update code for chapter 7

Author: Scott Winkler

chapter7/complete/infrastructure/main.tf

@@ -1,5 +1,5 @@
 locals {
-  services = [
+  services = [ #A
     "sourcerepo.googleapis.com",
     "cloudbuild.googleapis.com",
     "run.googleapis.com",
@@ -12,12 +12,12 @@ resource "google_project_service" "enabled_service" {
   project  = var.project_id
   service  = each.key
 
-  provisioner "local-exec" {
+  provisioner "local-exec" { #B
     command = "sleep 60"
   }
 
-  provisioner "local-exec" {
-    when    = "destroy"
+  provisioner "local-exec" { #C
+    when    = destroy
     command = "sleep 15"
   }
 }
@@ -27,17 +27,12 @@ resource "google_sourcerepo_repository" "repo" {
     google_project_service.enabled_service["sourcerepo.googleapis.com"]
   ]
 
-  name = "${var.namespace}-repo"
+  name       = "${var.namespace}-repo"
 }
 
-locals {
+locals { #A
   image = "gcr.io/${var.project_id}/${var.namespace}"
   steps = [
-    {
-      name = "gcr.io/cloud-builders/go"
-      args = ["install", "."]
-      env  = ["PROJECT_ROOT=${var.namespace}"]
-    },
     {
       name = "gcr.io/cloud-builders/go"
       args = ["test"]
@@ -50,11 +45,12 @@ locals {
     {
       name = "gcr.io/cloud-builders/docker"
       args = ["push", local.image]
-    },
+},
     {
       name = "gcr.io/cloud-builders/gcloud"
-      args = ["beta", "run", "deploy", google_cloud_run_service.service.name, "--image", local.image, "--region", var.region, "--platform", "managed", "-q"]
-    }
+      args = ["run", "deploy", google_cloud_run_service.service.name, "--image", local.image, "--region", var.region, "--platform", "managed", "-q"]
+}
+
   ]
 }
 
@@ -74,7 +70,7 @@ resource "google_cloudbuild_trigger" "trigger" {
       content {
         name = step.value.name
         args = step.value.args
-        env  = lookup(step.value, "env", null)
+        env  = lookup(step.value, "env", null) #B
       }
     }
   }
@@ -83,47 +79,41 @@ resource "google_cloudbuild_trigger" "trigger" {
 data "google_project" "project" {}
 
 resource "google_project_iam_member" "cloudbuild_roles" {
-  depends_on = [google_cloudbuild_trigger.trigger]
-  for_each   = toset(["roles/run.admin", "roles/iam.serviceAccountUser"])
+  depends_on = [google_cloudbuild_trigger.trigger] 
+  for_each   = toset(["roles/run.admin", "roles/iam.serviceAccountUser"])#A
   project    = var.project_id
   role       = each.key
   member     = "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
 }
 
 resource "google_cloud_run_service" "service" {
   depends_on = [
-    google_project_service.enabled_service["cloudrun.googleapis.com"]
+    google_project_service.enabled_service["run.googleapis.com"]
   ]
-
-  provider = "google-beta"
-  location = var.region
   name     = var.namespace
-  metadata {
-    namespace = var.project_id
-  }
-  spec {
-    containers {
-      image = "${local.image}:latest"
+  location = var.region
+
+  template {
+    spec {
+      containers {
+        image = "${local.image}:latest" #A
+      }
     }
   }
 }
 
-resource "null_resource" "cloud_run_allow" {
-  provisioner "local-exec" {
-    command = <<EOF
-cd ${path.module}
-gcloud beta run services set-iam-policy ${google_cloud_run_service.service.name} --region ${var.region} policy.yaml -q --project ${var.project_id} --platform managed
-EOF
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/run.invoker"
+    members = [
+      "allUsers",
+    ]
   }
 }
 
-data "shell_script" "cloud_run_url" {
-  working_directory = path.module
-  lifecycle_commands {
-    read = <<EOF
-sleep 10
-URL=$(gcloud beta run services describe ${google_cloud_run_service.service.name} --platform managed --region ${var.region} --project ${var.project_id} --format "value(status.url)")
-echo '{"url": "'"$URL"'"}' >&3
-EOF
-  }
-}
+resource "google_cloud_run_service_iam_policy" "policy" {
+  location    = var.region
+  project     = var.project_id
+  service     = google_cloud_run_service.service.name
+  policy_data = data.google_iam_policy.admin.policy_data
+}

chapter7/complete/infrastructure/outputs.tf

@@ -1,6 +1,6 @@
 output "urls" {
   value = {
-    app  = data.shell_script.cloud_run_url.output["url"]
     repo = google_sourcerepo_repository.repo.url
+    app  = google_cloud_run_service.service.status[0].url
   }
 }

chapter7/complete/infrastructure/policy.yaml

@@ -2,10 +2,4 @@ provider "google" {
   credentials = file("account.json")
   project     = var.project_id
   region      = var.region
-}
-
-provider "google-beta" {
-  credentials = file("account.json")
-  project     = var.project_id
-  region      = var.region
 }

