# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Deployment-specific inputs referenced by the provider, resource and module
# blocks below. All three are empty placeholders; the examples show the
# expected format.
locals {
  gcp_project_id = "" # GCP project hosting the buyer stack. Example: "your-gcp-project-123"
  environment    = "" # Short environment label, at most 3 characters. Example: "abc"
  image_repo     = "" # Container image repository for the service images. Example: "us-docker.pkg.dev/your-gcp-project-123/services"
}
# Google provider, scoped to the project from locals. No version constraint is
# declared here; presumably a required_providers block elsewhere in the root
# module pins the provider version — confirm, since an unpinned provider makes
# plans non-reproducible across operators.
provider "google" {
  project = local.gcp_project_id
}
# Beta-channel Google provider for the same project; used by the modules for
# resources not yet in the GA provider. Version pinning is expected to live in
# a required_providers block outside this file — confirm it covers google-beta.
provider "google-beta" {
  project = local.gcp_project_id
}
# Project-wide Compute Engine metadata. Setting enable-oslogin to "FALSE"
# disables OS Login for every VM in the project, so SSH access is governed by
# metadata-managed SSH keys rather than IAM-backed OS Login identities.
# NOTE(review): confirm the deployment actually requires this; where it does
# not, "TRUE" is the more restrictive setting and keeps SSH access auditable
# through IAM.
resource "google_compute_project_metadata" "default" {
  project = local.gcp_project_id

  metadata = {
    enable-oslogin = "FALSE"
  }
}
# Provides the TLS key and certificate that module "buyer" reads as
# module.secrets.tls_key and module.secrets.tls_cert. See README.md for how to
# populate it. Keeping the material behind this module avoids inlining it in
# version-controlled .tf files; Terraform state still records the values, so
# the state backend needs the same protection as the secrets themselves.
module "secrets" {
  source = "../../../modules/secrets"
}
# Buyer stack: Buyer Front End (BFE), Bidding service and the OpenTelemetry
# collector autoscaling group. Empty strings below are placeholders to fill in
# before deployment; the examples in comments show the expected format.
module "buyer" {
  source         = "../../../modules/buyer"
  environment    = local.environment
  gcp_project_id = local.gcp_project_id

  # Images built and uploaded by production/packaging/build_and_test_all_in_docker.
  # Both are addressed by the mutable environment tag; pinning by digest
  # (image@sha256:...) would make a deployment reproducible and immune to the
  # tag being repointed in the registry.
  bidding_image        = "${local.image_repo}/bidding_service:${local.environment}"
  buyer_frontend_image = "${local.image_repo}/buyer_frontend_service:${local.environment}"

  runtime_flags = {
    # Ports and addresses wired to the default GCP architecture. Do not change
    # unless you are modifying that architecture.
    BIDDING_PORT                    = "50051"
    BUYER_FRONTEND_PORT             = "50051"
    BUYER_FRONTEND_HEALTHCHECK_PORT = "50050"
    BIDDING_SERVER_ADDR             = "xds:///bidding"

    # Transport security, also tied to the default GCP architecture. Ingress to
    # the BFE is TLS; egress from the BFE to the bidding service and the KV
    # servers is plaintext here, which is only acceptable while that traffic
    # stays on a trusted path (presumably the project VPC / xDS mesh — confirm
    # before pointing any *_ADDR at an endpoint outside it).
    BFE_INGRESS_TLS                   = "true"
    BIDDING_EGRESS_TLS                = "false"
    AD_RETRIEVAL_KV_SERVER_EGRESS_TLS = "false"
    KV_SERVER_EGRESS_TLS              = "false"

    # Do not change unless you are testing without key fetching. Leave "false"
    # for any deployment that handles real traffic.
    TEST_MODE = "false"

    ENABLE_BIDDING_SERVICE_BENCHMARK              = "" # Example: "false"
    BUYER_KV_SERVER_ADDR                          = "" # Example: "https://googleads.g.doubleclick.net/td/bts"
    TEE_AD_RETRIEVAL_KV_SERVER_ADDR               = "" # Example: "xds:///ad-retrieval-host"
    TEE_KV_SERVER_ADDR                            = "" # Example: "xds:///kv-service-host"
    AD_RETRIEVAL_TIMEOUT_MS                       = "" # Example: "60000"
    GENERATE_BID_TIMEOUT_MS                       = "" # Example: "60000"
    PROTECTED_APP_SIGNALS_GENERATE_BID_TIMEOUT_MS = "" # Example: "60000"
    BIDDING_SIGNALS_LOAD_TIMEOUT_MS               = "" # Example: "60000"
    ENABLE_BUYER_FRONTEND_BENCHMARKING            = "" # Example: "false"
    CREATE_NEW_EVENT_ENGINE                       = "" # Example: "false"
    ENABLE_BIDDING_COMPRESSION                    = "" # Example: "true"
    ENABLE_PROTECTED_APP_SIGNALS                  = "" # Example: "false"
    ENABLE_PROTECTED_AUDIENCE                     = "" # Example: "true"
    PS_VERBOSITY                                  = "" # Example: "10"

