From c7f8fa37c6530ee40c79b7f46cac14b71fd24e1d Mon Sep 17 00:00:00 2001 From: Adam Taylor Date: Wed, 5 Jun 2024 11:18:16 +0100 Subject: [PATCH] Move back to artefact registry --- .github/workflows/deploy.yml | 18 +++++++++++------- iam.tf | 24 ++++++++++++++++-------- terraform.tfvars | 2 +- 3 files changed, 28 insertions(+), 16 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 5188f9a..462a0a9 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -9,6 +9,8 @@ on: env: REGISTRY: ghcr.io + GCP_PROJECT: htan-dcc + CONTAINER_NAME: data-release-validatio jobs: build-container: @@ -22,18 +24,19 @@ jobs: - name: Checkout GitHub Action uses: actions/checkout@v3 - - name: Login to GitHub Container Registry (GHCR) - uses: docker/login-action@v2 + - name: Authenticate to Google Cloud + uses: google-github-actions/auth@v2 with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + credentials_json: '${{ secrets.GCP_SA_KEY }}' + + - name: Configure Docker to use Artifact Registry + run: gcloud auth configure-docker ${{ env.REGISTRY }} - name: Extract Docker metadata id: metadata uses: docker/metadata-action@v4 with: - images: ${{ env.REGISTRY }}/${{ github.repository }} + images: ${{ env.REGISTRY }}/${{ env.GCP_PROJECT }}/${{ env.CONTAINER_NAME }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} @@ -42,7 +45,7 @@ jobs: type=sha latest - - name: Build and push to GHCR + - name: Build and push to Artifact Registry uses: docker/build-push-action@v4 with: context: ./src @@ -50,6 +53,7 @@ jobs: tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} + deploy-cloud-run: runs-on: ubuntu-latest needs: build-container diff --git a/iam.tf b/iam.tf index d2c8387..07858db 100644 --- a/iam.tf +++ b/iam.tf 
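Review bot: `CONTAINER_NAME: data-release-validatio` drops the final letter of the name that terraform.tfvars uses (`data-release-validation`), and `REGISTRY` is left as `ghcr.io`, so the `images:` value built in the next hunk resolves to `ghcr.io/htan-dcc/data-release-validatio` rather than the Artifact Registry path Cloud Run is being pointed at (`us-docker.pkg.dev/htan-dcc/gcr.io/data-release-validation`). The `gcloud auth configure-docker ${{ env.REGISTRY }}` step in the following hunk is then registering the gcloud credential helper for ghcr.io, which it is not meant to serve, so the push will presumably fail or land in the wrong registry. If the tfvars value is the intended target, `REGISTRY: us-docker.pkg.dev`, `CONTAINER_NAME: data-release-validation` and `images: ${{ env.REGISTRY }}/${{ env.GCP_PROJECT }}/gcr.io/${{ env.CONTAINER_NAME }}` line the two up; a comment above `REGISTRY` noting that it must match `image_url` in terraform.tfvars would help keep them in sync.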
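Review bot: `credentials_json: '${{ secrets.GCP_SA_KEY }}'` authenticates the build with an exported service-account key, a long-lived credential that has to be stored in GitHub and rotated by hand, and it is a broader grant than a registry push needs if the key belongs to the same account that iam.tf binds to BigQuery and Secret Manager (the diff does not show which account the key is for). google-github-actions/auth@v2 also supports keyless Workload Identity Federation via `workload_identity_provider: '<PROVIDER_RESOURCE_NAME placeholder>'` and `service_account: '<SA_EMAIL placeholder>'`, which needs `id-token: write` in the job's `permissions:`; that block is outside this hunk, and if it still grants `packages: write` for GHCR that grant can be dropped now that GHCR is no longer used. If a key must stay, it should be for a dedicated account holding only `roles/artifactregistry.writer` on the target repository.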
@@ -2,33 +2,41 @@ data "google_project" "project" {
 project_id = var.project_id
 }
 
-resource "google_service_account" "sa" {
- project = var.project_id
+data "google_service_account" "existing_sa" {
+ project = var.project_id
 account_id = var.account_id
+ depends_on = [data.google_project.project]
+}
+
+resource "google_service_account" "sa" {
+ project = var.project_id
+ account_id = var.account_id
 display_name = "Service Account used by Cloud Run Job to run data release validation"
+
+ # Create only if the service account does not already exist
+ count = length(data.google_service_account.existing_sa.email) == 0 ? 1 : 0
 }
 
 resource "google_project_iam_member" "sa_bigquery_editor" {
 project = var.project_id
 role = "roles/bigquery.dataEditor"
- member = "serviceAccount:${google_service_account.sa.email}"
+ member = "serviceAccount:${var.account_id}@${var.project_id}.iam.gserviceaccount.com"
 }
 
 resource "google_project_iam_member" "sa_bigquery_viewer" {
 project = var.project_id
 role = "roles/bigquery.dataViewer"
- member = "serviceAccount:${google_service_account.sa.email}"
+ member = "serviceAccount:${var.account_id}@${var.project_id}.iam.gserviceaccount.com"
 }
 
 resource "google_project_iam_member" "sa_bigquery_job_user" {
 project = var.project_id
 role = "roles/bigquery.jobUser"
- member = "serviceAccount:${google_service_account.sa.email}"
+ member = "serviceAccount:${var.account_id}@${var.project_id}.iam.gserviceaccount.com"
 }
 
 resource "google_project_iam_member" "sa_secret_accessor" {
 project = var.project_id
 role = "roles/secretmanager.secretAccessor"
- member = "serviceAccount:${google_service_account.sa.email}"
-}
-
+ member = "serviceAccount:${var.account_id}@${var.project_id}.iam.gserviceaccount.com"
+}
\ No newline at end of file
diff --git a/terraform.tfvars b/terraform.tfvars
index 5522eaf..d96e3ad 100644
--- a/terraform.tfvars
+++ b/terraform.tfvars
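Review bot: The `data "google_service_account" "existing_sa"` lookup makes the plan fail when the account does not exist yet (Terraform data sources error on a missing object rather than returning an empty value, as far as I know), so the `count = length(data.google_service_account.existing_sa.email) == 0 ? 1 : 0` guard on `google_service_account.sa` never gets to evaluate in the very case it is meant to handle. If the account was created outside this configuration, the usual fix is to keep an unconditional resource and bring the existing object into state with `terraform import google_service_account.sa projects/<PROJECT_ID placeholder>/serviceAccounts/<SA_EMAIL placeholder>`, dropping the data block and the count. Separately, replacing `google_service_account.sa.email` with the hand-built `${var.account_id}@${var.project_id}.iam.gserviceaccount.com` in the four `google_project_iam_member` resources removes the implicit dependency, so on a fresh apply the bindings can be attempted before the account exists; adding `depends_on = [google_service_account.sa]` to each of them restores the ordering. The closing `}` of `sa_secret_accessor` also lost its trailing newline, which the `\ No newline at end of file` marker shows.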
@@ -1,6 +1,6 @@ project_id = "htan-dcc" region = "us-east1" -image_url = "ghcr.io/ncihtan/data-release-cloud-run:latest" +image_url = "us-docker.pkg.dev/htan-dcc/gcr.io/data-release-validation:latest" secret_id = "synapse_service_pat" # service account variables
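Review bot: `image_url` still pins the Cloud Run job to the mutable `:latest` tag, so whatever was pushed most recently is what runs and a deployment cannot be traced back to one reviewed build. The workflow's metadata step already emits `type=semver` and `type=sha` tags, so the value could carry one of those or an image digest instead; how the deploy-cloud-run job passes the image is outside this diff, so this may need coordinating with it. A comment above the line, `# Must match the image pushed by .github/workflows/deploy.yml`, would at least record where the path comes from.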