chapter7/complete/infrastructure/providers.tf

@@ -1,9 +1,6 @@
 terraform {
   required_version = "~> 0.12"
   required_providers {
-    null        = "~> 2.1"
-    google      = "~> 2.13"
-    google-beta = "~> 2.13"
-    shell       = ">= 0.1"
+    google      = "~> 3.10"
   }
-}
+}

chapter7/complete/infrastructure/versions.tf

@@ -1,6 +1,6 @@
 output "urls" {
   value = {
-    app  = data.shell_script.cloud_run_url.output["url"]
     repo = google_sourcerepo_repository.repo.url
+    app  = google_cloud_run_service.service.status[0].url
   }
-}
+}

chapter7/listing7.12/outputs.tf renamed to chapter7/listing7.10/outputs.tf

@@ -0,0 +1,6 @@
+terraform {
+  required_version = "~> 0.12"
+  required_providers {
+    google = "~> 3.10"
+  }
+}

chapter7/listing7.10/policy.yaml

@@ -1,5 +1,5 @@
 locals {
-  services = [
+  services = [ #A
     "sourcerepo.googleapis.com",
     "cloudbuild.googleapis.com",
     "run.googleapis.com",
@@ -12,12 +12,12 @@ resource "google_project_service" "enabled_service" {
   project  = var.project_id
   service  = each.key
 
-  provisioner "local-exec" {
+  provisioner "local-exec" { #B
     command = "sleep 60"
   }
 
-  provisioner "local-exec" {
-    when    = "destroy"
+  provisioner "local-exec" { #C
+    when    = destroy
     command = "sleep 15"
   }
 }
@@ -30,14 +30,9 @@ resource "google_sourcerepo_repository" "repo" {
   name = "${var.namespace}-repo"
 }
 
-locals {
+locals { #A
   image = "gcr.io/${var.project_id}/${var.namespace}"
   steps = [
-    {
-      name = "gcr.io/cloud-builders/go"
-      args = ["install", "."]
-      env  = ["PROJECT_ROOT=${var.namespace}"]
-    },
     {
       name = "gcr.io/cloud-builders/go"
       args = ["test"]
@@ -53,8 +48,9 @@ locals {
     },
     {
       name = "gcr.io/cloud-builders/gcloud"
-      args = ["beta", "run", "deploy", google_cloud_run_service.service.name, "--image", local.image, "--region", var.region, "--platform", "managed", "-q"]
+      args = ["run", "deploy", google_cloud_run_service.service.name, "--image", local.image, "--region", var.region, "--platform", "managed", "-q"]
     }
+
   ]
 }
 
@@ -74,7 +70,7 @@ resource "google_cloudbuild_trigger" "trigger" {
       content {
         name = step.value.name
         args = step.value.args
-        env  = lookup(step.value, "env", null)
+        env  = lookup(step.value, "env", null) #B
       }
     }
   }
@@ -84,46 +80,40 @@ data "google_project" "project" {}
 
 resource "google_project_iam_member" "cloudbuild_roles" {
   depends_on = [google_cloudbuild_trigger.trigger]
-  for_each   = toset(["roles/run.admin", "roles/iam.serviceAccountUser"])
+  for_each   = toset(["roles/run.admin", "roles/iam.serviceAccountUser"]) #A
   project    = var.project_id
   role       = each.key
   member     = "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
 }
 
 resource "google_cloud_run_service" "service" {
   depends_on = [
-    google_project_service.enabled_service["cloudrun.googleapis.com"]
+    google_project_service.enabled_service["run.googleapis.com"]
   ]
-
-  provider = "google-beta"
-  location = var.region
   name     = var.namespace
-  metadata {
-    namespace = var.project_id
-  }
-  spec {
-    containers {
-      image = "${local.image}:latest"
+  location = var.region
+
+  template {
+    spec {
+      containers {
+        image = "${local.image}:latest" #A
+      }
     }
   }
 }
 
-resource "null_resource" "cloud_run_allow" {
-  provisioner "local-exec" {
-    command = <<EOF
-cd ${path.module}
-gcloud beta run services set-iam-policy ${google_cloud_run_service.service.name} --region ${var.region} policy.yaml -q --project ${var.project_id} --platform managed
-EOF
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/run.invoker"
+    members = [
+      "allUsers",
+    ]
   }
 }
 
-data "shell_script" "cloud_run_url" {
-  working_directory = path.module
-  lifecycle_commands {
-    read = <<EOF
-sleep 10
-URL=$(gcloud beta run services describe ${google_cloud_run_service.service.name} --platform managed --region ${var.region} --project ${var.project_id} --format "value(status.url)")
-echo '{"url": "'"$URL"'"}' >&3
-EOF
-  }
+resource "google_cloud_run_service_iam_policy" "policy" {
+  location    = var.region
+  project     = var.project_id
+  service     = google_cloud_run_service.service.name
+  policy_data = data.google_iam_policy.admin.policy_data
 }