osinfra-io · brettcurtis · Oct 12, 2024 · Oct 12, 2024
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
@@ -29,7 +29,7 @@ repos:
       - id: terraform_docs
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.255
+    rev: 3.2.257
     hooks:
       - id: checkov
         verbose: true

diff --git a/regional/README.md b/regional/README.md
@@ -47,7 +47,6 @@ No modules.
 | <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | The repository to pull the Istio Helm chart from | `string` | `"https://istio-release.storage.googleapis.com/charts"` | no |
 | <a name="input_cluster_prefix"></a> [cluster\_prefix](#input\_cluster\_prefix) | Prefix for your cluster name | `string` | n/a | yes |
 | <a name="input_enable_istio_gateway"></a> [enable\_istio\_gateway](#input\_enable\_istio\_gateway) | Enable the Istio gateway, used for ingress traffic into the mesh | `bool` | `false` | no |
-| <a name="input_environment"></a> [environment](#input\_environment) | The environment must be one of `sandbox`, `non-production`, `production` | `string` | `"sandbox"` | no |
 | <a name="input_gateway_autoscale_min"></a> [gateway\_autoscale\_min](#input\_gateway\_autoscale\_min) | The minimum number of gateway replicas to run | `number` | `1` | no |
 | <a name="input_gateway_cpu_limits"></a> [gateway\_cpu\_limits](#input\_gateway\_cpu\_limits) | The CPU limit for the Istio gateway | `string` | `"100m"` | no |
 | <a name="input_gateway_cpu_requests"></a> [gateway\_cpu\_requests](#input\_gateway\_cpu\_requests) | The CPU request for the Istio gateway | `string` | `"25m"` | no |
@@ -70,8 +69,6 @@ No modules.
 | <a name="input_proxy_cpu_requests"></a> [proxy\_cpu\_requests](#input\_proxy\_cpu\_requests) | The CPU request for the Istio proxy | `string` | `"10m"` | no |
 | <a name="input_proxy_memory_limits"></a> [proxy\_memory\_limits](#input\_proxy\_memory\_limits) | The memory limit for the Istio proxy | `string` | `"64Mi"` | no |
 | <a name="input_proxy_memory_requests"></a> [proxy\_memory\_requests](#input\_proxy\_memory\_requests) | The memory request for the Istio proxy | `string` | `"32Mi"` | no |
-| <a name="input_region"></a> [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes |
-| <a name="input_zone"></a> [zone](#input\_zone) | The zone to deploy the resources to | `string` | n/a | yes |
 
 ## Outputs
 

diff --git a/regional/locals.tf b/regional/locals.tf
@@ -2,27 +2,90 @@
 # https://www.terraform.io/docs/language/values/locals.html
 
 locals {
-  env = lookup(local.env_map, var.environment, "none")
+  env = lookup(local.env_map, local.environment, "none")
+
+  environment = (
+    terraform.workspace == "default" ?
+    "mock-environment" :
+    (regex(".*-(?P<environment>[^-]+)$", terraform.workspace)["environment"])
+  )
 
   env_map = {
     "non-production" = "nonprod"
     "production"     = "prod"
     "sandbox"        = "sb"
+  }
+
+  gateway_helm_values = {
+    "autoscaling.minReplicas"                  = var.gateway_autoscale_min
+    "labels.tags\\.datadoghq\\.com/env"        = local.environment
+    "labels.tags\\.datadoghq\\.com/version"    = var.istio_version
+    "podAnnotations.apm\\.datadoghq\\.com/env" = local.istio_gateway_datadog_apm_env
+    "podAnnotations.proxy\\.istio\\.io/config" = <<EOF
+    tracing:
+      datadog:
+        address: $(HOST_IP):8126
+    proxyMetadata:
+      DD_ENV: ${local.environment}
+      DD_SERVICE: istio-gateway
+      DD_VERSION: ${var.istio_version}
+    EOF
+    "resources.limits.cpu"                     = var.gateway_cpu_limits
+    "resources.limits.memory"                  = var.gateway_memory_limits
+    "resources.requests.cpu"                   = var.gateway_cpu_requests
+    "resources.requests.memory"                = var.gateway_memory_requests
+  }
 
