Support conformance env lifecycle in GCP CI Cloud Build

Author: roger2hk

deployment/live/gcp/cloudbuild/README.md

@@ -7,9 +7,9 @@ is responsible for:
 
 1. Building the `cmd/gcp` and `cmd/gcp/ci` docker images from the `main` branch,
 1. Deploying the `cmd/gcp/ci` image to Cloud Run,
-1. TODO: Creating a fresh conformance testing environment,
-1. TODO: Running the conformance test against the newly build conformance docker image,
-1. TODO: Turning-down the conformance testing environment.
+1. Creating a fresh conformance testing environment,
+1. Running the conformance test against the newly build conformance docker image,
+1. Turning-down the conformance testing environment.
 
 ## Initial setup
 
@@ -22,3 +22,13 @@ Error: Error creating Trigger: googleapi: Error 400: Repository mapping does not
 
 This is a manual one-time step that needs to be followed to integrate GCP Cloud Build 
 and the GitHub repository.
+
+## Externally managed IAM
+
+In case your GCP organization manages the IAM externally, execute the following command before executing `terragrunt apply`.
+
+```sh
+export SKIP_IAM=true
+```
+
+Note that the `SKIP_IAM` value in Cloud Build is propagated to the conformance testing environment.

deployment/modules/gcp/artifactregistry/outputs.tf

@@ -0,0 +1,4 @@
+output "docker" {
+  description = "The artifact registry repository for Docker container images"
+  value       = google_artifact_registry_repository.docker
+}

deployment/modules/gcp/cloudbuild/iam/main.tf

@@ -0,0 +1,76 @@
+resource "google_service_account" "cloudbuild_service_account" {
+  account_id   = "cloudbuild-${var.env}-sa"
+  display_name = "Service Account for Cloud Build (${var.env})"
+}
+
+resource "google_project_iam_member" "logging_log_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "service_usage_viewer" {
+  project = var.project_id
+  role    = "roles/serviceusage.serviceUsageViewer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "storage_admin" {
+  project = var.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "spanner_admin" {
+  project = var.project_id
+  role    = "roles/spanner.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "secretmanager_admin" {
+  project = var.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_open_id_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountOpenIdTokenCreator"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_viewer" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountViewer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_admin" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountAdmin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "resourcemanager_project_iam_admin" {
+  project = var.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "artifactregistry_writer" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "run_admin" {
+  project = var.project_id
+  role    = "roles/run.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}

deployment/modules/gcp/cloudbuild/iam/variables.tf

@@ -0,0 +1,9 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}

deployment/modules/gcp/cloudbuild/main.tf

@@ -21,7 +21,7 @@ module "artifactregistry" {
 # Cloud Build
 
 locals {
-  artifact_repo                = "${var.location}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.docker.name}"
+  artifact_repo                = "${var.location}-docker.pkg.dev/${var.project_id}/${module.artifactregistry.docker.name}"
   conformance_gcp_docker_image = "${local.artifact_repo}/conformance-gcp"
 }
 
@@ -30,36 +30,18 @@ resource "google_project_service" "cloudbuild_api" {
   disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudbuild_service_account" {
-  account_id   = "cloudbuild-${var.env}-sa"
-  display_name = "Service Account for Cloud Build (${var.env})"
+resource "google_project_service" "serviceusage_api" {
+  service            = "serviceusage.googleapis.com"
+  disable_on_destroy = false
 }
 
-resource "google_project_iam_member" "logging_log_writer" {
-  project = var.project_id
-  role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
+module "cloudbuild_iam" {
+  source = "./iam"
 
-resource "google_artifact_registry_repository_iam_member" "artifactregistry_writer" {
-  project    = google_artifact_registry_repository.docker.project
-  location   = google_artifact_registry_repository.docker.location
-  repository = google_artifact_registry_repository.docker.name
-  role       = "roles/artifactregistry.writer"
-  member     = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-# TODO: Use google_cloud_run_service_iam_member to limit the service scope.
-resource "google_project_iam_member" "run_developer" {
-  project = var.project_id
-  role    = "roles/run.developer"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
+  project_id = var.project_id
+  env        = var.env
 
-resource "google_project_iam_member" "iam_service_account_user" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountUser"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+  count = var.skip_iam ? 0 : 1
 }
 
 resource "google_cloudbuild_trigger" "build_trigger" {
@@ -76,8 +58,23 @@ resource "google_cloudbuild_trigger" "build_trigger" {
   }
 
   build {
-    ## TODO: Destroy any pre-existing deployment/live/gcp/ci environment.
+    ## Destroy any pre-existing deployment/live/gcp/ci environment.
     ## This might happen if a previous cloud build failed for some reason.
+    step {
+      id     = "preclean_env"
+      name   = "alpine/terragrunt"
+      script = <<EOT
+        terragrunt --terragrunt-non-interactive --terragrunt-no-color destroy -auto-approve -no-color 2>&1
+      EOT
+      dir    = "deployment/live/gcp/ci"
+      env = [
+        "GOOGLE_PROJECT=${var.project_id}",
+        "SKIP_IAM=${var.skip_iam}",
+        "TF_IN_AUTOMATION=1",
+        "TF_INPUT=false",
+        "TF_VAR_project_id=${var.project_id}"
+      ]
+    }
 
     ## Build the SCTFE GCP Docker image.
     ## This will be used by the building the conformance Docker image which includes 
@@ -119,25 +116,70 @@ resource "google_cloudbuild_trigger" "build_trigger" {
       wait_for = ["docker_build_conformance_gcp"]
     }
 
