Make terraform more configurable (#1087)

* Make TUF bucket member configurable

In some cases it may not be desireable to expose the TUF bucket to
'allUsers', and some GCP organizations may restrict it through the
`constraints/storage.publicAccessPrevention` organization policy.

Signed-off-by: Colleen Murphy <[email protected]>

* Make DNS variables optional

For development purposes, a DNS domain may not be necessary, and
configuring one may be overkill for a short-lived proof of concept
deployment, since the registration expiration is not tied to the life of
the project.

Signed-off-by: Colleen Murphy <[email protected]>

* Make OAuth scopes configurable

GKE applies the user.info access scope to standard clusters, in addition
to the cloud-platform scope[1]. Because of this, if the scaffolding
terraform is used to create a cluster, and then run again after
completion, the one access scope specified in terraform will be in
conflict with the two automatically assigned by GKE. Making this
configurable ensures that terraform can be idempotent if the user
provides the expected scopes for their cluster type.

[1] https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes

Signed-off-by: Colleen Murphy <[email protected]>

* Make project_number optional

project_number is only used for monitoring, so if monitoring is not
enabled then it is not needed.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

terraform/gcp/modules/ctlog/main.tf

@@ -29,9 +29,10 @@ resource "google_project_service" "service" {
 }
 
 resource "google_dns_record_set" "A_ctfe" {
-  name = "ctfe.${var.dns_domain_name}"
-  type = "A"
-  ttl  = 60
+  count = var.dns_domain_name == "" ? 0 : 1
+  name  = "ctfe.${var.dns_domain_name}"
+  type  = "A"
+  ttl   = 60
 
   project      = var.project_id
   managed_zone = var.dns_zone_name

terraform/gcp/modules/dex/main.tf

@@ -29,9 +29,10 @@ resource "google_project_service" "service" {
 }
 
 resource "google_dns_record_set" "A_dex" {
-  name = "oauth2.${var.dns_domain_name}"
-  type = "A"
-  ttl  = 60
+  count = var.dns_domain_name == "" ? 0 : 1
+  name  = "oauth2.${var.dns_domain_name}"
+  type  = "A"
+  ttl   = 60
 
   project      = var.project_id
   managed_zone = var.dns_zone_name

terraform/gcp/modules/fulcio/fulcio.tf

@@ -28,9 +28,10 @@ module "ca" {
 }
 
 resource "google_dns_record_set" "A_fulcio" {
-  name = "fulcio.${var.dns_domain_name}"
-  type = "A"
-  ttl  = 60
+  count = var.dns_domain_name == "" ? 0 : 1
+  name  = "fulcio.${var.dns_domain_name}"
+  type  = "A"
+  ttl   = 60
 
   project      = var.project_id
   managed_zone = var.dns_zone_name

terraform/gcp/modules/gke_cluster/cluster.tf

@@ -66,7 +66,7 @@ resource "google_container_cluster" "cluster" {
     }
     tags            = [local.cluster_network_tag]
     service_account = google_service_account.gke-sa.email
-    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
+    oauth_scopes    = var.oauth_scopes
   }
 
   resource_labels = {

terraform/gcp/modules/gke_cluster/variables.tf

@@ -225,3 +225,9 @@ variable "security_group" {
   type        = string
   default     = ""
 }
+
+variable "oauth_scopes" {
+  description = "OAuth scopes to assign to the cluster node config"
+  type        = list(string)
+  default     = ["https://www.googleapis.com/auth/cloud-platform"]
+}

terraform/gcp/modules/rekor/rekor.tf

@@ -56,9 +56,10 @@ module "newentry_pubsub_topic" {
 }
 
 resource "google_dns_record_set" "A_rekor" {
-  name = "rekor.${var.dns_domain_name}"
-  type = "A"
-  ttl  = 60
+  count = var.dns_domain_name == "" ? 0 : 1
+  name  = "rekor.${var.dns_domain_name}"
+  type  = "A"
+  ttl   = 60
 
   project      = var.project_id
   managed_zone = var.dns_zone_name

terraform/gcp/modules/sigstore/sigstore.tf

@@ -60,6 +60,7 @@ module "tuf" {
 
   tuf_bucket          = var.tuf_bucket
   tuf_preprod_bucket  = var.tuf_preprod_bucket
+  tuf_bucket_member   = var.tuf_bucket_member
   gcs_logging_enabled = var.gcs_logging_enabled
   gcs_logging_bucket  = var.gcs_logging_bucket
   storage_class       = var.tuf_storage_class
@@ -151,6 +152,8 @@ module "gke-cluster" {
 
