First cut at cloudbuild config for tessera

transparency-dev · Aug 16, 2024 · 5160426 · 5160426
1 parent 8410ce4
commit 5160426
Show file tree

Hide file tree

Showing 6 changed files with 178 additions and 0 deletions.
diff --git a/deployment/live/cloudbuild/README.md b/deployment/live/cloudbuild/README.md
@@ -0,0 +1,14 @@
+# Cloudbuild Triggers and Steps
+
+This directory contains a terragrunt file that can be deployed using `terragrunt apply` to define the necessary triggers and steps in GCB.
+These steps will:
+ 1. Trigger on a change to the `main` branch of the trillian-tessera repo
+ 2. Build the `example-gcp` docker image from the `main` branch
+ 3. Publish this docker image in artifact repository
+
+The first time this is run for a pair of {GCP Project, GitHub Repo} you will get an error message such as the following:
+```
+Error: Error creating Trigger: googleapi: Error 400: Repository mapping does not exist. Please visit $URL to connect a repository to your project
+```
+
+This is a manual one-time step that needs to be followed to integrate GCB and the GitHub project.
diff --git a/deployment/live/cloudbuild/prod/terragrunt.hcl b/deployment/live/cloudbuild/prod/terragrunt.hcl
@@ -0,0 +1,10 @@
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
+}
+
+inputs = merge(
+  include.root.locals,
+  {
+  }
+)
diff --git a/deployment/live/cloudbuild/terragrunt.hcl b/deployment/live/cloudbuild/terragrunt.hcl
@@ -0,0 +1,24 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/cloudbuild"
+}
+
+locals {
+  project_id  = "trillian-tessera"
+  region      = "us-central1"
+  env         = path_relative_to_include()
+}
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.region
+    bucket   = "${local.project_id}-cloudbuild-${local.env}-terraform-state"
+    prefix   = "${path_relative_to_include()}-terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name  = "terraform_state_storage"
+    }
+  }
+}
diff --git a/deployment/modules/cloudbuild/main.tf b/deployment/modules/cloudbuild/main.tf
@@ -0,0 +1,97 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.14.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+# This will be configured by terragrunt when deploying
+terraform {
+  backend "gcs" {}
+}
+
+resource "google_artifact_registry_repository" "docker" {
+  repository_id = "docker-${var.env}"
+  location      = var.region
+  description   = "Tessera example docker images"
+  format        = "DOCKER"
+}
+
+locals {
+  artifact_repo            = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.docker.name}"
+  example_gcp_docker_image = "${local.artifact_repo}/example-gcp"
+}
+
+resource "google_cloudbuild_trigger" "docker" {
+  name            = "build-docker-${var.env}"
+  service_account = google_service_account.cloudbuild_service_account.id
+  location        = var.region
+
+  github {
+    owner = "transparency-dev"
+    name  = "trillian-tessera"
+    push {
+      branch = "^main$"
+    }
+  }
+
+  build {
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "build",
+        "-t", "${local.example_gcp_docker_image}:$SHORT_SHA",
+        "-t", "${local.example_gcp_docker_image}:latest",
+        "-f", "./cmd/example-gcp/Dockerfile",
+        "."
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "push",
+        "--all-tags",
+        local.example_gcp_docker_image
+      ]
+    }
+    options {
+      logging = "CLOUD_LOGGING_ONLY"
+    }
+  }
+}
+
+resource "google_service_account" "cloudbuild_service_account" {
+  account_id   = "cloudbuild-${var.env}-sa"
+  display_name = "Service Account for CloudBuild (${var.env})"
+}
+
+resource "google_project_iam_member" "act_as" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "logs_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "artifact_registry_writer" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "cloudrun_deployer" {
+  project = var.project_id
+  role    = "roles/run.developer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
diff --git a/deployment/modules/cloudbuild/outputs.tf b/deployment/modules/cloudbuild/outputs.tf
@@ -0,0 +1,19 @@
+output "artifact_registry_id" {
+  description = "The ID of the created artifact registry for docker images"
+  value       = google_artifact_registry_repository.docker.id
+}
+
+output "artifact_registry_name" {
+  description = "The name of the created artifact registry for docker images"
+  value       = google_artifact_registry_repository.docker.name
+}
+
+output "cloudbuild_trigger_id" {
+  description = "The ID of the created trigger for building images"
+  value       = google_cloudbuild_trigger.docker.id
+}
+
+output "docker_image" {
+  description = "The address of the docker image that will be built"
+  value       = local.example_gcp_docker_image
+}
diff --git a/deployment/modules/cloudbuild/variables.tf b/deployment/modules/cloudbuild/variables.tf
@@ -0,0 +1,14 @@
+variable "project_id" {
+  description = "The project ID to host the builds in"
+  type        = string
+}
+
+variable "region" {
+  description = "The region to host the builds in"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. ci or prod"
+  type        = string
+}