Staging sftp endpoint for enghouse (#4232)

* Staging sftp endpoint for enghouse

references: #4048

# Conflicts:
#	iac/cal-itp-data-infra-staging/gcs/us/storage_bucket.tf
#	iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_iam_member.tf

* Add static ip address to enghouse sftp load balancer on staging

Author: jparr

iac/cal-itp-data-infra-staging/gcs/us/outputs.tf

@@ -249,3 +249,7 @@ output "google_storage_bucket_calitp-staging-sentry_name" {
 output "google_storage_bucket_calitp-staging-state-geoportal-scrape_name" {
   value = google_storage_bucket.calitp-staging["calitp-staging-state-geoportal-scrape"].name
 }
+
+output "google_storage_bucket_cal-itp-data-infra-enghouse-raw_name" {
+  value = google_storage_bucket.cal-itp-data-infra-enghouse-raw.name
+}

iac/cal-itp-data-infra-staging/gcs/us/storage_bucket.tf

@@ -134,6 +134,18 @@ resource "google_storage_bucket" "calitp-staging-pytest" {
   uniform_bucket_level_access = "true"
 }
 
+resource "google_storage_bucket" "cal-itp-data-infra-enghouse-raw" {
+  default_event_based_hold    = "false"
+  force_destroy               = "true"
+  location                    = "US-WEST2"
+  name                        = "cal-itp-data-infra-staging-enghouse-raw"
+  project                     = "cal-itp-data-infra-staging"
+  public_access_prevention    = "inherited"
+  requester_pays              = "false"
+  storage_class               = "STANDARD"
+  uniform_bucket_level_access = "true"
+}
+
 resource "google_storage_bucket" "calitp-staging" {
   for_each                    = local.environment_buckets
   name                        = each.key

iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_iam_member.tf

@@ -40,6 +40,12 @@ resource "google_storage_bucket_iam_member" "calitp-staging-composer" {
   role   = "roles/storage.legacyBucketOwner"
 }
 
+resource "google_storage_bucket_iam_member" "enghouse-raw-sftp-service-account" {
+  bucket = google_storage_bucket.cal-itp-data-infra-enghouse-raw.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${data.terraform_remote_state.iam.outputs.google_service_account_sftp-pod-service-account_email}"
+}
+
 resource "google_storage_bucket_iam_member" "calitp-staging-pytest" {
   bucket = google_storage_bucket.calitp-staging-pytest.name
   member = "projectViewer:cal-itp-data-infra-staging"

iac/cal-itp-data-infra-staging/gke/us/container_cluster.tf

@@ -15,3 +15,39 @@ resource "google_container_cluster" "airflow-jobs-staging" {
     workload_pool = "cal-itp-data-infra-staging.svc.id.goog"
   }
 }
+
+resource "google_container_cluster" "sftp-endpoints" {
+
+  name     = "sftp-endpoints"
+  location = "us-west2"
+  project  = "cal-itp-data-infra-staging"
+
+  enable_autopilot    = true
+  deletion_protection = false
+  network             = data.terraform_remote_state.networks.outputs.google_compute_network_tfer--default_self_link
+
+  secret_manager_config {
+    enabled = true
+  }
+
+  workload_identity_config {
+    workload_pool = "cal-itp-data-infra-staging.svc.id.goog"
+  }
+
+  node_config {
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+  }
+
+  addons_config {
+    gcs_fuse_csi_driver_config {
+      enabled = true
+    }
+  }
+
+  timeouts {
+    create = "10m"
+    delete = "10m"
+  }
+}

iac/cal-itp-data-infra-staging/gke/us/outputs.tf

@@ -9,3 +9,16 @@ output "google_container_cluster_airflow-jobs-staging_endpoint" {
 output "google_container_cluster_airflow-jobs-staging_ca_certificate" {
   value = google_container_cluster.airflow-jobs-staging.master_auth[0].cluster_ca_certificate
 }
+
+output "google_container_cluster_sftp-endpoints_name" {
+  value = google_container_cluster.sftp-endpoints.name
+}
+
+output "google_container_cluster_sftp-endpoints_endpoint" {
+  value = google_container_cluster.sftp-endpoints.endpoint
+}
+
+output "google_container_cluster_sftp-endpoints_ca_certificate" {
+  value     = google_container_cluster.sftp-endpoints.master_auth[0].cluster_ca_certificate
+  sensitive = true
+}

iac/cal-itp-data-infra-staging/iam/us/outputs.tf

@@ -178,6 +178,10 @@ output "google_service_account_composer-service-account_name" {
   value = google_service_account.composer-service-account.name
 }
 
+output "google_service_account_sftp-pod-service-account_id" {
+  value = google_service_account.sftp-pod-service-account.id
+}
+
 output "google_service_account_sftp-pod-service-account_name" {
   value = google_service_account.sftp-pod-service-account.name
 }

iac/cal-itp-data-infra-staging/networks/us/global_address.tf

@@ -1,3 +1,7 @@
 resource "google_compute_global_address" "static-load-balancer-address" {
   name = "static-load-balancer-address"
 }
+
+resource "google_compute_global_address" "enghouse-sftp" {
+  name = "enghouse-sftp-load-balancer"
+}

iac/cal-itp-data-infra-staging/networks/us/outputs.tf

@@ -5,3 +5,7 @@ output "google_compute_network_tfer--default_self_link" {
 output "google_compute_network_static-load-balancer-address_id" {
   value = google_compute_global_address.static-load-balancer-address.id
 }
+
+output "google_compute_global_address_enghouse-sftp_ip" {
+  value = google_compute_global_address.enghouse-sftp.address
+}

