Add example-gcp module

transparency-dev · Aug 19, 2024 · 179a1fe · 179a1fe
1 parent a419214
commit 179a1fe
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 13 deletions.
diff --git a/deployment/live/gcp/example-gcp/ci/terragrunt.hcl b/deployment/live/gcp/example-gcp/ci/terragrunt.hcl
@@ -0,0 +1,15 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/gcp//example-gcp"
+}
+
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
+}
+
+inputs = merge(
+  include.root.locals,
+  {
+    example_gcp_docker_image = "todo"
+  }
+)
diff --git a/deployment/live/gcp/example-gcp/terragrunt.hcl b/deployment/live/gcp/example-gcp/terragrunt.hcl
@@ -1,25 +1,22 @@
 terraform {
-  source = "${get_repo_root()}/deployment/modules/gcp/gcs"
+  source = "${get_repo_root()}/deployment/modules/gcp//example-gcp"
 }
 
 locals {
+  env         = path_relative_to_include()
   project_id = get_env("GOOGLE_PROJECT", "trillian-tessera")
   location   = get_env("GOOGLE_REGION", "us-central1")
-  base_name   = get_env("TESSERA_BASE_NAME", "example-gcp")
+  base_name   = get_env("TESSERA_BASE_NAME", "${path_relative_to_include()}-example-gcp")
 }
 
-inputs = merge(
-  local,
-  {}
-)
-
 remote_state {
   backend = "gcs"
 
   config = {
     project  = local.project_id
     location = local.location
     bucket   = "${local.project_id}-${local.base_name}-terraform-state"
+    prefix   = "${path_relative_to_include()}/terraform.tfstate"
 
     gcs_bucket_labels = {
       name  = "terraform_state_storage"

diff --git a/deployment/modules/gcp/example-gcp/main.tf b/deployment/modules/gcp/example-gcp/main.tf
@@ -0,0 +1,113 @@
+terraform {
+  backend "gcs" {}
+}
+
+## Call the Tessera GCP module
+##
+## This will configure all the storage infrastructure required to run a Tessera log on GCP.
+module "gcs" {
+  source = "..//gcs"
+
+  base_name  = var.base_name
+  env        = var.env
+  location   = var.location
+  project_id = var.project_id
+}
+
+# Enable Cloud Run API
+resource "google_project_service" "cloudrun_api" {
+  service            = "run.googleapis.com"
+  disable_on_destroy = false
+}
+
+###
+### Set up Cloud Run service
+###
+resource "google_service_account" "cloudrun_service_account" {
+  account_id   = "cloudrun-${var.env}-sa"
+  display_name = "Service Account for Cloud Run (${var.env})"
+}
+
+resource "google_project_iam_member" "iam_act_as" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_project_iam_member" "iam_metrics_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_spanner_database_iam_binding" "iam_spanner_database_user" {
+  project  = var.project_id
+  instance = module.gcs.log_spanner_instance.name
+  database = module.gcs.log_spanner_db.name
+  role     = "roles/spanner.databaseUser"
+
+  members = [
+    "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+  ]
+}
+resource "google_project_iam_member" "iam_service_agent" {
+  project = var.project_id
+  role    = "roles/run.serviceAgent"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_cloud_run_v2_service" "default" {
+  name         = "example-service-${var.env}"
+  location     = var.location
+  launch_stage = "GA"
+
+  template {
+    service_account = google_service_account.cloudrun_service_account.email
+    containers {
+      image = var.example_gcp_docker_image
+      name  = "example-gcp"
+      args = [
+        "--logtostderr",
+        "--v=1",
+        "--bucket=${module.gcs.log_bucket.id}",
+        "--spanner=${module.gcs.log_spanner_db.id}",
+        "--project=${var.project_id}",
+        "--signer=./testgcp.sec",
+      ]
+      ports {
+        container_port = 8080
+      }
+
+      startup_probe {
+        initial_delay_seconds = 1
+        timeout_seconds       = 1
+        period_seconds        = 10
+        failure_threshold     = 3
+        tcp_socket {
+          port = 8080
+        }
+      }
+    }
+    containers {
+      image      = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.0.0"
+      name       = "collector"
+      depends_on = ["example-gcp"]
+    }
+  }
+  client = "terraform"
+  depends_on = [
+    module.gcs,
+    google_project_service.cloudrun_api,
+    google_project_iam_member.iam_act_as,
+    google_project_iam_member.iam_metrics_writer,
+    google_project_iam_member.iam_service_agent,
+    google_spanner_database_iam_binding.iam_spanner_database_user,
+  ]
+}
+
+resource "google_cloud_run_service_iam_binding" "default" {
+  location = google_cloud_run_v2_service.default.location
+  service  = google_cloud_run_v2_service.default.name
+  role     = "roles/run.invoker"
+  members = [
+    "allUsers"
+  ]
+}
diff --git a/deployment/modules/gcp/example-gcp/variables.tf b/deployment/modules/gcp/example-gcp/variables.tf
@@ -0,0 +1,24 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}
+
+variable "env" {
+  description = "Environment name, e.g ci, prod, etc."
+  type        = string
+}
+
+variable "example_gcp_docker_image" {
+  description = "The full image URL (path & tag) for the example-gcp Docker image to deploy"
+  type        = string
+}
diff --git a/deployment/modules/gcp/gcs/main.tf b/deployment/modules/gcp/gcs/main.tf
@@ -1,7 +1,3 @@
-terraform {
-  backend "gcs" {}
-}
-
 # Services
 resource "google_project_service" "serviceusage_googleapis_com" {
   service            = "serviceusage.googleapis.com"
@@ -52,7 +48,7 @@ resource "google_storage_bucket_iam_binding" "log_bucket_writer" {
 resource "google_spanner_instance" "log_spanner" {
   name             = var.base_name
   config           = "regional-${var.location}"
-  display_name     = "${var.base_name} Spanner Instance"
+  display_name     = var.base_name
   processing_units = 100
 }
 

diff --git a/deployment/modules/gcp/gcs/outputs.tf b/deployment/modules/gcp/gcs/outputs.tf
@@ -3,11 +3,16 @@ output "log_bucket" {
   value       = google_storage_bucket.log_bucket
 }
 
-output "log_spanner" {
+output "log_spanner_db" {
   description = "Log Spanner database"
   value       = google_spanner_database.log_db
 }
 
+output "log_spanner_instance" {
+  description = "Log Spanner instance"
+  value       = google_spanner_instance.log_spanner
+}
+
 output "service_account_name" {
   description = "Name of the service account with write permission for storage"
   value       = google_service_account.log_writer.member

diff --git a/deployment/modules/gcp/gcs/variables.tf b/deployment/modules/gcp/gcs/variables.tf
@@ -12,3 +12,8 @@ variable "location" {
   description = "Location in which to create resources"
   type        = string
 }
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. ci or prod"
+  type        = string
+}