Merge branch 'feature/google-cloud-run-fixes'

gumbo-millennium · Jan 18, 2021 · 4d82c69 · 4d82c69
2 parents fcef688 + 1843e87
commit 4d82c69
Show file tree

Hide file tree

Showing 13 changed files with 184 additions and 58 deletions.
diff --git a/.cloud/docker/entrypoint.sh b/.cloud/docker/entrypoint.sh
@@ -39,6 +39,9 @@ if [ "$GOOGLE_CLOUD" = "run" ]; then
     echo "Replacing port with requested port ${PORT}"
     sed -i -r "s/listen [0-9]+;/listen ${PORT};/g" \
         /etc/nginx/sites-available/*
+
+    echo "Configuring SQL socket"
+    export DB_SOCKET="${DB_SOCKET_DIR:-/cloudsql}/${CLOUD_SQL_CONNECTION_NAME}"
 fi
 
 

diff --git a/.cloud/terraform/.terraform.lock.hcl b/.cloud/terraform/.terraform.lock.hcl
diff --git a/.cloud/terraform/cloud-run.tf b/.cloud/terraform/cloud-run.tf
@@ -1,6 +1,6 @@
 # Now create our Google Cloud Run service
 resource "google_cloud_run_service" "default" {
-  name     = "${var.app_prefix}-laravel-app"
+  name     = "${local.server_prefix}-laravel-app"
   location = var.region
 
   template {
@@ -31,6 +31,20 @@ resource "google_cloud_run_service" "default" {
           name  = "LOG_CHANNEL"
           value = "stackdriver"
         }
+        env {
+          name  = "GOOGLE_CLOUD"
+          value = "run"
+        }
+
+        # Mail
+        env {
+          name  = "MAIL_HOST"
+          value = "smtp-relay.gmail.com"
+        }
+        env {
+          name  = "MAIL_PORT"
+          value = "587"
+        }
 
         # Dynamic
         env {
@@ -42,18 +56,48 @@ resource "google_cloud_run_service" "default" {
           value = google_storage_bucket.site_object_cache.name
         }
 
-        # Secret
+        # App key
+        env {
+          name  = "APP_KEY"
+          value = local.app_token
+        }
+
+        # Database secrets
         env {
           name  = "DB_DATABASE"
-          value = var.cloud_sql_database
+          value = local.cloud_sql_database
         }
         env {
           name  = "DB_USERNAME"
-          value = var.cloud_sql_username
+          value = local.cloud_sql_username
         }
         env {
           name  = "DB_PASSWORD"
-          value = var.cloud_sql_password
+          value = local.cloud_sql_password
+        }
+
+        # Messagebird secrets
+        env {
+          name  = "MESSAGEBIRD_ACCESS_KEY"
+          value = local.messagebird_access_key
+        }
+        env {
+          name  = "MESSAGEBIRD_ORIGINATOR"
+          value = local.messagebird_origin
+        }
+
+        # Concribo secrets
+        env {
+          name  = "CONSCRIBO_ACCOUNT"
+          value = local.conscribo_account
+        }
+        env {
+          name  = "CONSCRIBO_USERNAME"
+          value = local.conscribo_username
+        }
+        env {
+          name  = "CONSCRIBO_PASSWORD"
+          value = local.conscribo_password
         }
       }
     }

diff --git a/.cloud/terraform/cloud-secret-definitions.tf b/.cloud/terraform/cloud-secret-definitions.tf
@@ -0,0 +1,51 @@
+# App token
+resource "google_secret_manager_secret" "app_token" {
+  secret_id = "${var.app_prefix}-app-token"
+
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
+
+# MySQL settings
+resource "google_secret_manager_secret" "cloud_sql" {
+  secret_id = "${var.app_prefix}-cloud-sql"
+
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
+
+# Messagebird
+resource "google_secret_manager_secret" "messagebird" {
+  secret_id = "${var.app_prefix}-messagebird"
+
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
+
+# Conscribo
+resource "google_secret_manager_secret" "conscribo" {
+  secret_id = "conscribo"
+
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
diff --git a/.cloud/terraform/cloud-secret-values.tf b/.cloud/terraform/cloud-secret-values.tf
@@ -0,0 +1,19 @@
+# App token
+data "google_secret_manager_secret_version" "app_token" {
+  secret = google_secret_manager_secret.app_token.name
+}
+
+# Cloud SQL
+data "google_secret_manager_secret_version" "cloud_sql" {
+  secret = google_secret_manager_secret.cloud_sql.name
+}
+
+# Messagebird Settings
+data "google_secret_manager_secret_version" "messagebird" {
+  secret = google_secret_manager_secret.messagebird.name
+}
+
+# Conscribo Settings
+data "google_secret_manager_secret_version" "conscribo" {
+  secret = google_secret_manager_secret.conscribo.name
+}
diff --git a/.cloud/terraform/cloud-sql.tf b/.cloud/terraform/cloud-sql.tf
@@ -1,13 +1,13 @@
 # Create a MySQL sever
 resource "google_sql_database_instance" "db_mysql" {
-  name             = "${var.app_prefix}-mysql"
-  database_version = "MYSQL_8_0"
+  name                = "${local.server_prefix}-mysql"
+  database_version    = "MYSQL_8_0"
+  deletion_protection = false
 
   settings {
     tier = var.cloud_sql_machine
 
-    disk_autoresize     = false
-    deletion_protection = false
+    disk_autoresize = false
 
     maintenance_window {
       day  = 7
@@ -19,14 +19,14 @@ resource "google_sql_database_instance" "db_mysql" {
 # Create a database in the MySQL server
 resource "google_sql_database" "laravel" {
   instance = google_sql_database_instance.db_mysql.name
-  name     = var.cloud_sql_database
+  name     = local.cloud_sql_database
 }
 
