Initial terraform setup for workshop.

sandonjacobs · sandonjacobs · commit 0eb77fa9cbb3 · 2025-02-25T18:28:55.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -58,3 +58,5 @@ gradle-app.setting
 .gradletasknamecache
 .project
 .classpath
+
+cloud.properties
diff --git a/cloud.properties.example b/cloud.properties.example
@@ -0,0 +1,12 @@
+client.cloud=*****
+client.compute-pool-id=*****
+client.environment-id=*****
+client.flink-api-key=*****
+client.flink-api-secret=*****
+client.kafka.boostrap.servers=*****
+client.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username='*****' password='*****';
+client.organization-id=*****
+client.region=*****
+client.registry.key=*****
+client.registry.secret=*****
+client.registry.url=*****
diff --git a/terraform/.gitignore b/terraform/.gitignore
@@ -0,0 +1,6 @@
+.terraform.lock.hcl
+.terraform/
+.tfplan
+tfplan
+terraform.tfstate
+terraform.tfstate.backup
diff --git a/terraform/README.adoc b/terraform/README.adoc
@@ -0,0 +1,59 @@
+= Provisioning Confluent Cloud Infrastructure
+
+Let's assume you have completed the following prereqs:
+
+* https://confluent.cloud[Confluent Cloud Account]
+* https://docs.confluent.io/confluent-cli/current/install.html[Confluent CLI]
+* https://www.terraform.io/[Terraform]
+* https://jqlang.github.io/jq/[jq]
+
+== Shell Setup
+
+Log into Confluent Cloud and find the API Key and API Secret. Use the commands below to set environment variables needed to authenticate to Confluent Cloud:
+
+```shell
+export CONFLUENT_CLOUD_API_KEY=<API KEY>
+export CONFLUENT_CLOUD_API_SECRET<API SECRET>
+```
+
+== Execute Terraform Manifests
+
+The terraform manifests require the Confluent Cloud organization ID in order to provision infrastructure. This can be found in the Confluent Cloud console in the "Organization Settings" and exported to an environment variable:
+
+```bash
+export TF_VAR_org_id=<ORG ID VALUE FROM CONSOLE>
+```
+
+This value can also be queried by using the Confluent CLI to query your account, piping the resulting to a `jq` query:
+
+```bash
+export TF_VAR_org_id=$(confluent organization list -o json | jq -c -r '.[] | select(.is_current)' | jq '.id')
+```
+
+From this directory, execute the following commands:
+
+```bash
+terraform init 					
+terraform plan -out "tfplan" 			
+terraform apply 					
+```
+
+Once completed, verify the infrastructure is created in the Confluent Cloud console.
+
+== Using Infrastructure in the Workshop
+
+In the Table API exercises, we'll need API keys and secrets to connect Flink to Confluent Cloud. This `terraform output` command will create a file with those parameters:
+
+```bash
+terraform output -json \
+ | jq -r 'to_entries | map( {key: .key|tostring|split("_")|join("."), value: .value} ) | map("client.\(.key)=\(.value.value)") | .[]' \
+ | while read -r line ; do echo "$line"; done > ../cloud.properties
+```
+
+== Teardown
+
+When the workshop is complete, run the following command to destroy all Confluent Cloud assets:
+
+```bash
+terraform destroy --auto-approve
+```
diff --git a/terraform/flink-compute.tf b/terraform/flink-compute.tf
@@ -0,0 +1,81 @@
+
+
+resource "confluent_flink_compute_pool" "main_flink_pool" {
+  display_name     = "main_flink_pool"
+  cloud            = var.cloud_provider
+  region           = var.cloud_region
+  max_cfu          = 5
+  environment {
+    id = confluent_environment.cc_env.id
+  }
+}
+
+data "confluent_flink_region" "main_flink_region" {
+  cloud            = var.cloud_provider
+  region           = var.cloud_region
+}
+
+resource "confluent_service_account" "flink_developer" {
+  display_name = "${var.cc_env_name}-flink_developer"
+  description  = "Service account for flink developer"
+}
+
+resource "confluent_role_binding" "fd_flink_developer" {
+  principal   = "User:${confluent_service_account.flink_developer.id}"
+  role_name   = "FlinkDeveloper"
+  crn_pattern = confluent_environment.cc_env.resource_name
+
+  depends_on = [ confluent_flink_compute_pool.main_flink_pool]
+}
+
+resource "confluent_role_binding" "fd_kafka_write" {
+  principal   = "User:${confluent_service_account.flink_developer.id}"
+  role_name   = "DeveloperWrite"
+  crn_pattern = "${confluent_kafka_cluster.kafka_cluster.rbac_crn}/kafka=${confluent_kafka_cluster.kafka_cluster.id}/topic=*"
+
+  depends_on = [ confluent_kafka_cluster.kafka_cluster]
+}
+
+resource "confluent_role_binding" "fd_kafka_read" {
+  principal   = "User:${confluent_service_account.flink_developer.id}"
+  role_name   = "DeveloperRead"
