Stabilize WPT Server Infrastructure (Bridge Networking, Port Alignment & State Migration) (#84)

* feat(security): run WPT server as unprivileged users and migrate state to GCS

Hardened the WPT server environment by removing root execution and sudo dependencies.
Migrated Terraform state to GCS and removed legacy Container VM agent overrides.

Infrastructure (Terraform):
- Created GCS bucket `gs://wpt-live-app-tfstate` with versioning for state storage.
- Switched instance templates to use a dedicated Service Account (`wpt-tot-app-sa`).
- Added IAM role `roles/storage.objectViewer` to the SA for certificate retrieval.
- Migrated local state to `gs://wpt-live-app-tfstate/terraform/state`.
- Retired legacy Container VM agent in favor of standard cloud-init.
Web Server (Docker/Supervisor):
- Created `wpt-server` (UID 1000) and `wpt-sync` (UID 1001) users.
- Granted `CAP_NET_BIND_SERVICE` to python3.10 to allow unprivileged binding to ports 80/443.
- Shifted all file paths and `git` operations inside `/home/wpt-sync` instead of `/root`.
- Unified supervisord process execution without `sudo`.

* address feedback

* more tidy up

Author: jcscottiii

.gitignore

@@ -1,3 +1,4 @@
-/.terraform/
+.terraform/
 google-cloud-platform-credentials.json
+terraform.tfstate
 terraform.tfstate.backup

.terraform.lock.hcl

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     docker = {
       source  = "kreuzwerker/docker"
-      version = "3.0.2"
+      version = "3.9.0"
     }
   }
 }

infrastructure/docker-image/versions.tf

@@ -10,37 +10,46 @@
 # More information about how it was used previously: https://github.com/web-platform-tests/wpt.live/blob/67dc5976ccce2e64483f2028a35659d4d6e58891/infrastructure/web-platform-tests/main.tf#L69-L137
 ########################################
 
-resource "google_compute_health_check" "wpt_health_check" {
-  name = "${var.name}-wpt-servers"
 
-  check_interval_sec  = 10
-  timeout_sec         = 10
-  healthy_threshold   = 3
-  unhealthy_threshold = 6
+resource "google_service_account" "wpt_live_sa" {
+  account_id   = "${var.name}-sa"
+  display_name = "WPT Live Node Service Account"
+}
 
-  https_health_check {
-    port = "443"
-    # A query parameter is used to distinguish the health check in the server's
-    # request logs.
-    request_path = "/?gcp-health-check"
-  }
+resource "google_project_iam_member" "sa_logging" {
+  project = data.google_project.project.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.wpt_live_sa.email}"
 }
 
-resource "google_compute_instance_group_manager" "wpt_servers" {
-  name               = "${var.name}-wpt-servers"
-  zone               = var.zone
-  description        = "compute VM Instance Group"
-  wait_for_instances = false
-  base_instance_name = "${var.name}-wpt-servers"
+resource "google_storage_bucket_iam_member" "sa_storage" {
+  bucket = google_storage_bucket.certificates.name
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.wpt_live_sa.email}"
+}
+
+resource "google_project_iam_member" "sa_artifactregistry" {
+  project = data.google_project.project.project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.wpt_live_sa.email}"
+}
+
+resource "google_compute_region_instance_group_manager" "wpt_server_cloud_init" {
+  name                      = "${var.name}-instance-group-cloud-init"
+  base_instance_name        = "${var.name}-cloud-init"
+  region                    = var.region
+  distribution_policy_zones = [var.zone]
+
   version {
-    name              = "${var.name}-wpt-servers-default"
-    instance_template = google_compute_instance_template.wpt_server.self_link
+    instance_template = google_compute_instance_template.wpt_server_cloud_init.id
   }
+
   update_policy {
-    type                  = local.update_policy.type
-    minimal_action        = local.update_policy.minimal_action
+    minimal_action       = local.update_policy.minimal_action
+    type                 = local.update_policy.type
     max_unavailable_fixed = local.update_policy.max_unavailable_fixed
   }
+
   target_pools = [google_compute_target_pool.default.self_link]
   target_size  = 2
 
@@ -54,43 +63,15 @@ resource "google_compute_instance_group_manager" "wpt_servers" {
 
   auto_healing_policies {
     health_check      = google_compute_health_check.wpt_health_check.self_link
-    initial_delay_sec = 30
-  }
-}
-
-resource "google_compute_firewall" "wpt-server-mig-health-check" {
-  name    = "${var.name}-wpt-servers-vm-hc"
-  network = var.network_name
-
-  allow {
-    protocol = "tcp"
-    # https port
-    ports = [var.wpt_server_ports[2].port]
+    initial_delay_sec = 180
   }
-
-  # This range comes from this module that was used previously:
-  # https://github.com/Ecosystem-Infra/terraform-google-multi-port-managed-instance-group/blob/master/main.tf#L347
-  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
 }
 
-resource "google_compute_instance_template" "wpt_server" {
-  name_prefix = "default-"
+resource "google_compute_instance_template" "wpt_server_cloud_init" {
+  name_prefix = "cloud-init-"
 
