feat: migrate GCP (#202)

* chore: update cloudflare provider version

* feat: divide core gcp

* feat: divide core gcp & manage gcp

* chore: cert-manager

* chore: istio

* feat: divide chore gcp

* feat: refactor project structure

---------

Co-authored-by: mulmuri <[email protected]>

Author: mulmuri

modules/cloudflare/dns/main.tf

@@ -1,4 +1,4 @@
-resource "cloudflare_dns_record" "istio-gateway" {
+resource "cloudflare_dns_record" "istio-dns" {
   zone_id = var.zone_id
   content = var.ip_address
   name = "*.goboolean.io"

modules/cloudflare/dns/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }

modules/gcp/core/gcs.tf

@@ -0,0 +1,13 @@
+resource "google_storage_bucket" "terraform_state" {
+  name          = "${var.project_id}-tfstate"
+  location      = var.location
+  project       = var.project_id
+
+  versioning {
+    enabled = true
+  }
+
+  uniform_bucket_level_access = true
+
+  public_access_prevention = "enforced"
+}

modules/gcp/core/iam.tf

@@ -0,0 +1,18 @@
+resource "google_service_account" "vault_kms_sa" {
+  project = var.project_id
+  account_id   = "vault-kms-sa"
+  display_name = "Vault KMS Service Account"
+}
+
+resource "google_project_iam_custom_role" "vault_kms_custom_role" {
+  role_id     = "vaultKmsRole"
+  title       = "Vault KMS Custom Role"
+  description = "Custom role for Vault to use KMS for auto-unseal with minimal permissions"
+  project     = var.project_id
+
+  permissions = [
+    "cloudkms.cryptoKeyVersions.useToEncrypt",
+    "cloudkms.cryptoKeyVersions.useToDecrypt",
+    "cloudkms.cryptoKeys.get",
+  ]
+}

modules/gcp/core/kms.tf

@@ -0,0 +1,13 @@
+resource "google_kms_key_ring" "vault_keyring" {
+  name     = "vault-keyring"
+  location = var.region
+  project  = var.project_id
+}
+
+resource "google_kms_crypto_key" "vault_crypto_key" {
+  name            = "vault-key"
+  key_ring        = google_kms_key_ring.vault_keyring.id
+  rotation_period = "7776000s" # 90d
+
+  depends_on = [google_kms_key_ring.vault_keyring]
+}

modules/gcp/core/output.tf

@@ -0,0 +1,15 @@
+output "vault_kms_keyring_name" {
+  value = google_kms_key_ring.vault_keyring.name
+  sensitive = true
+}
+
+output "vault_kms_crypto_key_name" {
+  value = google_kms_crypto_key.vault_crypto_key.name
+  sensitive = true
+}
+
+output "vault_kms_crypto_key_id" {
+  value = google_kms_crypto_key.vault_crypto_key.id
+  sensitive = true
+}
+

modules/gcp/core/service.tf

@@ -0,0 +1,15 @@
+locals {
+  services = toset([
+    "secretmanager.googleapis.com"
+  ])
+}
+
+resource "google_project_service" "services" {
+  for_each = local.services
+  
+  project = var.project_id
+  service = each.key
+  
+  disable_dependent_services = true
+  disable_on_destroy = false
+}

modules/gcp/core/variables.tf

@@ -0,0 +1,11 @@
+variable "project_id" {
+  type        = string
+}
+
+variable "location" {
+  type        = string
+}
+
+variable "region" {
+  type        = string
+}

modules/gcp/gke/gke.tf

@@ -4,10 +4,6 @@ resource "google_container_cluster" "primary" {
   name     = "${var.project_id}-gke"
   location = var.zone
 
-  release_channel {
-    channel = "REGULAR"
-  }
-
   workload_identity_config {
     workload_pool = "${var.project_id}.svc.id.goog"
   }

modules/gcp/gke/variables.tf

@@ -1,5 +1,5 @@
 variable "gke_num_nodes" {
-  default     = 3
+  default     = 4
 }
 
 variable "gke_machine_type" {
@@ -11,5 +11,5 @@ variable "gke_disk_size_gb" {
 }
 
 variable "gke_version" {
-  default     = "1.31.4-gke.1372000"
+  default     = "1.31.5-gke.1068000"
 }