 # And create a user in our server
 resource "google_sql_user" "users" {
   instance = google_sql_database_instance.db_mysql.name
-  name     = var.cloud_sql_username
-  password = var.cloud_sql_password
+  name     = local.cloud_sql_username
+  password = local.cloud_sql_password
 }
 
 # Add a resource to bind Cloud Run properly

diff --git a/.cloud/terraform/cloud-storage.tf b/.cloud/terraform/cloud-storage.tf
@@ -1,5 +1,5 @@
 resource "google_storage_bucket" "site_object_cache" {
-  name          = "${var.app_prefix}-app-storage"
+  name          = "${local.server_prefix}-app-storage"
   location      = var.region
   force_destroy = true
 

diff --git a/.cloud/terraform/locals.tf b/.cloud/terraform/locals.tf
@@ -0,0 +1,24 @@
+locals {
+  # Randoms
+  server_prefix = random_id.server_prefix.hex
+
+  # App key
+  app_token = data.google_secret_manager_secret_version.app_token.secret_data
+
+  # Cloud SQL
+  cloud_sql_raw      = jsondecode(data.google_secret_manager_secret_version.cloud_sql.secret_data)
+  cloud_sql_database = tostring(try(local.cloud_sql_raw.database, null))
+  cloud_sql_username = tostring(try(local.cloud_sql_raw.username, null))
+  cloud_sql_password = tostring(try(local.cloud_sql_raw.password, null))
+
+  # Messagebird
+  messagebird_raw        = jsondecode(data.google_secret_manager_secret_version.messagebird.secret_data)
+  messagebird_access_key = tostring(try(local.messagebird_raw.access_key, null))
+  messagebird_origin     = tostring(try(local.messagebird_raw.origin, null))
+
+  # Conscribo API
+  conscribo_raw      = jsondecode(data.google_secret_manager_secret_version.conscribo.secret_data)
+  conscribo_account  = tostring(try(local.conscribo_raw.account, null))
+  conscribo_username = tostring(try(local.conscribo_raw.username, null))
+  conscribo_password = tostring(try(local.conscribo_raw.password, null))
+}
diff --git a/.cloud/terraform/main.tf b/.cloud/terraform/main.tf
@@ -12,6 +12,11 @@ terraform {
       source  = "hashicorp/google"
       version = "3.52.0"
     }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "3.0.1"
+    }
   }
 }
 

diff --git a/.cloud/terraform/random-values.tf b/.cloud/terraform/random-values.tf
@@ -0,0 +1,7 @@
+resource "random_id" "server_prefix" {
+  keepers = {
+    app_prefix = var.app_prefix
+  }
+
+  byte_length = 8
+}
diff --git a/.cloud/terraform/terraform.example.tfvars b/.cloud/terraform/terraform.example.tfvars
@@ -2,10 +2,5 @@
 # Should have the Project:Editor permission
 credentials_file = ""
 
-# Your SQL login data
-cloud_sql_database = "laravel"
-cloud_sql_username = "laravel"
-cloud_sql_password = "laravel"
-
 # Application name
 app_prefix = "evoting2021"
diff --git a/.cloud/terraform/variables.tf b/.cloud/terraform/variables.tf
@@ -47,40 +47,6 @@ variable "container_region" {
   default = "eu"
 }
 
-variable "cloud_sql_database" {
-  type    = string
-  default = "laravel"
-
-  validation {
-    condition     = can(regex("^[a-z]", var.cloud_sql_database))
-    error_message = "App prefix must start with a letter."
-  }
-  validation {
-    condition     = can(regex("^[a-z0-9-]+$", var.cloud_sql_database))
-    error_message = "App prefix must only use lowercase letters, numbers and hyphens."
-  }
-}
-
-variable "cloud_sql_username" {
-  type      = string
-  default   = "laravel"
-  sensitive = true
-
-  validation {
-    condition     = can(regex("^[a-z]", var.cloud_sql_username))
-    error_message = "App prefix must start with a letter."
-  }
-  validation {
-    condition     = can(regex("^[a-z0-9-]+$", var.cloud_sql_username))
-    error_message = "App prefix must only use lowercase letters, numbers and hyphens."
-  }
-}
-
-variable "cloud_sql_password" {
-  type      = string
-  sensitive = true
-}
-
 variable "cloud_sql_machine" {
   type    = string
   default = "db-n1-standard-1"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -134,12 +134,6 @@ jobs:
     needs:
       - build-gcr-image
 
-    env:
-      # Secret based
-      TF_VAR_cloud_sql_database: ${{ secrets.SQL_DATABASE }}
-      TF_VAR_cloud_sql_username: ${{ secrets.SQL_USERNAME }}
-      TF_VAR_cloud_sql_password: ${{ secrets.SQL_PASSWORD }}
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v2