Add Cloud Run for GCP CI env (#56)

* Add Cloud Run for GCP CI env

* Add .terraform.lock.hcl

* Build conformance Docker image on top of base image

* Fix circular dependency on stage in Dockerfile

* Add `roles/monitoring.metricWriter` to Cloud Run service account

* Add missing configure-docker command

* Remove leading slash in path

* Replace us-central1 with ${GOOGLE_REGION}

* Add `unset TESSERA_BASE_NAME`

* Update to `GCP SCTFE Test Environment` in README

* Add `env` to GCS bucket labels

* Update the Cloud Run resources limit to align with the measurement unit

Author: roger2hk

cmd/gcp/Dockerfile

@@ -21,4 +21,5 @@ RUN go build -o bin/sctfe-gcp ./cmd/gcp
 FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
 
 COPY --from=builder /build/bin/sctfe-gcp /bin/sctfe-gcp
+
 ENTRYPOINT ["/bin/sctfe-gcp"]

cmd/gcp/ci/Dockerfile

@@ -0,0 +1,12 @@
+FROM sctfe-gcp:latest AS base
+
+# Build release image
+FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
+
+# Copy the fake CA certificate into the container
+COPY ./testdata/fake-ca.cert /bin/
+
+# Copy the sctfe-gcp binary
+COPY --from=base /bin/sctfe-gcp /bin/
+
+ENTRYPOINT ["/bin/sctfe-gcp"]

deployment/live/gcp/ci/.terraform.lock.hcl

@@ -0,0 +1,48 @@
+# GCP SCTFE CI Environment
+
+## Overview
+
+This config uses the [gcp/conformance](/deployment/modules/gcp/conformance) module to
+define a CI environment to run the SCTFE, backed by Trillian Tessera.
+
+At a high level, this environment consists of:
+- One Spanner instance with two databases:
+  - one for Tessera
+  - one for deduplication
+- A GCS Bucket
+- Secret Manager
+- Cloud Run
+
+### Manual Deployment
+
+First authenticate via `gcloud` as a principle with sufficient ACLs for
+the project:
+
+```sh
+gcloud auth application-default login
+```
+
+Set the required environment variables:
+
+```sh
+export GOOGLE_PROJECT={VALUE}
+export GOOGLE_REGION={VALUE} # e.g: us-central1
+unset TESSERA_BASE_NAME
+```
+
+TODO: Add the Artifact Registry which is in the Cloud Build pull request. The expected repository is `${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-ci`.
+
+Build and push the Docker image to Artifact Registry repository:
+
+```sh
+gcloud auth configure-docker ${GOOGLE_REGION}-docker.pkg.dev
+docker build -f ./cmd/gcp/Dockerfile -t sctfe-gcp:latest .
+docker build -f ./cmd/gcp/ci/Dockerfile -t conformance-gcp:latest .
+docker tag conformance-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-ci/conformance-gcp:latest
+docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-ci/conformance-gcp
+```
+
+Terraforming the project can be done by:
+  1. `cd` to the relevant directory (deployment/live/gcp/ci/) for the environment to deploy/change.
+  2. Run `terragrunt apply`.
+

deployment/live/gcp/ci/README.md

@@ -0,0 +1,19 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/gcp//conformance"
+}
+
+locals {
+  env                 = "ci"
+  base_name           = "${local.env}-conformance"
+  server_docker_image = "us-central1-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
+}
+
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
+}
+
+inputs = merge(
+  local,
+  include.root.locals,
+)

deployment/live/gcp/ci/terragrunt.hcl

@@ -0,0 +1,22 @@
+locals {
+  env        = path_relative_to_include()
+  project_id = get_env("GOOGLE_PROJECT", "phboneff-dev")
+  location   = get_env("GOOGLE_REGION", "us-central1")
+  base_name  = get_env("TESSERA_BASE_NAME", "${local.env}-static-ct")
+}
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.location
+    bucket   = "${local.project_id}-${local.base_name}-terraform-state"
+    prefix   = "terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name = "terraform_state"
+      env  = "${local.env}"
+    }
+  }
+}

deployment/live/gcp/terragrunt.hcl

@@ -1,4 +1,4 @@
-# GCP SCTFE Configs
+# GCP SCTFE Test Environment
 
 ## Prerequisites
 You'll need to have a VM running in the same GCP project that you can SSH to,
@@ -8,14 +8,15 @@ installed, and your favourite terminal multiplexer.
 
