From dbc3ebb70c8ebfdbe6a1a75e1ef9d1716ba792ca Mon Sep 17 00:00:00 2001
From: Nim Jayawardena
Date: Wed, 13 Mar 2024 14:38:05 -0400
Subject: [PATCH 1/6] Use new PR cluster for ci-pr.yaml
---
 .github/workflows/ci-pr.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml
index 91501d6935e..24c0aff3e4c 100644
--- a/.github/workflows/ci-pr.yaml
+++ b/.github/workflows/ci-pr.yaml
@@ -71,7 +71,7 @@ jobs:
 NAMESPACE="pr${PR_NUMBER}"
 echo "::set-env name=NAMESPACE::$NAMESPACE"
- gcloud container clusters get-credentials $PR_CLUSTER --zone $ZONE --project $PROJECT_ID
+ gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
 cat <
Date: Wed, 13 Mar 2024 15:13:29 -0400
Subject: [PATCH 2/6] Fix region in ci-pr.yaml
---
 .github/workflows/ci-pr.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml
index 24c0aff3e4c..e9a5b094b13 100644
--- a/.github/workflows/ci-pr.yaml
+++ b/.github/workflows/ci-pr.yaml
@@ -86,7 +86,7 @@ jobs:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 PROJECT_ID: "online-boutique-ci"
 PR_CLUSTER: "prs-gke-cluster"
- REGION: "us-central1-a"
+ REGION: "us-central1"
 - name: Wait For Pods
 timeout-minutes: 20
 run: |
From d7c99069ba9bd70a5625f9182fb09e2b10aeeef6 Mon Sep 17 00:00:00 2001
From: Nim Jayawardena
Date: Thu, 14 Mar 2024 13:39:54 -0400
Subject: [PATCH 3/6] Update ci-main.yaml and cleanup.yaml
---
 .github/workflows/ci-main.yaml | 6 +++---
 .github/workflows/cleanup.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml
index 900ab7ac562..1967548ec0a 100644
--- a/.github/workflows/ci-main.yaml
+++ b/.github/workflows/ci-main.yaml
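Review bot: `REGION: "us-central1"` is now the third copy of a value that also lives in the Terraform (`location = "us-central1"` on `prs_gke_cluster`) and is consumed by the `get-credentials --region $REGION` line of the first hunk, and the previous value `"us-central1-a"` shows how easily those copies drift; a comment beside the env block such as `# Must match google_container_cluster.prs_gke_cluster.location in .github/terraform/main.tf` would tie them together. The surrounding `run:` step in the first hunk still exports variables with the `::set-env` workflow command, which GitHub disabled by default and only honors when the job opts in through `ACTIONS_ALLOW_UNSECURE_COMMANDS`; writing `echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV` instead removes the need for that opt-in. The first hunk is cut off after `cat <` in this rendering, so its remaining lines could not be reviewed.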
@@ -70,7 +70,7 @@ jobs:
 echo "::set-env name=NAMESPACE::$NAMESPACE"
 echo "::set-env name=PR_NUMBER::$PR_NUMBER"
- gcloud container clusters get-credentials $PR_CLUSTER --zone $ZONE --project $PROJECT_ID
+ gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
 cat <
Date: Thu, 14 Mar 2024 14:14:50 -0400
Subject: [PATCH 4/6] Add Terraform for prs-gke-cluster
---
 .github/terraform/main.tf | 116 +++++++++++++++++++++++++++++++++
 .github/terraform/variables.tf | 23 +++++++
 .github/terraform/versions.tf | 25 +++++++
 3 files changed, 164 insertions(+)
 create mode 100644 .github/terraform/main.tf
 create mode 100644 .github/terraform/variables.tf
 create mode 100644 .github/terraform/versions.tf
diff --git a/.github/terraform/main.tf b/.github/terraform/main.tf
new file mode 100644
index 00000000000..14a048015ca
--- /dev/null
+++ b/.github/terraform/main.tf
@@ -0,0 +1,116 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Set defaults for the google Terraform provider.
+provider "google" {
+ project = var.project_id
+ region = "us-central1"
+ zone = "us-central1-a"
+}
+
+terraform {
+ # Store the state inside a Google Cloud Storage bucket.
+ backend "gcs" {
+ bucket = "cicd-terraform-state"
+ prefix = "terraform-state"
+ }
+}
+
+# Enable Google Cloud APIs.
+module "enable_google_apis" {
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 14.0"
+ disable_services_on_destroy = false
+ activate_apis = [
+ "cloudresourcemanager.googleapis.com",
+ "container.googleapis.com",
+ "iam.googleapis.com",
+ "storage.googleapis.com",
+ ]
+ project_id = var.project_id
+}
+
+# Google Cloud Storage for storing Terraform state (.tfstate).
+resource "google_storage_bucket" "terraform_state_storage_bucket" {
+ name = "cicd-terraform-state"
+ location = "us"
+ storage_class = "STANDARD"
+ force_destroy = false
+ public_access_prevention = "enforced"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = true
+ }
+}
+
+# Google Cloud IAM service account for GKE clusters.
+# We avoid using the Compute Engine default service account because it's too permissive.
+resource "google_service_account" "gke_clusters_service_account" {
+ account_id = "gke-clusters-service-account"
+ display_name = "My Service Account"
+ depends_on = [
+ module.enable_google_apis
+ ]
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
+ project = var.project_id
+ role = "roles/monitoring.metricWriter"
+ member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
+ project = var.project_id
+ role = "roles/logging.logWriter"
+ member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
+ project = var.project_id
+ role = "roles/monitoring.viewer"
+ member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
+ project = var.project_id
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# The GKE cluster used for pull-request (PR) staging deployments.
+resource "google_container_cluster" "prs_gke_cluster" {
+ name = "prs-gke-cluster"
+ location = "us-central1"
+ enable_autopilot = true
+ project = var.project_id
+ deletion_protection = true
+ depends_on = [
+ module.enable_google_apis
+ ]
+ cluster_autoscaling {
+ auto_provisioning_defaults {
+ service_account = google_service_account.gke_clusters_service_account.email
+ }
+ }
+ # Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
+ # Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
+ ip_allocation_policy {
+ }
+}
diff --git a/.github/terraform/variables.tf b/.github/terraform/variables.tf
new file mode 100644
index 00000000000..e103a7be163
--- /dev/null
+++ b/.github/terraform/variables.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# This file lists variables that you can set using the -var flag during "terraform apply".
+# Example: terraform apply -var project_id="${PROJECT_ID}"
+
+variable "project_id" {
+ type = string
+ description = "The Google Cloud project ID."
+}
diff --git a/.github/terraform/versions.tf b/.github/terraform/versions.tf
new file mode 100644
index 00000000000..b94480454ae
--- /dev/null
+++ b/.github/terraform/versions.tf
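Review bot: The `backend "gcs"` block points at bucket `cicd-terraform-state`, which is the same bucket that `google_storage_bucket.terraform_state_storage_bucket` creates further down in main.tf, so a fresh checkout cannot `terraform init` until the bucket exists by some other means (a first apply with a local backend followed by a state migration, or creating the bucket out of band); a comment on the backend block should say which, e.g. `# Bootstrap: this bucket is created by this same configuration; on first run apply with a local backend, then migrate state here.` The service account's `display_name = "My Service Account"` is a placeholder and should describe the identity, e.g. `display_name = "Node service account for CI GKE clusters"`. It would also help to state above the four `google_project_iam_member` resources why the grants stop at the logging/monitoring writer roles: this node identity is shared by every PR namespace scheduled on `prs-gke-cluster` (the workflow patches create one `pr${PR_NUMBER}` namespace per pull request), so anything granted here is reachable from any PR workload, and if PR images are pulled from a private registry in this project that access should be a separate, narrowly scoped grant rather than a broader role here. Finally, `prs_gke_cluster` sets neither `private_cluster_config` nor `master_authorized_networks_config`, which presumably is deliberate because GitHub-hosted runners reach the control plane from changing public addresses; a comment recording that trade-off would stop the next reader from treating it as an oversight.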
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.4"
+ }
+ }
+}
From 178ab8df999a40c8b7867d38cf5836d380971092 Mon Sep 17 00:00:00 2001
From: Nim Jayawardena
Date: Thu, 14 Mar 2024 14:31:13 -0400
Subject: [PATCH 5/6] Add README for CI Terraform
---
 .github/terraform/README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/terraform/README.md
diff --git a/.github/terraform/README.md b/.github/terraform/README.md
new file mode 100644
index 00000000000..cf4e525dbbc
--- /dev/null
+++ b/.github/terraform/README.md
@@ -0,0 +1,15 @@
+This folder contains the Terraform for some of the infrastructure used by the CICD (continuous integration and continuous delivery/continuous deployment) of this repository.
+
+## Update this Terraform
+
+To make changes to this Terraform, follow these steps:
+
+1. Make sure you have access to the `online-boutique-ci` Google Cloud project.
+1. Move into this folder: `cd .github/terraform`
+1. Set the PROJECT_ID environment variable: `export PROJECT_ID=online-boutique-ci`
+1. Prepare Terraform and download the necessary Terraform dependencies (such as the "hashicorp/google" Terraform provider): `terraform init`
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+ * Ideally, you would see `Apply complete! Resources: 0 added, 0 changed, 0 destroyed.` in the output.
+1. Make your desired changes to the Terraform code.
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+ * This time, Terraform will prompt you confirm your changes before applying them.
From 3619a291c3efbb659cc54ee9ef299e350171cdfa Mon Sep 17 00:00:00 2001
From: Nim Jayawardena
Date: Thu, 14 Mar 2024 14:35:37 -0400
Subject: [PATCH 6/6] Run terraform fmt
---
 .github/terraform/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/terraform/main.tf b/.github/terraform/main.tf
index 14a048015ca..293664265d0 100644
--- a/.github/terraform/main.tf
+++ b/.github/terraform/main.tf
@@ -45,11 +45,11 @@ module "enable_google_apis" {
 # Google Cloud Storage for storing Terraform state (.tfstate).
 resource "google_storage_bucket" "terraform_state_storage_bucket" {
- name = "cicd-terraform-state"
- location = "us"
- storage_class = "STANDARD"
- force_destroy = false
- public_access_prevention = "enforced"
+ name = "cicd-terraform-state"
+ location = "us"
+ storage_class = "STANDARD"
+ force_destroy = false
+ public_access_prevention = "enforced"
 uniform_bucket_level_access = true
 versioning {
 enabled = true