   security_group = var.gke_cluster_security_group
 
+  oauth_scopes = var.gke_oauth_scopes
+
   depends_on = [
     module.network,
     module.bastion,

terraform/gcp/modules/sigstore/variables.tf

@@ -23,11 +23,8 @@ variable "project_id" {
 }
 
 variable "project_number" {
-  type = string
-  validation {
-    condition     = length(var.project_number) > 0
-    error_message = "Must specify project_number variable."
-  }
+  type    = string
+  default = ""
 }
 
 variable "region" {
@@ -74,6 +71,12 @@ variable "tuf_preprod_bucket" {
   description = "Name of GCS bucket for preprod/staged TUF root."
 }
 
+variable "tuf_bucket_member" {
+  type        = string
+  description = "User(s) to grant access to the TUF GCS buckets."
+  default     = "allUsers"
+}
+
 variable "tuf_storage_class" {
   type        = string
   description = "Storage class for TUF bucket."
@@ -315,11 +318,13 @@ variable "oslogin" {
 variable "dns_zone_name" {
   description = "Name of DNS Zone object in Google Cloud DNS"
   type        = string
+  default     = ""
 }
 
 variable "dns_domain_name" {
   description = "Name of DNS domain name in Google Cloud DNS"
   type        = string
+  default     = ""
 }
 
 variable "ctlog_shards" {
@@ -397,3 +402,9 @@ variable "gke_cluster_security_group" {
   description = "name of Google Group used for GKE Group RBAC; must be gke-security-groups@<yourdomain>"
   type        = string
 }
+
+variable "gke_oauth_scopes" {
+  description = "OAuth scopes to assign to the cluster node config"
+  type        = list(string)
+  default     = ["https://www.googleapis.com/auth/cloud-platform"]
+}

terraform/gcp/modules/timestamp/timestamp.tf

@@ -15,9 +15,10 @@
  */
 
 resource "google_dns_record_set" "A_timestamp" {
-  name = "timestamp.${var.dns_domain_name}"
-  type = "A"
-  ttl  = 60
+  count = var.dns_domain_name == "" ? 0 : 1
+  name  = "timestamp.${var.dns_domain_name}"
+  type  = "A"
+  ttl   = 60
 
   project      = var.project_id
   managed_zone = var.dns_zone_name

terraform/gcp/modules/tuf/tuf.tf

@@ -69,7 +69,7 @@ resource "google_storage_bucket" "tuf" {
 resource "google_storage_bucket_iam_member" "public_tuf_member" {
   bucket = google_storage_bucket.tuf.name
   role   = "roles/storage.legacyObjectReader"
-  member = "allUsers"
+  member = var.tuf_bucket_member
 
   depends_on = [google_storage_bucket.tuf]
 }
@@ -128,7 +128,7 @@ resource "google_storage_bucket" "tuf_preprod" {
 resource "google_storage_bucket_iam_member" "public_tuf_preprod_member" {
   bucket = google_storage_bucket.tuf_preprod.name
   role   = "roles/storage.legacyObjectReader"
-  member = "allUsers"
+  member = var.tuf_bucket_member
 
   depends_on = [google_storage_bucket.tuf_preprod]
 }
@@ -144,4 +144,4 @@ resource "google_storage_bucket_iam_member" "tuf_sa_preprod_editor" {
   member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
 
   depends_on = [google_storage_bucket.tuf_preprod, google_service_account.tuf-sa]
-}
+}

terraform/gcp/modules/tuf/variables.tf

@@ -39,6 +39,12 @@ variable "tuf_preprod_bucket" {
   description = "Name of GCS bucket for preprod/staged TUF root."
 }
 
+variable "tuf_bucket_member" {
+  type        = string
+  description = "User, group, or service account to grant access to the TUF GCS buckets. Use 'allUsers' for general access, or e.g. group:[email protected] for granular access."
+  default     = "allUsers"
+}
+
 variable "storage_class" {
   type        = string
   description = "Storage class for TUF root bucket."