 ## Overview
 
-This config uses the [gcp/storage](/deployment/modules/gcp/conformance) module to
+This config uses the [gcp/test](/deployment/modules/gcp/test) module to
 define a test environment to run the SCTFE, backed by Trillian Tessera.
 
 At a high level, this environment consists of:
 - One Spanner instance with two databases:
   - one for Tessera
   - one for deduplication
 - A GCS Bucket
+- Secret Manager
 
 ## Manual deployment 
 
@@ -31,12 +32,12 @@ Set the required environment variables:
 ```bash
 export GOOGLE_PROJECT={VALUE}
 export GOOGLE_REGION={VALUE} # e.g: us-central1
-export TESSERA_BASE_NAME={VALUE} # e.g: staticct
+export TESSERA_BASE_NAME={VALUE} # e.g: test-static-ct
 ```
 
 Terraforming the project can be done by:
- 1. `cd` to the relevant directory for the environment to deploy/change (e.g. `ci`)
- 2. Run `terragrunt apply`
+  1. `cd` to the relevant directory for the environment to deploy/change (e.g. `ci`)
+  2. Run `terragrunt apply`
 
 Store the Secret Manager resource ID of signer key pair into the environment variables:
 

deployment/live/gcp/test/README.md

@@ -1,26 +1,18 @@
 terraform {
-  source = "${get_repo_root()}/deployment/modules/gcp//conformance"
+  source = "${get_repo_root()}/deployment/modules/gcp//test"
 }
 
 locals {
-  project_id = get_env("GOOGLE_PROJECT", "phboneff-dev")
-  location   = get_env("GOOGLE_REGION", "us-central1")
-  base_name  = get_env("TESSERA_BASE_NAME", "tessera-staticct")
+  env        = "test"
+  base_name  = get_env("TESSERA_BASE_NAME", "${local.env}-static-ct")
 }
 
-inputs = local
-
-remote_state {
-  backend = "gcs"
-
-  config = {
-    project  = local.project_id
-    location = local.location
-    bucket   = "${local.project_id}-${local.base_name}-terraform-state"
-    prefix   = "terraform.tfstate"
-
-    gcs_bucket_labels = {
-      name = "terraform_state_conformance"
-    }
-  }
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
 }
+
+inputs = merge(
+  local,
+  include.root.locals,
+)

deployment/live/gcp/test/terragrunt.hcl

@@ -0,0 +1,119 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.1.0"
+    }
+  }
+}
+
+# Cloud Run
+
+resource "google_project_service" "cloudrun_api" {
+  service            = "run.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_service_account" "cloudrun_service_account" {
+  account_id   = "cloudrun-${var.env}-sa"
+  display_name = "Service Account for Cloud Run (${var.env})"
+}
+
+resource "google_project_iam_member" "monitoring_metric_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = var.bucket
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_secret_accessor" {
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.log_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.dedup_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+locals {
+  spanner_log_db_path   = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.log_spanner_db}"
+  spanner_dedup_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.dedup_spanner_db}"
+}
+
+resource "google_cloud_run_v2_service" "default" {
+  name         = var.base_name
+  location     = var.location
+  launch_stage = "GA"
+
+  template {
+    service_account                  = google_service_account.cloudrun_service_account.account_id
+    max_instance_request_concurrency = 700
+    timeout                          = "5s"
+
+    scaling {
+      max_instance_count = 3
+    }
+
+    containers {
+      image = var.server_docker_image
+      name  = "conformance"
+      args = [
+        "--logtostderr",
+        "--v=1",
+        "--http_endpoint=:6962",
+        "--project_id=${var.project_id}",
+        "--bucket=${var.bucket}",
+        "--spanner_db_path=${local.spanner_log_db_path}",
+        "--spanner_dedup_db_path=${local.spanner_dedup_db_path}",
+        "--roots_pem_file=/bin/fake-ca.cert",
+        "--origin=${var.base_name}",
+        "--signer_public_key_secret_name=${var.signer_public_key_secret_name}",
+        "--signer_private_key_secret_name=${var.signer_private_key_secret_name}",
+      ]
+      ports {
+        container_port = 6962
+      }
+
+      resources {
+        limits = {
+          cpu    = "2000m"
+          memory = "1Gi"
+        }
+      }
+
+      startup_probe {
+        initial_delay_seconds = 1
+        timeout_seconds       = 1
+        period_seconds        = 10
+        failure_threshold     = 6
+        tcp_socket {
+          port = 6962
+        }
+      }
+    }
+  }
+
+  deletion_protection = false
+
+  client = "terraform"
+
+  depends_on = [
+    google_project_service.cloudrun_api,
+  ]
+}