-    ## Deploy container image to Cloud Run.
-    ## TODO: Remove this as the `terragrunt apply` will bring up the Cloud Run.
+    ## Apply the deployment/live/gcp/ci terragrunt config.
+    ## This will bring up the conformance infrastructure, including a service
+    ## running the conformance server docker image built above.
     step {
-      id         = "cloud_run_deploy"
-      name       = "gcr.io/google.com/cloudsdktool/cloud-sdk"
-      entrypoint = "gcloud"
-      args = [
-        "run",
-        "deploy",
-        "${var.docker_env}-static-ct",
-        "--image",
-        "${local.conformance_gcp_docker_image}:$SHORT_SHA",
-        "--region",
-        var.location
+      id     = "terraform_apply_conformance_ci"
+      name   = "alpine/terragrunt"
+      script = <<EOT
+        terragrunt --terragrunt-non-interactive --terragrunt-no-color apply -auto-approve -no-color 2>&1
+        terragrunt --terragrunt-no-color output --raw conformance_url -no-color > /workspace/conformance_url
+      EOT
+      dir    = "deployment/live/gcp/ci"
+      env = [
+        "GOOGLE_PROJECT=${var.project_id}",
+        "SKIP_IAM=${var.skip_iam}",
+        "TF_IN_AUTOMATION=1",
+        "TF_INPUT=false",
+        "TF_VAR_project_id=${var.project_id}"
       ]
       wait_for = ["docker_push_conformance_gcp"]
     }
 
-    ## TODO: Apply the terragrunt configuration to create the CI environment.
+    ## Since the conformance infrastructure is not publicly accessible, we need to use 
+    ## bearer tokens for the test to access them.
+    ## This step creates those, and stores them for later use.
+    step {
+      id       = "access_token"
+      name     = "gcr.io/cloud-builders/gcloud"
+      script   = <<EOT
+      gcloud auth print-access-token > /workspace/cb_access_token
+      curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${google_service_account.cloudbuild_service_account.id}/identity?audience=$(cat /workspace/conformance_url)" > /workspace/cb_identity
+      EOT
+      wait_for = ["terraform_apply_conformance_ci"]
+    }
+
+    ## Test against the conformance server.
+    ## TODO: Replace this with CT Hammer when it is ready.
+    step {
+      id       = "curl_test"
+      name     = "curlimages/curl"
+      script   = <<EOT
+        curl -X POST $(cat /workspace/conformance_url)/ct/v1/add-pre-chain -H "Authorization: Bearer $(cat /workspace/cb_identity)"
+      EOT
+      wait_for = ["access_token"]
+    }
+
+    ## Destroy the deployment/live/gcp/ci terragrunt config.
+    ## This will tear down the conformance infrastructure we brought up
+    ## above.
+    step {
+      id     = "terraform_destroy_conformance_ci"
+      name   = "alpine/terragrunt"
+      script = <<EOT
+        terragrunt --terragrunt-non-interactive --terragrunt-no-color destroy -auto-approve -no-color 2>&1
+      EOT
+      dir    = "deployment/live/gcp/ci"
+      env = [
+        "GOOGLE_PROJECT=${var.project_id}",
+        "SKIP_IAM=${var.skip_iam}",
+        "TF_IN_AUTOMATION=1",
+        "TF_INPUT=false",
+        "TF_VAR_project_id=${var.project_id}"
+      ]
+      wait_for = ["curl_test"]
+    }
 
     options {
       logging      = "CLOUD_LOGGING_ONLY"
@@ -146,6 +188,6 @@ resource "google_cloudbuild_trigger" "build_trigger" {
   }
 
   depends_on = [
-    google_artifact_registry_repository.docker
+    module.artifactregistry
   ]
 }

deployment/modules/gcp/cloudbuild/variables.tf

@@ -22,3 +22,8 @@ variable "github_owner" {
   description = "GitHub owner used in Cloud Build trigger repository mapping"
   type        = string
 }
+
+variable "skip_iam" {
+  description = "Skip for GCP projects with externally managed IAM"
+  type        = bool
+}

deployment/modules/gcp/cloudrun/iam/main.tf

@@ -0,0 +1,42 @@
+resource "google_service_account" "cloudrun_service_account" {
+  account_id   = var.cloudrun_service_account_id
+  display_name = "Service Account for Cloud Run (${var.env})"
+}
+
+resource "google_project_iam_member" "run_service_agent" {
+  project = var.project_id
+  role    = "roles/run.serviceAgent"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "monitoring_metric_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = var.bucket
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_secret_accessor" {
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.log_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.dedup_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}

deployment/modules/gcp/cloudrun/iam/variables.tf

@@ -0,0 +1,34 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "cloudrun_service_account_id" {
+  description = "The Clour Run service account ID to be created"
+  type        = string
+}
+
+variable "bucket" {
+  description = "Log GCS bucket"
+  type        = string
+}
+
+variable "log_spanner_instance" {
+  description = "Log Spanner instance"
+  type        = string
+}
+
+variable "log_spanner_db" {
+  description = "Log Spanner database"
+  type        = string
+}
+
+variable "dedup_spanner_db" {
+  description = "Dedup Spanner database"
+  type        = string
+}

deployment/modules/gcp/cloudrun/main.tf

@@ -9,6 +9,12 @@ terraform {
 
 # Cloud Run
 
+locals {
+  cloudrun_service_account_id = "cloudrun-${var.env}-sa"
+  spanner_log_db_path         = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.log_spanner_db}"
+  spanner_dedup_db_path       = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.dedup_spanner_db}"
+}
+
 resource "google_project_service" "cloudrun_api" {
   service            = "run.googleapis.com"
   disable_on_destroy = false

deployment/modules/gcp/cloudrun/variables.tf

@@ -52,3 +52,8 @@ variable "signer_private_key_secret_name" {
   description = "Private key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
 }
+
+variable "skip_iam" {
+  description = "Skip for GCP projects with externally managed IAM"
+  type        = bool
+}