feat: Implement PoHTTP service and bootstrap job

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: terraform
+  directory: "/"
+  schedule:
+    interval: weekly
+  commit-message:
+    prefix: "fix(deps):"

.github/workflows/ci.yml

@@ -0,0 +1,22 @@
+name: CI and releases
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  ci-module:
+    uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+    with:
+      terraform_version: 1.5.3
+  ci-example:
+    uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+    with:
+      path: examples/basic
+      terraform_version: 1.5.3
+
+  release:
+    needs:
+      - ci-module
+      - ci-example
+    uses: relaycorp/shared-workflows/.github/workflows/tfmodule-release.yml@main

.github/workflows/prs.yml

@@ -0,0 +1,12 @@
+name: Process PRs
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  pr-ci:
+    uses: relaycorp/shared-workflows/.github/workflows/pr-ci.yml@main

.gitignore

@@ -0,0 +1,6 @@
+.terraform
+
+examples/*/.terraform
+examples/*/terraform.tfstate*
+examples/*/.terraform.tfstate.lock.info
+examples/*/terraform.tfvars

.releaserc.yml

@@ -0,0 +1,5 @@
+branches: [main]
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - "@semantic-release/github"

examples/basic/README.md

@@ -0,0 +1,3 @@
+# Basic example of the Awala Internet Gateway on GCP
+
+Using MongoDB Atlas Serverless.

examples/basic/gateway.tf

@@ -0,0 +1,39 @@
+locals {
+  gateway_db_name = "awala-gateway"
+}
+
+module "gateway" {
+  source = "../.."
+
+  instance_name    = "test"
+  internet_address = var.internet_address
+
+  project_id = var.google_project_id
+  region     = var.google_region
+
+  pohttp_server_domain = var.pohttp_server_domain
+
+  mongodb_db       = local.gateway_db_name
+  mongodb_password = random_password.mongodb_gateway_user_password.result
+  mongodb_uri      = local.mongodb_uri
+  mongodb_user     = mongodbatlas_database_user.gateway.username
+
+  depends_on = [time_sleep.wait_for_services]
+}
+
+resource "mongodbatlas_database_user" "gateway" {
+  project_id = var.mongodbatlas_project_id
+
+  username           = "awala-gateway"
+  password           = random_password.mongodb_gateway_user_password.result
+  auth_database_name = "admin"
+
+  roles {
+    role_name     = "readWrite"
+    database_name = local.gateway_db_name
+  }
+}
+
+resource "random_password" "mongodb_gateway_user_password" {
+  length = 32
+}

examples/basic/mongodb.tf

@@ -0,0 +1,18 @@
+locals {
+  mongodb_uri = "${mongodbatlas_serverless_instance.main.connection_strings_standard_srv}/?retryWrites=true&w=majority"
+}
+
+resource "mongodbatlas_serverless_instance" "main" {
+  project_id = var.mongodbatlas_project_id
+  name       = "veraid-authority"
+
+  provider_settings_backing_provider_name = "GCP"
+  provider_settings_provider_name         = "SERVERLESS"
+  provider_settings_region_name           = "WESTERN_EUROPE"
+}
+
+resource "mongodbatlas_project_ip_access_list" "main" {
+  project_id = var.mongodbatlas_project_id
+  comment    = "See https://github.com/relaycorp/terraform-google-veraid-authority/issues/3"
+  cidr_block = "0.0.0.0/0"
+}

examples/basic/providers.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source  = "mongodb/mongodbatlas"
+      version = "~> 1.10.2"
+    }
+  }
+}
+
+provider "google" {
+  project     = var.google_project_id
+  credentials = file(var.google_credentials_path)
+}
+
+provider "google-beta" {
+  project     = var.google_project_id
+  credentials = file(var.google_credentials_path)
+}
+
+provider "mongodbatlas" {
+  public_key  = var.mongodbatlas_public_key
+  private_key = var.mongodbatlas_private_key
+}

examples/basic/services.tf

@@ -0,0 +1,26 @@
+locals {
+  services = [
+    "run.googleapis.com",
+    "compute.googleapis.com",
+    "cloudkms.googleapis.com",
+    "pubsub.googleapis.com",
+    "secretmanager.googleapis.com",
+    "iam.googleapis.com",
+    "cloudscheduler.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "redis.googleapis.com",
+  ]
+}
+
+resource "google_project_service" "services" {
+  for_each = toset(local.services)
+
+  project                    = var.google_project_id
+  service                    = each.value
+  disable_dependent_services = true
+}
+
+resource "time_sleep" "wait_for_services" {
+  depends_on      = [google_project_service.services]
+  create_duration = "30s"
+}

examples/basic/variables.tf

@@ -0,0 +1,26 @@
+variable "google_project_id" {
+  description = "Google project id"
+}
+variable "google_credentials_path" {
+  description = "Path to Google credentials file"
+}
+variable "google_region" {
+  description = "Google region"
+}
+
+variable "mongodbatlas_public_key" {
+  description = "MongoDB Atlas public key"
+}
+
+variable "mongodbatlas_private_key" {
+  description = "MongoDB Atlas private key"
+  sensitive   = true
+}
+variable "mongodbatlas_project_id" {}
+
+variable "internet_address" {
+  description = "The Awala Internet address (domain name) of the gateway"
+}
+variable "pohttp_server_domain" {
+  description = "The domain name for the PoHTTP server in the Awala Internet Gateway"
+}

gcs.tf

@@ -0,0 +1,28 @@
+resource "random_id" "gateway_messages_bucket_suffix" {
+  byte_length = 3
+}
+
+resource "google_storage_bucket" "gateway_messages" {
+  name          = "gateway-${var.instance_name}-messages-${random_id.gateway_messages_bucket_suffix.hex}"
+  storage_class = "REGIONAL"
+  location      = upper(var.region)
+
+  uniform_bucket_level_access = true
+
+  lifecycle_rule {
+    condition {
+      age = 2 // https://github.com/relaycorp/cloud-gateway/issues/64
+    }
+    action {
+      type = "Delete"
+    }
+  }
+
+  force_destroy = !var.prevent_destruction
+}
+
+resource "google_storage_bucket_iam_member" "gateway_gcs_bucket" {
+  bucket = google_storage_bucket.gateway_messages.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.main.email}"
+}

iam.tf

@@ -0,0 +1,6 @@
+resource "google_service_account" "main" {
+  project = var.project_id
+
+  account_id   = "gateway-${var.instance_name}"
+  display_name = "Awala Internet Gateway (${var.instance_name})"
+}