consul-esm terraform deployment into kubernetes
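# External Service Monitoring (ESM)
# ESM Consul ACL policy
# - https://github.com/hashicorp/consul-esm#consul-acl-policies
#
# Scope knobs for the policy below. The defaults ("") keep the original,
# wide-open behaviour: write on EVERY node and EVERY service in the catalog.
# A leaked or compromised ESM token could then (de)register arbitrary nodes
# and services, i.e. redirect service discovery for unrelated workloads.
# Tighten these to the prefix your external nodes / monitored services use
# (ESM only needs write on the nodes and services it health-checks).
locals {
  esm_node_prefix    = "" # e.g. "external-" if the ESM-registered nodes share a prefix
  esm_service_prefix = "" # e.g. "ext-" so only externally-monitored services are writable
}

resource "consul_acl_policy" "esm" {
  name        = "consul-esm"
  description = "Consul External Service Monitoring (ESM); see consul-esm README for required rules"

  # Rules are Consul policy HCL; the two prefixes are interpolated from the
  # locals above so they can be narrowed without editing the heredoc.
  rules = <<-RULE
    # Read-only view of agents (needed to discover cluster members).
    agent_prefix "" {
      policy = "read"
    }
    # Private KV area, presumably used by ESM for coordination between
    # instances — confirm against the README if the path ever changes.
    key_prefix "consul-esm/" {
      policy = "write"
    }
    # Nodes ESM registers/updates health for. "" == all nodes.
    node_prefix "${local.esm_node_prefix}" {
      policy = "write"
    }
    # Services ESM updates health checks on. "" == all services.
    service_prefix "${local.esm_service_prefix}" {
      policy = "write"
    }
    # Sessions back ESM's coordination; write is required to create them.
    session_prefix "" {
      policy = "write"
    }
    # NOTE(review): namespace rules apply to Consul Enterprise namespaces —
    # confirm your server version accepts (or ignores) this rule on OSS.
    namespace_prefix "" {
      acl = "read"
    }
  RULE
}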
# Token the ESM pods authenticate with; it carries only the policy above.
# NOTE(review): the token's secret_id is read back by the data source below,
# so it is persisted in Terraform state as well as in the Kubernetes Secret —
# treat the state backend as holding this credential.
resource "consul_acl_token" "esm" {
  policies    = [consul_acl_policy.esm.name]
  description = "Consul External Service Monitoring (ESM)"
}
# Fetch the token's secret_id by accessor (the resource above is referenced
# only by its id/accessor here; the secret value comes from this data source).
# NOTE(review): the secret_id lands in plaintext in Terraform state. The data
# source may support a pgp_key argument in your provider version, but the
# Kubernetes Secret below needs the plaintext value, so the practical control
# is restricting access to the state backend.
data "consul_acl_token_secret_id" "esm" {
accessor_id = consul_acl_token.esm.id
}
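# Put the token into a Kubernetes Secret for the ESM pods to consume.
# NOTE(review): anyone who can read this Secret (or Terraform state) holds the
# ESM token, and the policy above grants it node/service write rights —
# restrict RBAC on Secrets in this namespace accordingly.
resource "kubernetes_secret" "consul_esm_token" {
  metadata {
    name      = "consul-esm-token"
    namespace = local.base_outputs.discovery.gke_namespace
    # Same label as the Deployment so the Secret is discoverable alongside it.
    labels = {
      app = "consul-esm"
    }
  }

  # Explicit default type; the value is passed as plaintext in `data` (no
  # base64 here) exactly as in the original, the provider handles encoding.
  type = "Opaque"

  data = {
    token = data.consul_acl_token_secret_id.esm.secret_id
  }
}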
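# Kubernetes Deployment: consul-esm
## REF: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment
# Two replicas are run; the key/session rules in the ESM policy presumably
# let the instances coordinate — confirm against the consul-esm README that
# multiple instances are supported for the version pinned below.
resource "kubernetes_deployment" "consul_esm" {
  metadata {
    name      = "consul-esm"
    namespace = local.base_outputs.discovery.gke_namespace
    labels = {
      app = "consul-esm"
    }
  }

  spec {
    replicas = 2

    selector {
      match_labels = {
        app = "consul-esm"
      }
    }

    template {
      metadata {
        labels = {
          app = "consul-esm"
        }
      }

      spec {
        # ESM only talks to Consul; it has no reason to hold a Kubernetes API
        # credential, so do not mount the ServiceAccount token into the pod.
        automount_service_account_token = false

        container {
          # Pinned by tag. Tags can be re-pushed; for a reproducible,
          # tamper-evident deploy pin the digest (image@sha256:...) instead.
          image = "hashicorp/consul-esm:0.6.0"
          name  = "consul-esm"

          env {
            name  = "CONSUL_HTTP_ADDR"
            value = "https://consul-consul-server:8501" # WARN: hardcoded name must match consul deployment
          }
          # CA used to verify the Consul server certificate (mounted below).
          env {
            name  = "CONSUL_CACERT"
            value = "/secret/consul-ca/tls.crt"
          }
          # The ACL token is injected from the Secret, never inlined, so it
          # does not appear in the Deployment manifest or in state twice.
          env {
            name = "CONSUL_HTTP_TOKEN"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.consul_esm_token.metadata.0.name
                key  = "token"
              }
            }
          }

          # Least-privilege container settings: ESM is an unprivileged client
          # process and needs no Linux capabilities or privilege escalation.
          # run_as_non_root / read_only_root_filesystem are deliberately not
          # set here — confirm which user the image runs as and whether it
          # writes to disk before enabling them.
          security_context {
            allow_privilege_escalation = false
            capabilities {
              drop = ["ALL"]
            }
          }

          resources {
            limits = {
              cpu    = "0.5"
              memory = "64Mi" # NOTE(review): tight — raise if pods are OOMKilled
            }
            requests = {
              cpu    = "250m"
              memory = "32Mi"
            }
          }

          # CA cert is only ever read; mount it read-only.
          volume_mount {
            name       = "consul-ca"
            mount_path = "/secret/consul-ca"
            read_only  = true
          }
        }

        volume {
          name = "consul-ca"
          secret {
            secret_name = "consul-consul-ca-cert" # WARN: hardcoded name must match consul deployment
          }
        }
      }
    }
  }
}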