Modify tiles_tlog for TesseraCT

Update tiles_tlog to accomodate minor differences in TesseraCT from
rekor-tiles:

- Add resources to manage secrets in Secret Manager instead of KMS
  - The private key secret version needs to be uploaded out of band
- Make URL map paths configurable
  - When updating for rekor-tiles, operator needs to be aware that
    http_write_path, grpc_write_path, http_read_path, and
    http_read_rewrite_path need to be set to appropriate values for
    rekor-tiles
- Rename some resources so they do not collide if rekor-tiles and
  TesseraCT happen to have the same shard name
- Make gRPC load balancer routes optional

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

gcp/modules/tiles_tlog/main.tf

@@ -24,6 +24,7 @@ resource "google_project_service" "service" {
     "spanner.googleapis.com",  // For Spanner database. roles/spanner.admin
     "storage.googleapis.com",  // For GCS bucket. roles/storage.admin
     "cloudkms.googleapis.com", // For KMS keyring and crypto key. roles/cloudkms.admin
+    "secretmanager.googleapis.com", // For Secret manager if log is using Secret Manager instead of KMS. roles/secretmanager.admin
   ])
   project = var.project_id
   service = each.key

gcp/modules/tiles_tlog/network.tf

@@ -56,7 +56,7 @@ resource "google_compute_firewall" "backend_service_health_check" {
   target_tags   = [local.cluster_network_tag]
   allow {
     protocol = "tcp"
-    ports    = [var.http_service_port, var.grpc_service_port]
+    ports    = var.network_endpoint_group_grpc_name_suffix == "" ? [var.http_service_port] : [var.http_service_port, var.grpc_service_port]
   }
 }
 
@@ -81,7 +81,7 @@ resource "google_compute_health_check" "http_health_check" {
 }
 
 resource "google_compute_health_check" "grpc_health_check" {
-  count   = var.freeze_shard ? 0 : 1
+  count   = var.freeze_shard || var.network_endpoint_group_grpc_name_suffix == "" ? 0 : 1
   name    = "${var.shard_name}-${var.dns_subdomain_name}-grpc-health-check"
   project = var.project_id
 
@@ -108,7 +108,7 @@ data "google_compute_network_endpoint_group" "k8s_http_neg" {
 }
 
 data "google_compute_network_endpoint_group" "k8s_grpc_neg" {
-  for_each = var.freeze_shard ? [] : toset(var.network_endpoint_group_zones)
+  for_each = var.freeze_shard || var.network_endpoint_group_grpc_name_suffix == "" ? [] : toset(var.network_endpoint_group_zones)
 
   name    = "${var.shard_name}-${var.network_endpoint_group_grpc_name_suffix}"
   project = var.project_id
@@ -117,7 +117,7 @@ data "google_compute_network_endpoint_group" "k8s_grpc_neg" {
 
 resource "google_compute_security_policy" "k8s_http_grpc_security_policy" {
   count   = var.freeze_shard ? 0 : 1
-  name    = "${var.shard_name}-k8s-http-grpc-security-policy"
+  name    = "${var.shard_name}-${var.dns_subdomain_name}-k8s-http-grpc-security-policy"
   project = var.project_id
   type    = "CLOUD_ARMOR"
 
@@ -213,7 +213,7 @@ resource "google_compute_backend_service" "k8s_http_backend_service" {
 }
 
 resource "google_compute_backend_service" "k8s_grpc_backend_service" {
-  count   = var.freeze_shard ? 0 : 1
+  count   = var.freeze_shard || var.network_endpoint_group_grpc_name_suffix == "" ? 0 : 1
   name    = "${var.shard_name}-${var.dns_subdomain_name}-k8s-grpc-neg-backend-service"
   project = var.project_id
 
@@ -245,7 +245,7 @@ resource "google_compute_backend_service" "k8s_grpc_backend_service" {
 }
 
 resource "google_compute_security_policy" "bucket_security_policy" {
-  name    = "${var.shard_name}-bucket-security-policy"
+  name    = "${var.shard_name}-${var.dns_subdomain_name}-bucket-security-policy"
   project = var.project_id
   type    = "CLOUD_ARMOR_EDGE"
 