+  istiod_helm_values = {
+    "global.hub"                                            = "${var.artifact_registry}/istio"
+    "global.multiCluster.clusterName"                       = local.multi_cluster_name
+    "global.proxy.resources.limits.cpu"                     = var.proxy_cpu_limits
+    "global.proxy.resources.limits.memory"                  = var.proxy_memory_limits
+    "global.proxy.resources.requests.cpu"                   = var.proxy_cpu_requests
+    "global.proxy.resources.requests.memory"                = var.proxy_memory_requests
+    "pilot.autoscaleMin"                                    = var.pilot_autoscale_min
+    "pilot.deploymentLabels.tags\\.datadoghq\\.com/env"     = local.environment
+    "pilot.deploymentLabels.tags\\.datadoghq\\.com/version" = var.istio_version
+    "pilot.podLabels.tags\\.datadoghq\\.com/env"            = local.environment
+    "pilot.podLabels.tags\\.datadoghq\\.com/version"        = var.istio_version
+    "pilot.resources.limits.cpu"                            = var.pilot_cpu_limits
+    "pilot.resources.limits.memory"                         = var.pilot_memory_limits
+    "pilot.resources.requests.cpu"                          = var.pilot_cpu_requests
+    "pilot.resources.requests.memory"                       = var.pilot_memory_requests
+    "pilot.replicaCount"                                    = var.pilot_replica_count
   }
 
   istio_gateway_datadog_apm_env = <<EOF
     {
-    \"DD_ENV\":\"${var.environment}\"\,
+    \"DD_ENV\":\"${local.environment}\"\,
     \"DD_SERVICE\":\"istio-gateway\"\,
     \"DD_VERSION\":\"${var.istio_version}\"
     }
   EOF
 
   istio_gateway_proxy_config = <<EOF
-    {\"tracing\":{\"datadog\":{\"address\":\"$(HOST_IP):8126\"}}\,\"proxyMetadata\":{\"DD_ENV\":\"${var.environment}\"\,\"DD_SERVICE\":\"istio-gateway\"\,\"DD_VERSION\":\"${var.istio_version}\"\,\"ISTIO_META_DNS_AUTO_ALLOCATE\":\"true\"\,\"ISTIO_META_DNS_CAPTURE\":\"true\"\,\"meshId\":\"default\"}
+    {
+    \"tracing\":{\"datadog\":{\"address\":\"$(HOST_IP):8126\"}}\,
+    \"proxyMetadata\":{\"DD_ENV\":\"${local.environment}\"\,
+    \"DD_SERVICE\":\"istio-gateway\"\,\"DD_VERSION\":\"${var.istio_version}\"\,
+    \"ISTIO_META_DNS_AUTO_ALLOCATE\":\"true\"\,
+    \"ISTIO_META_DNS_CAPTURE\":\"true\"\,
+    \"meshId\":\"default\"
+    }
   EOF
 
   gateway_domains    = keys(var.gateway_dns)
-  multi_cluster_name = "${var.cluster_prefix}-${var.region}-${var.zone}-${local.env}"
+  multi_cluster_name = "${var.cluster_prefix}-${local.region}-${local.zone}-${local.env}"
+
+  region = (
+    terraform.workspace == "default" ?
+    "mock-region" :
+    (regex("^(?P<region>[^-]+-[^-]+)", terraform.workspace)["region"])
+  )
+
+  zone = (
+    terraform.workspace == "default" ?
+    "mock-zone" :
+    (regex("^(?P<region>[^-]+-[^-]+)-(?P<zone>[^-]+)", terraform.workspace)["zone"])
+  )
 }
diff --git a/regional/main.tf b/regional/main.tf
@@ -6,7 +6,7 @@ resource "google_compute_global_address" "istio_gateway" {
 
 
   labels  = var.labels
-  name    = "istio-gateway-${var.region}"
+  name    = "istio-gateway-${local.region}"
   project = var.project
 }
 
