Redirector Terraform (#558)

* add enx to build

* first pass at terraform config

* variables

* enx makes things too long

* no db

* simplify and fix vars

* map to string

* remove newline

* fix image name

* fix env var

* remove unneeded configs

* fix variable type

* what is this, python

builders/build.yaml

@@ -166,6 +166,32 @@ steps:
   waitFor:
   - 'build-e2e-runner'
 
+#
+# enx-redirect
+#
+- id: 'build-enx-redirect'
+  name: 'golang:1.15.1'
+  args:
+  - 'go'
+  - 'build'
+  - '-trimpath'
+  - '-ldflags=-s -w -X=${_REPO}/pkg/buildinfo.BuildID=${BUILD_ID} -X=${_REPO}/pkg/buildinfo.BuildTag=${_TAG} -extldflags=-static'
+  - '-o=./bin/enx-redirect'
+  - './cmd/enx-redirect'
+  waitFor:
+  - 'download-modules'
+
+- id: 'dockerize-enx-redirect'
+  name: 'docker:19'
+  args:
+  - 'build'
+  - '--file=builders/service.dockerfile'
+  - '--tag=gcr.io/${PROJECT_ID}/${_REPO}/enx-redirect:${_TAG}'
+  - '--build-arg=SERVICE=enx-redirect'
+  - '.'
+  waitFor:
+  - 'build-enx-redirect'
+
 #
 # migrate
 #
@@ -249,6 +275,7 @@ images:
 - 'gcr.io/${PROJECT_ID}/${_REPO}/apiserver:${_TAG}'
 - 'gcr.io/${PROJECT_ID}/${_REPO}/cleanup:${_TAG}'
 - 'gcr.io/${PROJECT_ID}/${_REPO}/e2e-runner:${_TAG}'
+- 'gcr.io/${PROJECT_ID}/${_REPO}/enx-redirect:${_TAG}'
 - 'gcr.io/${PROJECT_ID}/${_REPO}/migrate:${_TAG}'
 - 'gcr.io/${PROJECT_ID}/${_REPO}/modeler:${_TAG}'
 - 'gcr.io/${PROJECT_ID}/${_REPO}/server:${_TAG}'

terraform/service_redirect.tf

@@ -0,0 +1,138 @@
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "google_service_account" "redirect" {
+  project      = var.project
+  account_id   = "en-verification-redirect-sa"
+  display_name = "Verification redirect"
+}
+
+resource "google_service_account_iam_member" "cloudbuild-deploy-redirect" {
+  service_account_id = google_service_account.redirect.id
+  role               = "roles/iam.serviceAccountUser"
+  member             = "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
+
+  depends_on = [
+    google_project_service.services["cloudbuild.googleapis.com"],
+    google_project_service.services["iam.googleapis.com"],
+  ]
+}
+
+resource "google_project_iam_member" "redirect-observability" {
+  for_each = toset([
+    "roles/cloudtrace.agent",
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter",
+    "roles/stackdriver.resourceMetadata.writer",
+  ])
+
+  project = var.project
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.redirect.email}"
+}
+
+resource "google_cloud_run_service" "redirect" {
+  name     = "redirect"
+  location = var.region
+
+  autogenerate_revision_name = true
+
+  template {
+    spec {
+      service_account_name = google_service_account.redirect.email
+      timeout_seconds      = 25
+
+      containers {
+        image = "gcr.io/${var.project}/github.com/google/exposure-notifications-verification-redirect/enx-redirect:initial"
+
+        resources {
+          limits = {
+            cpu    = "1"
+            memory = "512Mi"
+          }
+        }
+
+        dynamic "env" {
+          for_each = merge(
+            local.gcp_config,
+            local.redirect_config,
+
+            // This MUST come last to allow overrides!
+            lookup(var.service_environment, "redirect", {}),
+          )
+
+          content {
+            name  = env.key
+            value = env.value
+          }
+        }
+      }
+    }
+
+    metadata {
+      annotations = {
+        "run.googleapis.com/vpc-access-connector" : google_vpc_access_connector.connector.id
+      }
+    }
+  }
+
+  depends_on = [
+    google_project_service.services["run.googleapis.com"],
+    null_resource.build,
+  ]
+
+  lifecycle {
+    ignore_changes = [
+      template[0].metadata[0].annotations,
+      template[0].spec[0].containers[0].image,
+    ]
+  }
+}
+
+resource "google_compute_region_network_endpoint_group" "redirect" {
+  name     = "redirect"
+  provider = google-beta
+  project  = var.project
+  region   = var.region
+
+  network_endpoint_type = "SERVERLESS"
+
+  cloud_run {
+    service = google_cloud_run_service.redirect.name
+  }
+}
+
+resource "google_compute_backend_service" "redirect" {
+  count    = local.enable_lb ? 1 : 0
+  provider = google-beta
+  name     = "redirect"
+  project  = var.project
+
+  backend {
+    group = google_compute_region_network_endpoint_group.redirect.id
+  }
+}
+
+resource "google_cloud_run_service_iam_member" "redirect-public" {
+  location = google_cloud_run_service.redirect.location
+  project  = google_cloud_run_service.redirect.project
+  service  = google_cloud_run_service.redirect.name
+  role     = "roles/run.invoker"
+  member   = "allUsers"
+}
+
+output "redirect_url" {
+  value = google_cloud_run_service.redirect.status.0.url
+}

terraform/services.tf

@@ -83,6 +83,10 @@ locals {
     VERIFICATION_ADMIN_API  = google_cloud_run_service.adminapi.status.0.url
     VERIFICATION_SERVER_API = google_cloud_run_service.apiserver.status.0.url
   }
+
+  redirect_config = {
+    HOSTNAME_TO_REGION = join(",", [for o in var.redirect_domain_map : format("%s=%s", o.host, o.region)])
+  }
 }
 
 output "cookie_keys" {

terraform/variables.tf

@@ -178,6 +178,15 @@ variable "adminapi-host" {
   description = "Domain adminapi is hosted on."
 }
 
+variable "redirect_domain_map" {
+  type = list(object({
+    region = string
+    host   = string
+  }))
+  default     = []
+  description = "Redirect domains and environments."
+}
+
 terraform {
   required_version = ">= 0.13.1"