From 6aec71a58cc51cd1ad6d0d5111a78a31d954aaeb Mon Sep 17 00:00:00 2001
From: Christian Witts
Date: Wed, 24 Jul 2024 15:36:42 +0700
Subject: [PATCH] feat: Support no read-replication for Memorystore (#18)

Refs: #DEVOP-4801

Signed-off-by: Christian Witts
---
 .github/workflows/checkov.yaml | 1 +
 .github/workflows/semantic-pr.yaml | 4 +++-
 .github/workflows/terraform.yml | 1 +
 .github/workflows/terratest.yml | 3 +++
 examples/create_redis_public_ip/README.md | 2 +-
 examples/create_redis_public_ip/main.tf | 4 ++++
 modules/memstore_redis/README.md | 4 ++--
 modules/memstore_redis/main.tf | 16 +++++++++++++++-
 modules/memstore_redis/variables.tf | 9 ++++-----
 9 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index c0e4451..9f4d000 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -1,4 +1,5 @@
 name: "Checkov GitHub Action"
+permissions: read-all
 on:
 pull_request:
 branches: [test, dev, qa, prod, main]
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
index 34da00e..7a8093e 100644
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -1,5 +1,7 @@
 name: "Semantic Pull Request"
-
+permissions:
+ contents: write
+ pull-requests: write
 on:
 pull_request:
 types:
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 5e5102b..ee9965b 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -1,4 +1,5 @@
 name: "terraform"
+permissions: read-all
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 3e44fc5..8a5d781 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -1,4 +1,7 @@
 name: terratest
+permissions:
+ contents: write
+ pull-requests: write
 on:
 pull_request:
 branches:
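Review bot: `contents: write` in the semantic-pr.yaml hunk lets the job's GITHUB_TOKEN push to the repository, which a PR-title check has no visible need for; the terratest.yml hunk adds the same pair. Unless a step in those workflows commits or pushes (none is visible in these hunks), `contents: read` with `pull-requests: write` is the least-privilege form, and `pull-requests: write` itself only needs to stay if a step comments on or labels the PR. The checkov.yaml and terraform.yml hunks use `permissions: read-all`, which is the safer baseline to match. On `pull_request` runs from forks the token is read-only regardless, so the write grants only take effect for same-repository branches.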
diff --git a/examples/create_redis_public_ip/README.md b/examples/create_redis_public_ip/README.md index db8bac5..38f298c 100644 --- a/examples/create_redis_public_ip/README.md +++ b/examples/create_redis_public_ip/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [random](#provider\_random) | 3.3.2 | +| [random](#provider\_random) | n/a | ## Modules diff --git a/examples/create_redis_public_ip/main.tf b/examples/create_redis_public_ip/main.tf index aa8fb88..646d318 100644 --- a/examples/create_redis_public_ip/main.tf +++ b/examples/create_redis_public_ip/main.tf @@ -13,11 +13,14 @@ resource "random_id" "instance_suffix" { } module "private_network" { + #checkov:skip=CKV_TF_1:We use the version tag instead of the commit hash + #checkov:skip=CKV2_GCP_18:We ignore the creation of firewall rules source = "git::https://github.com/honestbank/terraform-gcp-sql.git//modules/google_compute_network?ref=v1.1.1" name = "test-redis-terraform-${random_id.instance_suffix.hex}" } module "google_compute_global_address_private_ip_address" { + #checkov:skip=CKV_TF_1:We use the version tag instead of the commit hash source = "git::https://github.com/honestbank/terraform-gcp-sql.git//modules/google_compute_global_address?ref=v1.1.1" name = "redis-pip-${random_id.instance_suffix.hex}" @@ -28,6 +31,7 @@ module "google_compute_global_address_private_ip_address" { } module "google_service_networking_connection_private_vpc_connection" { + #checkov:skip=CKV_TF_1:We use the version tag instead of the commit hash source = "git::https://github.com/honestbank/terraform-gcp-sql.git//modules/google_service_networking_connection?ref=v1.1.1" network = module.private_network.id diff --git a/modules/memstore_redis/README.md b/modules/memstore_redis/README.md index 1ae7507..fa7fee6 100644 --- a/modules/memstore_redis/README.md +++ b/modules/memstore_redis/README.md 
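Review bot: The `#checkov:skip=CKV_TF_1` justification on `module "private_network"` says a version tag is used instead of a commit hash, but that is exactly what the check flags: a tag such as `?ref=v1.1.1` is mutable and can be re-pointed by anyone with push access to the source repository, so the suppression accepts a supply-chain risk rather than removing it, and the same skip is repeated on the two following module blocks in this file. If pinning to a tag is a deliberate trade-off for an example, the comment should state the risk, e.g. `#checkov:skip=CKV_TF_1:Example pins a release tag; tags are mutable, pin a commit SHA for production`, or the `ref` can be replaced by the commit SHA the tag resolves to. The `CKV2_GCP_18` skip, justified as ignoring firewall-rule creation, is reasonable for an example as long as the README says the network is created without them.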
@@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.29.0 | +| [google](#provider\_google) | 5.38.0 | ## Modules @@ -33,7 +33,7 @@ No modules. | [read\_replicas\_enabled](#input\_read\_replicas\_enabled) | Whether to enable read replicas | `bool` | `false` | no | | [redis\_version](#input\_redis\_version) | The version of Redis to use | `string` | n/a | yes | | [region](#input\_region) | The region to create the instance in | `string` | `"asia-southeast2"` | no | -| [replicas](#input\_replicas) | The number of instances to create | `number` | `1` | no | +| [replicas](#input\_replicas) | The number of read replicas to create | `number` | `0` | no | | [reserved\_ip\_range](#input\_reserved\_ip\_range) | The reserved IP range to use for the instance | `string` | `null` | no | | [tier](#input\_tier) | The tier of the instance | `string` | n/a | yes | | [zone](#input\_zone) | The location to create the instance in | `string` | n/a | yes | diff --git a/modules/memstore_redis/main.tf b/modules/memstore_redis/main.tf index d4e15ca..8832d3c 100644 --- a/modules/memstore_redis/main.tf +++ b/modules/memstore_redis/main.tf @@ -17,7 +17,7 @@ resource "google_redis_instance" "cache" { location_id = "${var.region}-${var.zone}" alternative_location_id = var.tier == "STANDARD_HA" ? "${var.region}-${var.alternative_zone}" : "" - replica_count = var.tier == "STANDARD_HA" ? var.replicas : 0 + replica_count = var.replicas read_replicas_mode = var.read_replicas_enabled ? "READ_REPLICAS_ENABLED" : "READ_REPLICAS_DISABLED" authorized_network = var.network_id 
@@ -30,4 +30,18 @@ resource "google_redis_instance" "cache" { display_name = var.name reserved_ip_range = var.reserved_ip_range != null ? var.reserved_ip_range : null + lifecycle { + precondition { + condition = (var.read_replicas_enabled && var.memory_size >= 5) || var.read_replicas_enabled == false + error_message = "Read replicas cannot be enabled with less than 5GB of memory." + } + precondition { + condition = ((var.tier == "BASIC" && (var.replicas != 0 || var.read_replicas_enabled)) || var.tier == "STANDARD_HA") + error_message = "Read replicas are not supported on the BASIC tier." + } + precondition { + condition = (var.read_replicas_enabled && var.replicas > 0) || (var.replicas == 0 && var.read_replicas_enabled == false) + error_message = "You require at least 1 read replica if read replicas are enabled." + } + } } diff --git a/modules/memstore_redis/variables.tf b/modules/memstore_redis/variables.tf index b8d4624..ce63779 100644 --- a/modules/memstore_redis/variables.tf +++ b/modules/memstore_redis/variables.tf @@ -40,7 +40,6 @@ variable "reserved_ip_range" { description = "The reserved IP range to use for the instance" } - variable "memory_size" { type = string default = "2" @@ -49,11 +48,11 @@ variable "memory_size" { variable "replicas" { type = number - default = 1 - description = "The number of instances to create" + default = 0 + description = "The number of read replicas to create" validation { - condition = var.replicas >= 1 && var.replicas <= 5 - error_message = "The valid range for the Standard Tier with read replicas enabled is [1-5] and defaults to 1." + condition = var.replicas <= 5 + error_message = "The valid range for the Standard Tier with read replicas enabled is [1-5] and defaults to 0 as the default is zero read-replicas." } }
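Review bot: The second precondition in the new `lifecycle` block is inverted: `var.tier == "BASIC" && (var.replicas != 0 || var.read_replicas_enabled)` is true exactly when a BASIC instance does request replicas, so a BASIC tier with the module defaults (`replicas = 0`, `read_replicas_enabled = false`) fails planning with "Read replicas are not supported on the BASIC tier." while a BASIC instance that asks for replicas passes. The condition should read `condition = var.tier == "STANDARD_HA" || (var.tier == "BASIC" && var.replicas == 0 && !var.read_replicas_enabled)`. The first precondition compares `var.memory_size >= 5` although the variables.tf hunk below shows `memory_size` declared with `type = string`, so it relies on Terraform's implicit string-to-number conversion; declaring the variable as `number` would make the check explicit. The `google_redis_instance` resource block starts outside this hunk.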
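Review bot: Dropping the lower bound leaves `condition = var.replicas <= 5` accepting negative values, and the new error message still describes the range as [1-5] even though the default is now 0. A bounded form such as `condition = var.replicas >= 0 && var.replicas <= 5` with `error_message = "The valid range is [0-5]; 0 (the default) means no read replicas."` keeps the validation consistent with the default and with the message. The third precondition in main.tf would reject a negative value later, but variable validation reports it at the declaration and before the resource is evaluated.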