A Terraform module for deploying the core storage and IAM resources for an Octue Twined services network to google cloud.
These resources are automatically deployed:
- An artifact registry repository for storing Octue Twined service revision docker images
- A BigQuery table acting as an event store for Twined service events
- IAM service accounts and roles for:
- Any number of maintainers to use with Twined services
- GitHub Actions to a) build and push Twined service images to the artifact registry; b) test services
- A workload identity pool and provider allowing GitHub actions to authenticate with google cloud
- A cloud storage bucket to store input, output, and diagnostics data for Twined services
Important
Deploying this Terraform module is a prerequisite to deploying the terraform-octue-twined-cluster. module. You must deploy both to have a cloud-based Octue Twined services network. See a live example here.
Tip
Deploy this module in a separate Terraform configuration (directory/workspace) to the terraform-octue-twined-cluster module. This allows the option to spin down the Kubernetes cluster provided by the other module while keeping the core resources that contain all data produced by your Twined services available. Spinning the cluster down entirely can save on running costs in periods of extended non-use while keeping all data available.
Add the below blocks to your Terraform configuration and run:
terraform planIf you're happy with the plan, run:
terraform applyand approve the run.
# main.tf
terraform {
required_version = ">= 1.8.0"
required_providers {
google = {
source = "hashicorp/google"
version = "~>6.12"
}
}
}
provider "google" {
project = var.google_cloud_project_id
region = var.google_cloud_region
}
module "octue_twined_core" {
source = "git::github.com/octue/terraform-octue-twined-core.git?ref=0.1.1"
google_cloud_project_id = var.google_cloud_project_id
google_cloud_region = var.google_cloud_region
github_account = var.github_account
}# variables.tf
variable "google_cloud_project_id" {
type = string
default = "<google-cloud-project-id>"
}
variable "google_cloud_region" {
type = string
default = "<google-cloud-region>"
}
variable "github_account" {
type = string
default = "<your-github-account>"
}- Terraform:
>= 1.8.0, <2 - Providers:
hashicorp/google:~>6.12
- Google cloud APIs:
- The Cloud Resource Manager API must be enabled manually before using the module
- All other required google cloud APIs are enabled automatically by the module
The module needs to authenticate with google cloud before it can be used:
- Create a service account for Terraform and assign it the
editorandownerbasic IAM permissions - Download a JSON key file for the service account
- If using Terraform Cloud, follow these instructions. before deleting the key file from your computer
- If not using Terraform Cloud, follow these instructions or use another authentication method.
Warning
If the deletion_protection input is set to true, it must first be set to false and terraform apply run before
running terraform destroy or any other operation that would result in the destruction or replacement of the cloud
storage bucket or event store BigQuery table. Not doing this can lead to a state needing targeted Terraform commands
and/or manual configuration changes to recover from.
Disable deletion_protection and run:
terraform destroy| Name | Type | Required | Default |
|---|---|---|---|
google_cloud_project_id |
string |
Yes | N/A |
google_cloud_region |
string |
Yes | N/A |
github_account |
string |
Yes | N/A |
maintainer_service_account_names |
set(string) |
No | ["default"] |
deletion_protection |
bool |
No | true |
See variables.tf for descriptions.
| Name | Type |
|---|---|
artifact_registry_repository_name |
string |
storage_bucket_url |
string |
event_store_id |
string |
See outputs.tf for descriptions.