Terraform for GCP CI base #144
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #144 +/- ##
==========================================
- Coverage 35.80% 35.28% -0.53%
==========================================
Files 16 33 +17
Lines 1363 2874 +1511
==========================================
+ Hits 488 1014 +526
- Misses 801 1750 +949
- Partials 74 110 +36 ☔ View full report in Codecov by Sentry. |
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
29 times, most recently
from
b94d163 to
cc921d2
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
7 times, most recently
from
5e05e32 to
179a1fe
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
from
fb0b06e to
fffe57b
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
4 times, most recently
from
db5632a to
b20a73e
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
from
b20a73e to
bba2f74
Compare
| @@ -0,0 +1,16 @@ | |||
| terraform { | |||
| source = "${get_repo_root()}/deployment/modules/gcp//example-gcp" | |||
There was a problem hiding this comment.
This double slash is a bit weird?
There was a problem hiding this comment.
This is how you tell terraform about module "boundaries", with the double slash it brings in anything under there, without them it fails when you try to reference the sibling gcs from within the example-gc module.
This is a bit of a dusty corner in terraform, but it's why e.g. you had to put double slashes in for your distributor config which referenced other modules: https://github.com/transparency-dev/distributor/blob/main/deployment/modules/distributor/main.tf#L110
| project_id = get_env("GOOGLE_PROJECT", "trillian-tessera") | ||
| location = get_env("GOOGLE_REGION", "us-central1") | ||
| base_name = get_env("TESSERA_BASE_NAME", "example-gcp") | ||
| base_name = get_env("TESSERA_BASE_NAME", "${path_relative_to_include()}-example-gcp") |
There was a problem hiding this comment.
Can you use $env here instead of the path calculation? It'd be clearer for a human reading it, even if the result is the same.
There was a problem hiding this comment.
I assumed I couldn't, but rather unexpectedly it seems like you can (or at least ${local.env} you can)...
| } | ||
|
|
||
| locals { | ||
| env = path_relative_to_include() | ||
| project_id = get_env("GOOGLE_PROJECT", "trillian-tessera") |
There was a problem hiding this comment.
nit: alignment of = has got wonky.
| remote_state { | ||
| backend = "gcs" | ||
|
|
||
| config = { | ||
| project = local.project_id | ||
| location = local.location | ||
| bucket = "${local.project_id}-${local.base_name}-terraform-state" | ||
| prefix = "${path_relative_to_include()}/terraform.tfstate" |
There was a problem hiding this comment.
Again, using ${local.env} would be clearer, IMO.
| ## | ||
| ## This will configure all the storage infrastructure required to run a Tessera log on GCP. | ||
| module "gcs" { | ||
| source = "..//gcs" |
There was a problem hiding this comment.
Is the double slash needed here? I think this is one of those cases where there is something needed about the 2 slashes but best to check.
There was a problem hiding this comment.
yup, same as above.
| containers { | ||
| image = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.0.0" | ||
| name = "collector" | ||
| depends_on = ["example-gcp"] | ||
| } |
There was a problem hiding this comment.
This does the prometheus integration into GCP monitoring. Not sure if you need it in the example?
It could do with some comments put through here for things like this though, or people will just steal all of this whether it's needed or not. The curse of writing examples that try to strike a balance between "hello world" and showing actual real-life deployment.
| "--logtostderr", | ||
| "--v=1", | ||
| "--bucket=${module.gcs.log_bucket.id}", | ||
| "--spanner=projects/${var.project_id}/instances/${module.gcs.log_spanner_instance.name}/databases/${module.gcs.log_spanner_db.name}", |
There was a problem hiding this comment.
nit: You could consider evaluation this monster as a local, and even exporting it as an output variable. It would make this line shorter and thus easier to eyeball the flags.
| resource "google_service_account" "cloudrun_service_account" { | ||
| account_id = "cloudrun-${var.env}-sa" | ||
| display_name = "Service Account for Cloud Run (${var.env})" | ||
| } |
There was a problem hiding this comment.
This isn't strictly necessary as there's a default service account you could use. It's good practice though. We should probably write in some docs our approach to the example on how to balance best practice vs minimalism.
There was a problem hiding this comment.
Yeah, guidance is a good idea. I'll merge this as-is while we chew on that.
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
from
71a1ebe to
51f0e90
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
from
51f0e90 to
ab8c657
Compare
AlCutter
force-pushed
the
gcp_tf_ci_base
branch
from
3db7706 to
9c1ec4b
Compare
This PR adds support for spinning up an instance of the example personality on GCP.
This is intended to be used for CI tests.
Towards #7