Add database for rekor search indexes (#1085)

Update the mysql and rekor modules to instantiate a new database in the
primary SQL instance for search index storage.

The rekor IAM service accounts are bound to their GKE equivalents and
given permission to access the Cloud SQL instance, which makes the
cloud-sql-proxy sidecar in the Rekor deployment work.

The "trillian" database instance resource is renamed to "sigstore" since
the instance now encompasses two databases, one of which is not for
trillian.

The mysql module creates a trillian mysql user, which is not an IAM
user. This user already has effectively admin grants on the SQL
instance, so it is capable of connecting to the new instance and
creating a new user named for the new database would not reduce the
overall privileges, so we reuse the trillian mysql user for the new
database.

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

terraform/gcp/modules/mysql/mysql.tf

@@ -102,7 +102,7 @@ resource "random_id" "db_name_suffix" {
   byte_length = 4
 }
 
-resource "google_sql_database_instance" "trillian" {
+resource "google_sql_database_instance" "sigstore" {
   project          = var.project_id
   name             = var.instance_name != "" ? var.instance_name : format("%s-mysql-%s", var.cluster_name, random_id.db_name_suffix.hex)
   database_version = var.database_version
@@ -142,11 +142,16 @@ resource "google_sql_database_instance" "trillian" {
   }
 }
 
+moved {
+  from = google_sql_database_instance.trillian
+  to   = google_sql_database_instance.sigstore
+}
+
 resource "google_sql_database_instance" "read_replica" {
   for_each = toset(var.replica_zones)
 
-  name                 = "${google_sql_database_instance.trillian.name}-replica-${each.key}"
-  master_instance_name = google_sql_database_instance.trillian.name
+  name                 = "${google_sql_database_instance.sigstore.name}-replica-${each.key}"
+  master_instance_name = google_sql_database_instance.sigstore.name
   region               = var.region
   database_version     = var.database_version
 
@@ -174,27 +179,35 @@ resource "google_sql_database_instance" "read_replica" {
 resource "google_sql_database" "trillian" {
   name       = var.db_name
   project    = var.project_id
-  instance   = google_sql_database_instance.trillian.name
+  instance   = google_sql_database_instance.sigstore.name
   collation  = "utf8_general_ci"
-  depends_on = [google_sql_database_instance.trillian]
+  depends_on = [google_sql_database_instance.sigstore]
+}
+
+resource "google_sql_database" "searchindexes" {
+  name       = var.index_db_name
+  project    = var.project_id
+  instance   = google_sql_database_instance.sigstore.name
+  collation  = "utf8_general_ci"
+  depends_on = [google_sql_database_instance.sigstore]
 }
 
 resource "random_id" "user-password" {
   keepers = {
-    name = google_sql_database_instance.trillian.name
+    name = google_sql_database_instance.sigstore.name
   }
 
   byte_length = 8
-  depends_on  = [google_sql_database_instance.trillian]
+  depends_on  = [google_sql_database_instance.sigstore]
 }
 
 resource "google_sql_user" "trillian" {
   name       = "trillian"
   project    = var.project_id
-  instance   = google_sql_database_instance.trillian.name
+  instance   = google_sql_database_instance.sigstore.name
   password   = random_id.user-password.hex
   host       = "%"
-  depends_on = [google_sql_database_instance.trillian]
+  depends_on = [google_sql_database_instance.sigstore]
 }
 
 resource "google_secret_manager_secret" "mysql-password" {
@@ -239,4 +252,3 @@ resource "google_secret_manager_secret_version" "mysql-database" {
   secret      = google_secret_manager_secret.mysql-database.id
   secret_data = google_sql_database.trillian.name
 }
-

terraform/gcp/modules/mysql/outputs.tf

@@ -22,13 +22,13 @@ output "trillian_serviceaccount" {
 // Used when setting up the GKE cluster to talk to MySQL.
 output "mysql_instance" {
   description = "The generated name of the Cloud SQL instance"
-  value       = google_sql_database_instance.trillian.name
+  value       = google_sql_database_instance.sigstore.name
 }
 
 // Full connection string for the MySQL DB>
 output "mysql_connection" {
   description = "The connection string dynamically generated for storage inside the Kubernetes configmap"
-  value       = format("%s:%s:%s", var.project_id, var.region, google_sql_database_instance.trillian.name)
+  value       = format("%s:%s:%s", var.project_id, var.region, google_sql_database_instance.sigstore.name)
 }
 
 // MySQL DB username.

terraform/gcp/modules/mysql/variables.tf

@@ -104,6 +104,12 @@ variable "db_name" {
   default     = "trillian"
 }
 
+variable "index_db_name" {
+  type        = string
+  description = "Name for the MySQL database for search indexes."
+  default     = "searchindexes"
+}
+
 variable "database_version" {
   type        = string
   description = "MySQL database version."

terraform/gcp/modules/rekor/service_accounts.tf

@@ -48,3 +48,17 @@ resource "google_project_iam_member" "rekor_profiler_agent" {
   member     = "serviceAccount:${google_service_account.rekor-sa.email}"
   depends_on = [google_service_account.rekor-sa]
 }
+
+resource "google_service_account_iam_member" "gke_sa_iam_member_rekor_server" {
+  service_account_id = google_service_account.rekor-sa.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[rekor-system/rekor-server]"
+  depends_on         = [google_service_account.rekor-sa]
+}
+
+resource "google_project_iam_member" "db_admin_member_rekor" {
+  project    = var.project_id
+  role       = "roles/cloudsql.client"
+  member     = "serviceAccount:${google_service_account.rekor-sa.email}"
+  depends_on = [google_service_account.rekor-sa]
+}