From 7e46292e3247f33efbc108606b137d12d5dfcf7a Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Mon, 18 Mar 2024 12:29:32 -0700
Subject: [PATCH] Make security groups and attestations optional

RBAC security groups and rekor attestations are not needed for development use cases, and require a lot of overhead to set up. Make these attributes optional.

Signed-off-by: Colleen Murphy
---
 terraform/gcp/modules/gke_cluster/cluster.tf | 7 +++++--
 terraform/gcp/modules/gke_cluster/variables.tf | 1 +
 terraform/gcp/modules/rekor/storage.tf | 4 +++-
 terraform/gcp/modules/rekor/variables.tf | 7 +++++++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/terraform/gcp/modules/gke_cluster/cluster.tf b/terraform/gcp/modules/gke_cluster/cluster.tf
index be22aa7a8..e0eefaad3 100644
--- a/terraform/gcp/modules/gke_cluster/cluster.tf
+++ b/terraform/gcp/modules/gke_cluster/cluster.tf
@@ -145,8 +145,11 @@ resource "google_container_cluster" "cluster" {
 }
 }
- authenticator_groups_config {
- security_group = var.security_group
+ dynamic authenticator_groups_config {
+ for_each = var.security_group == "" ? [] : [1]
+ content {
+ security_group = var.security_group
+ }
 }
 depends_on = [google_project_service.service]
diff --git a/terraform/gcp/modules/gke_cluster/variables.tf b/terraform/gcp/modules/gke_cluster/variables.tf
index 9102dddd7..7ba6f4387 100644
--- a/terraform/gcp/modules/gke_cluster/variables.tf
+++ b/terraform/gcp/modules/gke_cluster/variables.tf
@@ -223,4 +223,5 @@ variable "monitoring_components" {
 variable "security_group" {
 description = "Name of security group used for Google Groups RBAC within GKE Cluster"
 type = string
+ default = ""
 }
diff --git a/terraform/gcp/modules/rekor/storage.tf b/terraform/gcp/modules/rekor/storage.tf
index 418b2f618..4f41c7429 100644
--- a/terraform/gcp/modules/rekor/storage.tf
+++ b/terraform/gcp/modules/rekor/storage.tf
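Review bot: The new `dynamic authenticator_groups_config {` line uses an unquoted block label; `terraform fmt` writes dynamic block labels as strings, so it should read `dynamic "authenticator_groups_config" {` to stay consistent with the rest of the module. Because an empty `var.security_group` now silently omits the Google Groups RBAC configuration instead of failing at plan time, a comment above the block, `# Google Groups RBAC is configured only when var.security_group is set; an empty value disables it`, would make that intentional behaviour visible to the next reader. The enclosing `google_container_cluster.cluster` resource starts and ends outside this hunk.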
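Review bot: The description of `security_group` still reads as if a value were required, while the added `default = ""` means a caller that forgets to set it now gets a cluster without Google Groups RBAC where it previously got a plan-time error. The description should state the new semantics, e.g. `description = "Name of security group used for Google Groups RBAC within GKE Cluster. Leave empty to disable Google Groups RBAC (intended for development clusters only)."`. Any root module that relied on the old required-variable behaviour is outside this patch and would need its own check to keep that guard.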
@@ -16,6 +16,7 @@
 // Attestation bucket and relevant IAM
 resource "google_storage_bucket" "attestation" {
+ count = var.enable_attestations ? 1 : 0
 name = var.attestation_bucket
 location = var.attestation_region == "" ? var.region : var.attestation_region
 project = var.project_id
@@ -37,7 +38,8 @@ resource "google_storage_bucket" "attestation" {
 // GCS Bucket
 resource "google_storage_bucket_iam_member" "rekor_gcs_member" {
- bucket = google_storage_bucket.attestation.name
+ count = var.enable_attestations ? 1 : 0
+ bucket = google_storage_bucket.attestation[count.index].name
 role = "roles/storage.objectAdmin"
 member = "serviceAccount:${google_service_account.rekor-sa.email}"
 depends_on = [google_storage_bucket.attestation, google_service_account.rekor-sa]
diff --git a/terraform/gcp/modules/rekor/variables.tf b/terraform/gcp/modules/rekor/variables.tf
index 3d150d6d8..f62a491e4 100644
--- a/terraform/gcp/modules/rekor/variables.tf
+++ b/terraform/gcp/modules/rekor/variables.tf
@@ -39,8 +39,15 @@ variable "network" {
 }
 // Storage
+variable "enable_attestations" {
+ type = bool
+ default = true
+ description = "enable/disable storage for attestations"
+}
+
 variable "attestation_bucket" {
 type = string
+ default = ""
 description = "Name of GCS bucket for attestation."
 }
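Review bot: The new `count` guards only on `var.enable_attestations`, while the companion change in rekor/variables.tf gives `attestation_bucket` a default of `""` with `enable_attestations` still defaulting to `true`; a caller that sets neither therefore creates this resource with `name = ""`, which presumably surfaces as a provider error at apply time rather than a clear message. Variable `validation` blocks cannot reference a second variable, so a `lifecycle { precondition { ... } }` on this resource is the natural place to state the requirement; a sketch follows. The resource body continues past the end of this hunk.
```hcl
resource "google_storage_bucket" "attestation" {
  count = var.enable_attestations ? 1 : 0
  // … unchanged: name, location, project and the rest of the resource …

  lifecycle {
    precondition {
      condition     = var.attestation_bucket != ""
      error_message = "attestation_bucket must be set when enable_attestations is true."
    }
  }
```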
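Review bot: Adding `count` to `google_storage_bucket_iam_member.rekor_gcs_member` (and to `google_storage_bucket.attestation` in the previous hunk) changes each resource's state address to the `[0]` instance, so on an already-deployed Rekor Terraform will plan to destroy and recreate both resources. For the bucket that is either an apply failure on a non-empty bucket or, if `force_destroy` is set elsewhere in the resource, loss of the stored attestations; the IAM binding is briefly dropped in either case. `moved` blocks (Terraform 1.1+) keep the existing objects in state, as sketched below, or the change should at least document the required `terraform state mv` for operators.
```hcl
// … unchanged: rekor_gcs_member resource …

// Keep existing deployments in place after count was added to these resources.
moved {
  from = google_storage_bucket.attestation
  to   = google_storage_bucket.attestation[0]
}

moved {
  from = google_storage_bucket_iam_member.rekor_gcs_member
  to   = google_storage_bucket_iam_member.rekor_gcs_member[0]
}
```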
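Review bot: The new `default = ""` on `attestation_bucket` is not reflected in its description, and nothing in this file ties it to `enable_attestations`, so a reader cannot tell that the empty default is only valid when attestations are disabled. Update it to `description = "Name of GCS bucket for attestation. Required when enable_attestations is true."`, and give the new variable a description in the same register as its neighbours, e.g. `description = "Create the attestation bucket and its IAM binding. Set to false for development deployments that do not store attestations."`.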