+  crn_pattern = "${confluent_kafka_cluster.kafka_cluster.rbac_crn}/kafka=${confluent_kafka_cluster.kafka_cluster.id}/topic=*"
+
+  depends_on = [ confluent_kafka_cluster.kafka_cluster]
+}
+
+resource "confluent_role_binding" "fd_schema_registry_write" {
+  principal   = "User:${confluent_service_account.flink_developer.id}"
+  role_name   = "DeveloperWrite"
+  crn_pattern = "${data.confluent_schema_registry_cluster.advanced.resource_name}/subject=*"
+}
+
+resource "confluent_role_binding" "fd_schema_registry_read" {
+  principal   = "User:${confluent_service_account.flink_developer.id}"
+  role_name   = "DeveloperRead"
+  crn_pattern = "${data.confluent_schema_registry_cluster.advanced.resource_name}/subject=*"
+}
+
+resource "confluent_api_key" "flink_developer_api_key" {
+  display_name = "flink_developer_api_key"
+  description  = "Flink Developer API Key that is owned by 'flink_developer' service account"
+  owner {
+    id          = confluent_service_account.flink_developer.id
+    api_version = confluent_service_account.flink_developer.api_version
+    kind        = confluent_service_account.flink_developer.kind
+  }
+
+  managed_resource {
+    id          = data.confluent_flink_region.main_flink_region.id
+    api_version = data.confluent_flink_region.main_flink_region.api_version
+    kind        = data.confluent_flink_region.main_flink_region.kind
+
+    environment {
+      id = confluent_environment.cc_env.id
+    }
+  }
+
+  depends_on = [
+    confluent_service_account.flink_developer
+  ]
+}
diff --git a/terraform/kafka.tf b/terraform/kafka.tf
@@ -0,0 +1,97 @@
+resource "confluent_kafka_cluster" "kafka_cluster" {
+  display_name = var.cc_default_kafka_cluster_name
+  availability = "SINGLE_ZONE"
+  cloud        = var.cloud_provider
+  region       = var.cloud_region
+  standard {}
+  environment {
+    id = confluent_environment.cc_env.id
+  }
+
+  depends_on = [confluent_environment.cc_env]
+}
+
+# ---------------------------------------------------------------------------
+# API KEY and Role for Administration of Kafka
+# ---------------------------------------------------------------------------
+resource "confluent_service_account" "kafka_manager" {
+  display_name = "${var.cc_env_name}-kafka_manager"
+  description  = "Service account to manage Kafka cluster"
+}
+
+resource "confluent_role_binding" "kafka_manager_kafka_cluster_admin" {
+  principal   = "User:${confluent_service_account.kafka_manager.id}"
+  role_name   = "CloudClusterAdmin"
+  crn_pattern = confluent_kafka_cluster.kafka_cluster.rbac_crn
+}
+
+resource "confluent_api_key" "kafka_manager_kafka_api_key" {
+  display_name = "kafka_manager_kafka_api_key"
+  description  = "Kafka API Key that is owned by 'kafka_manager' service account"
+  owner {
+    id          = confluent_service_account.kafka_manager.id
+    api_version = confluent_service_account.kafka_manager.api_version
+    kind        = confluent_service_account.kafka_manager.kind
+  }
+
+  managed_resource {
+    id          = confluent_kafka_cluster.kafka_cluster.id
+    api_version = confluent_kafka_cluster.kafka_cluster.api_version
+    kind        = confluent_kafka_cluster.kafka_cluster.kind
+
+    environment {
+      id = confluent_environment.cc_env.id
+    }
+  }
+
+  depends_on = [
+    confluent_environment.cc_env,
+    confluent_role_binding.kafka_manager_kafka_cluster_admin
+  ]
+}
+
+# ---------------------------------------------------------------------------
+# API KEY and Role for Developers on Kafka
+# ---------------------------------------------------------------------------
+
+resource "confluent_service_account" "kafka_developer" {
+  display_name = "${var.cc_env_name}-kafka_developer"
+  description  = "Service account for developer using Kafka cluster"
+}
+
+resource "confluent_role_binding" "kafka_developer_read_all_topics" {
+  principal   = "User:${confluent_service_account.kafka_manager.id}"
+  role_name   = "DeveloperRead"
+  crn_pattern = "${confluent_kafka_cluster.kafka_cluster.rbac_crn}/kafka=${confluent_kafka_cluster.kafka_cluster.id}/topic=*"
+}
+
+resource "confluent_role_binding" "kafka_developer_write_all_topics" {
+  principal   = "User:${confluent_service_account.kafka_manager.id}"
+  role_name   = "DeveloperWrite"
+  crn_pattern = "${confluent_kafka_cluster.kafka_cluster.rbac_crn}/kafka=${confluent_kafka_cluster.kafka_cluster.id}/topic=*"
+}
+
+resource "confluent_api_key" "kafka_developer_kafka_api_key" {
+  display_name = "kafka_developer_kafka_api_key"
