la-famiglia-jst2324 · egekocabas · Dec 2, 2023 · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023
diff --git a/.dockerignore b/.dockerignore
@@ -1,3 +1,4 @@
 .conda_lock_files/** linguist-generated=true
 * text=auto
 *.{py,yaml,yml,sh} text eol=lf
+**/*.tfstate linguist-generated=true
@@ -0,0 +1,65 @@
+name: Deploy
+permissions: write-all
+on:
+  push:
+    branches: [main]
+  release:
+    types: [published]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+defaults:
+  run:
+    shell: bash -el {0}
+
+env:
+  TF_VAR_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  deploy:
+    name: Deploy - ${{ matrix.DEPLOYMENT_ENV }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 40
+    strategy:
+      matrix:
+        DEPLOYMENT_ENV:
+          ["${{ github.event_name == 'release' && 'prod' || 'staging' }}"]
+    defaults:
+      run:
+        working-directory: ./terraform/${{ matrix.DEPLOYMENT_ENV }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Configure gcloud CLI
+        uses: google-github-actions/setup-gcloud@63496e652100112a8db8a71668b77c67aa1ab071
+        with:
+          version: "416.0.0"
+          service_account_email: ${{ secrets.GCP_SA_EMAIL }}
+          service_account_key: ${{ secrets.GCP_SA_KEY }}
+          export_default_credentials: true
+      - name: Test gcloud cli
+        run: gcloud auth list --filter=status:ACTIVE --format="value(account)"
+      - name: Terraform setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.5.3
+      - name: Store credentials file
+        run: |
+          mkdir -p ./../.secrets/
+          echo -n "$KEYSTORE" > ./../.secrets/la-famiglia-parma-ai.json
+        env:
+          KEYSTORE: ${{ secrets.GCP_SA_KEY }}
+      - name: Activate service account
+        run: gcloud auth activate-service-account --key-file=./../.secrets/la-famiglia-parma-ai.json
+      - name: Authenticate with GCR
+        run: gcloud auth configure-docker europe-west1-docker.pkg.dev
+      - name: Terraform init
+        run: terraform init
+      - name: Terraform plan
+        run: terraform plan
+      - name: Terraform apply
+        run: terraform apply -auto-approve
@@ -573,4 +573,7 @@ $RECYCLE.BIN/
 # End of https://www.toptal.com/developers/gitignore/api/vim,node,linux,macos,windows,pycharm+all,webstorm+all,visualstudiocode,direnv,python
 
 # [CUSTOMIZATIONS]
-.data
+.secrets/
+.image.name
+**/.terraform/
+**/*.tfstate.backup
@@ -43,3 +43,8 @@ repos:
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.1.15
+    hooks:
+      - id: checkov
+        files: ^terraform/.*\.yml$
@@ -0,0 +1,17 @@
+FROM --platform=linux/amd64 mambaorg/micromamba:1.5.3
+
+COPY --chown=$MAMBA_USER:$MAMBA_USER environment.yml /tmp/environment.yml
+
+RUN micromamba install -y -n base -f /tmp/environment.yml && \
+    micromamba clean --all --yes
+
+WORKDIR /app
+
+COPY --chown=$MAMBA_USER:$MAMBA_USER parma_mining /app/parma_mining
+
+ENV GITHUB_TOKEN=$GITHUB_TOKEN
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/local/bin/_entrypoint.sh"]
+CMD ["uvicorn", "parma_mining.github.api:app", "--host", "0.0.0.0", "--port", "8080"]
@@ -0,0 +1,19 @@
+terraform {
+  required_version = "1.5.3"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.6"
+    }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0.1"
+    }
+  }
+}
+
+provider "google" {
+  credentials = file("../.secrets/la-famiglia-parma-ai.json")
+  project     = var.project
+  region      = var.region
+}
@@ -0,0 +1,69 @@
+
+/* ---------------------------------- Service Image --------------------------------- */
+
+# Note: Generally it is NOT best practise to build images in Terraform. We are still
+# doing it here for simplicity. In industry, you should think twice before doing this.
