Add terraform code for wetterdienst project

earthobservations · Nov 29, 2023 · 5c1ecf1 · 5c1ecf1
1 parent 3d33343
commit 5c1ecf1
Show file tree

Hide file tree

Showing 13 changed files with 778 additions and 0 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,56 @@
+name: Deploy service
+
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  push:
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  terraform-plan:
+#    needs: [ docker-sync ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+
+      - name: Google Auth
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: wetterdienst
+          workload_identity_provider: projects/867542820543/locations/global/workloadIdentityPools/github/providers/github
+
+      - name: Terraform init
+        working-directory: ./terraform
+        run: terraform init
+
+      - name: Terraform plan
+        working-directory: ./terraform
+        run: terraform plan
+
+  terraform-apply:
+    needs: [ terraform-plan ]
+#    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+
+      - name: Terraform init
+        working-directory: ./terraform
+        run: terraform init
+
+      - name: Terraform apply
+        working-directory: ./terraform
+        run: terraform apply -auto-approve
diff --git a/.github/workflows/docker-publish-standard.yml b/.github/workflows/docker-publish-standard.yml
@@ -151,3 +151,29 @@ jobs:
           set -x
           git describe --tags
           git status
+
+  docker-sync:
+    needs: [ docker]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4
+
+      - name: Setup Docker
+        uses: docker/setup-buildx-action@v1
+
+      - name: Docker login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker pull
+        run: docker pull ghcr.io/${{ github.repository }}-standard:latest
+
+      - name: Docker tag
+        run: docker tag ghcr.io/earthobservations/wetterdienst-standard:latest europe-north1-docker.pkg.dev/wetterdienst/docker-wetterdienst/wetterdienst-standard:latest
+
+      - name: Docker push
+        run: docker push europe-north1-docker.pkg.dev/wetterdienst/docker-wetterdienst/wetterdienst-standard:latest
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -0,0 +1,60 @@
+name: Terraform
+
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  push:
+
+  # Allow job to be triggered manually.
+  workflow_dispatch:
+
+# Cancel in-progress jobs when pushing to the same branch.
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+
+      - name: Google Auth
+        uses: google-github-actions/auth@v1
+        env:
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+        with:
+          workload_identity_provider: ${{ env.workload_identity_provider }}
+          service_account: [email protected]
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Export Github PAT
+        run: echo "TF_VAR_gh_pat=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
+      - name: Terraform init
+        working-directory: ./terraform
+        run: terraform init
+
+      - name: Terraform plan
+        working-directory: ./terraform
+        env:
+          TV_VAR_gh_pat: ${{ env.TV_VAR_gh_pat }}
+        run: terraform plan
+
+      - name: Terraform apply
+        working-directory: ./terraform
+        env:
+          TV_VAR_gh_pat: ${{ env.TV_VAR_gh_pat }}
+        run: terraform apply -auto-approve
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/artifact_registry.tf b/terraform/artifact_registry.tf
@@ -0,0 +1,6 @@
+resource "google_artifact_registry_repository" "docker-wetterdienst" {
+    repository_id = "docker-wetterdienst"
+    location      = var.region
+    format        = "DOCKER"
+    description   = "Standard image repository for the wetterdienst project."
+}
diff --git a/terraform/cloud_storage.tf b/terraform/cloud_storage.tf
@@ -0,0 +1,7 @@
+resource "google_storage_bucket" "wetterdienst-state" {
+  location = var.region
+  name     = "wetterdienst-state"
+  versioning {
+    enabled = true
+  }
+}
diff --git a/terraform/cloudrun.tf b/terraform/cloudrun.tf
@@ -0,0 +1,36 @@
+resource "google_cloud_run_v2_service" "wetterdienst-restapi" {
+  name     = "wetterdienst-restapi"
+  project = var.project
+  location = var.region
+  ingress = "INGRESS_TRAFFIC_ALL"
+
+  template {
+    containers {
+      image = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.docker-wetterdienst.name}/wetterdienst-standard:latest"
+      command = ["wetterdienst", "restapi", "--listen=0.0.0.0:8080"]
+      resources {
+        limits = {
+          cpu    = "1000m"
+          memory = "512Mi"
+        }
+      }
+    }
+    scaling {
+      min_instance_count = 1
+      max_instance_count = 10
+    }
+  }
+}
+
+resource "google_cloud_run_domain_mapping" "wetterdienst-earth-observations-net" {
+  name     = "wetterdienst.earth-observations.net"
+  location = var.region
+
+  metadata {
+    namespace = var.project
+  }
+
+  spec {
+    route_name = google_cloud_run_v2_service.wetterdienst-restapi.name
+  }
+}
diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -0,0 +1,5 @@
+resource "google_storage_bucket_iam_member" "state" {
+  bucket = google_storage_bucket.wetterdienst-state.name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:[email protected]"
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+    google = {
+      source  = "hashicorp/google"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+    }
+    github = {
+      source  = "integrations/github"
+    }
+  }
+
+  backend "gcs" {
+    bucket  = "wetterdienst-state"
+    prefix  = "terraform/state"
+  }
+}
+
+provider "docker" {
+#  host = "unix:///var/run/docker.sock"
+  registry_auth {
+    address = "ghcr.io"
+    username = var.gh_username
+    password = var.gh_pat
+  }
+}
+
+provider "github" {}
+
+provider "google" {
+  project = var.project
+  region  = var.region
+}
diff --git a/terraform/network.tf b/terraform/network.tf
@@ -0,0 +1,38 @@
+resource "google_compute_region_network_endpoint_group" "serverless_neg" {
+  name                  = "serverless-neg"
+  project = var.project
+  network_endpoint_type = "SERVERLESS"
+  region                = var.region
+  cloud_run {
+    service = google_cloud_run_v2_service.wetterdienst-restapi.name
+  }
+}
+
+module "lb-http" {
+  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
+  name    = "loadbalancer"
+  project = var.project
+
+  https_redirect = true
+
+  security_policy = google_compute_security_policy.default.name
+
+  backends = {
+    default = {
+      description = null
+      groups = [
+        {
+          group = google_compute_region_network_endpoint_group.serverless_neg.id
+        }
+      ]
+      enable_cdn = false
+
+      iap_config = {
+        enable = false
+      }
+      log_config = {
+        enable = false
+      }
+    }
+  }
+}