put preloader in its own module

# Conflicts:
#	deployment/live/gcp/static-ct-staging/cloudbuild/staging/terragrunt.hcl

Author: phbnf

deployment/live/gcp/static-ct-staging/cloudbuild/preloader/.terraform.lock.hcl

@@ -0,0 +1,30 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/gcp//cloudbuild/preloader"
+}
+
+locals {
+  env            = "staging"
+  docker_env     = "staging"
+  project_id     = get_env("GOOGLE_PROJECT", "static-ct-staging")
+  location       = get_env("GOOGLE_REGION", "us-central1")
+  github_owner   = get_env("GITHUB_OWNER", "transparency-dev")
+}
+
+inputs = local
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.location
+    bucket   = "${local.project_id}-cloudbuild-preloader-terraform-state"
+    prefix   = "terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name = "terraform_state"
+      env  = "${local.env}"
+    }
+  }
+}
+

deployment/live/gcp/static-ct-staging/cloudbuild/preloader/terragrunt.hcl

@@ -0,0 +1,123 @@
+terraform {
+  backend "gcs" {}
+
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.12.0"
+    }
+  }
+}
+
+# Cloud Build
+
+locals {
+  cloudbuild_service_account   = "cloudbuild-${var.env}-sa@${var.project_id}.iam.gserviceaccount.com"
+  scheduler_service_account    = "scheduler-${var.env}-sa@${var.project_id}.iam.gserviceaccount.com"
+}
+
+resource "google_project_service" "cloudbuild_api" {
+  service            = "cloudbuild.googleapis.com"
+  disable_on_destroy = false
+}
+
+## Service usage API is required on the project to enable APIs.
+## https://cloud.google.com/apis/docs/getting-started#enabling_apis
+## serviceusage.googleapis.com acts as a central point for managing the API 
+## lifecycle within your project. By ensuring the required APIs are enabled 
+## and accessible, it allows Cloud Build to function seamlessly and interact 
+## with other Google Cloud services as needed.
+## 
+## The Cloud Build service account also needs roles/serviceusage.serviceUsageViewer.
+resource "google_project_service" "serviceusage_api" {
+  service            = "serviceusage.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_cloudbuild_trigger" "preloader_trigger" {
+  name            = "preloader-${var.env}"
+  service_account = "projects/${var.project_id}/serviceAccounts/${local.cloudbuild_service_account}"
+  location        = var.location
+
+  # TODO(phboneff): use a better mechanism to trigger releases that re-uses Docker containters, or based on branches rather.
+  # This is a temporary mechanism to speed up development.
+  github {
+    owner = var.github_owner
+    name  = "static-ct"
+    push {
+      tag = "^staging-deploy-(.+)$"
+    }
+  }
+
+  build {
+    ## Since TesseraCT's infrastructure is not publicly accessible, we need to use 
+    ## bearer tokens for the test to access them.
+    ## This step creates those, and stores them for later use.
+    step {
+      id       = "bearer_token"
+      name     = "gcr.io/cloud-builders/gcloud"
+      script   = <<EOT
+        gcloud auth print-access-token --lifetime=4200 > /workspace/cb_access
+        curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${local.cloudbuild_service_account}/identity?audience=${var.submission_url}" > /workspace/cb_identity
+      EOT
+    }
+
+    ## TODO(phboneff): move to its own container / cloudrun / batch job.
+    ## Preload entries.
+    ## Leave enough time for the preloader to run, until the token expires.
+    timeout = "4200s" // 60 minutes
+    step {
+      id       = "ct_preloader"
+      name     = "golang"
+      script   = <<EOT
+	      START_INDEX=$(curl -H "Authorization: Bearer $(cat /workspace/cb_access)" https://storage.googleapis.com/${var.monitoring_url}/checkpoint | head -2 | tail -1)
+	      echo "Will start preloader at index $START_INDEX"
+        go run github.com/google/certificate-transparency-go/preload/preloader@master \
+          --target_log_uri=${var.submission_url}/ \
+	        --target_bearer_token="$(cat /workspace/cb_identity)" \
+          --source_log_uri=https://ct.googleapis.com/logs/us1/argon2025h1 \
+	        --start_index=$START_INDEX \
+          --num_workers=20 \
+          --parallel_fetch=20 \
+          --parallel_submit=20
+      EOT
+      wait_for = ["bearer_token"]
+      timeout = "3600s" // 60 minutes, duration of token validity.
+    }
+
+    options {
+      logging      = "CLOUD_LOGGING_ONLY"
+      machine_type = "E2_HIGHCPU_8"
+    }
+  }
+}
+
+resource "google_cloud_scheduler_job" "deploy_cron" {
+  paused = false
+  project = var.project_id
+  region  = var.location
+  name    = "deploy-cron"
+
+  schedule  = "50 * * * *"
+  time_zone = "America/Los_Angeles"
+
+  attempt_deadline = "120s"
+
+  // TODO(phboneff): use a batch job instead maybe
+  http_target {
+    http_method = "POST"
+    uri         = "https://cloudbuild.googleapis.com/v1/projects/${var.project_id}/locations/${var.location}/triggers/${google_cloudbuild_trigger.preloader_trigger.trigger_id}:run"
+    body        = base64encode(jsonencode({
+      source = {
+        branchName = "preloader"
+      }
+    }))
+    headers = {
+      "Content-Type" = "application/json"
+    }
+
+    oauth_token {
+      service_account_email = local.scheduler_service_account
+    }
+  }
+}