+resource "null_resource" "docker_build" {
+
+  provisioner "local-exec" {
+    working_dir = path.module
+    command     = "IMG=${var.region}-docker.pkg.dev/${var.project}/parma-registry/parma-mining-github:${var.env}-$(git rev-parse --short HEAD) && docker build -t $IMG ./../../ && docker push $IMG && echo $IMG > .image.name"
+  }
+
+  triggers = {
+    always_run = timestamp()
+  }
+}
+
+# get output from docker_build
+data "local_file" "image_name" {
+  filename   = "${path.module}/.image.name"
+  depends_on = [null_resource.docker_build]
+}
+
+
+/* ------------------------------------ Cloud Run ----------------------------------- */
+
+resource "google_cloud_run_service" "parma_mining_github_cloud_run" {
+  name     = "parma-mining-github-${var.env}"
+  location = var.region
+
+  template {
+    spec {
+      containers {
+        image = data.local_file.image_name.content
+        ports {
+          container_port = 8080
+        }
+        env {
+          name  = "GITHUB_TOKEN"
+          value = var.GITHUB_TOKEN
+        }
+      }
+    }
+  }
+
+  traffic {
+    percent         = 100
+    latest_revision = true
+  }
+}
+
+/* --------------------------------------- IAM -------------------------------------- */
+
+// Define a policy that allows any user to invoke the Cloud Run service.
+data "google_iam_policy" "noauth" {
+  binding {
+    role    = "roles/run.invoker"
+    members = ["allUsers"]
+  }
+}
+
+// Apply the policy to the Cloud Run service.
+resource "google_cloud_run_service_iam_policy" "noauth" {
+  location = google_cloud_run_service.parma_mining_github_cloud_run.location
+  project  = google_cloud_run_service.parma_mining_github_cloud_run.project
+  service  = google_cloud_run_service.parma_mining_github_cloud_run.name
+
+  policy_data = data.google_iam_policy.noauth.policy_data
+}
@@ -0,0 +1,20 @@
+variable "env" {
+  description = "staging or prod environment"
+  type        = string
+}
+
+variable "project" {
+  description = "Google Cloud Project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "Google Cloud Region"
+  type        = string
+}
+
+variable "GITHUB_TOKEN" {
+  description = "value"
+  type        = string
+  sensitive   = true
+}
@@ -0,0 +1,37 @@
+terraform {
+  required_version = "1.5.3"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.6"
+    }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0.1"
+    }
+  }
+  backend "gcs" {
+    bucket      = "la-famiglia-jst2324-tf-state"
+    prefix      = "terraform/state/prod/mining/github"
+    credentials = "../.secrets/la-famiglia-parma-ai.json"
+  }
+}
+
+locals {
+  project = "la-famiglia-parma-ai"
+  region  = "europe-west1"
+}
+
+provider "google" {
+  credentials = file("../.secrets/la-famiglia-parma-ai.json")
+  project     = local.project
+  region      = local.region
+}
+
+module "main" {
+  source           = "../module"
+  env              = "prod"
+  project          = local.project
+  region           = local.region
+  GITHUB_TOKEN     = var.GITHUB_TOKEN
+}
@@ -0,0 +1,5 @@
+variable "GITHUB_TOKEN" {
+  description = "value"
+  type        = string
+  sensitive   = true
+}
@@ -0,0 +1,37 @@
+terraform {
+  required_version = "1.5.3"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.6"
+    }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0.1"
+    }
+  }
+  backend "gcs" {
+    bucket      = "la-famiglia-jst2324-tf-state"
+    prefix      = "terraform/state/staging/mining/github"
+    credentials = "../.secrets/la-famiglia-parma-ai.json"
+  }
+}
+
+locals {
+  project = "la-famiglia-parma-ai"
+  region  = "europe-west1"
+}
+
+provider "google" {
+  credentials = file("../.secrets/la-famiglia-parma-ai.json")
+  project     = local.project
+  region      = local.region
+}
+
+module "main" {
+  source           = "../module"
+  env              = "staging"
+  project          = local.project
+  region           = local.region
+  GITHUB_TOKEN     = var.GITHUB_TOKEN
+}
@@ -0,0 +1,5 @@
+variable "GITHUB_TOKEN" {
+  description = "value"
+  type        = string
+  sensitive   = true
+}