@@ -263,7 +263,7 @@ resource "google_compute_security_policy" "bucket_security_policy" {
 }
 
 resource "google_compute_backend_bucket" "tessera_backend_bucket" {
-  name    = "${var.shard_name}-${var.bucket_name_suffix}"
+  name    = "${var.shard_name}-${var.dns_subdomain_name}-${var.bucket_name_suffix}"
   project = var.project_id
 
   depends_on = [google_storage_bucket.tessera_store, google_compute_security_policy.bucket_security_policy]
@@ -307,33 +307,36 @@ resource "google_compute_url_map" "url_map" {
         priority = 1
         service  = google_compute_backend_service.k8s_http_backend_service[0].id
         match_rules {
-          full_path_match = "/api/v2/log/entries"
+          path_template_match = var.http_write_path
         }
         match_rules {
           full_path_match = "/healthz"
         }
       }
     }
     dynamic "route_rules" {
-      for_each = var.lb_backend_turndown ? [] : [1]
+      for_each = var.lb_backend_turndown || var.grpc_write_path == "" ? [] : [1]
 
       content {
         priority = 2
         service  = google_compute_backend_service.k8s_grpc_backend_service[0].id
         match_rules {
-          full_path_match = "/dev.sigstore.rekor.v2.Rekor/CreateEntry"
+          path_template_match = var.grpc_write_path
         }
       }
     }
     route_rules {
       priority = 3
       service  = google_compute_backend_bucket.tessera_backend_bucket.id
       match_rules {
-        path_template_match = "/api/v2/{path=**}"
+        path_template_match = var.http_read_path
       }
-      route_action {
-        url_rewrite {
-          path_template_rewrite = "/{path}"
+      dynamic "route_action" {
+        for_each = var.http_read_rewrite_path == "" ? [] : [1]
+        content {
+          url_rewrite {
+            path_template_rewrite = var.http_read_rewrite_path
+          }
         }
       }
     }

gcp/modules/tiles_tlog/secret.tf

@@ -0,0 +1,54 @@
+/**
+ * Copyright 2025 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_secret_manager_secret" "private-key" {
+  count   = var.enable_secrets ? 1 : 0
+  project = var.project_id
+
+  secret_id = "${var.shard_name}-${var.dns_subdomain_name}-private"
+
+  replication {
+    auto {}
+  }
+  depends_on = [google_project_service.service]
+}
+
+resource "google_secret_manager_secret" "public-key" {
+  count   = var.enable_secrets ? 1 : 0
+  project = var.project_id
+
+  secret_id = "${var.shard_name}-${var.dns_subdomain_name}-public"
+
+  replication {
+    auto {}
+  }
+  depends_on = [google_project_service.service]
+}
+
+resource "google_secret_manager_secret_version" "public-key" {
+  count   = var.enable_secrets ? 1 : 0
+  project = var.project_id
+
+  secret = google_secret_manager_secret.public-key[count.index].id
+  secret_data = var.tlog_public_key
+}
+
+resource "google_project_iam_member" "secret-getter" {
+  count   = var.enable_secrets ? 1 : 0
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = local.workload_iam_member_id
+}

gcp/modules/tiles_tlog/variables.tf

@@ -186,6 +186,28 @@ variable "service_health_check_path" {
   default     = "/healthz"
 }
 
+variable "http_write_path" {
+  description = "the template or full path to match for HTTP log write requests"
+  type        = string
+}
+
+variable "grpc_write_path" {
+  description = "the template or full path to match for gRPC log write requests"
+  type        = string
+  default     = ""
+}
+
+variable "http_read_path" {
+  description = "the template or full path for the patch to match for HTTP log read requests"
+  type        = string
+}
+
+variable "http_read_rewrite_path" {
+  description = "the template for the path to rewrite read requests to"
+  type        = string
+  default     = ""
+}
+
 variable "cluster_network_tag" {
   type        = string
   description = "GKE cluster network tag for firewall"
@@ -200,6 +222,7 @@ variable "network_endpoint_group_http_name_suffix" {
 variable "network_endpoint_group_grpc_name_suffix" {
   type        = string
   description = "suffix of the name of the network endpoint group that will be created for the gRPC service by the tiles Kubernetes service"
+  default     = ""
 }
 
 variable "network_endpoint_group_zones" {
@@ -247,3 +270,15 @@ variable "monitoring_role_id" {
   description = "name of the project role for managing metrics - role must include permissions `monitoring.metricDescriptors.create`"
   type        = string
 }
+
+variable "enable_secrets" {
+  description = "whether to use GCP Secret Manager for the transparency log's public and private keys"
+  type        = bool
+  default     = false
+}
+
+variable "tlog_public_key" {
+  description = "the value of the transparency log public key to be uploaded to Secret Manager. The private key must be uploaded manually."
+  type        = string
+  default     = ""
+}