disable oslogin for deploy box

3cea5615 · Ilya Frolov · 27ca4838 · 3cea5615 · 3cea5615 · 3cea5615
Commit 3cea5615 authored Apr 05, 2018 by Ilya Frolov
5 changed files
--- a/environments/gprd/main.tf
+++ b/environments/gprd/main.tf
@@ -14,6 +14,7 @@ variable "gitlab_net_zone_id" {}
 ## Google

 provider "google" {
+  version = "~> 1.8.0"
  project = "${var.project}"
  region  = "${var.region}"
 }
@@ -823,23 +824,25 @@ module "alerts" {
 ##################################

 module "deploy" {
-  bootstrap_version = 3
-  chef_provision    = "${var.chef_provision}"
-  chef_run_list     = "\"role[${var.environment}-base-deploy-node]\""
-  dns_zone_name     = "${var.dns_zone_name}"
-  environment       = "${var.environment}"
-  ip_cidr_range     = "${var.subnetworks["deploy"]}"
-  machine_type      = "${var.machine_types["deploy"]}"
-  name              = "deploy"
-  node_count        = "${var.node_count["deploy"]}"
-  project           = "${var.project}"
-  public_ports      = "${var.public_ports["deploy"]}"
-  region            = "${var.region}"
-  source            = "../../modules/google/generic-sv-with-group"
-  health_check      = "tcp"
-  service_port      = 22
-  tier              = "sv"
-  vpc               = "${module.network.self_link}"
+  block_project_ssh_keys = "TRUE"
+  bootstrap_version      = 3
+  chef_provision         = "${var.chef_provision}"
+  chef_run_list          = "\"role[${var.environment}-base-deploy-node]\""
+  dns_zone_name          = "${var.dns_zone_name}"
+  enable_oslogin         = "FALSE"
+  environment            = "${var.environment}"
+  ip_cidr_range          = "${var.subnetworks["deploy"]}"
+  machine_type           = "${var.machine_types["deploy"]}"
+  name                   = "deploy"
+  node_count             = "${var.node_count["deploy"]}"
+  project                = "${var.project}"
+  public_ports           = "${var.public_ports["deploy"]}"
+  region                 = "${var.region}"
+  source                 = "../../modules/google/generic-sv-with-group"
+  health_check           = "tcp"
+  service_port           = 22
+  tier                   = "sv"
+  vpc                    = "${module.network.self_link}"
 }

 ##################################

--- a/modules/google/generic-nodisk/instance.tf
+++ b/modules/google/generic-nodisk/instance.tf
@@ -13,14 +13,16 @@ resource "google_compute_instance" "instance_without_attached_disk" {
  machine_type = "${var.machine_type}"

  metadata = {
-    "CHEF_URL"           = "${var.chef_provision.["server_url"]}"
-    "CHEF_VERSION"       = "${var.chef_provision.["version"]}"
-    "CHEF_NODE_NAME"     = "${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)}"
-    "CHEF_ENVIRONMENT"   = "${var.environment}"
-    "CHEF_RUN_LIST"      = "${var.chef_run_list}"
-    "CHEF_DNS_ZONE_NAME" = "${var.dns_zone_name}"
-    "CHEF_PROJECT"       = "${var.project}"
-    "shutdown-script"    = "${file("${path.module}/../../../scripts/google/teardown-v1.sh")}"
+    "CHEF_DNS_ZONE_NAME"     = "${var.dns_zone_name}"
+    "CHEF_ENVIRONMENT"       = "${var.environment}"
+    "CHEF_NODE_NAME"         = "${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)}"
+    "CHEF_PROJECT"           = "${var.project}"
+    "CHEF_RUN_LIST"          = "${var.chef_run_list}"
+    "CHEF_URL"               = "${var.chef_provision.["server_url"]}"
+    "CHEF_VERSION"           = "${var.chef_provision.["version"]}"
+    "block-project-ssh-keys" = "${var.block_project_ssh_keys}"
+    "enable-oslogin"         = "${var.enable_oslogin}"
+    "shutdown-script"        = "${file("${path.module}/../../../scripts/google/teardown-v1.sh")}"
  }

  metadata_startup_script = "${file("${path.module}/../../../scripts/google/bootstrap-v${var.bootstrap_version}.sh")}"