    # JSON describing where the bidding service fetches AdTech code from.
    # biddingJsUrl is re-fetched every urlFetchPeriodMs and the result is
    # executed by the bidding service, so serve it only over https from an
    # origin you control. The enableAdtechCodeLogging field (which this note
    # appears to describe) should only be set if console.logs from the AdTech
    # code (e.g. generateBid()) need to be exported as VLOG; turning it on
    # raises memory consumption for AdTech code execution and adds latency for
    # parsing the logs. enableBuyerDebugUrlGeneration is shown as true in the
    # example; debug URL size is bounded by the MAX_ALLOWED_SIZE_* flags below.
    BUYER_CODE_FETCH_CONFIG = "" # Example:
    # "{
    #   "fetchMode": 0,
    #   "biddingJsPath": "",
    #   "biddingJsUrl": "https://example.com/generateBid.js",
    #   "protectedAppSignalsBiddingJsUrl": "placeholder",
    #   "biddingWasmHelperUrl": "",
    #   "protectedAppSignalsBiddingWasmHelperUrl": "",
    #   "urlFetchPeriodMs": 13000000,
    #   "urlFetchTimeoutMs": 30000,
    #   "enableBuyerDebugUrlGeneration": true,
    #   "enableAdtechCodeLogging": false,
    #   "prepareDataForAdsRetrievalJsUrl": "",
    #   "prepareDataForAdsRetrievalWasmHelperUrl": ""
    # }"

    JS_NUM_WORKERS            = "" # Example: "64". Must be <= vCPUs in bidding_machine_type.
    JS_WORKER_QUEUE_LEN       = "" # Example: "200".
    ROMA_TIMEOUT_MS           = "" # Example: "10000"
    TELEMETRY_CONFIG          = "" # Example: "mode: EXPERIMENT"
    COLLECTOR_ENDPOINT        = "" # Example: "collector-buyer-1-${local.environment}.bfe-gcp.com:4317"
    ENABLE_OTEL_BASED_LOGGING = "" # Example: "false"
    # Treat as a secret: the token presumably gates consented debugging for
    # requests that present it. Prefer the secrets module or an untracked
    # auto.tfvars over committing a real value here.
    CONSENTED_DEBUG_TOKEN = "" # Example: "<unique_id>"

    # Coordinator-based attestation flags.
    # These flags are production-ready and you do not need to change them.
    # Reach out to the Privacy Sandbox B&A team to enroll with Coordinators.
    # More information on enrollment can be found here: https://github.com/privacysandbox/fledge-docs/blob/main/bidding_auction_services_api.md#enroll-with-coordinators
    # Pointing the key endpoints, identities or identity-pool providers at
    # anything other than the coordinators breaks the attestation-based key
    # exchange, so leave them as shipped.
    # NOTE(review): the two *_ACCOUNT_IDENTITY values as rendered here look like
    # redacted placeholders; confirm the real identities from the enrollment docs.
    PUBLIC_KEY_ENDPOINT                           = "https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-keys"
    PRIMARY_COORDINATOR_PRIVATE_KEY_ENDPOINT      = "https://privatekeyservice-a.pa-3.gcp.privacysandboxservices.com/v1alpha/encryptionKeys"
    SECONDARY_COORDINATOR_PRIVATE_KEY_ENDPOINT    = "https://privatekeyservice-b.pa-4.gcp.privacysandboxservices.com/v1alpha/encryptionKeys"
    PRIMARY_COORDINATOR_ACCOUNT_IDENTITY          = "[email protected]"
    SECONDARY_COORDINATOR_ACCOUNT_IDENTITY        = "[email protected]"
    PRIMARY_COORDINATOR_REGION                    = "us-central1"
    SECONDARY_COORDINATOR_REGION                  = "us-central1"
    GCP_PRIMARY_WORKLOAD_IDENTITY_POOL_PROVIDER   = "projects/732552956908/locations/global/workloadIdentityPools/a-opwip/providers/a-opwip-pvdr"
    GCP_SECONDARY_WORKLOAD_IDENTITY_POOL_PROVIDER = "projects/99438709206/locations/global/workloadIdentityPools/b-opwip/providers/b-opwip-pvdr"
    GCP_PRIMARY_KEY_SERVICE_CLOUD_FUNCTION_URL    = "https://a-us-central1-encryption-key-service-cloudfunctio-j27wiaaz5q-uc.a.run.app"
    GCP_SECONDARY_KEY_SERVICE_CLOUD_FUNCTION_URL  = "https://b-us-central1-encryption-key-service-cloudfunctio-wdqaqbifva-uc.a.run.app"
    PRIVATE_KEY_CACHE_TTL_SECONDS                 = "3974400" # 46 days.
    KEY_REFRESH_FLOW_RUN_FREQUENCY_SECONDS        = "20000"   # About 5.5 hours.

