Merge pull request #507 from abyssparanoia/feature/add-terraform

Feature/add terraform

deployments/terraform/apps/cloud_run_backend/locals.tf

@@ -0,0 +1,17 @@
+locals {
+  backend_roles = [
+    "roles/cloudsql.client",
+    "roles/storage.admin",
+    "roles/firebase.admin",
+    "roles/secretmanager.secretAccessor",
+    "roles/iam.serviceAccountTokenCreator",
+    "roles/pubsub.publisher",
+    "roles/pubsub.subscriber",
+    "roles/cloudprofiler.agent",
+    "roles/cloudkms.signerVerifier"
+  ]
+
+  cloud_run_services = {
+    api = { name = "api", args = ["http-server", "run"], min_scale = 0, max_scale = 5, },
+  }
+}

deployments/terraform/apps/cloud_run_backend/main.tf

@@ -0,0 +1,103 @@
+resource "google_service_account" "backend" {
+  account_id   = "app-backend"
+  display_name = "Backend Service Account"
+}
+
+resource "google_project_iam_member" "backend" {
+  for_each = toset(local.backend_roles)
+  project  = var.project
+  role     = each.value
+  member   = "serviceAccount:${google_service_account.api.email}"
+}
+
+resource "google_cloud_run_service" "services" {
+  for_each = local.cloud_run_services
+  name     = each.value.name
+  location = var.location
+  project  = var.project
+
+  template {
+    spec {
+      service_account_name = google_service_account.backend.email
+
+      containers {
+        image = "${var.registry_path}/backend:latest"
+        ports {
+          container_port = 80
+        }
+        args = each.value.args
+
+        env {
+          name  = "ENV"
+          value = var.enviroment
+        }
+        env {
+          name  = "PROJECT_ID"
+          value = var.project
+        }
+        env {
+          name  = "SERVICE_NAME"
+          value = each.value.name
+        }
+        env {
+          name  = "MIN_LOG_SEVERITY"
+          value = "DEBUG"
+        }
+        env {
+          name  = "DB_HOST"
+          value = "unix(/cloudsql/${var.db_connection_name})"
+        }
+        env {
+          name  = "DB_DATABASE"
+          value = var.db_name
+        }
+        env {
+          name  = "DB_USER"
+          value = var.db_user
+        }
+        env {
+          name = "DB_PASSWORD"
+          value_from {
+            secret_key_ref {
+              name = var.db_password_secret_id
+              key  = var.db_password_secret_version
+            }
+          }
+        }
+      }
+    }
+
+    metadata {
+      annotations = {
+        "autoscaling.knative.dev/minScale"        = each.value.min_scale
+        "autoscaling.knative.dev/maxScale"        = each.value.max_scale
+        "run.googleapis.com/cpu-throttling"       = each.value.min_scale == 0 ? "true" : "false"
+        "run.googleapis.com/cloudsql-instances"   = var.db_connection_name
+        "run.googleapis.com/client-name"          = "terraform"
+      }
+    }
+  }
+
+  autogenerate_revision_name = true
+
+  traffic {
+    percent         = 100
+    latest_revision = true
+  }
+
+  lifecycle {
+    ignore_changes = [
+      template[0].spec[0].containers[0].image,
+      template[0].metadata[0].annotations["run.googleapis.com/client-name"],
+      template[0].metadata[0].annotations["run.googleapis.com/client-version"],
+      template[0].metadata[0].annotations["client.knative.dev/user-image"],
+    ]
+  }
+}
+
+resource "google_cloud_run_service_iam_member" "run_all_users" {
+  service  = "api"
+  location = var.location
+  role     = "roles/run.invoker"
+  member   = "allUsers"
+}

deployments/terraform/apps/cloud_run_backend/variables.tf

@@ -0,0 +1,35 @@
+variable "location" {
+  type = string
+}
+
+variable "project" {
+  type = string
+}
+
+variable "registry_path" {
+  type = string
+}
+
+variable "enviroment" {
+  type = string
+}
+
+variable "db_connection_name" {
+  type = string
+}
+
+variable "db_name" {
+  type = string
+}
+
+variable "db_user" {
+  type = string
+}
+
+variable "db_password_secret_id" {
+  type = string
+}
+
+variable "db_password_secret_version" {
+  type = number
+}

deployments/terraform/env/development/.envrc.tmpl

@@ -0,0 +1 @@
+export GOOGLE_APPLICATION_CREDENTIALS="./service_account.json"

deployments/terraform/env/development/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  enviroment           = "development"
+  db_tier              = "db-f1-micro"
+  db_disk_type         = "PD_HDD"
+  db_availability_type = "ZONAL"
+}