--- a/modules/google/generic-nodisk/variables.tf
+++ b/modules/google/generic-nodisk/variables.tf
+variable "block_project_ssh_keys" {
+  type        = "string"
+  description = "Whether to block project level ssh keys on GCP instances"
+  default     = "FALSE"
+}
+
 variable "bootstrap_version" {
  description = "version of the bootstrap script"
  default     = 1
@@ -18,6 +24,15 @@ variable "dns_zone_name" {
  description = "The GCP name of the DNS zone to use for this environment"
 }

+variable "enable_oslogin" {
+  type        = "string"
+  description = "Whether to enable OS Login GCP feature"
+
+  # Note: setting this to TRUE breaks chef!
+  # https://gitlab.com/gitlab-com/gitlab-com-infrastructure/merge_requests/297#note_66690562
+  default = "FALSE"
+}
+
 variable "environment" {
  type        = "string"
  description = "The environment name"

--- a/modules/google/generic-sv-with-group/instance.tf
+++ b/modules/google/generic-sv-with-group/instance.tf
@@ -53,14 +53,16 @@ resource "google_compute_instance" "default" {
  machine_type = "${var.machine_type}"

  metadata = {
-    "CHEF_URL"           = "${var.chef_provision.["server_url"]}"
-    "CHEF_VERSION"       = "${var.chef_provision.["version"]}"
-    "CHEF_NODE_NAME"     = "${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)}"
-    "CHEF_ENVIRONMENT"   = "${var.environment}"
-    "CHEF_RUN_LIST"      = "${var.chef_run_list}"
-    "CHEF_DNS_ZONE_NAME" = "${var.dns_zone_name}"
-    "CHEF_PROJECT"       = "${var.project}"
-    "shutdown-script"    = "${file("${path.module}/../../../scripts/google/teardown-v1.sh")}"
+    "CHEF_URL"               = "${var.chef_provision.["server_url"]}"
+    "CHEF_VERSION"           = "${var.chef_provision.["version"]}"
+    "CHEF_NODE_NAME"         = "${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)}"
+    "CHEF_ENVIRONMENT"       = "${var.environment}"
+    "CHEF_RUN_LIST"          = "${var.chef_run_list}"
+    "CHEF_DNS_ZONE_NAME"     = "${var.dns_zone_name}"
+    "CHEF_PROJECT"           = "${var.project}"
+    "block-project-ssh-keys" = "${var.block_project_ssh_keys}"
+    "enable-oslogin"         = "${var.enable_oslogin}"
+    "shutdown-script"        = "${file("${path.module}/../../../scripts/google/teardown-v1.sh")}"
  }

  metadata_startup_script = "${file("${path.module}/../../../scripts/google/bootstrap-v${var.bootstrap_version}.sh")}"

--- a/modules/google/generic-sv-with-group/variables.tf
+++ b/modules/google/generic-sv-with-group/variables.tf
@@ -12,6 +12,12 @@ variable "service_path" {
  default = "/"
 }

+variable "block_project_ssh_keys" {
+  type        = "string"
+  description = "Whether to block project level SSH keys"
+  default     = "TRUE"
+}
+
 variable "bootstrap_version" {
  description = "version of the bootstrap script"
  default     = 1
@@ -32,6 +38,15 @@ variable "dns_zone_name" {
  description = "The GCP name of the DNS zone to use for this environment"
 }

+variable "enable_oslogin" {
+  type        = "string"
+  description = "Whether to enable OS Login GCP feature"
+
+  # Note: setting this to TRUE breaks chef!
+  # https://gitlab.com/gitlab-com/gitlab-com-infrastructure/merge_requests/297#note_66690562
+  default = "FALSE"
+}
+
 variable "environment" {
  type        = "string"
  description = "The environment name"