From 5cdc2df2de2c114a30397cc45e42d45fe964406e Mon Sep 17 00:00:00 2001
From: hiloboy0119
Date: Thu, 12 Mar 2020 10:33:21 -0700
Subject: [PATCH] Updating the way Forseti Server Configuration is retrieved from GCS (#480)

* Updating the way Forseti Server Configuration is retrieved from GCS

Moved away from `google_storage_object_signed_url` as it requires a local json keyfile and I am deploying using service account impersonation. https://github.com/terraform-providers/terraform-provider-google/issues/3558

* Pinning version of helm provider to ~> v0.10

* Passing helm chart version through the on_gke_end_to_end example to the on_gke module

Co-authored-by: Gregg Kowalski <10247435+gkowalski-google@users.noreply.github.com>
---
 examples/on_gke_end_to_end/main.tf | 2 ++
 examples/on_gke_end_to_end/variables.tf | 5 +++++
 modules/on_gke/main.tf | 27 +++++++++++++++----------
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/examples/on_gke_end_to_end/main.tf b/examples/on_gke_end_to_end/main.tf
index 59fe31de5..4f27fd2fa 100644
--- a/examples/on_gke_end_to_end/main.tf
+++ b/examples/on_gke_end_to_end/main.tf
@@ -44,6 +44,7 @@ provider "helm" {
 debug = true
 automount_service_account_token = true
 install_tiller = true
+ version = "~> v0.10"
 }
 
 #--------------------#
@@ -168,6 +169,7 @@ module "forseti" {
 k8s_forseti_server_image_tag = var.k8s_forseti_server_image_tag
 k8s_forseti_orchestrator_image_tag = var.k8s_forseti_orchestrator_image_tag
 helm_repository_url = var.helm_repository_url
+ helm_chart_version = var.helm_chart_version
 policy_library_repository_url = var.policy_library_repository_url
 policy_library_repository_branch = var.policy_library_repository_branch
 policy_library_sync_enabled = var.policy_library_sync_enabled
diff --git a/examples/on_gke_end_to_end/variables.tf b/examples/on_gke_end_to_end/variables.tf
index eb7e89d39..51382d18d 100644
--- a/examples/on_gke_end_to_end/variables.tf
+++ b/examples/on_gke_end_to_end/variables.tf
@@ -114,6 +114,11 @@ variable "helm_repository_url" {
 default = "https://forseti-security-charts.storage.googleapis.com/release/"
 }
 
+variable "helm_chart_version" {
+ description = "The version of the Helm chart to use"
+ default = "2.2.1"
+}
+
 variable "k8s_forseti_namespace" {
 description = "The Kubernetes namespace in which to deploy Forseti."
 default = "forseti"
diff --git a/modules/on_gke/main.tf b/modules/on_gke/main.tf
index d1239d647..ed51f0c73 100644
--- a/modules/on_gke/main.tf
+++ b/modules/on_gke/main.tf
@@ -27,7 +27,7 @@ resource "null_resource" "org_id_and_folder_id_are_both_empty" {
 count = length(var.composite_root_resources) == 0 && var.org_id == "" && var.folder_id == "" ? 1 : 0
 
 provisioner "local-exec" {
- command = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.org_id}' >&2; false"
+ command = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.folder_id}' >&2; false"
 interpreter = ["bash", "-c"]
 }
 }
@@ -121,20 +121,23 @@ data "tls_public_key" "git_sync_public_ssh_key" {
 //*****************************************
 // Obtain Forseti Server Configuration
 //*****************************************
-data "google_storage_object_signed_url" "file_url" {
- bucket = module.server_gcs.forseti-server-storage-bucket
- path = "configs/forseti_conf_server.yaml"
- content_md5 = module.server_config.forseti-server-config-md5
+data "google_storage_bucket_object" "server_config_contents" {
+ bucket = module.server_gcs.forseti-server-storage-bucket
+ name = "configs/forseti_conf_server.yaml"
+ depends_on = [
+ module.server_config.forseti-server-config-md5
+ ]
 }
 
+ data "google_client_config" "current" {}
+
 data "http" "server_config_contents" {
- url = data.google_storage_object_signed_url.file_url.signed_url
+ url = format("%s?alt=media", data.google_storage_bucket_object.server_config_contents.self_link)
+
 # Optional request headers
 request_headers = {
- "Content-MD5" = module.server_config.forseti-server-config-md5
+ "Authorization" = "Bearer ${data.google_client_config.current.access_token}"
 }
-
- depends_on = ["data.google_storage_object_signed_url.file_url"]
 }
 
 //*****************************************
@@ -225,10 +228,12 @@ resource "helm_release" "forseti-security" {
 version = var.helm_chart_version
 chart = "forseti-security"
 recreate_pods = var.recreate_pods
- depends_on = ["kubernetes_role_binding.tiller",
+ depends_on = [
+ "kubernetes_role_binding.tiller",
 "kubernetes_namespace.forseti",
 "google_service_account_iam_binding.forseti_server_workload_identity",
- "google_service_account_iam_binding.forseti_client_workload_identity"]
+ "google_service_account_iam_binding.forseti_client_workload_identity"
+ ]
 
 set {
 name = "database.username"
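Review bot: The bearer token placed in `request_headers` is persisted in plaintext in the Terraform state, once as `data.google_client_config.current.access_token` and again inside `data.http.server_config_contents.request_headers`, so anyone who can read the state or a saved plan holds the deploying identity's credential until that token expires; the old signed-URL approach stored only a time-limited URL. That is only acceptable when the state lives in an encrypted remote backend whose readers are limited to the deployment identity, which this module cannot enforce, so the header line should carry a comment such as `# The provider access token is recorded in state with this data source; keep state in a restricted, encrypted backend.`. The surviving `# Optional request headers` comment is now misleading, because the Authorization header is what authorises the read of a non-public bucket; replace it with `# Authenticated read: the config object is not publicly readable`. The `depends_on` on the new `google_storage_bucket_object` data source names a module output value rather than a whole resource; I cannot see that module from here, but if the intent is to re-read after the config object is rewritten, it is worth confirming the dependency orders the read after the upload rather than merely deferring the read to apply time.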
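Review bot: The reformatted `depends_on` list still uses quoted string addresses such as `"kubernetes_role_binding.tiller"`, which the 0.12 syntax used elsewhere in this file (`var.`, `length(...)`, bare `format(...)`) accepts only with a deprecation warning; since every element of the list is rewritten in this hunk anyway, they should become bare references, e.g. `kubernetes_role_binding.tiller,` and `kubernetes_namespace.forseti,`. The `helm_release "forseti-security"` block continues past the end of the hunk.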