@@ -46,84 +46,12 @@ resource "helm_release" "istiod" {
   namespace  = "istio-system"
   repository = var.chart_repository
 
-  set {
-    name  = "global.hub"
-    value = "${var.artifact_registry}/istio"
-  }
-
-  set {
-    name  = "global.multiCluster.clusterName"
-    value = local.multi_cluster_name
-  }
-
-  set {
-    name  = "global.proxy.resources.limits.cpu"
-    value = var.proxy_cpu_limits
-  }
-
-  set {
-    name  = "global.proxy.resources.limits.memory"
-    value = var.proxy_memory_limits
-  }
-
-  set {
-    name  = "global.proxy.resources.requests.cpu"
-    value = var.proxy_cpu_requests
-  }
-
-  set {
-    name  = "global.proxy.resources.requests.memory"
-    value = var.proxy_memory_requests
-  }
-
-  set {
-    name  = "pilot.autoscaleMin"
-    value = var.pilot_autoscale_min
-  }
-
-  set {
-    name  = "pilot.deploymentLabels.tags\\.datadoghq\\.com/env"
-    value = var.environment
-  }
-
-  set {
-    name  = "pilot.deploymentLabels.tags\\.datadoghq\\.com/version"
-    value = var.istio_version
-  }
-
-  set {
-    name  = "pilot.podLabels.tags\\.datadoghq\\.com/env"
-    value = var.environment
-  }
-
-  set {
-    name  = "pilot.podLabels.tags\\.datadoghq\\.com/version"
-    value = var.istio_version
-  }
-
-  set {
-    name  = "pilot.resources.limits.cpu"
-    value = var.pilot_cpu_limits
-  }
-
-  set {
-    name  = "pilot.resources.limits.memory"
-    value = var.pilot_memory_limits
-  }
-
-  set {
-    name  = "pilot.resources.requests.cpu"
-    value = var.pilot_cpu_requests
-  }
-
-  set {
-    name  = "pilot.resources.requests.memory"
-    value = var.pilot_memory_requests
-  }
-
-  set {
-    name  = "pilot.replicaCount"
-    value = var.pilot_replica_count
+  dynamic "set" {
+    for_each = local.istiod_helm_values
+    content {
+      name  = set.key
+      value = set.value
+    }
   }
 
   values = [
@@ -145,57 +73,12 @@ resource "helm_release" "gateway" {
   namespace  = "istio-ingress"
   repository = var.chart_repository
 
-  set {
-    name  = "autoscaling.minReplicas"
-    value = var.gateway_autoscale_min
-  }
-
-  set {
-    name  = "labels.tags\\.datadoghq\\.com/env"
-    value = var.environment
-  }
-
-  set {
-    name  = "labels.tags\\.datadoghq\\.com/version"
-    value = var.istio_version
-  }
-
-  set {
-    name  = "podAnnotations.apm\\.datadoghq\\.com/env"
-    value = local.istio_gateway_datadog_apm_env
-  }
-
-  set {
-    name  = "podAnnotations.proxy\\.istio\\.io/config"
-    value = <<EOF
-    tracing:
-      datadog:
-        address: $(HOST_IP):8126
-    proxyMetadata:
-      DD_ENV: ${var.environment}
-      DD_SERVICE: istio-gateway
-      DD_VERSION: ${var.istio_version}
-    EOF
-  }
-
-  set {
-    name  = "resources.limits.cpu"
-    value = var.gateway_cpu_limits
-  }
-
-  set {
-    name  = "resources.limits.memory"
-    value = var.gateway_memory_limits
-  }
-
-  set {
-    name  = "resources.requests.cpu"
-    value = var.gateway_cpu_requests
-  }
-
-  set {
-    name  = "resources.requests.memory"
-    value = var.gateway_memory_requests
+  dynamic "set" {
+    for_each = local.gateway_helm_values
+    content {
+      name  = set.key
+      value = set.value
+    }
   }
 
   values = [
@@ -420,7 +303,7 @@ resource "kubernetes_manifest" "istio_gateway_ca_certificate" {
       isCA       = true
 