    # You may remove the secrets module and instead either inline or use an
    # auto.tfvars for these two variables. Inlining puts the private key into a
    # version-controlled file; either way the value also ends up in Terraform
    # state, so the state backend must be protected accordingly.
    BFE_TLS_KEY  = module.secrets.tls_key
    BFE_TLS_CERT = module.secrets.tls_cert

    MAX_ALLOWED_SIZE_DEBUG_URL_BYTES   = "" # Example: "65536"
    MAX_ALLOWED_SIZE_ALL_DEBUG_URLS_KB = "" # Example: "3000"
    INFERENCE_SIDECAR_BINARY_PATH      = "" # Example: "/server/bin/inference_sidecar"
    INFERENCE_MODEL_BUCKET_NAME        = "" # Example: "<bucket_name>"
    INFERENCE_MODEL_BUCKET_PATHS       = "" # Example: "<model_path1>,<model_path2>"

    # TCMalloc related config parameters.
    # See: https://github.com/google/tcmalloc/blob/master/docs/tuning.md
    BIDDING_TCMALLOC_BACKGROUND_RELEASE_RATE_BYTES_PER_SECOND = "4096"        # Example: 4096
    BIDDING_TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES             = "10737418240" # Example: 10737418240
    BFE_TCMALLOC_BACKGROUND_RELEASE_RATE_BYTES_PER_SECOND     = "4096"
    BFE_TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES                 = "10737418240"
  }

  # Please manually create a Google Cloud domain name, dns zone, and SSL certificate.
  frontend_domain_name               = "" # Example: "bfe-gcp.com"
  frontend_dns_zone                  = "" # Example: "bfe-gcp-com"
  frontend_domain_ssl_certificate_id = "" # Example: "projects/${local.gcp_project_id}/global/sslCertificates/bfe-${local.environment}"
  operator                           = "" # Example: "buyer-1"
  service_account_email              = "" # Example: "terraform-sa@${local.gcp_project_id}.iam.gserviceaccount.com"
  vm_startup_delay_seconds           = 200  # Example: 200
  cpu_utilization_percent            = 0.6  # Example: 0.6
  # Keep false outside development: the debug image variant is for
  # troubleshooting, and production attestation policies are expected to
  # reject it — confirm against the coordinator enrollment docs.
  use_confidential_space_debug_image = false # Example: false
  # Coordinator-side service accounts the TEE workload presumably impersonates
  # to fetch keys; leave as shipped and do not append additional accounts.
  # NOTE(review): the second entry as rendered here looks like a redacted
  # placeholder; confirm the real value from the enrollment docs.
  tee_impersonate_service_accounts = "a-opallowedusr@ps-pa-coord-prd-g3p-svcacc.iam.gserviceaccount.com,[email protected]"

  # Port the services export telemetry to; must match collector_port in the
  # startup template below.
  collector_service_port = 4317
  collector_startup_script = templatefile("../../../services/autoscaling/collector_startup.tftpl", {
    collector_port = 4317
    # Tag-pinned; a digest pin (image@sha256:...) would make the collector
    # image immutable across instance restarts.
    otel_collector_image_uri = "otel/opentelemetry-collector-contrib:0.81.0"
  })

  region_config = {
    # Example config provided for us-central1 and you may add your own regions.
    "us-central1" = {
      collector = {
        machine_type          = "e2-micro"
        min_replicas          = 1
        max_replicas          = 1
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
      backend = {
        machine_type          = "n2d-standard-64"
        min_replicas          = 1
        max_replicas          = 5
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
      frontend = {
        machine_type          = "n2d-standard-64"
        min_replicas          = 1
        max_replicas          = 2
        zones                 = null # Null signifies no zone preference.
        max_rate_per_instance = null # Null signifies no max.
      }
    }
  }

  # Keep false in production; enabling it presumably redirects TEE container
  # stdout/stderr to host-visible logging, exposing whatever the services log
  # — confirm the exact behaviour in the module before turning it on.
  enable_tee_container_log_redirect = false
}