Updating the way Forseti Server Configuration is retrieved from GCS (#…

…480) * Updating the way Forseti Server Configuration is retrieved from GCS Moved away from `google_storage_object_signed_url` as it requires a local json keyfile and I am deploying using service account impersonation. hashicorp/terraform-provider-google#3558 * Pinning version of helm provider to ~> v0.10 * Passing helm chart version through the on_gke_end_to_end example to the on_gke module Co-authored-by: Gregg Kowalski <10247435+gkowalski-google@users.noreply.github.com>
forseti-security · Mar 12, 2020 · 5cdc2df · 5cdc2df
1 parent 4fc5019
commit 5cdc2df
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 11 deletions.
diff --git a/examples/on_gke_end_to_end/main.tf b/examples/on_gke_end_to_end/main.tf
@@ -44,6 +44,7 @@ provider "helm" {
   debug                           = true
   automount_service_account_token = true
   install_tiller                  = true
+  version = "~> v0.10"
 }
 
 #--------------------#
@@ -168,6 +169,7 @@ module "forseti" {
   k8s_forseti_server_image_tag       = var.k8s_forseti_server_image_tag
   k8s_forseti_orchestrator_image_tag = var.k8s_forseti_orchestrator_image_tag
   helm_repository_url                = var.helm_repository_url
+  helm_chart_version                 = var.helm_chart_version
   policy_library_repository_url      = var.policy_library_repository_url
   policy_library_repository_branch   = var.policy_library_repository_branch
   policy_library_sync_enabled        = var.policy_library_sync_enabled

diff --git a/examples/on_gke_end_to_end/variables.tf b/examples/on_gke_end_to_end/variables.tf
@@ -114,6 +114,11 @@ variable "helm_repository_url" {
   default     = "https://forseti-security-charts.storage.googleapis.com/release/"
 }
 
+variable "helm_chart_version" {
+  description = "The version of the Helm chart to use"
+  default     = "2.2.1"
+}
+
 variable "k8s_forseti_namespace" {
   description = "The Kubernetes namespace in which to deploy Forseti."
   default     = "forseti"

diff --git a/modules/on_gke/main.tf b/modules/on_gke/main.tf
@@ -27,7 +27,7 @@ resource "null_resource" "org_id_and_folder_id_are_both_empty" {
   count = length(var.composite_root_resources) == 0 && var.org_id == "" && var.folder_id == "" ? 1 : 0
 
   provisioner "local-exec" {
-    command     = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.org_id}' >&2; false"
+    command     = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.folder_id}' >&2; false"
     interpreter = ["bash", "-c"]
   }
 }
@@ -121,20 +121,23 @@ data "tls_public_key" "git_sync_public_ssh_key" {
 //*****************************************
 //  Obtain Forseti Server Configuration
 //*****************************************
-data "google_storage_object_signed_url" "file_url" {
-  bucket      = module.server_gcs.forseti-server-storage-bucket
-  path        = "configs/forseti_conf_server.yaml"
-  content_md5 = module.server_config.forseti-server-config-md5
+data "google_storage_bucket_object" "server_config_contents" {
+  bucket     = module.server_gcs.forseti-server-storage-bucket
+  name       = "configs/forseti_conf_server.yaml"
+  depends_on = [
+    module.server_config.forseti-server-config-md5
+  ]
 }
 
+data "google_client_config" "current" {}
+
 data "http" "server_config_contents" {
-  url = data.google_storage_object_signed_url.file_url.signed_url
+  url = format("%s?alt=media", data.google_storage_bucket_object.server_config_contents.self_link)
 
+  # Optional request headers
   request_headers = {
-    "Content-MD5" = module.server_config.forseti-server-config-md5
+    "Authorization" = "Bearer ${data.google_client_config.current.access_token}"
   }
-
-  depends_on = ["data.google_storage_object_signed_url.file_url"]
 }
 
 //*****************************************
@@ -225,10 +228,12 @@ resource "helm_release" "forseti-security" {
   version       = var.helm_chart_version
   chart         = "forseti-security"
   recreate_pods = var.recreate_pods
-  depends_on = ["kubernetes_role_binding.tiller",
+  depends_on = [
+    "kubernetes_role_binding.tiller",
     "kubernetes_namespace.forseti",
     "google_service_account_iam_binding.forseti_server_workload_identity",
-  "google_service_account_iam_binding.forseti_client_workload_identity"]
+    "google_service_account_iam_binding.forseti_client_workload_identity"
+  ]
 
   set {
     name  = "database.username"