       issuerRef = {
-        name  = "selfsigned"
+        name  = kubernetes_manifest.istio_gateway_selfsigned_issuer[0].manifest.metadata.name
         kind  = "Issuer"
         group = "cert-manager.io"
       }
@@ -432,10 +315,6 @@ resource "kubernetes_manifest" "istio_gateway_ca_certificate" {
       }
     }
   }
-
-  depends_on = [
-    kubernetes_manifest.istio_gateway_selfsigned_issuer
-  ]
 }
 
 resource "kubernetes_manifest" "istio_gateway_ca_issuer" {
@@ -451,14 +330,10 @@ resource "kubernetes_manifest" "istio_gateway_ca_issuer" {
 
     spec = {
       ca = {
-        secretName = "istio-gateway-ca"
+        secretName = kubernetes_manifest.istio_gateway_ca_certificate[0].manifest.metadata.name
       }
     }
   }
-
-  depends_on = [
-    kubernetes_manifest.istio_gateway_ca_certificate
-  ]
 }
 
 resource "kubernetes_manifest" "istio_gateway_tls" {
@@ -479,7 +354,7 @@ resource "kubernetes_manifest" "istio_gateway_tls" {
       isCA       = false
 
       issuerRef = {
-        name  = "istio-gateway-ca"
+        name  = kubernetes_manifest.istio_gateway_ca_issuer[0].manifest.metadata.name
         kind  = "Issuer"
         group = "cert-manager.io"
       }
@@ -493,10 +368,6 @@ resource "kubernetes_manifest" "istio_gateway_tls" {
       ]
     }
   }
-
-  depends_on = [
-    kubernetes_manifest.istio_gateway_ca_issuer
-  ]
 }
 
 resource "kubernetes_manifest" "istio_gateway_selfsigned_issuer" {

diff --git a/regional/manifests/main.tf b/regional/manifests/main.tf
@@ -108,11 +108,6 @@ resource "kubernetes_manifest" "istio_gateway" {
           tls = {
 
             # As part of the incoming TLS connection, the gateway will decrypt the traffic in order to apply the routing rules.
-            # This is an additional manual step to configure the gateway to use the TLS certificate. This is not recommended for production use.
-            # openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=Open Source Infrastructure as Code/CN=osinfra.io' -keyout osinfra.io.key -out osinfra.io.crt
-            # openssl req -out gateway.istio-ingress.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout gateway.istio-ingress.svc.cluster.local.key -subj "/O=Open Source Infrastructure as Code/CN=osinfra.io"
-            # openssl x509 -req -sha256 -days 365 -CA osinfra.io.crt -CAkey osinfra.io.key -set_serial 0 -in gateway.istio-ingress.svc.cluster.local.csr -out gateway.istio-ingress.svc.cluster.local.crt
-            # kubectl create -n istio-ingress secret tls istio-gateway-tls --key=gateway.istio-ingress.svc.cluster.local.key --cert=gateway.istio-ingress.svc.cluster.local.crt
 
             mode           = "SIMPLE"
             credentialName = "istio-gateway-tls"

diff --git a/regional/variables.tf b/regional/variables.tf
@@ -24,17 +24,6 @@ variable "enable_istio_gateway" {
   default     = false
 }
 
-variable "environment" {
-  description = "The environment must be one of `sandbox`, `non-production`, `production`"
-  type        = string
-  default     = "sandbox"
-
-  validation {
-    condition     = contains(["mock-environment", "sandbox", "non-production", "production"], var.environment)
-    error_message = "The environment must be one of `mock-environment` for tests or `sandbox`, `non-production`, or `production`."
-  }
-}
-
 variable "gateway_autoscale_min" {
   description = "The minimum number of gateway replicas to run"
   type        = number
@@ -170,13 +159,3 @@ variable "proxy_memory_requests" {
   type        = string
   default     = "32Mi"
 }
-
-variable "region" {
-  description = "The region in which the resource belongs"
-  type        = string
-}
-
-variable "zone" {
-  description = "The zone to deploy the resources to"
-  type        = string
-}