Bucket backend (#17)

* add storage base path to outputs * add routing path to url map and backend service for the bucket * reconfigure so load balancer uses base path from storage module output * add cloud infra deployer service account to global definition * update resume in repo * remove Cloud SQL from production since we are not using this (for cost and maintenance purposes) * remove all dev environment workflows
dpgraham-com · Nov 3, 2023 · 04916ab · 04916ab
1 parent 08b71c0
commit 04916ab
Show file tree

Hide file tree

Showing 15 changed files with 154 additions and 237 deletions.
diff --git a/.github/workflows/tf-apply-dev.yaml b/.github/workflows/tf-apply-dev.yaml
diff --git a/.github/workflows/tf-lint-dev.yaml b/.github/workflows/tf-lint-dev.yaml
diff --git a/.github/workflows/tf-plan-dev.yaml b/.github/workflows/tf-plan-dev.yaml
diff --git a/content/DavidGrahamResume.pdf b/content/DavidGrahamResume.pdf
diff --git a/dev/main.tf b/dev/main.tf
@@ -30,7 +30,10 @@ module "apis" {
     "sqladmin.googleapis.com",
     "artifactregistry.googleapis.com",
     "run.googleapis.com",
-    "vpcaccess.googleapis.com"
+    "vpcaccess.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "serviceusage.googleapis.com",
+    "iam.googleapis.com"
   ]
 }
 
@@ -151,4 +154,6 @@ module "load_balancer" {
   environment      = var.environment
   project_id       = var.project_id
   domain_name      = var.domain
+  bucket_name      = module.storage.storage_bucket_name
+  static_base_path = module.storage.static_content_base_path
 }
diff --git a/global/iam.tf b/global/iam.tf
@@ -20,6 +20,13 @@ resource "google_service_account" "cloud_infra_sa_dev" {
   description  = "Service account used by automation to provision cloud resources"
 }
 
+resource "google_service_account" "cloud_infra_sa_prod" {
+  project      = module.dpgraham-com-prod.project_id
+  account_id   = "${var.cloud_infra_sa}-prod"
+  display_name = "Cloud Infra Service Account for prod environment"
+  description  = "Service account used by automation to provision cloud resources"
+}
+
 
 module "developer-folder-nonprod" {
   source  = "terraform-google-modules/iam/google//modules/folders_iam"
@@ -70,6 +77,23 @@ module "service_accounts_nonprod_shared_vpc_connectors" {
   }
 }
 
+module "service_accounts_prod_shared_vpc_connectors" {
+  source   = "terraform-google-modules/iam/google//modules/projects_iam"
+  projects = [module.vpc-prod-shared.project_id]
+  version  = "~> 7.4"
+  bindings = {
+    "roles/compute.networkUser" = [
+      "serviceAccount:service-${module.dpgraham-com-prod.project_number}@gcp-sa-vpcaccess.iam.gserviceaccount.com",
+      "serviceAccount:${module.dpgraham-com-prod.project_number}@cloudservices.gserviceaccount.com",
+      "serviceAccount:${google_service_account.cloud_infra_sa_prod.email}",
+    ]
+  }
+  depends_on = [
+    module.vpc-prod-shared,
+    google_service_account.cloud_infra_sa_prod
+  ]
+}
+
 module "devops-folder-dev" {
   source  = "terraform-google-modules/iam/google//modules/folders_iam"
   version = "~> 7.4"
@@ -109,14 +133,25 @@ module "devops-folder-prod" {
   bindings = {
     "roles/cloudsql.admin" = [
       "group:gcp-devops@${var.primary_domain}",
+      "serviceAccount:${google_service_account.cloud_infra_sa_prod.email}",
     ]
     "roles/editor" = [
       "group:gcp-devops@${var.primary_domain}",
+      "serviceAccount:${google_service_account.cloud_infra_sa_prod.email}",
     ]
     "roles/run.developer" = [
       "group:gcp-devops@${var.primary_domain}",
     ]
+    "roles/compute.networkAdmin" = [
+      "serviceAccount:${google_service_account.cloud_infra_sa_prod.email}",
+    ]
+    "roles/iam.workloadIdentityUser" = [
+      "serviceAccount:${google_service_account.cloud_infra_sa_prod.email}",
+    ]
   }
+  depends_on = [
+    google_service_account.cloud_infra_sa_prod
+  ]
 }
 
 
@@ -129,19 +164,35 @@ module "gh_oidc_dev" {
   provider_id      = "github"
   pool_description = "A pool of identities to be used by GitHub Actions workflow runners"
   sa_mapping = {
-    #    "cloud_run_service_account" = {
-    #      sa_name   = google_service_account.cloud_run_sa.name
-    #      attribute = "attribute.repository/${var.github_org}/dpgraham-client"
-    #    }
+    "cloud_run_service_account" = {
+      sa_name   = google_service_account.cloud_infra_sa_dev.name
+      attribute = "attribute.repository/${var.github_org}/dpgraham-client"
+    }
     "infra_editor_service_account" = {
       sa_name   = google_service_account.cloud_infra_sa_dev.name
       attribute = "attribute.repository/${var.github_org}/dpgraham-infra"
     }
   }
-  #  depends_on = [
-  #    google_service_account.cloud_infra_sa_dev
-  #    data.google_service_account.cloud_infra_sa,
-  #  ]
+}
+
+module "gh_oidc_prod" {
+  source  = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  version = "3.1.1"
+
+  project_id       = module.dpgraham-com-prod.project_id
+  pool_id          = var.pool_id
+  provider_id      = "github"
+  pool_description = "A pool of identities to be used by GitHub Actions workflow runners"
+  sa_mapping = {
+    "cloud_run_service_account" = {
+      sa_name   = google_service_account.cloud_infra_sa_prod.name
+      attribute = "attribute.repository/${var.github_org}/dpgraham-client"
+    }
+    "infra_editor_service_account" = {
+      sa_name   = google_service_account.cloud_infra_sa_prod.name
+      attribute = "attribute.repository/${var.github_org}/dpgraham-infra"
+    }
+  }
 }
 
 

diff --git a/modules/global-lb/main.tf b/modules/global-lb/main.tf
@@ -1,3 +1,7 @@
+locals {
+  static_asset_url_path = "/${var.static_base_path}*"
+}
+
 resource "google_compute_region_network_endpoint_group" "serverless_neg" {
   provider              = google-beta
   name                  = "serverless-neg"
@@ -20,6 +24,12 @@ resource "google_compute_region_network_endpoint_group" "client_serverless_neg"
   }
 }
 
+resource "google_compute_backend_bucket" "static" {
+  name        = "static-asset-backend-bucket"
+  bucket_name = var.bucket_name
+  enable_cdn  = true
+}
+
 resource "google_compute_url_map" "lb-server-client-map" {
   name            = var.name
   default_service = module.lb-http.backend_services["default"].self_link
@@ -39,6 +49,10 @@ resource "google_compute_url_map" "lb-server-client-map" {
       ]
       service = module.lb-http.backend_services["server"].self_link
     }
+    path_rule {
+      paths   = [local.static_asset_url_path]
+      service = google_compute_backend_bucket.static.id
+    }
   }
 }
 

diff --git a/modules/global-lb/variables.tf b/modules/global-lb/variables.tf
@@ -35,6 +35,16 @@ variable "frontend_service" {
   type        = string
 }
 
+variable "bucket_name" {
+  description = "The name of the bucket to store the static assets"
+  type        = string
+}
+
+variable "static_base_path" {
+  description = "The base path prefix to use for the load balancer URL map"
+  type        = string
+}
+
 variable "region" {
   description = "The region to deploy to"
   type        = string