feat: ASM CA option without providing CA_CERT maps and adding revision_name flag (terraform-google-modules#952)

* modifying CA config options

* Adding  flag as an option and adding the ability for  to be used without providing the four  maps.

* adding missed variable in line 207 and 211

* correcting REVISION_NAME_COMMAND_SNIPPET variable in line 211

* updated revision_label process

* Made every CA CERTS map its own command snippet

* Made every CA CERTS map its own command snippet

* testing validations

* testing validations

* Fixed a missing bracket

* Reverting

* added revision_name flag and included option to run --ca flag without --ca_certs flag, to use self-signed certificate

* Fixed whitespacing

* removing another whitespace

* ran make build

* fixed Error: No newline at end of file ./modules/asm/variables.tf

* testing

* ran make build

* In install_asm.sh: Consolidating IF statement for CA_CERT keys, adding {} around single digits numbers for line 24-32, adding echos for CA variables.

Co-authored-by: Bharath KKB <[email protected]>

Author: christopher-hendrich-sada

modules/asm/README.md

@@ -52,10 +52,10 @@ To deploy this config:
 | asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no |
 | asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
 | ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no |
-| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` | `{}` | no |
+| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map(any)` | `{}` | no |
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
-| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no |
+| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list(any)` | `[]` | no |
 | enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no |
 | enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no |
 | enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no |
@@ -70,9 +70,10 @@ To deploy this config:
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |
 | mode | ASM mode for deployment. Supported modes are `install` and `upgrade`. | `string` | `"install"` | no |
-| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no |
+| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list(any)` | `[]` | no |
 | outdir | Sets `--outdir` option. | `string` | `"none"` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |
+| revision\_name | Sets `--revision-name` option. | `string` | `"none"` | no |
 | service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no |
 | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no |
 | skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no |

modules/asm/main.tf

@@ -28,6 +28,7 @@ locals {
   ca_key                 = lookup(var.ca_certs, "ca_key", "none")
   root_cert              = lookup(var.ca_certs, "root_cert", "none")
   cert_chain             = lookup(var.ca_certs, "cert_chain", "none")
+  revision_name_string   = (var.revision_name == "" ? "none" : var.revision_name)
   # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L1970
   iam_roles = [
     "roles/container.admin",
@@ -96,6 +97,6 @@ module "asm_install" {
   service_account_key_file    = var.service_account_key_file
   impersonate_service_account = var.impersonate_service_account
 
-  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
+  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string} ${local.revision_name_string}"
   kubectl_destroy_command = "${path.module}/scripts/destroy_asm.sh"
 }

modules/asm/scripts/install_asm.sh

@@ -21,15 +21,15 @@ if [ "$#" -lt 5 ]; then
     exit 1
 fi
 
-PROJECT_ID=$1
-CLUSTER_NAME=$2
-CLUSTER_LOCATION=$3
-ASM_VERSION=$4
-MODE=$5
-MCP=$6
-SKIP_VALIDATION=$7
-OPTIONS_LIST=$8
-CUSTOM_OVERLAYS_LIST=$9
+PROJECT_ID=${1}
+CLUSTER_NAME=${2}
+CLUSTER_LOCATION=${3}
+ASM_VERSION=${4}
+MODE=${5}
+MCP=${6}
+SKIP_VALIDATION=${7}
+OPTIONS_LIST=${8}
+CUSTOM_OVERLAYS_LIST=${9}
 ENABLE_ALL=${10}
 ENABLE_CLUSTER_ROLES=${11}
 ENABLE_CLUSTER_LABELS=${12}
@@ -44,6 +44,7 @@ CERT_CHAIN=${20}
 SERVICE_ACCOUNT=${21}
 KEY_FILE=${22}
 ASM_GIT_TAG=${23}
+REVISION_NAME=${24}
 
 # Set SKIP_VALIDATION variable
 if [[ ${SKIP_VALIDATION} = "true" ]]; then
@@ -93,7 +94,12 @@ echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION"
 echo -e "OUTDIR is $OUTDIR"
 echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT"
 echo -e "KEY_FILE is $KEY_FILE"
-
+echo -e "REVISION_NAME is $REVISION_NAME"
+echo -e "CA is $CA"
+echo -e "CA_CERT is $CA_CERT"
+echo -e "CA_KEY is $CA_KEY"
+echo -e "ROOT_CERT is $ROOT_CERT"
+echo -e "CERT_CHAIN is $CERT_CHAIN"
 #download the correct version of the install_asm script
 if [[ "${ASM_GIT_TAG}" = "none" ]]; then
     echo -e "Downloading install_asm with latest git tag..."
@@ -177,15 +183,21 @@ else
     mkdir -p "${OUTDIR}"
 fi
 
-if [[ "${CA}" = "citadel" ]]; then
-    CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}"
+if [[ "${CA}" == "citadel" ]]; then
+    CA_COMMAND_SNIPPET="--ca citadel"
 else
     CA_COMMAND_SNIPPET=""
 fi
 
+if [[ "${CA_CERT}" == "none" ]]; then
+    CA_CERTS_COMMAND_SNIPPET=""
+else
+    CA_CERTS_COMMAND_SNIPPET="--ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}"
+fi
+
 # Echo the command before executing
-echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}"
+echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}"
 
 # run the script with appropriate flags
 # shellcheck disable=SC2086
-./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}
+./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}  ${REVISION_NAME_COMMAND_SNIPPET}

modules/asm/variables.tf

@@ -95,13 +95,13 @@ variable "impersonate_service_account" {
 
 variable "options" {
   description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features."
-  type        = list
+  type        = list(any)
   default     = []
 }
 
 variable "custom_overlays" {
   description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file"
-  type        = list
+  type        = list(any)
   default     = []
 }
 
@@ -167,18 +167,28 @@ variable "ca" {
 
 variable "ca_certs" {
   description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca."
-  type        = map
+  type        = map(any)
   default     = {}
   # default = {
   #   "ca_cert"    = "none"
   #   "ca_key"     = "none"
   #   "root_cert"  = "none"
   #   "cert_chain" = "none"
   # }
+  validation {
+    condition     = contains([4, 0], length(compact([for k in ["ca_cert", "ca_key", "root_cert", "cert_chain"] : lookup(var.ca_certs, k, "")])))
+    error_message = "One or more required keys for ca_certs are missing. If you plan to use the self-signed certificate, do not declare the ca_certs variable."
+  }
 }
 
 variable "iam_member" {
   description = "The GCP member email address to grant IAM roles to. If impersonate_service_account or service_account is set, roles are granted to that SA."
   type        = string
   default     = ""
 }
+
+variable "revision_name" {
+  description = "Sets `--revision-name` option."
+  type        = string
+  default     = "none"
+}