Move to official provider for runner-manager app

GSA-TTS · Jan 15, 2025 · 3bbe67c · 3bbe67c
1 parent 8103d60
commit 3bbe67c
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 36 deletions.
diff --git a/README.terraform.md b/README.terraform.md
@@ -47,7 +47,7 @@ For local development, there is a `sandbox-deploy` module set up to deploy the r
 
 1. Create a [cloud.gov service account](https://cloud.gov/docs/services/cloud-gov-service-account/) with the `OrgManager` permission
     ```
-    ./create_service_account -s SPACEPREFIX-mgmt -u glr-local-deploy -m > secrets.auto.tfvars
+    ./create_service_account -s SPACEPREFIX-mgmt -u glr-local-deploy > secrets.auto.tfvars
     ```
 
 1. Copy `vars.tfvars-example` to `vars.auto.tfvars`.

diff --git a/main.tf b/main.tf
@@ -74,14 +74,16 @@ locals {
 
 # gitlab-runner-manager: the actual runner manager app
 resource "cloudfoundry_app" "gitlab-runner-manager" {
-  provider          = cloudfoundry-community
   name              = var.runner_manager_app_name
-  space             = module.manager_space.space_id
+  space_name        = module.manager_space.space_name
+  org_name          = var.cf_org_name
   path              = data.archive_file.src.output_path
   source_code_hash  = data.archive_file.src.output_base64sha256
   buildpacks        = ["https://github.com/cloudfoundry/apt-buildpack", "binary_buildpack"]
   instances         = var.manager_instances
+  strategy          = "rolling"
   command           = "gitlab-runner run"
+  no_route          = true
   memory            = var.manager_memory
   health_check_type = "process"
 
@@ -122,12 +124,14 @@ resource "cloudfoundry_app" "gitlab-runner-manager" {
     DOCKER_HUB_USER           = var.docker_hub_user
     DOCKER_HUB_TOKEN          = var.docker_hub_token
   }
-  service_binding {
-    service_instance = module.object_store_instance.bucket_id
-  }
-  service_binding {
-    service_instance = cloudfoundry_service_instance.egress-proxy-credentials.id
-  }
+  service_bindings = [
+    { service_instance = var.object_store_instance },
+    { service_instance = cloudfoundry_service_instance.egress-proxy-credentials.name }
+  ]
+  depends_on = [
+    module.object_store_instance,
+    cloudfoundry_service_instance.egress-proxy-credentials
+  ]
 }
 
 # egress_space: cloud.gov space for running the egress proxy

diff --git a/sandbox-deploy/create_service_account.sh b/sandbox-deploy/create_service_account.sh
@@ -7,18 +7,17 @@ $0: Create a Service User Account for a given space
 
 Usage:
   $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
 
 Options:
 -h: show help and exit
 -s <SPACE NAME>: configure the space to act on. Required
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
--m: If provided, make the service user an OrgManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
 
 Notes:
-* OrgManager is required for terraform to create <env>-egress spaces
+* Will make the service account an OrgManager in order to create spaces
 * Requires cf-cli@8 & jq
 "
 
@@ -35,10 +34,8 @@ set -o pipefail
 space=""
 service=""
 role="space-deployer"
-org_manager="false"
-org_manager_output=""
 
-while getopts ":hms:u:r:o:" opt; do
+while getopts ":hs:u:r:o:" opt; do
   case "$opt" in
     s)
       space=${OPTARG}
@@ -52,41 +49,35 @@ while getopts ":hms:u:r:o:" opt; do
     o)
       org=${OPTARG}
       ;;
-    m)
-      org_manager_output="-m"
-      org_manager="true"
-      ;;
     h)
       echo "$usage"
       exit 0
       ;;
   esac
 done
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage" >&2
   exit 1
 fi
 
-cf target -o $org -s $space >&2
+cf target -o "$org" -s "$space" >&2
 
 # create user account service
-cf create-service cloud-gov-service-account $role $service >&2
+cf create-service cloud-gov-service-account "$role" "$service" >&2
 
 # create service key
-cf create-service-key $service service-account-key >&2
+cf create-service-key "$service" service-account-key >&2
 
 # output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentials'`
-username=`echo $creds | jq -r '.username'`
-password=`echo $creds | jq -r '.password'`
+creds=`cf service-key "$service" service-account-key | tail -n +2 | jq '.credentials'`
+username=`echo "$creds" | jq -r '.username'`
+password=`echo "$creds" | jq -r '.password'`
 
-if [[ $org_manager = "true" ]]; then
-  cf set-org-role $username $org OrgManager >&2
-fi
+cf set-org-role "$username" "$org" OrgManager >&2
 
 cat << EOF
-# generated with $0 -s $space -u $service -r $role -o $org $org_manager_output
+# generated with $0 -s $space -u $service -r $role -o $org
 # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
 
 cf_user = "$username"

diff --git a/sandbox-deploy/destroy_service_account.sh b/sandbox-deploy/destroy_service_account.sh
@@ -39,12 +39,12 @@ while getopts ":hs:u:o:" opt; do
   esac
 done
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage"
   exit 1
 fi
 
-cf target -o $org -s $space
+cf target -o "$org" -s "$space"
 
 # destroy service
-cf delete-service $service -f
+cf delete-service -f "$service"
diff --git a/variables.tf b/variables.tf
@@ -60,9 +60,9 @@ variable "runner_concurrency" {
 }
 
 variable "manager_memory" {
-  type        = number
-  default     = 512
-  description = "Manager Runner Memory, given as number of megabytes"
+  type        = string
+  default     = "256M"
+  description = "Manager Runner Memory - Unit required (e.g. 512M or 2G)"
 }
 
 variable "worker_memory" {