Make security groups and attestations optional

RBAC security groups and rekor attestations are not needed for development use cases, and require a lot of overhead to set up. Make these attributes optional. Signed-off-by: Colleen Murphy <[email protected]>
sigstore · Mar 18, 2024 · 37290e1 · 37290e1
1 parent 36131f6
commit 37290e1
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/terraform/gcp/modules/gke_cluster/cluster.tf b/terraform/gcp/modules/gke_cluster/cluster.tf
@@ -145,8 +145,11 @@ resource "google_container_cluster" "cluster" {
     }
   }
 
-  authenticator_groups_config {
-    security_group = var.security_group
+  dynamic "authenticator_groups_config" {
+    for_each = var.security_group == "" ? [] : [1]
+    content {
+      security_group = var.security_group
+    }
   }
 
   depends_on = [google_project_service.service]

diff --git a/terraform/gcp/modules/gke_cluster/variables.tf b/terraform/gcp/modules/gke_cluster/variables.tf
@@ -223,4 +223,5 @@ variable "monitoring_components" {
 variable "security_group" {
   description = "Name of security group used for Google Groups RBAC within GKE Cluster"
   type        = string
+  default     = ""
 }
diff --git a/terraform/gcp/modules/rekor/storage.tf b/terraform/gcp/modules/rekor/storage.tf
@@ -16,6 +16,7 @@
 
 // Attestation bucket and relevant IAM
 resource "google_storage_bucket" "attestation" {
+  count    = var.enable_attestations ? 1 : 0
   name     = var.attestation_bucket
   location = var.attestation_region == "" ? var.region : var.attestation_region
   project  = var.project_id
@@ -37,7 +38,8 @@ resource "google_storage_bucket" "attestation" {
 
 // GCS Bucket 
 resource "google_storage_bucket_iam_member" "rekor_gcs_member" {
-  bucket     = google_storage_bucket.attestation.name
+  count      = var.enable_attestations ? 1 : 0
+  bucket     = google_storage_bucket.attestation[count.index].name
   role       = "roles/storage.objectAdmin"
   member     = "serviceAccount:${google_service_account.rekor-sa.email}"
   depends_on = [google_storage_bucket.attestation, google_service_account.rekor-sa]

diff --git a/terraform/gcp/modules/rekor/variables.tf b/terraform/gcp/modules/rekor/variables.tf
@@ -39,8 +39,15 @@ variable "network" {
 }
 
 // Storage
+variable "enable_attestations" {
+  type        = bool
+  default     = true
+  description = "enable/disable storage for attestations"
+}
+
 variable "attestation_bucket" {
   type        = string
+  default     = ""
   description = "Name of GCS bucket for attestation."
 }