-  # As of 2020-06-17, we were running into OOM issues with the 1.7 GB
-  # "g1-small" instance[1]. This was suspected to be due to 'git gc' needing
-  # more memory, so we upgraded to "e2-medium" (4 GB of RAM).
-  #
-  # [1] https://github.com/web-platform-tests/wpt.live/issues/30
   machine_type = "e2-medium"
 
-  # The "google-logging-enabled" metadata is undocumented, but it is apparently
-  # necessary to enable the capture of logs from the Docker image.
-  #
-  # https://github.com/GoogleCloudPlatform/konlet/issues/56
-  labels = {
-    "${module.wpt-server-container.vm_container_label_key}" = module.wpt-server-container.vm_container_label
-  }
-
   network_interface {
     network    = var.network_name
     subnetwork = var.subnetwork_name
@@ -101,41 +82,75 @@ resource "google_compute_instance_template" "wpt_server" {
 
   can_ip_forward = false
 
-  // Create a new boot disk from an image
   disk {
     auto_delete  = true
     boot         = true
-    source_image = module.wpt-server-container.source_image
+    source_image = data.google_compute_image.cos.self_link
     type         = "PERSISTENT"
     disk_type    = "pd-ssd"
     disk_size_gb = var.wpt_server_disk_size
     mode         = "READ_WRITE"
   }
 
   service_account {
-    email  = "default"
-    scopes = ["storage-ro", "logging-write"]
+    email  = google_service_account.wpt_live_sa.email
+    scopes = ["cloud-platform"]
   }
 
   scheduling {
     automatic_restart   = true
     on_host_maintenance = "MIGRATE"
   }
 
-  # startup-script and tf_depends_id comes from the module previously used for wpt-server. (see link at top)
-  # TODO: evaluate if those two should be removed.
   metadata = {
-    "${module.wpt-server-container.metadata_key}" = module.wpt-server-container.metadata_value
-    "startup-script"                              = ""
-    "tf_depends_id"                               = ""
-    "google-logging-enabled"                      = "true"
+    "user-data" = templatefile("${path.module}/../../src/cloud-init.yaml", {
+      WPT_HOST         = var.host_name
+      WPT_ALT_HOST     = var.alt_host_name
+      WPT_BUCKET       = local.bucket_name
+      WPT_SERVER_IMAGE = var.wpt_server_image
+    })
+    "google-logging-enabled" = "true"
   }
 
   lifecycle {
     create_before_destroy = true
   }
 }
 
+resource "google_compute_firewall" "wpt-server-mig-health-check" {
+  name    = "${var.name}-wpt-servers-vm-hc"
+  network = var.network_name
+
+  allow {
+    protocol = "tcp"
+    # https port
+    ports = [var.wpt_server_ports[2].port]
+  }
+
+  # This range comes from this module that was used previously:
+  # https://github.com/Ecosystem-Infra/terraform-google-multi-port-managed-instance-group/blob/master/main.tf#L347
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
+}
+
+
+
+resource "google_compute_health_check" "wpt_health_check" {
+  name = "${var.name}-wpt-servers"
+
+  check_interval_sec  = 10
+  timeout_sec         = 10
+  healthy_threshold   = 3
+  unhealthy_threshold = 6
+
+  https_health_check {
+    port = "443"
+    # A query parameter is used to distinguish the health check in the server's
+    # request logs.
+    request_path = "/?gcp-health-check"
+  }
+}
+
+
 ########################################
 # Cert Renewers
 ########################################

infrastructure/web-platform-tests/.terraform.lock.hcl

@@ -29,6 +29,7 @@ resource "google_compute_target_pool" "default" {
   ]
 }
 
+
 resource "google_compute_http_health_check" "default" {
   name = "${local.lb_name}-health-check"
 

infrastructure/web-platform-tests/compute.tf

@@ -3,41 +3,22 @@ locals {
 
   update_policy = {
     type           = "PROACTIVE"
-    minimal_action = "RESTART"
+    minimal_action = "REPLACE"
     # > maxUnavailable must be greater than 0 when minimal action is set to
     # > RESTART
     max_unavailable_fixed = 1
   }
 
 }
 
-module "wpt-server-container" {
-  source  = "terraform-google-modules/container-vm/google"
-  version = "3.0.0"
-
-  container = {
-    image = var.wpt_server_image
-    env = [
-      {
-        name  = "WPT_HOST"
-        value = var.host_name
-      },
-      {
-        name  = "WPT_ALT_HOST"
-        value = var.alt_host_name
-      },
-      {
-        name  = "WPT_BUCKET"
-        value = local.bucket_name
-      },
-    ]
-  }
-
-  restart_policy = "Always"
-}
 
 resource "google_storage_bucket" "certificates" {
   name                        = local.bucket_name
   location                    = "US"
   uniform_bucket_level_access = true
 }
+
+data "google_compute_image" "cos" {
+  family  = "cos-stable"
+  project = "cos-cloud"
+}