fix!: use an external git repository (#475)

- Don't enable the Cloud Source Repositories API.
- Don't provision a Cloud Source Repository.
- Get the Config Sync Git repository with an input variable.
- Let users specify the credentials type to authenticate Config Sync
  with their repositories.

Fix #449

Author: ferrarimarco

.gitignore

@@ -4,3 +4,6 @@ super-linter.log
 
 # GitHub Actions leftovers
 github_conf
+
+# Terraform
+terraform/.terraform

README.md

@@ -34,6 +34,7 @@ To deploy this blueprint you need:
 - The `serviceusage.googleapis.com` must be enabled on the project. For more
   information about enabling APIs, see
   [Enabling and disabling services](https://cloud.google.com/service-usage/docs/enable-disable)
+- A Git repository to store the environment configuration.
 
 You create the infastructure using Terraform. The blueprint uses a local [Terraform backend](https://www.terraform.io/docs/language/settings/backends/configuration.html),
 but we recommend to configure a [remote backend](https://www.terraform.io/language/settings/backends/configuration#backend-types)
@@ -128,9 +129,14 @@ Users and teams managing tenant apps should not have permissions to change clust
 
    ```hcl
    project_id          = # Google Cloud project ID where to provision resources with the blueprint.
-   acm_repository_path = # Path on the host running Terraform to store the GKE descriptors to configure the cluster
+   acm_repository_path = # Path on the host running Terraform to store environment configuration
+   acm_repository_url  = # URL of the repository to store environment configuration
+   acm_secret_type     = # Secret type to authenticate with the Config Sync Git repository
    ```
 
+   For more information about setting `acm_secret_type`, see
+   [Grant access to Git](https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/installing-config-sync#git-creds-secret).
+
    If you don't provide all the necessary inputs, Terraform will exit with an
    error, and will provide information about the missing inputs. For example,
    you can create a Terraform variables initialization file and set inputs there.
@@ -145,6 +151,9 @@ Users and teams managing tenant apps should not have permissions to change clust
 
    The provisioning process may take about 15 minutes to complete.
 
+1. [Grant the Config Sync agent access to the Git repository](https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/installing-config-sync#git-creds-secret)
+   where the environment configuration will be stored.
+
 1. Wait for the GKE cluster to be reported as ready in the [GKE Kuberentes clusters dashboard](https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards#kubernetes_clusters).
 
 ### Next steps

terraform/acm.tf

@@ -30,12 +30,12 @@ resource "google_gke_hub_feature_membership" "acm_feature_member" {
     version = var.acm_version
     config_sync {
       git {
-        gcp_service_account_email = local.source_repository_service_account_email
-        sync_repo                 = google_sourcerepo_repository.configsync-repository.url
-        sync_branch               = var.acm_branch
-        policy_dir                = var.acm_dir
-        secret_type               = "gcpserviceaccount"
+        sync_repo   = var.acm_repository_url
+        sync_branch = var.acm_branch
+        policy_dir  = var.acm_dir
+        secret_type = var.acm_secret_type
       }
+      prevent_drift = true
       source_format = "unstructured"
     }
 

terraform/iam.tf

@@ -47,19 +47,6 @@ module "project-iam-bindings" {
   ]
 }
 
-# There's no Terraform module for Cloud Source Repositories bindings, so we
-# configure it directly
-resource "google_sourcerepo_repository_iam_binding" "binding" {
-  project    = google_sourcerepo_repository.configsync-repository.project
-  repository = google_sourcerepo_repository.configsync-repository.name
-
-  role = "roles/viewer"
-
-  members = [
-    local.source_repository_service_account_iam_email,
-  ]
-}
-
 module "fl-workload-identity" {
   for_each   = local.tenants
   source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
@@ -85,28 +72,3 @@ module "fl-workload-identity" {
     module.service_accounts
   ]
 }
-
-module "cloud-source-repositories-workload-identity" {
-  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version    = "27.0.0"
-  project_id = data.google_project.project.project_id
-
-  annotate_k8s_sa     = false
-  k8s_sa_name         = "root-reconciler"
-  location            = module.gke.location
-  name                = local.source_repository_service_account_id
-  namespace           = "config-management-system"
-  use_existing_gcp_sa = true
-  use_existing_k8s_sa = true
-
-  # The workload identity pool must exist before binding
-  module_depends_on = [
-    module.gke
-  ]
-
-  depends_on = [
-    # Wait for the service accounts to be ready before trying to load data about them
-    # Ref: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1059
-    module.service_accounts
-  ]
-}

terraform/main.tf

@@ -77,14 +77,8 @@ locals {
   list_sa_names = concat(
     [for tenant in local.tenants : tenant.tenant_nodepool_sa_name],
     [for tenant in local.tenants : tenant.tenant_apps_sa_name],
-    [local.source_repository_service_account_name]
   )
 
-  source_repository_service_account_id        = module.service_accounts.service_accounts_map[local.source_repository_service_account_name].account_id
-  source_repository_service_account_name      = "fl-source-repository"
-  source_repository_service_account_email     = module.service_accounts.service_accounts_map[local.source_repository_service_account_name].email
-  source_repository_service_account_iam_email = "serviceAccount:${local.source_repository_service_account_email}"
-
   acm_config_sync_tenant_configuration_package_source_directory_path = abspath("${path.module}/../tenant-config-pkg")
 
   acm_config_sync_destination_directory_path                       = "${var.acm_repository_path}/${var.acm_dir}"

terraform/services.tf

@@ -50,7 +50,6 @@ module "project-services" {
     "meshconfig.googleapis.com",
     "meshtelemetry.googleapis.com",
     "monitoring.googleapis.com",
-    "sourcerepo.googleapis.com",
     "spanner.googleapis.com",
     "stackdriver.googleapis.com"
   ]

terraform/source-repository.tf

@@ -19,7 +19,7 @@ resource "null_resource" "init_acm_repository" {
     create_command      = <<-EOT
       "${local.init_local_acm_repository_script_path}" \
         "${var.acm_repository_path}" \
-        "${google_sourcerepo_repository.configsync-repository.url}" \
+        "${var.acm_repository_url}" \
         "${var.acm_branch}"
     EOT
 

terraform/tenant-configuration.tf

@@ -114,20 +114,30 @@ variable "enable_confidential_nodes" {
 }
 
 variable "acm_version" {
-  description = "Anthos Config Management version"
+  description = "Config Management version"
   default     = ""
   type        = string
 }
 
 variable "acm_branch" {
   default     = "main"
-  description = "The Git branch Anthos Config Management will sync to"
+  description = "The Git branch in the repository that Config Sync will sync with"
   type        = string
 }
 
 variable "acm_dir" {
   default     = "configsync"
-  description = "The directory in the repository that Anthos Config Management will sync to"
+  description = "The directory in the repository that Config Sync will sync with"
+  type        = string
+}
+
+variable "acm_repository_url" {
+  description = "The URL of the repository that Config Sync will sync with"
+  type        = string
+}
+
+variable "acm_secret_type" {
+  description = "Secret type to authenticate with the Config Sync Git repository. Ref: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/installing-config-sync#git-creds-secret"
   type        = string
 }