Add Terraform config for Reporting system. (#994)

src/main/terraform/gcloud/cmms/README.md

@@ -1,4 +1,4 @@
 # Cross-Media Measurement System
 
-Root module for a single-project CMMS. This is generally only used for test
-environments, e.g. quality assurance (QA).
+Root module for a single-project CMMS and Reporting system. This is generally
+only used for test environments, e.g. quality assurance (QA).

src/main/terraform/gcloud/cmms/main.tf

@@ -19,8 +19,9 @@ terraform {
 }
 
 locals {
-  kingdom_cluster_name = "kingdom"
-  duchy_names          = toset(["aggregator", "worker1", "worker2"])
+  kingdom_cluster_name   = "kingdom"
+  duchy_names            = toset(["aggregator", "worker1", "worker2"])
+  reporting_cluster_name = "reporting"
 }
 
 provider "google" {}
@@ -41,4 +42,40 @@ resource "google_spanner_instance" "spanner_instance" {
   processing_units = var.spanner_processing_units
 }
 
-# TODO(@SanjayVas): Add Duchies and EDP simulators.
+resource "google_sql_database_instance" "postgres" {
+  name             = var.postgres_instance_name
+  database_version = "POSTGRES_14"
+  settings {
+    tier = var.postgres_instance_tier
+
+    insights_config {
+      query_insights_enabled  = true
+      record_application_tags = true
+    }
+
+    database_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
+    }
+    database_flags {
+      name  = "max_pred_locks_per_page"
+      value = "64"
+    }
+  }
+}
+
+resource "google_sql_user" "postgres" {
+  name     = "postgres"
+  instance = google_sql_database_instance.postgres.name
+  password = var.postgres_password
+}
+
+provider "postgresql" {
+  scheme   = "gcppostgres"
+  host     = google_sql_database_instance.postgres.connection_name
+  username = google_sql_user.postgres.name
+  password = google_sql_user.postgres.password
+}
+
+
+# TODO(@SanjayVas): Add EDP simulators.

src/main/terraform/gcloud/cmms/reporting.tf

@@ -0,0 +1,62 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "reporting_cluster" {
+  source = "../modules/cluster"
+
+  name       = local.reporting_cluster_name
+  location   = var.cluster_location
+  secret_key = module.common.cluster_secret_key
+}
+
+data "google_container_cluster" "reporting" {
+  name     = local.reporting_cluster_name
+  location = var.cluster_location
+
+  # Defer reading of cluster resource until it exists.
+  depends_on = [module.reporting_cluster]
+}
+
+module "reporting_default_node_pool" {
+  source = "../modules/node-pool"
+
+  name            = "default"
+  cluster         = data.google_container_cluster.reporting
+  service_account = module.common.cluster_service_account
+  machine_type    = "e2-small"
+  max_node_count  = 4
+}
+
+provider "kubernetes" {
+  # Due to the fact that this is using interpolation, the cluster must already exist.
+  # See https://registry.terraform.io/providers/hashicorp/kubernetes/2.20.0/docs
+
+  alias = "reporting"
+  host  = "https://${data.google_container_cluster.reporting.endpoint}"
+  token = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(
+    data.google_container_cluster.reporting.master_auth[0].cluster_ca_certificate,
+  )
+}
+
+module "reporting" {
+  source = "../modules/reporting"
+
+  providers = {
+    google     = google
+    kubernetes = kubernetes.reporting
+  }
+
+  postgres_instance = google_sql_database_instance.postgres
+}

src/main/terraform/gcloud/cmms/variables.tf

@@ -59,3 +59,24 @@ variable "storage_bucket_location" {
   type        = string
   nullable    = false
 }
+
+variable "postgres_instance_name" {
+  description = "Name of the PostgreSQL Cloud SQL instance."
+  type        = string
+  default     = "halo"
+  nullable    = false
+}
+
+variable "postgres_instance_tier" {
+  description = "Tier (machine type) of the PostgreSQL Cloud SQL instance."
+  type        = string
+  default     = "db-f1-micro"
+  nullable    = false
+}
+
+variable "postgres_password" {
+  description = "Password for postgres user."
+  type        = string
+  sensitive   = true
+  nullable    = false
+}

src/main/terraform/gcloud/cmms/versions.tf

@@ -22,5 +22,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = "~> 2.20.0"
     }
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = "~> 1.19.0"
+    }
   }
 }

src/main/terraform/gcloud/modules/reporting/README.md

@@ -0,0 +1,9 @@
+# Reporting System
+
+Reusable module for the Halo Reporting system on Google Cloud.
+
+## Provider Configuration
+
+*   `kubernetes` - Configured for the Kubernetes cluster.
+*   `postgresql` - Configured for the PostgreSQL Cloud SQL instance with a user
+    that can create and grant privileges to databases.

src/main/terraform/gcloud/modules/reporting/main.tf

@@ -0,0 +1,60 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "google_project" "project" {}
+
+locals {
+  # All privileges for a PostgreSQL database.
+  #
+  # See https://www.postgresql.org/docs/14/ddl-priv.html#PRIVILEGES-SUMMARY-TABLE
+  all_db_privileges = ["CREATE", "TEMPORARY", "CONNECT"]
+}
+
+module "reporting_internal" {
+  source = "../workload-identity-user"
+
+  k8s_service_account_name        = "internal-reporting-server"
+  iam_service_account_name        = "reporting-internal"
+  iam_service_account_description = "Reporting internal API server."
+}
+
+resource "google_sql_user" "reporting_internal" {
+  instance = var.postgres_instance.name
+  name     = trimsuffix(module.reporting_internal.iam_service_account.email, ".gserviceaccount.com")
+  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
+}
+
+resource "google_project_iam_member" "sql_user" {
+  project = data.google_project.project.name
+  role    = "roles/cloudsql.instanceUser"
+  member  = module.reporting_internal.iam_service_account.member
+}
+
+resource "google_project_iam_member" "sql_client" {
+  project = data.google_project.project.name
+  role    = "roles/cloudsql.client"
+  member  = module.reporting_internal.iam_service_account.member
+}
+
+resource "google_sql_database" "db" {
+  name     = "reporting"
+  instance = var.postgres_instance.name
+}
+
+resource "postgresql_grant" "db" {
+  role        = google_sql_user.reporting_internal.name
+  database    = google_sql_database.db.name
+  object_type = "database"
+  privileges  = local.all_db_privileges
+}

src/main/terraform/gcloud/modules/reporting/variables.tf

@@ -0,0 +1,22 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "postgres_instance" {
+  description = "PostgreSQL `google_sql_database_instance`."
+  type = object({
+    name            = string
+    connection_name = string
+  })
+  nullable = false
+}

src/main/terraform/gcloud/modules/reporting/versions.tf

@@ -0,0 +1,30 @@
+# Copyright 2023 The Cross-Media Measurement Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.63.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.20.0"
+    }
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = ">= 1.19.0"
+    }
+  }
+}