Initial module implementation

[Jberlinsky]

Notable design decisions that need addressing, but shouldn't prevent an initial implementation:

• The module currently creates a jenkins service account, and does not allow a user-created one to be passed in. This should probably follow a similar pattern to the one proposed in Create a service account for nodes if one isn't provided. terraform-google-kubernetes-engine#2

TODO

• Docker image management needs to be updated to our new standards (see GKE & project-factory modules)

[adrienthebo]

Summary

Blockers:

• Update terraform Docker image to build successfully
• Convert IAM resources to be additive, not authoritative
• Verify behavior around worker startup script, and possibly add test coverage
• Amend test setup documentation

Standards conformance:

• Quote boolean barewords as strings for v0.12

Review:

• [x] Verify behavior around shared VPCs and firewall rules - or push shared VPC support to a later PR Deferred
• [x] Consider merging firewall rules into a single rule

Suggestions:

• Rename gce.tf to main.tf
• Merge jenkins.tf and gce.tf/main.tf

[adrienthebo]

What would happen if a shared VPC would be used?

[adrienthebo]

This is an old review that didn't get posted so these comments may be out of date. When I ran through the integration tests I had some issues building the packer image. If this PR is ready for more functional review we can dig into this next week.

[adrienthebo]

@Jberlinsky checking in - would you like me to do another review pass or would you like to get more work on it first?

[Jberlinsky]

@adrienthebo Working on the current tranche of feedback now -- I'll ping you shortly for re-review :)

[Jberlinsky]

@adrienthebo Might I suggest that we extract concerns related to shared VPCs to a separate PR, and proceed with reviewing this one as it stands?

[adrienthebo]

Summary

Previous review (#1 (review)) - fully addressed

Blockers

• (trivial) We shouldn't attach the default compute service account when building the image; a patch has been added to fix this.

Suggested

• (trivial) Drop the docker_build_kitchen_terraform dep from the docker_create target; an inline suggestion will fix this.

Defer

• Shared VPC configuration
• Control over Jenkins instance service accounts

---

Soft 👍 , let's get that fixup for Packer definition dealing with the default compute service account. Bonus points for the Makefile fixup, but it's a nonblocker. Ping me when the blocker has been resolved and let's get this merged!

[Jberlinsky]

@adrienthebo Ready for one more pass :)

Updates made, needs an additional pass.

[adrienthebo]

LGTM! @morgante do you want to review this before we merge it?

[Jberlinsky]

Pinging @morgante

[morgante]

Just some minor nits, I've also moved non-blockers out into issues.

[Jberlinsky]

@morgante I've address the issues mentioned here, would appreciate if you could take a final look so we can get this PR merged in!