ci: Initial Terraform configurations (Work in Progress)

.gitignore

@@ -60,3 +60,14 @@ generation/new_client/workspace
 # Monorepo repository generation
 monorepo/
 
+# Terraform
+*.hcl
+**/.terraform/.terraform/
+**/.terraform/plugins/
+**/.terraform/providers/
+**/.terraform/plugin_path
+*.lock.
+*.tfstate
+*.tfstate.backup
+*.tfstate.*.backup
+*.tfstate.lock.info

.terraform/.gitignore

@@ -0,0 +1,7 @@
+generated.tfplan
+generated.tfplan.json
+generated.auto.tfvars
+generated-env.sh
+generated-main.tf
+generated-outputs.tf
+generated-variables.tf

.terraform/destroy.sh

@@ -0,0 +1,61 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+scriptDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$scriptDir" >/dev/null || exit
+
+# Ensure GCP project environment variables are initialized.
+if [[ $(terraform state list) == "" ]]; then
+  echo "Nothing to destroy."
+  exit
+fi
+
+# @returns exit code 0 if list $1 contains entry $2.
+function contains() {
+  echo "$1" | grep -w -q "$2"
+}
+
+source ./helpers/sync-env.sh
+
+# Execute 'predestroy.sh' scripts for any active modules
+allModules=$(source ./helpers/list-all-modules.sh)
+activeModules=$(terraform state list | awk -F'[/.]' '{print $2}' | uniq)
+IFS=','
+for module in $allModules; do
+  friendlyName=$(source ./helpers/get-output-friendly-name.sh "$module")
+  if ! contains "$activeModules" "$friendlyName"; then
+    continue # Skip unless active.
+  fi
+
+  if [[ -f "../$module/.terraform/predestroy.sh" ]]; then
+    # shellcheck disable=SC1090
+    source "../$module/.terraform/predestroy.sh"
+  fi
+done
+
+terraform destroy -auto-approve || exit
+
+# Always verify whether or not to destroy the project.
+echo -n "Delete project ($terraform_project_id)? (y/N): "
+read -r shouldDestroy
+if [[ "$shouldDestroy" == y* ]] || [[ "$shouldDestroy" == Y* ]]; then
+  # Do not use service account when attempting to delete the project
+  unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
+
+  source ./helpers/create-project.sh
+  deleteProject
+  rm ./generated.auto.tfvars
+fi

.terraform/helpers/apply.sh

@@ -0,0 +1,20 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+helperDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$helperDir/.." >/dev/null || exit
+terraform apply "generated.tfplan" || exit
+popd >/dev/null || exit

.terraform/helpers/create-project.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#####################
+# Expected Environment Variables:
+#   TF_VAR_folder_id : Folder in which new GCP projects will be created
+#   TF_VAR_billing_account : Billing account to be used for created GCP projects
+#   TF_VAR_project_prefix : Prefix to use for all created GCP projects
+#####################
+
+function createProject() {
+  if [ -n "${GOOGLE_CLOUD_PROJECT}" ]; then
+    echo "Using current GOOGLE_CLOUD_PROJECT: $GOOGLE_CLOUD_PROJECT"
+    return
+  fi
+
+  currentProject=$(gcloud config get project)
+  if [ -n "${currentProject}" ]; then
+    echo -n "Do you want to use the current gcloud project ($currentProject)? (Y|n): "
+    read -r shouldUseCurrent
+    if [[ "$shouldUseCurrent" != n* ]] && [[ "$shouldUseCurrent" != N* ]]; then
+      GOOGLE_CLOUD_PROJECT=$currentProject
+      export GOOGLE_CLOUD_PROJECT
+      return
+    fi
+  fi
+
+  echo -n "GOOGLE_CLOUD_PROJECT not set. Do you want to create a project? (Y|n): "
+  read -r shouldCreate
+  if [[ "$shouldCreate" == n* ]] || [[ "$shouldCreate" == N* ]]; then
+    echo "Project required. Exiting."
+    exit 1
+  fi
+
+  # Ensure required environment variables are set.
+  if [ -z "${GOOGLE_CLOUD_FOLDER_ID}" ]; then
+    echo -n "GOOGLE_CLOUD_FOLDER_ID not set. GCP Folder ID: "
+    read -r folder_id
+    export GOOGLE_CLOUD_FOLDER_ID="${folder_id}"
+  fi
+  if [ -z "${GOOGLE_CLOUD_BILLING_ACCOUNT}" ]; then
+    echo -n "GOOGLE_CLOUD_BILLING_ACCOUNT not set. GCP Billing Account ID: "
+    read -r billing_acct
+    export GOOGLE_CLOUD_BILLING_ACCOUNT="${billing_acct}"
+  fi
+  if [ -z "${GOOGLE_CLOUD_PROJECT_PREFIX}" ]; then
+    echo -n "GOOGLE_CLOUD_PROJECT_PREFIX not set. Prefix for New Project: "
+    read -r prefix
+    export GOOGLE_CLOUD_PROJECT_PREFIX="${prefix}"
+  fi
+
+  # Provision GCP Project
+  projectId="${GOOGLE_CLOUD_PROJECT_PREFIX}"-"$RANDOM"
+  gcloud projects create --folder="$GOOGLE_CLOUD_FOLDER_ID" "$projectId" || exit
+  gcloud config set project "$projectId"
+  gcloud services enable cloudresourcemanager.googleapis.com
+  gcloud beta billing projects link "$projectId" --billing-account="$GOOGLE_CLOUD_BILLING_ACCOUNT"
+  GOOGLE_CLOUD_PROJECT=$projectId
+}
+
+function deleteProject() {
+  if [ -n "${GOOGLE_CLOUD_PROJECT}" ]; then
+    gcloud projects delete "$GOOGLE_CLOUD_PROJECT"
+    gcloud config unset project
+    unset GOOGLE_CLOUD_PROJECT
+  fi
+}

