From 413083007710801286476272012225820a9c7f4c Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Tue, 10 Feb 2026 10:34:21 +0000
Subject: [PATCH] Remove migrated witness terra.* configs
---
deployment/live/witness/README.md | 27 ---
deployment/live/witness/dev/terragrunt.hcl | 18 --
deployment/live/witness/root.hcl | 24 ---
deployment/modules/witness/main.tf | 204 ---------------------
deployment/modules/witness/outputs.tf | 21 ---
deployment/modules/witness/variables.tf | 68 -------
6 files changed, 362 deletions(-)
delete mode 100644 deployment/live/witness/README.md
delete mode 100644 deployment/live/witness/dev/terragrunt.hcl
delete mode 100644 deployment/live/witness/root.hcl
delete mode 100644 deployment/modules/witness/main.tf
delete mode 100644 deployment/modules/witness/outputs.tf
delete mode 100644 deployment/modules/witness/variables.tf
diff --git a/deployment/live/witness/README.md b/deployment/live/witness/README.md
deleted file mode 100644
index 81817c3..0000000
--- a/deployment/live/witness/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Witness deployment
-
-The directories under here contain the top-level terragrunt files for the deployment environments.
-
-In all cases, before deploying for the first time, you MUST have created the witness `private` key
-and stored it in Secret Manager, or the `terragrunt apply` will fail.
-
-> [!Note]
-> While the witness binary itself doesn't need the `public` key, *you will* in order to share it
-> with others.
-
-Below is a `bash` snippet which will generate and store both the public and private key in Secret
-Manager under secrets called `witness_public_XXX` and `witness_secret_XXX` respectively, where
-```XXX``` is the name of the target deployment environment.
-
-```bash
-$ export TARGET="dev" # This MUST match the name of the directory you're deploying
-$ export WITNESS_NAME="..." # This is the witness name we're generating keys for. It should follow the schemaless-url recommendation from `tlog-witness`.
-$ go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD \
- --key_name="${WITNESS_NAME}" \
- --print |
- tee >(grep -v PRIVATE | gcloud secrets create witness_public_${TARGET} --data-file=-) |
- grep PRIVATE |
- gcloud secrets create witness_secret_${TARGET} --data-file=-
-Created version [1] of the secret [witness_public_dev].
-Created version [1] of the secret [witness_secret_dev].
-```
diff --git a/deployment/live/witness/dev/terragrunt.hcl b/deployment/live/witness/dev/terragrunt.hcl
deleted file mode 100644
index a04326b..0000000
--- a/deployment/live/witness/dev/terragrunt.hcl
+++ /dev/null
@@ -1,18 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- expose = true
-}
-
-inputs = merge(
- include.root.locals,
- {
- public_witness_config_urls = ["https://raw.githubusercontent.com/transparency-dev/witness-network/refs/heads/main/lists/testing/log-list.1"]
- witness_docker_repo = "https://ghcr.io"
- witness_docker_image = "transparency-dev/witness/omniwitness_gcp:latest"
- witness_secret_name = "witness_secret_dev"
- witness_service_account = "cloudrun-witness-dev-sa@checkpoint-distributor.iam.gserviceaccount.com"
-
- ephemeral = true
- }
-)
-
diff --git a/deployment/live/witness/root.hcl b/deployment/live/witness/root.hcl
deleted file mode 100644
index 7887441..0000000
--- a/deployment/live/witness/root.hcl
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
- source = "${get_repo_root()}/deployment/modules/witness"
-}
-
-locals {
- project_id = "checkpoint-distributor"
- region = "us-central1"
- env = path_relative_to_include()
-}
-
-remote_state {
- backend = "gcs"
-
- config = {
- project = local.project_id
- location = local.region
- bucket = "${local.project_id}-witness-${local.env}-terraform-state"
- prefix = "${path_relative_to_include()}/terraform.tfstate"
-
- gcs_bucket_labels = {
- name = "terraform_state_storage"
- }
- }
-}
diff --git a/deployment/modules/witness/main.tf b/deployment/modules/witness/main.tf
deleted file mode 100644
index 7339648..0000000
--- a/deployment/modules/witness/main.tf
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# Project data
-provider "google" {
- project = var.project_id
-}
-
-data "google_project" "project" {
- project_id = var.project_id
-}
-
-# This will be configured by terragrunt when deploying
-terraform {
- backend "gcs" {}
- required_providers {
- google = {
- source = "hashicorp/google"
- version = "7.18.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = "7.18.0"
- }
- }
-}
-
-# Enable Secret Manager API
-resource "google_project_service" "secretmanager_api" {
- service = "secretmanager.googleapis.com"
- disable_on_destroy = false
-}
-
-# Enable Spanner
-resource "google_project_service" "spanner_api" {
- service = "spanner.googleapis.com"
- disable_on_destroy = false
-}
-
-# Enable Cloud Run API
-resource "google_project_service" "cloudrun_api" {
- service = "run.googleapis.com"
- disable_on_destroy = false
-}
-
-data "google_secret_manager_secret" "witness_secret" {
- secret_id = var.witness_secret_name
-}
-
-data "google_secret_manager_secret_version" "witness_secret_data" {
- secret = data.google_secret_manager_secret.witness_secret.id
- version = 1
-}
-
-# Update service accounts to allow secret access
-resource "google_secret_manager_secret_iam_member" "secretaccess_compute_witness" {
- secret_id = data.google_secret_manager_secret.witness_secret.id
- role = "roles/secretmanager.secretAccessor"
- member = 
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
-}
-
-resource "google_spanner_instance" "witness_spanner" {
- name = "witness-${var.env}"
- config = "regional-${var.region}"
- display_name = "Witness ${var.env}"
- processing_units = 100
-
- force_destroy = var.ephemeral
- depends_on = [
- google_project_service.spanner_api,
- ]
-}
-
-resource "google_spanner_database" "witness_db" {
- instance = google_spanner_instance.witness_spanner.name
- name = "witness_db_${var.env}"
-
- deletion_protection = !var.ephemeral
-}
-
-resource "google_spanner_database_iam_member" "database" {
- instance = google_spanner_instance.witness_spanner.name
- database = google_spanner_database.witness_db.name
- role = "roles/spanner.databaseAdmin"
-
- member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
-}
-
-locals {
- spanner_db_full = "projects/${var.project_id}/instances/${google_spanner_instance.witness_spanner.name}/databases/${google_spanner_database.witness_db.name}"
-}
-
-# Set up an artifact registry to cache remote images we depend on via Cloud Run, below.