deployments/terraform/env/development/main.tf

@@ -0,0 +1,70 @@
+module "gcp_services" {
+  source  = "../../modules/gcp_services"
+  project = var.project
+}
+
+module "github_actions_workload_identity" {
+  source = "../../modules/github_actions_workload_identity"
+
+  project      = var.project
+  location     = var.location
+  repositories = ["abyssparanoia/rapid-go"]
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+
+module "cloud_sql" {
+  source            = "../../modules/cloud_sql"
+  location          = var.location
+  tier              = local.db_tier
+  disk_type         = local.db_disk_type
+  availability_type = local.db_availability_type
+  db_instance_name  = "master"
+  db_name           = "maindb"
+  db_user           = "app_user"
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "secret_manager_db_password" {
+  source    = "../../modules/secret_manager"
+  secret_id = "db-passowrd"
+  value     = module.cloudsql.db_password
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "artifact_registry" {
+  source        = "../../modules/artifact_registry"
+  project       = var.project
+  location      = var.location
+  repository_id = "rapid-go"
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "cloudrun_api" {
+  source = "../../apps/cloud_run_backend"
+
+  project                    = var.project
+  location                   = var.location
+  registry_path              = module.artifact_registry.container_registry_path
+  db_connection_name         = module.cloudsql.db_connection_name
+  db_name                    = module.cloudsql.db_name
+  db_user                    = module.cloudsql.db_user
+  db_password_secret_id      = module.secret_manager_db_password.secret_id
+  db_password_secret_version = module.secret_manager_db_password.version
+
+  depends_on = [
+    module.gcp_services
+  ]
+}

deployments/terraform/env/development/provider.tf

@@ -0,0 +1,10 @@
+provider "google" {
+  project = var.project
+  region  = var.location
+}
+
+terraform {
+  backend "gcs" {
+    bucket = "dev-rapid-go-terraform-state-store"
+  }
+}

deployments/terraform/env/development/variables.tf

@@ -0,0 +1,7 @@
+variable "project" {
+  default = "dev-rapid-go"
+}
+
+variable "location" {
+  default = "asia-northeast1"
+}

deployments/terraform/env/production/.envrc.tmpl

@@ -0,0 +1 @@
+export GOOGLE_APPLICATION_CREDENTIALS="./service_account.json"

deployments/terraform/env/production/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  enviroment           = "production"
+  db_tier              = "db-f1-micro"
+  db_disk_type         = "PD_HDD"
+  db_availability_type = "ZONAL"
+}

deployments/terraform/env/production/main.tf

@@ -0,0 +1,70 @@
+module "gcp_services" {
+  source  = "../../modules/gcp_services"
+  project = var.project
+}
+
+module "github_actions_workload_identity" {
+  source = "../../modules/github_actions_workload_identity"
+
+  project      = var.project
+  location     = var.location
+  repositories = ["abyssparanoia/rapid-go"]
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+
+module "cloud_sql" {
+  source            = "../../modules/cloud_sql"
+  location          = var.location
+  tier              = local.db_tier
+  disk_type         = local.db_disk_type
+  availability_type = local.db_availability_type
+  db_instance_name  = "master"
+  db_name           = "maindb"
+  db_user           = "app_user"
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "secret_manager_db_password" {
+  source    = "../../modules/secret_manager"
+  secret_id = "db-passowrd"
+  value     = module.cloudsql.db_password
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "artifact_registry" {
+  source        = "../../modules/artifact_registry"
+  project       = var.project
+  location      = var.location
+  repository_id = "rapid-go"
+
+  depends_on = [
+    module.gcp_services
+  ]
+}
+
+module "cloudrun_api" {
+  source = "../../apps/cloud_run_backend"
+
+  project                    = var.project
+  location                   = var.location
+  registry_path              = module.artifact_registry.container_registry_path
+  db_connection_name         = module.cloudsql.db_connection_name
+  db_name                    = module.cloudsql.db_name
+  db_user                    = module.cloudsql.db_user
+  db_password_secret_id      = module.secret_manager_db_password.secret_id
+  db_password_secret_version = module.secret_manager_db_password.version
+
+  depends_on = [
+    module.gcp_services
+  ]
+}

deployments/terraform/env/production/provider.tf

@@ -0,0 +1,10 @@
+provider "google" {
+  project = var.project
+  region  = var.location
+}
+
+terraform {
+  backend "gcs" {
+    bucket = "dev-rapid-go-terraform-state-store"
+  }
+}

deployments/terraform/env/production/variables.tf

@@ -0,0 +1,7 @@
+variable "project" {
+  default = "dev-rapid-go"
+}
+
+variable "location" {
+  default = "asia-northeast1"
+}

deployments/terraform/env/staging/.envrc.tmpl

@@ -0,0 +1 @@
+export GOOGLE_APPLICATION_CREDENTIALS="./service_account.json"

deployments/terraform/env/staging/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  enviroment           = "staging"
+  db_tier              = "db-f1-micro"
+  db_disk_type         = "PD_HDD"
+  db_availability_type = "ZONAL"
+}