deployment/modules/gcp/cloudbuild/preloader/main.tf

@@ -0,0 +1,34 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "docker_env" {
+  description = "Unique identifier for the Docker env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "github_owner" {
+  description = "GitHub owner used in Cloud Build trigger repository mapping"
+  type        = string
+}
+
+variable "submission_url" {
+  description = "Submission URL of the destination log"
+  type        = string
+}
+
+variable "monitoring_url" {
+  description = "Monitoring URL of the destination log"
+  type        = string
+}

deployment/modules/gcp/cloudbuild/preloader/variables.tf

@@ -127,42 +127,27 @@ resource "google_cloudbuild_trigger" "build_trigger" {
       wait_for = ["docker_push_conformance_gcp"]
     }
 
-    ## Since the conformance infrastructure is not publicly accessible, we need to use 
-    ## bearer tokens for the test to access them.
-    ## This step creates those, and stores them for later use.
+    ## Apply the deployment/live/gcp/static-staging/cloudbuild/preloader terragrunt config.
+    ## This will bring up the preloader agaist the conformance infrastructure.
     step {
-      id       = "bearer_token"
-      name     = "gcr.io/cloud-builders/gcloud"
-      script   = <<EOT
-        gcloud auth print-access-token > /workspace/cb_access
-        curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${local.cloudbuild_service_account}/identity?audience=$(cat /workspace/conformance_url)" > /workspace/cb_identity
+      id     = "terraform_apply_preloader"
+      name   = "alpine/terragrunt"
+      script = <<EOT
+        terragrunt --terragrunt-non-interactive --terragrunt-no-color apply -auto-approve -no-color -var="submission_url=$(cat /workspace/conformance_url)/arche2025h1.ct.transparency.dev/" -var="monitoring_url=$(cat /workspace/conformance_bucket_name)" 2>&1
       EOT
+      dir    = "deployment/live/gcp/static-ct-staging/cloudbuild/preloader"
+      env = [
+        "GOOGLE_PROJECT=${var.project_id}",
+        "TF_IN_AUTOMATION=1",
+        "TF_INPUT=false",
+        "TF_VAR_project_id=${var.project_id}",
+        "TF_VAR_location=${var.location}",
+        "TF_VAR_env=${var.env}",
+        "TF_VAR_github_owner=${var.github_owner}",
+      ]
       wait_for = ["terraform_apply_conformance_staging"]
     }
 
-    ## TODO(phboneff): move to its own container.
-    ## Test against the conformance server with CT Preloader.
-    ## Leave enough time for the preloader to run, until the token expires.
-    timeout = "3600s" // 60 minutes
-    step {
-      id       = "ct_preloader"
-      name     = "golang"
-      script   = <<EOT
-	      START_INDEX=$(curl -H "Authorization: Bearer $(cat /workspace/cb_access)" https://storage.googleapis.com/$(cat /workspace/conformance_bucket_name)/checkpoint | head -2 | tail -1)
-	      echo "Will start preloader at index $START_INDEX"
-        go run github.com/google/certificate-transparency-go/preload/preloader@master \
-          --target_log_uri=$(cat /workspace/conformance_url)/arche2025h1.ct.transparency.dev \
-	        --target_bearer_token="$(cat /workspace/cb_identity)" \
-          --source_log_uri=https://ct.googleapis.com/logs/us1/argon2025h1 \
-	        --start_index=$START_INDEX \
-          --num_workers=20 \
-          --parallel_fetch=20 \
-          --parallel_submit=20
-      EOT
-      wait_for = ["bearer_token"]
-      timeout = "3000s" // 50 minutes
-    }
-
     options {
       logging      = "CLOUD_LOGGING_ONLY"
       machine_type = "E2_HIGHCPU_8"
@@ -173,33 +158,3 @@ resource "google_cloudbuild_trigger" "build_trigger" {
     module.artifactregistry
   ]
 }
-
-resource "google_cloud_scheduler_job" "deploy_cron" {
-  paused = false
-  project = var.project_id
-  region  = var.location
-  name    = "deploy-cron"
-
-  schedule  = "*/50 * * * *"
-  time_zone = "America/Los_Angeles"
-
-  attempt_deadline = "120s"
-
-  // TODO(phboneff): use a batch job instead maybe
-  http_target {
-    http_method = "POST"
-    uri         = "https://cloudbuild.googleapis.com/v1/projects/${var.project_id}/locations/${var.location}/triggers/${google_cloudbuild_trigger.build_trigger.trigger_id}:run"
-    body        = base64encode(jsonencode({
-      source = {
-        branchName = "preloader"
-      }
-    }))
-    headers = {
-      "Content-Type" = "application/json"
-    }
-
-    oauth_token {
-      service_account_email = local.scheduler_service_account
-    }
-  }
-}