-#
-# This is intended to guard against the upstream image being unavailable for some reason.
-resource "google_artifact_registry_repository" "witness" {
- location = var.region
- repository_id = "witness-remote-${var.env}"
- description = "Remote repository with witness docker images upstream"
- format = "DOCKER"
- mode = "REMOTE_REPOSITORY"
- remote_repository_config {
- description = "Pull-through cache of witness repository"
- common_repository {
- uri = var.witness_docker_repo
- }
- }
-}
-
-###
-### Set up Cloud Run service
-###
-
-locals {
- public_witness_config_args = formatlist("--public_witness_config_url=%s", var.public_witness_config_urls)
-}
-
-resource "google_cloud_run_v2_service" "default" {
- name = "witness-service-${var.env}"
- location = var.region
- launch_stage = "GA"
-
-
- template {
- ## This Service account will be used for running the Cloud Run service which hosts the witness.
- ##
- ## The service account provided here must be a member of the following roles in order to function properly:
- ## "roles/iam.serviceAccountUser"
- ## "roles/monitoring.metricWriter"
- ## "roles/spanner.databaseUser"
- ## "roles/run.serviceAgent"
- ## "roles/secretmanager.secretAccessor"
- service_account = var.witness_service_account
-
- scaling {
- min_instance_count = 1
- max_instance_count = 3
- }
- max_instance_request_concurrency = 1000
- containers {
- # Access the witness docker image via our "pull-through" cache artifcat registry.
- image = "${google_artifact_registry_repository.witness.registry_uri}/${var.witness_docker_image}"
- name = "witness"
- args = concat([
- "--logtostderr",
- "--v=1",
- "--listen=:8080",
- "--spanner=${local.spanner_db_full}",
- "--signer_private_key_secret_name=${data.google_secret_manager_secret_version.witness_secret_data.name}"
- ],
- local.public_witness_config_args,
- var.extra_args)
- ports {
- container_port = 8080
- }
-
- startup_probe {
- initial_delay_seconds = 1
- timeout_seconds = 1
- period_seconds = 10
- failure_threshold = 3
- tcp_socket {
- port = 8080
- }
- }
- }
- containers {
- image = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.3.0"
- name = "collector"
- depends_on = ["witness"]
- }
- }
- client = "terraform"
- depends_on = [
- google_project_service.secretmanager_api,
- google_project_service.cloudrun_api,
- google_project_service.spanner_api,
- ]
-
- deletion_protection = !var.ephemeral
-}
-
-resource "google_cloud_run_service_iam_binding" "default" {
- location = google_cloud_run_v2_service.default.location
- service = google_cloud_run_v2_service.default.name
- role = "roles/run.invoker"
- members = [
- "allUsers"
- ]
-}
-
diff --git a/deployment/modules/witness/outputs.tf b/deployment/modules/witness/outputs.tf
deleted file mode 100644
index 728c896..0000000
--- a/deployment/modules/witness/outputs.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "witness_uri" {
- description = "The main URI in which this Service is serving traffic."
- value = google_cloud_run_v2_service.default.uri
-}
-
diff --git a/deployment/modules/witness/variables.tf b/deployment/modules/witness/variables.tf
deleted file mode 100644
index 362abd6..0000000
--- a/deployment/modules/witness/variables.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Copyright 2019 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "project_id" {
- description = "The project ID to host the cluster in"
- type = string
-}
-
-variable "region" {
- description = "The region to host the cluster in"
- type = string
-}
-
-variable "env" {
- description = "Unique identifier for the env, e.g. ci or prod"
- type = string
-}
-
-variable "witness_docker_repo" {
- description = "The full URL of the docker registry where the witness docker image can be found"
- type = string
-}
-
-variable "witness_docker_image" {
- description = "The image name and tag of the witness docker image to deploy, as found on the witness_docker_repo."
- type = string
-}
-
-variable "extra_args" {
- description = "Extra arguments to be provided to the witness invoked in cloud run"
- type = list(string)
- default = []
-}
-
-variable "ephemeral" {
- description = "Set to true if this is a CI/temporary deploy"
- type = bool
- default = false
-}
-
-variable "public_witness_config_urls" {
- description = "Set to a list of URLs where public witness config files can be retrieved"
- type = list(string)
- default = []
-}
-
-variable "witness_service_account" {
- description = "Service account identifier to use when running the witness. Should be in email form: 'email@address'. This service will need to be a member of several IAM roles - see the main.tf for details."
- type = string
-}
-
-variable "witness_secret_name" {
- description = "Secret manager secret name containing the note-formatted key to use for signing checkpoints."
- type = string
-}