+  description  = "Kafka API Key that is owned by 'kafka_developer' service account"
+  owner {
+    id          = confluent_service_account.kafka_developer.id
+    api_version = confluent_service_account.kafka_developer.api_version
+    kind        = confluent_service_account.kafka_developer.kind
+  }
+
+  managed_resource {
+    id          = confluent_kafka_cluster.kafka_cluster.id
+    api_version = confluent_kafka_cluster.kafka_cluster.api_version
+    kind        = confluent_kafka_cluster.kafka_cluster.kind
+
+    environment {
+      id = confluent_environment.cc_env.id
+    }
+  }
+
+  depends_on = [
+    confluent_role_binding.kafka_developer_read_all_topics,
+    confluent_role_binding.kafka_developer_write_all_topics
+  ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,28 @@
+# Configure the Confluent Provider
+terraform {
+  backend "local" {
+    workspace_dir = ".tfstate/terraform.state"
+  }
+
+  required_providers {
+    confluent = {
+      source  = "confluentinc/confluent"
+      version = "2.12.0"
+    }
+  }
+}
+
+provider "confluent" {
+}
+
+resource "confluent_environment" "cc_env" {
+  display_name = var.cc_env_name
+
+  stream_governance {
+    package = "ADVANCED"
+  }
+
+  lifecycle {
+    prevent_destroy = false
+  }
+}
diff --git a/terraform/output.tf b/terraform/output.tf
@@ -0,0 +1,51 @@
+# output "schema_registry_url" {
+#   value = data.confluent_schema_registry_cluster.advanced.rest_endpoint
+# }
+
+output "kafka_boostrap_servers" {
+  value = replace(confluent_kafka_cluster.kafka_cluster.bootstrap_endpoint, "SASL_SSL://", "")
+}
+
+output "cloud" {
+    value = var.cloud_provider
+}
+
+output "region" {
+    value = var.cloud_region
+}
+
+output "organization-id" {
+    value = replace(var.org_id, "\"", "")
+}
+
+output "environment-id" {
+    value = confluent_environment.cc_env.id
+}
+
+output "compute-pool-id" {
+    value = confluent_flink_compute_pool.main_flink_pool.id
+}
+
+output "kafka_sasl_jaas_config" {
+    value = "org.apache.kafka.common.security.plain.PlainLoginModule required username='${confluent_api_key.kafka_developer_kafka_api_key.id}' password='${nonsensitive(confluent_api_key.kafka_developer_kafka_api_key.secret)}';"
+}
+
+output "registry_url" {
+    value = data.confluent_schema_registry_cluster.advanced.rest_endpoint
+}
+
+output "registry_key" {
+    value = confluent_api_key.sr_manager_kafka_api_key.id
+}
+
+output "registry_secret" {
+    value = nonsensitive(confluent_api_key.sr_manager_kafka_api_key.secret)
+}
+
+output "flink-api-key" {
+    value = confluent_api_key.flink_developer_api_key.id
+}
+
+output "flink-api-secret" {
+    value = nonsensitive(confluent_api_key.flink_developer_api_key.secret)
+}
diff --git a/terraform/schema-registry.tf b/terraform/schema-registry.tf
@@ -0,0 +1,47 @@
+# Add Stream Governance, Schema Registry.
+data "confluent_schema_registry_cluster" "advanced" {
+  environment {
+    id = confluent_environment.cc_env.id
+  }
+  depends_on = [confluent_kafka_cluster.kafka_cluster]
+}
+
+# ---------------------------------------------------------------------------
+# API KEY and Role for management of Schema Registry
+# ---------------------------------------------------------------------------
+resource "confluent_service_account" "sr_manager" {
+  display_name = "${var.cc_env_name}-sr_manager"
+  description  = "Service account to manage Kafka cluster"
+}
+
+resource "confluent_role_binding" "sr_manager_data_steward" {
+  principal   = "User:${confluent_service_account.sr_manager.id}"
+  role_name   = "DataSteward"
+  crn_pattern = confluent_environment.cc_env.resource_name
+
+  depends_on = [ data.confluent_schema_registry_cluster.advanced ]
+}
+
+resource "confluent_api_key" "sr_manager_kafka_api_key" {
+  display_name = "sr_manager_kafka_api_key"
+  description  = "SR API Key that is owned by 'sr_manager' service account"
+  owner {
+    id          = confluent_service_account.sr_manager.id
+    api_version = confluent_service_account.sr_manager.api_version
+    kind        = confluent_service_account.sr_manager.kind
+  }
+
+  managed_resource {
+    id          = data.confluent_schema_registry_cluster.advanced.id
+    api_version = data.confluent_schema_registry_cluster.advanced.api_version
+    kind        = data.confluent_schema_registry_cluster.advanced.kind
+
+    environment {
+      id = confluent_environment.cc_env.id
+    }
+  }
+
+  depends_on = [
+    confluent_role_binding.sr_manager_data_steward
+  ]
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
