s_iap_secret_name - jupyter_k8s_backend_config_name = var.k8s_backend_config_name - jupyter_k8s_backend_service_name = var.k8s_backend_service_name - jupyter_k8s_backend_service_port = var.k8s_backend_service_port - jupyter_client_id = var.client_id != "" ? var.client_id : google_iap_client.iap_oauth_client[0].client_id - jupyter_client_secret = var.client_id != "" ? 
var.client_secret : google_iap_client.iap_oauth_client[0].secret - jupyter_url_domain_addr = var.url_domain_addr - jupyter_url_domain_name = var.url_domain_name + project_id = var.project_id + namespace = var.namespace + app_name = "jupyter" + brand = var.brand + k8s_ingress_name = var.k8s_ingress_name + k8s_managed_cert_name = var.k8s_managed_cert_name + k8s_iap_secret_name = var.k8s_iap_secret_name + k8s_backend_config_name = var.k8s_backend_config_name + k8s_backend_service_name = var.k8s_backend_service_name + k8s_backend_service_port = var.k8s_backend_service_port + client_id = var.client_id + client_secret = var.client_secret + url_domain_addr = var.url_domain_addr + url_domain_name = var.url_domain_name depends_on = [ - google_project_service.project_service, helm_release.jupyterhub ] } diff --git a/modules/jupyter/outputs.tf b/modules/jupyter/outputs.tf index f1e36a12d..a6a4ef30f 100644 --- a/modules/jupyter/outputs.tf +++ b/modules/jupyter/outputs.tf @@ -13,7 +13,7 @@ # limitations under the License. output "jupyterhub_uri" { - value = var.add_auth ? module.iap_auth[0].jupyter_domain : (data.kubernetes_service.jupyter-ingress.status != null ? (data.kubernetes_service.jupyter-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.jupyter-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "") + value = var.add_auth ? module.iap_auth[0].domain : (data.kubernetes_service.jupyter-ingress.status != null ? (data.kubernetes_service.jupyter-ingress.status[0].load_balancer != null ? "${data.kubernetes_service.jupyter-ingress.status[0].load_balancer[0].ingress[0].ip}" : "") : "") } output "jupyterhub_password" {