Add Cloud Build for GCP CI env (#58)

* Add Cloud Build for GCP CI env

* Add Cloud Build for GCP CI env

* Switch from ci to prod for cloud build service account

* Add docker_env to cloud build config

* Add docker_env to cloud build config

* Remove roles/cloudbuild.builds.editor from cloud build service account

* Add line to EOF

* Move terraform source to cloud build root module

* Remove unused terraform local var

* Update `GOOGLE_PROJECT` default value to `static-ct`

* Allow injecting the GitHub owner for Cloud Build repo mapping

Author: roger2hk

deployment/live/gcp/cloudbuild/prod/.terraform.lock.hcl

@@ -0,0 +1,13 @@
+locals {
+  docker_env = "ci"
+}
+
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
+}
+
+inputs = merge(
+  local,
+  include.root.locals,
+)

deployment/live/gcp/cloudbuild/prod/terragrunt.hcl

@@ -0,0 +1,27 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/gcp//cloudbuild"
+}
+
+locals {
+  env          = path_relative_to_include()
+  project_id   = get_env("GOOGLE_PROJECT", "static-ct")
+  location     = get_env("GOOGLE_REGION", "us-central1")
+  base_name    = get_env("TESSERA_BASE_NAME", "${local.env}-cloudbuild")
+  github_owner = get_env("GITHUB_OWNER", "transparency-dev")
+}
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.location
+    bucket   = "${local.project_id}-${local.base_name}-terraform-state"
+    prefix   = "terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name = "terraform_state"
+      env  = "${local.env}"
+    }
+  }
+}

deployment/live/gcp/cloudbuild/terragrunt.hcl

@@ -0,0 +1,159 @@
+terraform {
+  backend "gcs" {}
+
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.1.0"
+    }
+  }
+}
+
+# Artifact Registry
+
+resource "google_project_service" "artifact_registry_api" {
+  service            = "artifactregistry.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_artifact_registry_repository" "docker" {
+  repository_id = "docker-${var.docker_env}"
+  location      = var.location
+  description   = "Static CT docker images"
+  format        = "DOCKER"
+  depends_on = [
+    google_project_service.artifact_registry_api,
+  ]
+}
+
+# Cloud Build
+
+locals {
+  artifact_repo                = "${var.location}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.docker.name}"
+  conformance_gcp_docker_image = "${local.artifact_repo}/conformance-gcp"
+}
+
+resource "google_project_service" "cloudbuild_api" {
+  service            = "cloudbuild.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_service_account" "cloudbuild_service_account" {
+  account_id   = "cloudbuild-${var.env}-sa"
+  display_name = "Service Account for Cloud Build (${var.env})"
+}
+
+resource "google_project_iam_member" "logging_log_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_artifact_registry_repository_iam_member" "artifactregistry_writer" {
+  project    = google_artifact_registry_repository.docker.project
+  location   = google_artifact_registry_repository.docker.location
+  repository = google_artifact_registry_repository.docker.name
+  role       = "roles/artifactregistry.writer"
+  member     = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+# TODO: Use google_cloud_run_service_iam_member to limit the service scope.
+resource "google_project_iam_member" "run_developer" {
+  project = var.project_id
+  role    = "roles/run.developer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_cloudbuild_trigger" "build_trigger" {
+  name            = "build-docker-${var.docker_env}"
+  service_account = google_service_account.cloudbuild_service_account.id
+  location        = var.location
+
+  github {
+    owner = var.github_owner
+    name  = "static-ct"
+    push {
+      branch = "^main$"
+    }
+  }
+
+  build {
+    ## TODO: Destroy any pre-existing deployment/live/gcp/ci environment.
+    ## This might happen if a previous cloud build failed for some reason.
+
+    ## Build the SCTFE GCP Docker image.
+    ## This will be used by the building the conformance Docker image which includes 
+    ## the test data.
+    step {
+      id   = "docker_build_sctfe_gcp"
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "build",
+        "-t", "sctfe-gcp:$SHORT_SHA",
+        "-t", "sctfe-gcp:latest",
+        "-f", "./cmd/gcp/Dockerfile",
+        "."
+      ]
+    }
+
+    ## Build the SCTFE GCP Conformance Docker container image.
+    step {
+      id   = "docker_build_conformance_gcp"
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "build",
+        "-t", "${local.conformance_gcp_docker_image}:$SHORT_SHA",
+        "-t", "${local.conformance_gcp_docker_image}:latest",
+        "-f", "./cmd/gcp/ci/Dockerfile",
+        "."
+      ]
+    }
+
+    ## Push the conformance Docker container image to Artifact Registry.
+    step {
+      id   = "docker_push_conformance_gcp"
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "push",
+        "--all-tags",
+        local.conformance_gcp_docker_image
+      ]
+      wait_for = ["docker_build_conformance_gcp"]
+    }
+
+    ## Deploy container image to Cloud Run.
+    ## TODO: Remove this as the `terragrunt apply` will bring up the Cloud Run.
+    step {
+      id         = "cloud_run_deploy"
+      name       = "gcr.io/google.com/cloudsdktool/cloud-sdk"
+      entrypoint = "gcloud"
+      args = [
+        "run",
+        "deploy",
+        "${var.docker_env}-static-ct",
+        "--image",
+        "${local.conformance_gcp_docker_image}:$SHORT_SHA",
+        "--region",
+        var.location
+      ]
+      wait_for = ["docker_push_conformance_gcp"]
+    }
+
+    ## TODO: Apply the terragrunt configuration to create the CI environment.
+
+    options {
+      logging      = "CLOUD_LOGGING_ONLY"
+      machine_type = "E2_HIGHCPU_8"
+    }
+  }
+
+  depends_on = [
+    google_artifact_registry_repository.docker
+  ]
+}

deployment/modules/gcp/cloudbuild/main.tf

@@ -0,0 +1,24 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "docker_env" {
+  description = "Unique identifier for the Docker env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "github_owner" {
+  description = "GitHub owner used in Cloud Build trigger repository mapping"
+  type        = string
+}

deployment/modules/gcp/cloudbuild/variables.tf

@@ -19,6 +19,12 @@ resource "google_service_account" "cloudrun_service_account" {
   display_name = "Service Account for Cloud Run (${var.env})"
 }
 
+resource "google_project_iam_member" "run_service_agent" {
+  project = var.project_id
+  role    = "roles/run.serviceAgent"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
 resource "google_project_iam_member" "monitoring_metric_writer" {
   project = var.project_id
   role    = "roles/monitoring.metricWriter"