separated aws and gcp components

Author: ShibraAmin18

aws/main.tf

@@ -0,0 +1,130 @@
+locals {
+  oidc_provider = replace(
+    data.aws_eks_cluster.kubernetes_cluster.identity[0].oidc[0].issuer,
+    "/^https:///",
+    ""
+  )
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "kubernetes_cluster" {
+  name = var.cluster_name
+}
+
+resource "aws_secretsmanager_secret" "mysql_user_password" {
+  name                    = format("%s/%s/%s", var.mysqldb_config.environment, var.mysqldb_config.name, "mysql")
+  recovery_window_in_days = var.recovery_window_aws_secret
+}
+
+resource "aws_secretsmanager_secret_version" "mysql_user_password" {
+  secret_id     = aws_secretsmanager_secret.mysql_user_password.id
+  secret_string = <<EOF
+   {
+    "root_user": "root",
+    "root_password": "${var.root_password}",
+    "custom_username": "${var.mysqldb_config.custom_user_username}",
+    "custom_user_password": "${var.custom_user_password}",
+    "replication_user": "replicator",
+    "replication_password": "${var.replication_password}",
+    "exporter_user": "mysqld_exporter",
+    "exporter_password": "${var.exporter_password}"
+   }
+EOF
+}
+
+
+resource "aws_iam_role" "mysql_backup_role" {
+  name = format("%s-%s-%s", var.cluster_name, var.mysqldb_config.name, "mysql-backup")
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "${local.oidc_provider}:aud" = "sts.amazonaws.com",
+            "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-mysql-backup"
+          }
+        }
+      }
+    ]
+  })
+  inline_policy {
+    name = "AllowS3PutObject"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListBucket",
+            "s3:AbortMultipartUpload",
+            "s3:ListMultipartUploadParts"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+        }
+      ]
+    })
+  }
+}
+
+
+resource "aws_iam_role" "mysql_restore_role" {
+  name = format("%s-%s-%s", var.cluster_name, var.mysqldb_config.name, "mysql-restore")
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "${local.oidc_provider}:aud" = "sts.amazonaws.com",
+            "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-mysql-restore"
+          }
+        }
+      }
+    ]
+  })
+  inline_policy {
+    name = "AllowS3PutObject"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListBucket",
+            "s3:AbortMultipartUpload",
+            "s3:ListMultipartUploadParts"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+        }
+      ]
+    })
+  }
+}
+
+output "iam_role_arn_backup" {
+  value = aws_iam_role.mysql_backup_role.arn
+  description = "IAM role arn for mysql backup"
+}
+
+output "iam_role_arn_restore" {
+  value = aws_iam_role.mysql_restore_role.arn
+  description = "IAM role arn for mysql restore"
+}

aws/variables.tf

@@ -0,0 +1,47 @@
+variable "mysqldb_config" {
+  type = any
+  default = {
+    name                       = ""
+    environment                = ""
+    values_yaml                = ""
+    architecture               = ""
+    storage_class_name         = ""
+    custom_user_username       = ""
+    primary_db_volume_size     = ""
+    secondary_db_volume_size   = ""
+    secondary_db_replica_count = 1
+  }
+  description = "Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values."
+}
+
+variable "recovery_window_aws_secret" {
+  type        = number
+  default     = 0
+  description = "Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery."
+}
+
+variable "cluster_name" {
+  type        = string
+  default     = ""
+  description = "Specifies the name of the EKS cluster to deploy the MySQL application on."
+}
+
+variable "root_password" {
+  description = "Root user password for MySQL"
+  type        = string
+}
+
+variable "custom_user_password" {
+  description = "Password for the custom MySQL user"
+  type        = string
+}
+
+variable "replication_password" {
+  description = "Password for the replication user"
+  type        = string
+}
+
+variable "exporter_password" {
+  description = "Password for the mysqld_exporter user"
+  type        = string
+}

backup/templates/backup-secret.yaml

@@ -6,13 +6,3 @@ metadata:
   labels:
 data:
   MYSQL_BUCKET_URI: {{ .Values.backup.bucket_uri | b64enc | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: aws-mysql
-  namespace:  {{ .Release.Namespace }}
-  labels:
-data:
-  AWS_DEFAULT_REGION: {{ .Values.backup.aws_default_region | b64enc }}
----

backup/templates/cronjob.yaml

@@ -19,7 +19,8 @@ spec:
           serviceAccountName: sa-mysql-backup
           containers:
           - name: backup-mysqldb
-            image: squareops01/mysqlbackup:latest
+            image: asia-south1-docker.pkg.dev/fresh-sanctuary-389006/roboshop/mysql-backup:1
+            imagePullPolicy: Always
             env:
             - name: MYSQL_HOST
               value: mysqldb-secondary-headless.{{ .Release.Namespace }}.svc.cluster.local
@@ -35,9 +36,7 @@ spec:
                 secretKeyRef:
                   name: mysql-bucket-uri
                   key: MYSQL_BUCKET_URI
+            - name: CLOUD
+              value:  {{ .Values.provider_type }}
             - name: AWS_DEFAULT_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: aws-mysql
-                  key: AWS_DEFAULT_REGION
-
+              value: {{ .Values.backup.aws_default_region }}