iac/cal-itp-data-infra-staging/sftp/us/enghouse/.terraform.lock.hcl

@@ -0,0 +1,173 @@
+
+locals {
+  sftp_user = "enghouse"
+}
+
+data "google_secret_manager_secret_version" "enghouse-sftp-public-key" {
+  secret = "enghouse-sftp-public-key"
+}
+
+data "google_secret_manager_secret_version" "enghouse-sftp-private-key" {
+  secret = "enghouse-sftp-private-key"
+}
+
+data "google_secret_manager_secret_version" "enghouse-sftp-authorizedkey" {
+  secret = "enghouse-sftp-authorizedkey"
+}
+
+resource "kubernetes_secret" "enghouse-sftp-hostkeys" {
+  metadata {
+    name      = "enghouse-sftp-hostkeys"
+    namespace = "default"
+  }
+  type = "Opaque"
+
+  data = {
+    "id_rsa"     = data.google_secret_manager_secret_version.enghouse-sftp-private-key.secret_data
+    "id_rsa.pub" = data.google_secret_manager_secret_version.enghouse-sftp-public-key.secret_data
+  }
+}
+
+resource "kubernetes_secret" "enghouse-sftp-authorizedkey" {
+  metadata {
+    name      = "enghouse-sftp-authorizedkey"
+    namespace = "default"
+  }
+  type = "Opaque"
+
+  data = {
+    "authorized_keys" = data.google_secret_manager_secret_version.enghouse-sftp-authorizedkey.secret_data
+  }
+}
+
+resource "kubernetes_service_account" "sftp-pod-service-account" {
+  metadata {
+    name = "sftp-pod-service-account"
+    annotations = {
+      "iam.gke.io/gcp-service-account" = data.terraform_remote_state.iam.outputs.google_service_account_sftp-pod-service-account_email
+    }
+  }
+}
+
+resource "kubernetes_pod_v1" "enghouse-sftp" {
+  metadata {
+    name = "enghouse-sftp-pod"
+    annotations = {
+      "gke-gcsfuse/volumes" = "true"
+    }
+    namespace = "default"
+    labels = {
+      app = "enghouse-sftp"
+    }
+  }
+  spec {
+    container {
+      name  = "sftp-server"
+      image = "alpine"
+      port {
+        container_port = 22
+      }
+      volume_mount {
+        name       = "gcs-volume"
+        mount_path = "/home/${local.sftp_user}/data"
+        read_only  = false
+      }
+      volume_mount {
+        name       = "sftp-hostkeys"
+        mount_path = "/etc/ssh/hostkey"
+        read_only  = true
+      }
+      volume_mount {
+        name       = "sftp-authorizedkey"
+        mount_path = "/tmp/ssh-keys"
+        read_only  = true
+      }
+      env {
+        name  = "SFTP_USER"
+        value = local.sftp_user
+      }
+
+      command = [
+        "/bin/sh", "-c", <<EOT
+        apk update
+        apk add openssh-server
+        addgroup sftpusers
+        adduser -S -G sftpusers -s /sbin/nologin -D -H ${local.sftp_user}
+        echo '${local.sftp_user}:enghousesftpuserpassword' | chpasswd
+
+        mkdir -p /home/${local.sftp_user}/.ssh
+        cp /tmp/ssh-keys/authorized_keys /home/${local.sftp_user}/.ssh/authorized_keys
+        chmod 700 /home/${local.sftp_user}/.ssh
+        chmod 600 /home/${local.sftp_user}/.ssh/authorized_keys
+        chown -R ${local.sftp_user}:sftpusers /home/${local.sftp_user}/.ssh
+
+        echo "HostKey /etc/ssh/hostkey/id_rsa" >> /etc/ssh/sshd_config
+        echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+        echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+        echo "X11Forwarding no" >> /etc/ssh/sshd_config
+        echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
+        echo "ForceCommand internal-sftp" >> /etc/ssh/sshd_config
+        echo "ChrootDirectory %h" >> /etc/ssh/sshd_config
+        /usr/sbin/sshd -D -e
+        EOT
+      ]
+      liveness_probe {
+        tcp_socket {
+          port = 22
+        }
+        initial_delay_seconds = 180
+        period_seconds        = 30
+      }
+    }
+
+    volume {
+      name = "gcs-volume"
+      csi {
+        driver = "gcsfuse.csi.storage.gke.io"
+        volume_attributes = {
+          bucketName   = data.terraform_remote_state.gcs.outputs.google_storage_bucket_cal-itp-data-infra-enghouse-raw_name
+          mountOptions = "file-mode=666,dir-mode=777"
+        }
+      }
+    }
+    volume {
+      name = "sftp-hostkeys"
+      secret {
+        secret_name  = "enghouse-sftp-hostkeys"
+        default_mode = "0600"
+      }
+    }
+    volume {
+      name = "sftp-authorizedkey"
+      secret {
+        secret_name  = "enghouse-sftp-authorizedkey"
+        default_mode = "0600"
+      }
+    }
+    service_account_name = kubernetes_service_account.sftp-pod-service-account.metadata.0.name # Ensure this has GCS permissions to access data bucket
+  }
+
+  timeouts {
+    create = "2m"
+    delete = "2m"
+  }
+}
+
+resource "kubernetes_service" "enghouse-sftp" {
+  metadata {
+    name = "enghouse-sftp"
+  }
+  spec {
+    selector = {
+      app = kubernetes_pod_v1.enghouse-sftp.metadata.0.labels.app
+    }
+    session_affinity = "ClientIP"
+    port {
+      port        = 22
+      target_port = 22
+    }
+
+    type             = "LoadBalancer"
+    load_balancer_ip = data.terraform_remote_state.networks.outputs.google_compute_global_address_enghouse-sftp_ip
+  }
+}