Add egress-space terraform module

2025-12-10 07:12:20 -05:00 · 2022-11-04 16:37:32 -04:00
parent a3f594693f
commit 13134ac6ae
6 changed files with 105 additions and 6 deletions
--- a/terraform/create_service_account.sh
+++ b/terraform/create_service_account.sh
@@ -7,14 +7,18 @@ $0: Create a Service User Account for a given space

 Usage:
  $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]

 Options:
 -h: show help and exit
 -s <SPACE NAME>: configure the space to act on. Required
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-m: If provided, make the service user an OrgManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
+
+Notes:
+OrgManager is required for terraform to create <env>-egress spaces
 "

 set -e
@@ -23,8 +27,9 @@ set -o pipefail
 space=""
 service=""
 role="space-deployer"
+org_manager="false"

-while getopts ":hs:u:r:o:" opt; do
+while getopts ":hms:u:r:o:" opt; do
  case "$opt" in
    s)
      space=${OPTARG}
@@ -38,6 +43,9 @@ while getopts ":hs:u:r:o:" opt; do
    o)
      org=${OPTARG}
      ;;
+    m)
+      org_manager="true"
+      ;;
    h)
      echo "$usage"
      exit 0
@@ -60,13 +68,17 @@ cf create-service-key $service service-account-key 1>&2

 # output service key to stdout in secrets.auto.tfvars format
 creds=`cf service-key $service service-account-key | tail -n 4`
-username=`echo $creds | jq '.username'`
-password=`echo $creds | jq '.password'`
+username=`echo $creds | jq -r '.username'`
+password=`echo $creds | jq -r '.password'`
+
+if [[ $org_manager = "true" ]]; then
+  cf set-org-role $username $org OrgManager 1>&2
+fi

 cat << EOF
 # generated with $0 -s $space -u $service -r $role -o $org
 # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org

-cf_user = $username
-cf_password = $password
+cf_user = "$username"
+cf_password = "$password"
 EOF
--- a/terraform/sandbox/main.tf
+++ b/terraform/sandbox/main.tf
@@ -53,3 +53,16 @@ module "contact_list_bucket" {
  recursive_delete = local.recursive_delete
  s3_service_name  = "${local.app_name}-contact-list-bucket-${local.env}"
 }
+
+module "egress-space" {
+  source = "../shared/egress_space"
+
+  cf_user                  = var.cf_user
+  cf_password              = var.cf_password
+  cf_org_name              = local.cf_org_name
+  cf_restricted_space_name = local.cf_space_name
+  deployers = [
+    var.cf_user,
+    "ryan.ahearn@gsa.gov"
+  ]
+}
--- a/terraform/shared/egress_space/main.tf
+++ b/terraform/shared/egress_space/main.tf
@@ -0,0 +1,36 @@
+###
+# Target space/org
+###
+
+data "cloudfoundry_org" "org" {
+  name = var.cf_org_name
+}
+
+###
+# Egress Space
+###
+
+resource "cloudfoundry_space" "public_egress" {
+  name = "${var.cf_restricted_space_name}-egress"
+  org = data.cloudfoundry_org.org.id
+}
+
+###
+# User roles
+###
+
+data "cloudfoundry_user" "users" {
+  for_each = var.deployers
+  name = each.key
+  org_id = data.cloudfoundry_org.org.id
+}
+
+locals {
+  user_ids = [for user in data.cloudfoundry_user.users : user.id]
+}
+
+resource "cloudfoundry_space_users" "deployers" {
+  space = cloudfoundry_space.public_egress.id
+  managers = local.user_ids
+  developers = local.user_ids
+}
--- a/terraform/shared/egress_space/providers.tf
+++ b/terraform/shared/egress_space/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    cloudfoundry = {
+      source = "cloudfoundry-community/cloudfoundry"
+      version = "~> 0.15"
+    }
+  }
+}
+
+provider "cloudfoundry" {
+  api_url = "https://api.fr.cloud.gov"
+  user = var.cf_user
+  password = var.cf_password
+  app_logs_max = 30
+}
--- a/terraform/shared/egress_space/variables.tf
+++ b/terraform/shared/egress_space/variables.tf
@@ -0,0 +1,10 @@
+variable "cf_password" {
+  type = string
+  sensitive = true
+}
+variable "cf_user" {}
+variable "cf_org_name" {}
+variable "cf_restricted_space_name" {}
+variable "deployers" {
+  type = set(string)
+}
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
@@ -53,3 +53,15 @@ module "contact_list_bucket" {
  recursive_delete = local.recursive_delete
  s3_service_name  = "${local.app_name}-contact-list-bucket-${local.env}"
 }
+
+module "egress-space" {
+  source = "../shared/egress_space"
+
+  cf_user                  = var.cf_user
+  cf_password              = var.cf_password
+  cf_org_name              = local.cf_org_name
+  cf_restricted_space_name = local.cf_space_name
+  deployers = [
+    var.cf_user
+  ]
+}