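// Copyright 2022 Google LLC All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Run:
// terraform apply -var "project_id=<project id>" -var "authorized_members=[\"serviceAccount:<service-account-email>\"]" -var "clusters_info=[{\"name\":\"cluster1\",\"endpoint\":\"<agones-allocator-ip>\",\"namespace\":\"default\",\"allocation_weight\":100}]" -var "workload-pool=<gke-project-id>.svc.id.goog"

locals {
  # Name of the Cloud Endpoints service. It is also handed to the proxy as the
  # AUDIENCE environment variable below.
  aep_endpoints_name = "agones-allocation.endpoints.${var.project_id}.cloud.goog"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

# Renders the Endpoints gRPC API config from api_config.yaml.tpl.
# NOTE(review): the template_file data source (hashicorp/template provider) is
# deprecated in favour of the built-in templatefile() function; left as is here
# because the template itself is not part of this file.
data "template_file" "api_config" {
  template = file("api_config.yaml.tpl")

  vars = {
    service-name    = local.aep_endpoints_name
    service-account = google_service_account.ae_sa.email
  }
}

# Deploys the Endpoints service configuration for the allocation API.
resource "google_endpoints_service" "endpoints_service" {
  service_name = local.aep_endpoints_name
  grpc_config  = data.template_file.api_config.rendered
  # Compiled proto descriptor, expected next to this file.
  protoc_output_base64 = filebase64("agones_allocation_api_descriptor.pb")
}

# Grants the proxy's service account roles/servicemanagement.serviceController
# on the Endpoints service. This binding is authoritative for the role: any
# other member holding it on this service is removed on apply.
resource "google_endpoints_service_iam_binding" "endpoints_service_binding" {
  service_name = google_endpoints_service.endpoints_service.service_name
  role         = "roles/servicemanagement.serviceController"
  members = [
    # Reference the managed service account instead of re-deriving its email
    # by hand, so the member stays correct if account_id is ever changed.
    "serviceAccount:${google_service_account.ae_sa.email}",
  ]
  depends_on = [google_project_service.allocator-service]
}

# Lets the agones-allocator Kubernetes service account in var.agones-namespace
# act as ae_sa through Workload Identity. Authoritative for
# roles/iam.workloadIdentityUser on this service account.
resource "google_service_account_iam_binding" "workload-identity-binding" {
  service_account_id = google_service_account.ae_sa.name
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "serviceAccount:${var.workload-pool}[${var.agones-namespace}/agones-allocator]",
  ]
}

# Identity used by the allocation endpoint proxy (ESP).
resource "google_service_account" "ae_sa" {
  account_id   = "ae-esp-sa"
  display_name = "Service Account for Allocation Endpoint"
}

# Long-lived user-managed key for ae_sa. Its private key is kept in Terraform
# state as well as in the Secret Manager secret below, so the state backend must
# be protected like any other secret store; rotating the key means replacing
# this resource.
resource "google_service_account_key" "ae_sa_key" {
  service_account_id = google_service_account.ae_sa.name
}

# Only var.authorized_members may invoke the Cloud Run proxy. Authoritative for
# roles/run.invoker on the service, so members outside the variable are removed.
resource "google_cloud_run_service_iam_binding" "binding" {
  service  = google_cloud_run_service.aep_cloud_run.name
  project  = google_cloud_run_service.aep_cloud_run.project
  location = google_cloud_run_service.aep_cloud_run.location
  role     = "roles/run.invoker"
  members  = var.authorized_members
}


# The Cloud Run service hosting the allocation endpoint proxy.
# NOTE(review): no service_account_name is set in the spec, so the revision
# runs as the project's default compute service account; that is why
# secret-access below grants that account the secret. A dedicated runtime
# service account would narrow the blast radius of the proxy.
resource "google_cloud_run_service" "aep_cloud_run" {
  project  = var.project_id
  name     = "allocation-endpoint-proxy"
  location = var.region

  template {
    spec {
      container_concurrency = 80
      timeout_seconds       = 30
      containers {
        image = var.ae_proxy_image
        env {
          name  = "CLUSTERS_INFO"
          value = var.clusters_info
        }
        env {
          name  = "AUDIENCE"
          value = local.aep_endpoints_name
        }
        # The service account key is injected from Secret Manager rather than
        # placed inline in the revision spec.
        env {
          name = "SA_KEY"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.ae-sa-key.secret_id
              key  = "latest"
            }
          }
        }
        ports {
          container_port = 8080
          # this enables the http/2 support. h2c: https://cloud.google.com/run/docs/configuring/http2
          name = "h2c"
        }
        resources {
          limits = {
            "cpu"    = "2000m"
            "memory" = "256Mi"
          }
        }
      }
    }
    metadata {
      annotations = {
        "autoscaling.knative.dev/maxScale" = "1000"
        "autoscaling.knative.dev/minScale" = "0"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }

  metadata {
    annotations = {
      # Reachable from the internet; access control relies entirely on the
      # roles/run.invoker binding above.
      "run.googleapis.com/ingress"     = "all"
      "run.googleapis.com/client-name" = "terraform"
    }
  }

  lifecycle {
    ignore_changes = [
      # Ignore changes for the values set by GCP
      metadata[0].annotations,
      # This is currently not working and the fix is available in TF 0.14
      # https://github.com/hashicorp/terraform/pull/27141
      template[0].metadata[0].annotations["run.googleapis.com/sandbox"],
    ]
  }

  depends_on = [
    google_secret_manager_secret_version.ae-sa-key-secret,
    google_secret_manager_secret_iam_member.secret-access,
    google_project_service.run,
  ]
}

# Secret that holds the ae_sa private key consumed by the proxy.
resource "google_secret_manager_secret" "ae-sa-key" {
  secret_id = "ae-sa-key"

  replication {
    automatic = true
  }
  depends_on = [google_project_service.secretmanager]
}

resource "google_secret_manager_secret_version" "ae-sa-key-secret" {
  secret = google_secret_manager_secret.ae-sa-key.id
  # private_key is base64 encoded in state; the decoded JSON key is what the
  # proxy expects to read.
  secret_data = base64decode(google_service_account_key.ae_sa_key.private_key)
}

# Grants the Cloud Run runtime identity (the default compute service account,
# see aep_cloud_run) read access to the key secret.
resource "google_secret_manager_secret_iam_member" "secret-access" {
  secret_id  = google_secret_manager_secret.ae-sa-key.id
  role       = "roles/secretmanager.secretAccessor"
  member     = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on = [google_secret_manager_secret.ae-sa-key]
}

// get project details (project number is needed for the default compute
// service account email above)
data "google_project" "project" {
}

# Enables the Secret Manager API
resource "google_project_service" "secretmanager" {
  service = "secretmanager.googleapis.com"
}

# Enables the Service Control API
# NOTE(review): nothing in this file references this resource, so ordering
# relative to the Endpoints deployment is not enforced by Terraform.
resource "google_project_service" "servicecontrol" {
  service = "servicecontrol.googleapis.com"
}

# Enables the Cloud Run API
resource "google_project_service" "run" {
  service = "run.googleapis.com"
}

# Enables the deployed Endpoints service as an API in this project.
resource "google_project_service" "allocator-service" {
  service                    = google_endpoints_service.endpoints_service.id
  disable_dependent_services = true
}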