Clean up

koenighotze · Apr 30, 2024 · 8585b42 · 8585b42
1 parent 3444957
commit 8585b42
Show file tree

Hide file tree

Showing 9 changed files with 47 additions and 23 deletions.
diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
@@ -70,7 +70,7 @@ jobs:
       - name: Init
         run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
       - name: Apply
-        run: terraform apply -auto-approve
+        run: terraform apply -var git_sha="${{ github.sha }}" -auto-approve
       - name: Show Terraform Output as Summary
         run: |
           {

diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
@@ -135,7 +135,7 @@ jobs:
       - name: Terraform Init
         run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
       - name: Terraform Plan
-        run: terraform plan -no-color -out=tfplan
+        run: terraform plan -no-color -var git_sha="${{ github.sha }}" -out=tfplan
       - name: Show Terraform Plan as Summary
         run: |
           {

diff --git a/getting-started/07/bucket.tf b/getting-started/07/bucket.tf
@@ -1,13 +1,6 @@
-locals {
-  website_content = [
-    "index.html",
-    "404.html"
-  ]
-}
-
 resource "google_storage_bucket" "websitecontent" {
   #checkov:skip=CKV_GCP_62: No logging needed
-  name     = "website-${local.name_postfix}"
+  name     = local.website_bucket_name
   location = var.region
   # we do not use object level ACLs
   uniform_bucket_level_access = true
@@ -38,7 +31,7 @@ resource "google_storage_bucket_object" "bucket_object" {
 
   name   = each.value
   bucket = google_storage_bucket.websitecontent.name
-  source = "./website/${each.value}"
+  source = "${path.module}/website/${each.value}"
 
   content_type = "text/html"
 }
diff --git a/getting-started/07/locals.tf b/getting-started/07/locals.tf
@@ -1,5 +1,21 @@
 locals {
-  name_postfix = "ex-07-${random_integer.integer.result}"
+  project      = "ex-07"
+  name_postfix = "${local.project}-${random_integer.integer.result}"
 
   firewall_target_tags = ["webserver"]
+
+  website_bucket_name = lower("website-${local.name_postfix}")
+  website_content = [
+    "index.html",
+    "404.html"
+  ]
+
+  default_labels = {
+    purpose        = "gcp-terraform-training"
+    gettingstarted = local.name_postfix
+    owner          = "koenighotze"
+    environment    = "dev"
+    project        = local.project
+    git_sha        = var.git_sha
+  }
 }
diff --git a/getting-started/07/mig.tf b/getting-started/07/mig.tf
@@ -63,7 +63,7 @@ resource "google_compute_region_instance_template" "template" {
     block-project-ssh-keys = true
   }
 
-  metadata_startup_script = templatefile("./scripts/setup-webserver.sh", { bucket_url = google_storage_bucket.websitecontent.url })
+  metadata_startup_script = templatefile("${path.module}/scripts/setup-webserver.sh", { bucket_url = google_storage_bucket.websitecontent.url })
 
   tags           = local.firewall_target_tags
   can_ip_forward = false

diff --git a/getting-started/07/network.tf b/getting-started/07/network.tf
@@ -14,8 +14,8 @@ resource "google_compute_subnetwork" "instance_subnetwork" {
 
   log_config {
     aggregation_interval = "INTERVAL_10_MIN"
-    flow_sampling        = 0.5
     metadata             = "INCLUDE_ALL_METADATA"
+    flow_sampling        = 0.5
   }
 }
 
@@ -38,7 +38,7 @@ resource "google_compute_firewall" "firewall" {
   direction = "INGRESS"
   priority  = 1000
   #checkov:skip=CKV_GCP_106:allow everybody to connect
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = var.ingress_ip_ranges
   target_tags   = local.firewall_target_tags
   #checkov:skip=CKV_GCP_2: we need http
   allow {

diff --git a/getting-started/07/providers.tf b/getting-started/07/providers.tf
@@ -1,12 +1,8 @@
 provider "google" {
   project = var.project_id
   region  = var.region
-  zone    = var.zone
 
-  default_labels = {
-    purpose        = "gcp-terraform-training"
-    gettingstarted = local.name_postfix
-  }
+  default_labels = merge(local.default_labels, var.extra_labels)
 }
 
 provider "random" {

diff --git a/getting-started/07/sa.tf b/getting-started/07/sa.tf
@@ -7,12 +7,13 @@ resource "google_project_iam_member" "iam_member" {
   project  = var.project_id
   for_each = toset(["roles/logging.logWriter"])
   role     = each.value
-  member   = "serviceAccount:${google_service_account.instance_service_account.email}"
+
+  member = "serviceAccount:${google_service_account.instance_service_account.email}"
 }
 
 resource "google_service_account_iam_member" "iam_binding_service_account" {
   service_account_id = google_service_account.instance_service_account.name
   role               = "roles/iam.serviceAccountUser"
 
   member = "serviceAccount:${var.sa_email}"
-}
+}
diff --git a/getting-started/07/variables.tf b/getting-started/07/variables.tf
@@ -83,4 +83,22 @@ variable "base_cidr_block" {
     condition     = can(cidrsubnet(var.base_cidr_block, 0, 0))
     error_message = "The value given for CIDR block is not a valid CIDR notation."
   }
-}
+}
+
+variable "ingress_ip_ranges" {
+  description = "IP ranges allowed to access the website"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "extra_labels" {
+  description = "Extra labels to add to resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "git_sha" {
+  description = "The git sha of the current commit"
+  type        = string
+  default     = "unknown"
+}