backup/templates/service_account.yaml

@@ -2,5 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sa-mysql-backup
-  annotations:
-    eks.amazonaws.com/role-arn: {{ .Values.s3.role_arn }}
+  namespace: mysqldb
+  annotations: {{.Values.annotations}}
+    # iam.gke.io/gcp-service-account: test-mysql-backup@fresh-sanctuary-389006.iam.gserviceaccount.com
+  #   eks.amazonaws.com/role-arn: {{ .Values.s3.role_arn }}

examples/complete/main.tf

@@ -10,26 +10,26 @@ locals {
 }
 
 module "mysql" {
-  source       = "squareops/mysql/kubernetes"
+  source       = "../../"
   cluster_name = ""
   mysqldb_config = {
     name                       = local.name
     values_yaml                = file("./helm/values.yaml")
     environment                = local.environment
     architecture               = "replication"
-    storage_class_name         = "gp3"
+    storage_class_name         = "standard"
     custom_user_username       = "admin"
     primary_db_volume_size     = "10Gi"
     secondary_db_volume_size   = "10Gi"
     secondary_db_replica_count = 2
   }
-  mysqldb_backup_enabled = true
+  mysqldb_backup_enabled = false
   mysqldb_backup_config = {
     s3_bucket_uri        = "s3://bucket_name"
     s3_bucket_region     = "bucket_region"
     cron_for_full_backup = "* * * * *"
   }
-  mysqldb_restore_enabled = true
+  mysqldb_restore_enabled = false
   mysqldb_restore_config = {
     s3_bucket_uri    = "s3://bucket_name/filename"
     s3_bucket_region = "bucket_region"

examples/complete/provider.tf

@@ -1,32 +1,53 @@
-provider "aws" {
-  region = local.region
-  default_tags {
-    tags = local.additional_tags
-  }
-}
+# provider "aws" {
+#   region = local.region
+#   default_tags {
+#     tags = local.additional_tags
+#   }
+# }
 
 
-data "aws_eks_cluster" "cluster" {
-  name = ""
-}
+# data "aws_eks_cluster" "cluster" {
+#   name = ""
+# }
 
-data "aws_eks_cluster_auth" "cluster" {
-  name = ""
-}
+# data "aws_eks_cluster_auth" "cluster" {
+#   name = ""
+# }
 
 
-provider "kubernetes" {
-  host                   = data.aws_eks_cluster.cluster.endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
-  token                  = data.aws_eks_cluster_auth.cluster.token
+# provider "kubernetes" {
+#   host                   = data.aws_eks_cluster.cluster.endpoint
+#   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+#   token                  = data.aws_eks_cluster_auth.cluster.token
+
+# }
+
+# provider "helm" {
+#   kubernetes {
+#     host                   = data.aws_eks_cluster.cluster.endpoint
+#     cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+#     token                  = data.aws_eks_cluster_auth.cluster.token
 
+#   }
+# }
+data "google_client_config" "default" {}
+
+data "google_container_cluster" "primary" {
+  name     = "test-dev-gke-cluster"
+  location = "asia-south1"
+  project  = "fresh-sanctuary-389006"
+}
+
+provider "kubernetes" {
+  host                   = "https://${data.google_container_cluster.primary.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
 }
 
 provider "helm" {
   kubernetes {
-    host                   = data.aws_eks_cluster.cluster.endpoint
-    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
-    token                  = data.aws_eks_cluster_auth.cluster.token
-
+    host                   = "https://${data.google_container_cluster.primary.endpoint}"
+    token                  = data.google_client_config.default.access_token
+    cluster_ca_certificate = base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
   }
-}
+}

gcp/main.tf

@@ -0,0 +1,57 @@
+resource "google_service_account" "mysql_backup" {
+  project      = var.project_id
+  account_id   = format("%s-%s", var.environment, var.gcp_gsa_backup_name)
+  display_name = "Service Account for Mysql Backup"
+}
+
+resource "google_project_iam_member" "secretadmin" {
+  project = var.project_id
+  role    = "roles/storage.objectAdmin"
+  member  = "serviceAccount:${google_service_account.mysql_backup.email}"
+}
+
+resource "google_project_iam_member" "service_account_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.mysql_backup.email}"
+}
+
+resource "google_service_account_iam_member" "pod_identity" {
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[mysqldb/${var.gcp_ksa_backup_name}]"
+  service_account_id = google_service_account.mysql_backup.name
+}
+
+resource "google_service_account" "mysql_restore" {
+  project      = var.project_id
+  account_id   = format("%s-%s", var.environment, var.gcp_gsa_restore_name)
+  display_name = "Service Account for Mysql restore"
+}
+
+resource "google_project_iam_member" "secretadmin" {
+  project = var.project_id
+  role    = "roles/storage.objectAdmin"
+  member  = "serviceAccount:${google_service_account.mysql_restore.email}"
+}
+
+resource "google_project_iam_member" "service_account_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.mysql_restore.email}"
+}
+
+resource "google_service_account_iam_member" "pod_identity" {
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[mysqldb/${var.gcp_ksa_restore_name}]"
+  service_account_id = google_service_account.mysql_restore.name
+}
+
+output "service_account_backup" {
+  value = google_service_account.mysql_restore.email
+  description = "Google Cloud Service Account name for backup"
+}
+
+output "service_account_restore" {
+  value = google_service_account.mysql_restore.email
+  description = "Google Cloud Service Account name for restore"
+}