Adjust terraform to store cleanup policies (#11915)

* Update image-builder.tf * Update image-builder.tf * upd8 account * Correct account * Correct account * Correct account * Correct account * Correct account * Correct account * Correct Terraform vars * Correct Terraform vars * Correct Terraform vars * Correct Terraform vars * Correct Terraform vars * Correct Terraform vars * terraform fixes of other resources * Update configs/terraform/environments/prod/image-builder.tf Co-authored-by: Przemek Pokrywka <[email protected]> * Move docker hub mirror config to object type variable * Add identity for image-builder in kyma-project project. * Use exisitng identity, use updated variables --------- Co-authored-by: Przemek Pokrywka <[email protected]> Co-authored-by: Kacper Małachowski <[email protected]>
kyma-project · Oct 2, 2024 · bb77d5b · bb77d5b
1 parent ac0700e
commit bb77d5b
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 8 deletions.
diff --git a/configs/terraform/environments/prod/dns-collector.tf b/configs/terraform/environments/prod/dns-collector.tf
@@ -3,7 +3,7 @@
 resource "google_service_account" "sa_gke_kyma_integration" {
   account_id   = "sa-gke-kyma-integration"
   display_name = "sa-gke-kyma-integration"
-  description  = "Service account is used by Prow to integrate with GKE."
+  description  = "Service account is used by Prow to integrate with GKE. Will be removed with Prow"
 }
 
 resource "google_project_iam_binding" "dns_collector_container_analysis_occurrences_viewer" {

diff --git a/configs/terraform/environments/prod/image-builder-variables.tf b/configs/terraform/environments/prod/image-builder-variables.tf
@@ -24,4 +24,36 @@ variable "image_builder_ado_pat_gcp_secret_manager_secret_name" {
   description = "Name of the secret in GCP Secret Manager that contains the ADO PAT for image-builder to trigger ADO pipeline."
   type        = string
   default     = "image-builder-ado-pat"
-}
+}
+
+# Variable for image-builder's artifact registries identity
+variable "image_builder_kyma-project_identity" {
+  description = "Configuration for identity of image-builder in main kyma-project GCP project. It's used to access artifact registries."
+  type = object({
+    id = string
+    description = string
+  })
+
+  default = {
+    id = "azure-pipeline-image-builder"
+    description = "OCI image builder running in kyma development service azure pipelines"
+  }
+}
+
+# Variable for Docker Hub Mirror configuration
+variable "dockerhub_mirror" {
+  description = "Configuration for the Docker Hub mirror repository"
+  type = object({
+    repository_id = string
+    description = string
+    location = string
+    cleanup_age = string
+  })
+
+  default = {
+    repository_id = "dockerhub-mirror"
+    description = "Remote repository mirroring Docker Hub. For more details, see https://github.tools.sap/kyma/oci-image-builder/blob/main/README.md"
+    location = "europe"
+    cleanup_age = "730d" # 730 days = 2 years
+  }
+}
diff --git a/configs/terraform/environments/prod/image-builder.tf b/configs/terraform/environments/prod/image-builder.tf
@@ -89,10 +89,10 @@ resource "github_actions_organization_variable" "image_builder_ado_pat_gcp_secre
 }
 
 resource "google_artifact_registry_repository" "dockerhub_mirror" {
-  repository_id = "dockerhub-mirror"
-  description   = "Remote repository mirroring Docker Hub"
+  repository_id = var.dockerhub_mirror.repository_id
+  description   = var.dockerhub_mirror.description
   format        = "DOCKER"
-  location      = "europe"
+  location      = var.dockerhub_mirror.location
   mode          = "REMOTE_REPOSITORY"
 
   remote_repository_config {
@@ -101,13 +101,36 @@ resource "google_artifact_registry_repository" "dockerhub_mirror" {
       public_repository = "DOCKER_HUB"
     }
   }
+
+  cleanup_policy_dry_run = false
+
+  cleanup_policies {
+    id = "cleanup-old-images"
+    action = "DELETE"
+
+    condition {
+      older_than = var.dockerhub_mirror.cleanup_age
+      tag_state  = "ANY"
+    }
+  }
+}
+
+import {
+  id = "projects/${var.kyma_project_gcp_project_id}/serviceAccounts/${var.image_builder_kyma-project_identity.id}@${var.kyma_project_gcp_project_id}.iam.gserviceaccount.com"
+  to = google_service_account.kyma_project_image_builder
+}
+
+resource "google_service_account" "kyma_project_image_builder" {
+  provider = google.kyma_project
+  account_id = var.image_builder_kyma-project_identity.id
+  description = var.image_builder_kyma-project_identity.description
 }
 
 resource "google_artifact_registry_repository_iam_member" "dockerhub_mirror_access" {
   provider   = google.kyma_project
   project    = var.kyma_project_gcp_project_id
   location   = google_artifact_registry_repository.dockerhub_mirror.location
-  repository = google_artifact_registry_repository.dockerhub_mirror.name
+  repository = google_artifact_registry_repository.dockerhub_mirror.repository_id
   role       = "roles/artifactregistry.reader"
-  member     = "serviceAccount:azure-pipeline-image-builder@kyma-project.iam.gserviceaccount.com"
+  member     = "serviceAccount:${google_service_account.kyma_project_image_builder.email}"
 }
diff --git a/configs/terraform/modules/service-account-keys-cleaner/main.tf b/configs/terraform/modules/service-account-keys-cleaner/main.tf
@@ -73,7 +73,7 @@ resource "google_cloud_scheduler_job" "service_account_keys_cleaner" {
 
   http_target {
     http_method = "GET"
-    uri         = format("%s?project=%s&age=%s", google_cloud_run_service.service_account_keys_cleaner.status[0].url, data.google_project.project.project_id, var.service_account_key_latest_version_min_age)
+    uri         = format("%s/?project=%s&age=%s", google_cloud_run_service.service_account_keys_cleaner.status[0].url, data.google_project.project.project_id, var.service_account_key_latest_version_min_age)
 
     oidc_token {
       service_account_email = var.secrets_rotator_sa_email