.terraform/helpers/gcloud-login.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Perform gcloud auth login if no current credentials are available.
+if gcloud auth print-access-token &>/dev/null; then
+  true
+else
+  if ! gcloud auth login; then
+    exit
+  fi
+fi
+if gcloud auth application-default print-access-token &>/dev/null; then
+  true
+else
+  if ! gcloud auth application-default login; then
+    exit
+  fi
+fi

.terraform/helpers/generate-config.sh

@@ -0,0 +1,65 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+function initializeGeneratedFiles() {
+  cp ./helpers/generated-main.template.tf generated-main.tf
+  cp ./helpers/generated-outputs.template.tf generated-outputs.tf
+  cp ./helpers/generated-variables.template.tf generated-variables.tf
+}
+
+function appendModule() {
+  friendlyName=$(source ./helpers/get-output-friendly-name.sh "$1")
+
+  # Append the given module to the generated-main.tf configuration to be
+  # included in the project's resources during 'terraform apply'.
+  echo "module \"$friendlyName\" {
+    source = \"./../$1/.terraform\"
+    inputs = local.data
+    depends_on = [time_sleep.for_1m_allowBaseCloudApisToFullyEnable]
+  }" >>generated-main.tf
+
+  # Append the given module to the generated-output.tf file to provide
+  # all of this module's outputs as an object.
+  # See https://www.terraform.io/cli/commands/output
+  echo "output \"$friendlyName\" {
+    value = module.$friendlyName
+    sensitive = true
+  }" >>generated-outputs.tf
+}
+
+function appendAllModules() {
+  # Either use given module list, or get a list of all modules in the parent directory.
+  if [ -n "$1" ]; then
+    modules=$1
+  else
+    modules=$(source ./helpers/list-all-modules.sh)
+  fi
+  IFS=','
+  for module in $modules; do
+    # Only include modules with a .terraform subdirectory in the generated config.
+    if [ -d "../$module/.terraform" ]; then
+      appendModule "${module%/}" # Remove possible trailing '/'
+    fi
+  done
+}
+
+# Ensure current directory is <root>/.terraform.
+generateDir="$(cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
+pushd "$generateDir/.." >/dev/null || exit
+
+initializeGeneratedFiles
+appendAllModules "$1"
+
+popd >/dev/null || exit

.terraform/helpers/generated-main.template.tf

@@ -0,0 +1,48 @@
+# Auto-generated by generate-config.sh
+terraform {
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+  }
+}
+provider "google" {
+  project = var.project_id
+  region  = var.region
+  zone    = var.zone
+}
+locals {
+  # Objects with additional key-value entries may be passed as variables
+  # to modules needing an object with only a subset of those entries.
+  # So this 'data' object is a superset of key-value entries that may be
+  # needed, and we pass it to every module.
+  data = {
+    project_id                     = var.project_id
+    project_number                 = var.project_number
+    region                         = var.region
+    zone                           = var.zone
+    service_account                = var.service_account
+    should_enable_apis_on_apply    = var.should_enable_apis_on_apply
+    should_disable_apis_on_destroy = var.should_disable_apis_on_destroy
+  }
+}
+module "project-services" {
+  source = "terraform-google-modules/project-factory/google//modules/project_services"
+
+  project_id                  = local.data.project_id
+  enable_apis                 = local.data.should_enable_apis_on_apply
+  disable_services_on_destroy = local.data.should_disable_apis_on_destroy
+  activate_apis               = [
+    "cloudresourcemanager.googleapis.com",
+    "iam.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "serviceusage.googleapis.com",
+  ]
+}
+resource "time_sleep" "for_1m_allowBaseCloudApisToFullyEnable" {
+  create_duration = "1m"
+  depends_on      = [module.project-services]
+  triggers        = {
+    when_project_created = local.data.project_id
+  }
+}

.terraform/helpers/generated-outputs.template.tf

@@ -0,0 +1,8 @@
+# Auto-generated by generate-config.sh
+# See https://www.terraform.io/cli/commands/output
+output "project_id" {
+  value = local.data.project_id
+}
+output "service_account" {
+  value = local.data.service_account
+}

.terraform/helpers/generated-variables.template.tf

@@ -0,0 +1,37 @@
+# Auto-generated by generate-config.sh
+variable "gcloud_account" {
+  type        = string
+  description = "Account email associated with the gcloud session"
+}
+variable "project_id" {
+  type        = string
+  description = "GCP Project ID of the project being used"
+}
+variable "project_number" {
+  type        = string
+  description = "GCP Project number of the project being used"
+}
+variable "region" {
+  type        = string
+  description = "GCP region used to deploy resources"
+  default     = "us-central1" # NOTE: Some integration tests have hardcoded this region.
+}
+variable "service_account" {
+  type        = string
+  description = "Service account email associated with this gcloud session"
+}
+variable "should_enable_apis_on_apply" {
+  type        = bool
+  default     = true
+  description = "If true, required APIs for active client libraries will be automatically enabled on apply."
+}
+variable "should_disable_apis_on_destroy" {
+  type        = bool
+  default     = false
+  description = "If true, any APIs enabled by Terraform during apply will be disabled on destroy."
+}
+variable "zone" {
+  type        = string
+  description = "GCP zone used to deploy resources. Must be a zone in the chosen region."
+  default     = "us-central1-c"
+}