# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
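# Deployment-wide values. gcp_project_id is consumed by both provider blocks and
# the seller module; environment also becomes the image tag and image_repo the
# registry path for the two service images below.
locals {
  gcp_project_id = "" # Example: "your-gcp-project-123"
  environment    = "" # Must be <= 3 characters. Example: "abc"
  image_repo     = "" # Example: "us-docker.pkg.dev/your-gcp-project-123/services"
}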
# Default project for every google_* resource in this configuration.
provider "google" {
  project = local.gcp_project_id
}
# Beta provider, pinned to the same project so resources that need beta-only
# features land in the same place as the GA ones.
provider "google-beta" {
  project = local.gcp_project_id
}
# Project-level Compute metadata. Two points to be aware of before applying:
#  - enable-oslogin is switched off project-wide here; presumably required for
#    the TEE VMs the seller module creates -- confirm, since OS Login is the
#    usual way to keep SSH access tied to IAM.
#  - per the provider docs this resource manages the *entire* set of project
#    metadata, so any key not listed below is removed on apply. Use
#    google_compute_project_metadata_item if other keys must be preserved.
resource "google_compute_project_metadata" "default" {
  project = local.gcp_project_id
  metadata = {
    enable-oslogin = "FALSE"
  }
}
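# Seller-side deployment (auction service + seller frontend + OTel collector)
# for one environment. Empty strings are placeholders to be filled in; the
# "Do not change" values are tied to the default GCP architecture shipped with
# the module and its packaging scripts.
module "seller" {
  source = "../../../modules/seller"

  environment    = local.environment
  gcp_project_id = local.gcp_project_id

  # Images built and uploaded by production/packaging/build_and_test_all_in_docker.
  # The tag is the environment name, so each environment pulls its own tag.
  auction_image         = "${local.image_repo}/auction_service:${local.environment}"
  seller_frontend_image = "${local.image_repo}/seller_frontend_service:${local.environment}"

  envoy_port = 51052 # Do not change. Must match production/packaging/gcp/seller_frontend_service/bin/envoy.yaml

  runtime_flags = {
    # Ports, hosts and TLS mode of the default GCP architecture.
    # Do not change unless you are modifying the default GCP architecture.
    SELLER_FRONTEND_PORT             = "50051"
    SELLER_FRONTEND_HEALTHCHECK_PORT = "50050"
    AUCTION_PORT                     = "50051"
    AUCTION_SERVER_HOST              = "xds:///auction"
    SFE_INGRESS_TLS                  = "false"
    BUYER_EGRESS_TLS                 = "true"
    AUCTION_EGRESS_TLS               = "false"

    ENABLE_ENCRYPTION = "true"  # Do not change unless you are testing without encryption.
    TEST_MODE         = "false" # Do not change unless you are testing without key fetching.

    # Tunables; leave empty to take the service default.
    ENABLE_AUCTION_SERVICE_BENCHMARK       = "" # Example: "false"
    GET_BID_RPC_TIMEOUT_MS                 = "" # Example: "60000"
    KEY_VALUE_SIGNALS_FETCH_RPC_TIMEOUT_MS = "" # Example: "60000"
    SCORE_ADS_RPC_TIMEOUT_MS               = "" # Example: "60000"
    SELLER_ORIGIN_DOMAIN                   = "" # Example: "https://securepubads.g.doubleclick.net"
    KEY_VALUE_SIGNALS_HOST                 = "" # Example: "https://pubads.g.doubleclick.net/td/sts"
    BUYER_SERVER_HOSTS                     = "" # Example: "{ \"https://example-bidder.com\": { \"url\": \"dns:///bidding-service-host:443\", \"cloudPlatform\": \"GCP\" } }"
    ENABLE_SELLER_FRONTEND_BENCHMARKING    = "" # Example: "false"
    ENABLE_AUCTION_COMPRESSION             = "" # Example: "false"
    ENABLE_BUYER_COMPRESSION               = "" # Example: "false"
    ENABLE_PROTECTED_APP_SIGNALS           = "" # Example: "false"
    PS_VERBOSITY                           = "" # Example: "10"
    CREATE_NEW_EVENT_ENGINE                = "" # Example: "false"
    SELLER_CODE_FETCH_CONFIG               = "" # Example:
    # "{
    #   "auctionJsPath": "",
    #   "auctionJsUrl": "https://example.com/scoreAd.js",
    #   "urlFetchPeriodMs": 13000000,
    #   "urlFetchTimeoutMs": 30000,
    #   "enableSellerDebugUrlGeneration": false,
    #   "enableAdtechCodeLogging": false,
    #   "enableReportResultUrlGeneration": true,
    #   "enableReportWinUrlGeneration": true,
    #   "buyerReportWinJsUrls": {"https://buyerA_origin.com":"https://buyerA.com/generateBid.js",
    #                            "https://buyerB_origin.com":"https://buyerB.com/generateBid.js",
    #                            "https://buyerC_origin.com":"https://buyerC.com/generateBid.js"},
    #   "protectedAppSignalsBuyerReportWinJsUrls": {"https://buyerA_origin.com":"https://buyerA.com/generateBid.js"}
    # }"
    JS_NUM_WORKERS                  = "" # Example: "64" Must be <=vCPUs in auction_machine_type.
    JS_WORKER_QUEUE_LEN             = "" # Example: "200".
    ROMA_TIMEOUT_MS                 = "" # Example: "10000"
    TELEMETRY_CONFIG                = "" # Example: "mode: EXPERIMENT"
    COLLECTOR_ENDPOINT              = "" # Example: "collector-seller-1-${local.environment}.sfe-gcp.com:4317"
    ENABLE_OTEL_BASED_LOGGING       = "" # Example: "false"
    CONSENTED_DEBUG_TOKEN           = "" # Example: "<unique_id>"
    ENABLE_REPORT_WIN_INPUT_NOISING = "" # Example: "false"

    # Coordinator-based attestation flags.
    # These flags are production-ready and you do not need to change them.
    # Reach out to the Privacy Sandbox B&A team to enroll with Coordinators.
    # More information on enrollment can be found here: https://github.com/privacysandbox/fledge-docs/blob/main/bidding_auction_services_api.md#enroll-with-coordinators
    PUBLIC_KEY_ENDPOINT = "https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-keys"
    # NOTE(review): the heredoc body carries literal surrounding quotes, so the
    # flag value itself begins and ends with `"` -- confirm the service's parser
    # expects that form. `<<-` strips the common indentation from the body.
    SFE_PUBLIC_KEYS_ENDPOINTS = <<-EOF
      "{
      "GCP": "https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-keys"
      }"
      EOF
    PRIMARY_COORDINATOR_PRIVATE_KEY_ENDPOINT   = "https://privatekeyservice-a.pa-1.gcp.privacysandboxservices.com/v1alpha/encryptionKeys"
    SECONDARY_COORDINATOR_PRIVATE_KEY_ENDPOINT = "https://privatekeyservice-b.pa-2.gcp.privacysandboxservices.com/v1alpha/encryptionKeys"
    # The account identities below appear redacted in this rendering; take the
    # real values from the enrollment documentation linked above.
    PRIMARY_COORDINATOR_ACCOUNT_IDENTITY   = "[email protected]"
    SECONDARY_COORDINATOR_ACCOUNT_IDENTITY = "[email protected]"
    PRIMARY_COORDINATOR_REGION             = "us-central1"
    SECONDARY_COORDINATOR_REGION           = "us-central1"
    GCP_PRIMARY_WORKLOAD_IDENTITY_POOL_PROVIDER   = "projects/787276892073/locations/global/workloadIdentityPools/a-opwip/providers/a-opwip-pvdr"
    GCP_SECONDARY_WORKLOAD_IDENTITY_POOL_PROVIDER = "projects/787276892073/locations/global/workloadIdentityPools/b-opwip/providers/b-opwip-pvdr"
    GCP_PRIMARY_KEY_SERVICE_CLOUD_FUNCTION_URL    = "https://a-us-central1-encryption-key-service-cloudfunctio-mik44m5f7q-uc.a.run.app"
    GCP_SECONDARY_KEY_SERVICE_CLOUD_FUNCTION_URL  = "https://b-us-central1-encryption-key-service-cloudfunctio-amv3tcudsq-uc.a.run.app"
    PRIVATE_KEY_CACHE_TTL_SECONDS          = "3974400"
    KEY_REFRESH_FLOW_RUN_FREQUENCY_SECONDS = "20000"

    # TLS material for the seller frontend. You can either set this here or via
    # a secrets.auto.tfvars; prefer the tfvars route so the private key is not
    # committed alongside this file.
    SFE_TLS_KEY  = ""
    SFE_TLS_CERT = ""

    MAX_ALLOWED_SIZE_DEBUG_URL_BYTES   = "" # Example: "65536"
    MAX_ALLOWED_SIZE_ALL_DEBUG_URLS_KB = "" # Example: "3000"
  }

  # Please manually create a Google Cloud domain name, dns zone, and SSL certificate.
  frontend_domain_name               = "" # Example: "sfe-gcp.com"
  frontend_dns_zone                  = "" # Example: "sfe-gcp-com"
  frontend_domain_ssl_certificate_id = "" # Example: "projects/${local.gcp_project_id}/global/sslCertificates/sfe-${local.environment}"
  operator                           = "" # Example: "seller-1"
  service_account_email              = "" # Example: "terraform-sa@${local.gcp_project_id}.iam.gserviceaccount.com"
  vm_startup_delay_seconds           = 200 # Example: 200
  cpu_utilization_percent            = 0.6 # Example: 0.6
  # Debug image is for troubleshooting only; presumably it changes what the
  # coordinators see at attestation, so keep this false outside of testing -- confirm.
  use_confidential_space_debug_image = false # Example: false
  # Service accounts the TEE workload impersonates (redacted in this rendering;
  # presumably the coordinator-provided identities -- confirm at enrollment).
  tee_impersonate_service_accounts = "[email protected],[email protected]"

  collector_service_port = 4317
  collector_startup_script = templatefile("../../../services/autoscaling/collector_startup.tftpl", {
    collector_port           = 4317 # Presumably must agree with collector_service_port above.
    otel_collector_image_uri = "otel/opentelemetry-collector-contrib:0.81.0" # Tag-pinned; pin by digest for a reproducible pull.
  })

  region_config = {
    # Example config provided for us-central1 and you may add your own regions.
    "us-central1" = {
      collector = {
        machine_type          = "e2-micro"
        min_replicas          = 1
        max_replicas          = 1
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
      backend = {
        machine_type          = "n2d-standard-64"
        min_replicas          = 1
        max_replicas          = 5
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
      frontend = {
        machine_type          = "n2d-standard-64"
        min_replicas          = 1
        max_replicas          = 2
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
    }
  }
}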