
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Module-wide constants shared by the resources below.
locals {
  # GCS location of the GCVE observability agent artifacts. The "latest" path
  # segment is not pinned to a version, so the agent installed at boot can
  # change between VM recreations.
  base_gcve_agent_endpoint = "https://storage.googleapis.com/gcve-observability-agent/latest/vmware-linux-amd64"

  # Prefix of the gcloud command the startup script runs on the VM to read a
  # secret; the secret name is appended where the command is built. Only the
  # command text, never the secret value, reaches instance metadata.
  base_gcloud_secret_manager = "gcloud secrets versions access latest --secret="

  # Project-level roles bound to the monitoring VM's service account.
  # NOTE(review): secretAccessor at project scope grants read access to every
  # secret in the project, not only the vSphere ones, and monitoring.admin is
  # wider than metric/alert writing — confirm the agent needs both before
  # narrowing to per-secret bindings and a writer role.
  sa_gcve_monitoring_roles = toset([
    "roles/secretmanager.secretAccessor",
    "roles/monitoring.admin",
    "roles/logging.logWriter",
  ])
}

# Cloud Monitoring API must be enabled for the agent to ship metrics; the API
# is intentionally left enabled when this module is destroyed.
resource "google_project_service" "enable_destination_api" {
  service            = "monitoring.googleapis.com"
  project            = var.project
  disable_on_destroy = false
}

# Identity the monitoring VM runs as; all agent access is mediated by the
# roles bound to it below rather than by instance scopes.
resource "google_service_account" "sa_gcve_monitoring" {
  account_id = var.sa_gcve_monitoring
  project    = var.project
}

# One project-level binding per role in local.sa_gcve_monitoring_roles
# (each.value == each.key for a set).
resource "google_project_iam_member" "gcve_monitoring_permissions" {
  for_each = local.sa_gcve_monitoring_roles

  project = var.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.sa_gcve_monitoring.email}"
}

#tfsec:ignore:vm-disk-encryption-customer-key
# provide single Monitoring instance with healing capabilities.
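# Regional MIG of exactly one monitoring VM. Auto-healing recreates the VM
# from the template when the TCP health check fails.
resource "google_compute_region_instance_group_manager" "mig_monitoring_gcve" {
  name               = "${var.vm_mon_name}-mig"
  base_instance_name = var.vm_mon_name
  project            = var.project
  region             = var.gcve_region
  target_size        = 1

  # Pinned to a single zone so the stateful internal IP below stays usable.
  distribution_policy_zones = [var.vm_mon_zone]

  version {
    name              = "${var.vm_mon_name}-mig-version-0"
    instance_template = google_compute_instance_template.vm_mon_tpl.self_link
  }

  auto_healing_policies {
    health_check      = google_compute_health_check.tcp_healthcheck.self_link
    initial_delay_sec = var.initial_delay_sec
  }

  # With target_size = 1, max_surge 0 and max_unavailable 1, a template change
  # replaces the single VM in place: expect a monitoring gap during rollout.
  update_policy {
    type                         = "PROACTIVE"
    minimal_action               = "REPLACE"
    replacement_method           = "RECREATE"
    max_surge_fixed              = 0
    max_unavailable_fixed        = 1
    instance_redistribution_type = "NONE"
  }

  # Keep nic0's internal IP across recreation so vSphere-side allow lists
  # and the health-check path do not need updating.
  stateful_internal_ip {
    interface_name = "nic0"
    delete_rule    = "NEVER"
  }
}

# check if the bpagent is up by checking the syslog port.
resource "google_compute_health_check" "tcp_healthcheck" {
  name                = "gcve-mon-tcp-healthcheck"
  project             = var.project
  check_interval_sec  = var.hc_interval_sec
  timeout_sec         = var.hc_timeout_sec
  healthy_threshold   = var.hc_healthy_threshold
  unhealthy_threshold = var.hc_unhealthy_threshold

  tcp_health_check {
    port = 5142
  }
}

# firewall for the healthcheck
# get network id from subnetwork
data "google_compute_subnetwork" "gcve-subnetwork" {
  name    = var.subnetwork
  region  = var.gcve_region
  project = var.project
}

# Ingress to the syslog port is limited to Google's health-check prober
# ranges and, via target_service_accounts, to VMs running as the monitoring
# service account. The tfsec ignore is needed only because those ranges are
# not RFC 1918; nothing here is open to the Internet.
#tfsec:ignore:google-compute-no-public-ingress
resource "google_compute_firewall" "healthcheck" {
  name    = "gcve-mon-hc-rule"
  project = var.project
  network = data.google_compute_subnetwork.gcve-subnetwork.network

  allow {
    protocol = "tcp"
    ports    = ["5142"]
  }

  source_ranges           = ["35.191.0.0/16", "130.211.0.0/22"]
  target_service_accounts = [google_service_account.sa_gcve_monitoring.email]
}

####################
# Instance Template
####################

# get the latest image
# NOTE(review): "debian-11" family resolves to whatever image is newest at
# plan time; pin a specific image name if reproducible builds are required.
data "google_compute_image" "gcve_mon_image" {
  family  = "debian-11"
  project = "debian-cloud"
}

#tfsec:ignore:vm-disk-encryption-customer-key
resource "google_compute_instance_template" "vm_mon_tpl" {
  name_prefix  = "${var.vm_mon_name}-template1"
  machine_type = var.vm_mon_type
  region       = var.gcve_region
  project      = var.project

  # Project-wide SSH keys are not applied to this VM.
  metadata = {
    block-project-ssh-keys = true
  }

  # The startup script receives the agent download URLs and the gcloud
  # commands used to read the vSphere secrets at boot; the secret values
  # themselves never enter instance metadata. The installer is fetched from
  # an unpinned "latest" path with no checksum in this template (see locals).
  metadata_startup_script = templatefile("${path.module}/scripts/installer.sh", {
    endpoint_agent                 = "${local.base_gcve_agent_endpoint}/artifacts/bpagent-headless-vmware.tar.gz"
    endpoint_install               = "${local.base_gcve_agent_endpoint}/installer/install.sh"
    gcloud_secret_vsphere_server   = "${local.base_gcloud_secret_manager}${var.secret_vsphere_server}"
    gcloud_secret_vsphere_user     = "${local.base_gcloud_secret_manager}${var.secret_vsphere_user}"
    gcloud_secret_vsphere_password = "${local.base_gcloud_secret_manager}${var.secret_vsphere_password}"
    gcve_region                    = var.gcve_region
    project_id                     = var.project
  })

  disk {
    source_image = data.google_compute_image.gcve_mon_image.self_link
    boot         = true
    auto_delete  = true
    disk_size_gb = 100
  }

  # cloud-platform scope means IAM roles on the service account, not scopes,
  # are the effective permission boundary for this VM.
  service_account {
    email  = google_service_account.sa_gcve_monitoring.email
    scopes = ["cloud-platform"]
  }

  # No access_config block, so the VM gets no external IP.
  network_interface {
    subnetwork         = var.subnetwork
    subnetwork_project = var.project
  }

  # name_prefix + create_before_destroy lets the MIG roll to a new template
  # before the old one is removed. Boolean literal instead of the string
  # "true" the provider coerced.
  lifecycle {
    create_before_destroy = true
  }

  # vTPM and integrity monitoring are on; Secure Boot is not enabled here.
  # NOTE(review): debian-11 images support Secure Boot — confirm the agent
  # installer loads no unsigned kernel modules before enabling it, since
  # integrity monitoring gives weaker guarantees without it.
  shielded_instance_config {
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}

# One dashboard per JSON file under dashboards/ when enabled. toset([]) keeps
# both branches of the conditional a set, which is what for_each requires;
# a bare [] is a tuple and relies on implicit conversion.
resource "google_monitoring_dashboard" "gcve_mon_dashboards" {
  for_each = var.create_dashboards ? fileset("${path.module}/dashboards", "*.json") : toset([])

  project        = var.project
  dashboard_json = file("${path.module}/dashboards/${each.value}")
}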