[Custom DC] Terraform api key fix, save bt automation status in tf st…

…ate (#2286)

Currently API keys are duplicated on re-runs. Fix this by converting
shell scripted "null_resource" into actual Terraform resource. Original
reason Terraform resource was commented out was because of a bug, which
is now fixed.

Also save BT automation terraform status to tf state. 


TESTED=https://buoyant-country-377016-datacommons.com/place/geoId/0667000

Co-authored-by: Alex Chen <[email protected]>

deploy/terraform-datacommons-website/examples/website_v1/main.tf

@@ -17,6 +17,12 @@ terraform {
   backend "gcs" {}
 }
 
+provider "google" {
+  project               = var.project_id
+  billing_project       = var.project_id
+  user_project_override = true
+}
+
 locals {
   resource_suffix    = var.use_resource_suffix ? format("-%s", var.resource_suffix) : ""
   web_robot_sa_email = (

deploy/terraform-datacommons-website/modules/apikeys/main.tf

@@ -14,83 +14,28 @@
  * limitations under the License.
  */
 
-# The following resource currently has issues with ADC authentication.
-# Instead, snippets from the following script
-# https://github.com/datacommonsorg/website/blob/master/gke/create_api_key.sh
-# are used as a local-exec resource.
-# Since Terraform resources are preferred over shell scripts, this snippet
-# is commented out for reference.
-# When the issue from Github is resolve, please switch over to the Terraform
-# resource by following the steps below.
-#   1. Uncomment the resource below.
-#   2. Delete null_resource.maps_api_key block.
-#   3. Delete local_file.website_api_key block.
-#   4. Replace all references of null_resource.maps_api_key
-#      with "google_apikeys_key.maps_api_key".
-#   5. Replace data.local_file.website_api_key.content
-#      with "google_apikeys_key.maps_api_key.key_string".
-# For more on the issue, see the following Github issue.
+# Caller main.tf must set billing_project to target GCP project
+# and set user_project_override to true within "google" provider block
+# See below for details.
 # https://github.com/hashicorp/terraform-provider-google/issues/11865
-# are used in a local-exec script.
-# resource "google_apikeys_key" "maps_api_key" {
-#  name         = "maps-api-key"
-#  display_name = "maps-api-key"
-#  project      =  var.project_id
-#
-#  restrictions {
-#    browser_key_restrictions {
-#      allowed_referrers= ["https://${var.website_domain}/*"]
-#    }
-#
-#    api_targets {
-#      service = "maps-backend.googleapis.com"
-#    }
-#
-#    api_targets {
-#      service = "places-backend.googleapis.com"
-#    }
-#  }
-# }
+resource "google_apikeys_key" "maps_api_key" {
+ name         = "maps-api-key"
+ display_name = "maps-api-key"
+ project      =  var.project_id
 
-resource "null_resource" "maps_api_key" {
-  provisioner "local-exec" {
-    command = <<EOT
-gcloud alpha services api-keys create \
---project=${var.project_id} \
---display-name=maps-api-key${var.resource_suffix} \
---allowed-referrers=https://${var.dc_website_domain}/* \
---api-target=service=maps-backend.googleapis.com \
---api-target=service=places-backend.googleapis.com
+ restrictions {
+   browser_key_restrictions {
+     allowed_referrers= ["https://${var.dc_website_domain}/*"]
+   }
 
-EOT
-  }
-}
-
-resource "null_resource" "maps_api_key_fetch" {
-  # Regardless of the state, we always want to fetch the API key to a tmp file so
-  # the api key can be found in /tmp even in re-runs.
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-
-  provisioner "local-exec" {
-    command = <<EOT
-touch /tmp/dc-website-api-key
-
-API_KEY_NAME=$(gcloud alpha services api-keys list --project=${var.project_id} --filter='displayName=maps-api-key${var.resource_suffix}' --format='value(name)' | head -n 1)
-gcloud alpha services api-keys get-key-string $API_KEY_NAME --format='value(keyString)' >> /tmp/dc-website-api-key
-
-EOT
-  }
-
-  depends_on = [null_resource.maps_api_key]
-}
+   api_targets {
+     service = "maps-backend.googleapis.com"
+   }
 
-# Needed because file(https://www.terraform.io/language/functions/file)
-# cannot be used for dynamically generated files.
-data "local_file" "website_api_key" {
-  filename = "/tmp/dc-website-api-key"
-  depends_on = [null_resource.maps_api_key_fetch]
+   api_targets {
+     service = "places-backend.googleapis.com"
+   }
+ }
 }
 
 resource "google_secret_manager_secret" "maps_api_key_secret" {
@@ -105,16 +50,15 @@ resource "google_secret_manager_secret" "maps_api_key_secret" {
     }
   }
 
-  depends_on = [null_resource.maps_api_key]
+  depends_on = [google_apikeys_key.maps_api_key]
 }
 
 resource "google_secret_manager_secret_version" "maps_api_key_secret_version" {
   secret = google_secret_manager_secret.maps_api_key_secret.id
 
-  secret_data = data.local_file.website_api_key.content
+  secret_data = google_apikeys_key.maps_api_key.key_string
 
   depends_on = [
     google_secret_manager_secret.maps_api_key_secret,
-    null_resource.maps_api_key
   ]
 }

scripts/install_custom_dc.sh

@@ -14,7 +14,7 @@
 # limitations under the License.
 set -e
 
-CUSTOM_DC_RELEASE_TAG=custom-dc-v0.2.0
+CUSTOM_DC_RELEASE_TAG=custom-dc-v0.3.0
 
 # In some environments (such as Cloud Shell), IPv6 is not enabled on the OS.
 # This causes problems during terraform runs. Fix is from the issue below.
@@ -149,7 +149,12 @@ WEBSITE_ROBOT="website-robot@$PROJECT_ID.iam.gserviceaccount.com"
 RESOURCE_BUCKET="$PROJECT_ID-resources"
 
 cd tools/bigtable_automation/terraform
-terraform init && terraform apply \
+
+terraform init \
+  -backend-config="bucket=$TF_STATE_BUCKET" \
+  -backend-config="prefix=bt_automation"
+
+terraform apply \
   -var="project_id=$PROJECT_ID" \
   -var="service_account_email=$WEBSITE_ROBOT" \
   -var="dc_resource_bucket=$RESOURCE_BUCKET" \