Add Cloud Run for GCP CI env

Author: roger2hk

cmd/gcp/Dockerfile

@@ -20,5 +20,8 @@ RUN go build -o bin/sctfe-gcp ./cmd/gcp
 # Build release image
 FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
 
-COPY --from=builder /build/bin/sctfe-gcp /bin/sctfe-gcp
+# TODO: Extract this into another Dockerfile
+# Copy the testdata/fake-ca.cert
+COPY --from=builder /build/bin/sctfe-gcp /build/testdata/fake-ca.cert /bin/
+
 ENTRYPOINT ["/bin/sctfe-gcp"]

deployment/live/gcp/ci/README.md

@@ -0,0 +1 @@
+# GCP SCTFE CI Environment

deployment/live/gcp/ci/terragrunt.hcl

@@ -0,0 +1,19 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/gcp//conformance"
+}
+
+locals {
+  env                 = "ci"
+  base_name           = "${local.env}-conformance"
+  server_docker_image = "us-central1-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
+}
+
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
+}
+
+inputs = merge(
+  local,
+  include.root.locals,
+)

deployment/live/gcp/terragrunt.hcl

@@ -0,0 +1,21 @@
+locals {
+  env        = path_relative_to_include()
+  project_id = get_env("GOOGLE_PROJECT", "phboneff-dev")
+  location   = get_env("GOOGLE_REGION", "us-central1")
+  base_name  = get_env("TESSERA_BASE_NAME", "${local.env}-static-ct")
+}
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.location
+    bucket   = "${local.project_id}-${local.base_name}-terraform-state"
+    prefix   = "terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name = "terraform_state_conformance"
+    }
+  }
+}

deployment/live/gcp/test/README.md

@@ -1,4 +1,4 @@
-# GCP SCTFE Configs
+# GCP SCTFE Local Test Environment
 
 ## Prerequisites
 You'll need to have a VM running in the same GCP project that you can SSH to,
@@ -31,7 +31,7 @@ Set the required environment variables:
 ```bash
 export GOOGLE_PROJECT={VALUE}
 export GOOGLE_REGION={VALUE} # e.g: us-central1
-export TESSERA_BASE_NAME={VALUE} # e.g: staticct
+export TESSERA_BASE_NAME={VALUE} # e.g: test-static-ct
 ```
 
 Terraforming the project can be done by:

deployment/live/gcp/test/terragrunt.hcl

@@ -1,26 +1,18 @@
 terraform {
-  source = "${get_repo_root()}/deployment/modules/gcp//conformance"
+  source = "${get_repo_root()}/deployment/modules/gcp//test"
 }
 
 locals {
-  project_id = get_env("GOOGLE_PROJECT", "phboneff-dev")
-  location   = get_env("GOOGLE_REGION", "us-central1")
-  base_name  = get_env("TESSERA_BASE_NAME", "tessera-staticct")
+  env        = "test"
+  base_name  = get_env("TESSERA_BASE_NAME", "${local.env}-static-ct")
 }
 
-inputs = local
-
-remote_state {
-  backend = "gcs"
-
-  config = {
-    project  = local.project_id
-    location = local.location
-    bucket   = "${local.project_id}-${local.base_name}-terraform-state"
-    prefix   = "terraform.tfstate"
-
-    gcs_bucket_labels = {
-      name = "terraform_state_conformance"
-    }
-  }
+include "root" {
+  path   = find_in_parent_folders()
+  expose = true
 }
+
+inputs = merge(
+  local,
+  include.root.locals,
+)

deployment/modules/gcp/cloudrun/main.tf

@@ -0,0 +1,113 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "registry.terraform.io/hashicorp/google"
+      version = "6.1.0"
+    }
+  }
+}
+
+# Cloud Run
+
+resource "google_project_service" "cloudrun_api" {
+  service            = "run.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_service_account" "cloudrun_service_account" {
+  account_id   = "cloudrun-${var.env}-sa"
+  display_name = "Service Account for Cloud Run (${var.env})"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = var.bucket
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_secret_accessor" {
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.log_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.dedup_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+locals {
+  spanner_log_db_path   = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.log_spanner_db}"
+  spanner_dedup_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.dedup_spanner_db}"
+}
+
+resource "google_cloud_run_v2_service" "default" {
+  name         = var.base_name
+  location     = var.location
+  launch_stage = "GA"
+
+  template {
+    service_account                  = google_service_account.cloudrun_service_account.account_id
+    max_instance_request_concurrency = 700
+    timeout                          = "5s"
+
+    scaling {
+      max_instance_count = 3
+    }
+
+    containers {
+      image = var.server_docker_image
+      name  = "conformance"
+      args = [
+        "--logtostderr",
+        "--v=1",
+        "--http_endpoint=:6962",
+        "--project_id=${var.project_id}",
+        "--bucket=${var.bucket}",
+        "--spanner_db_path=${local.spanner_log_db_path}",
+        "--spanner_dedup_db_path=${local.spanner_dedup_db_path}",
+        "--roots_pem_file=/bin/fake-ca.cert",
+        "--origin=${var.base_name}",
+        "--signer_public_key_secret_name=${var.signer_public_key_secret_name}",
+        "--signer_private_key_secret_name=${var.signer_private_key_secret_name}",
+      ]
+      ports {
+        container_port = 6962
+      }
+
+      resources {
+        limits = {
+          cpu    = "2"
+          memory = "1024Mi"
+        }
+      }
+
+      startup_probe {
+        initial_delay_seconds = 1
+        timeout_seconds       = 1
+        period_seconds        = 10
+        failure_threshold     = 6
+        tcp_socket {
+          port = 6962
+        }
+      }
+    }
+  }
+
+  deletion_protection = false
+
+  client = "terraform"
+
+  depends_on = [
+    google_project_service.cloudrun_api,
+  ]
+}

deployment/modules/gcp/cloudrun/variables.tf

@@ -0,0 +1,54 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Location in which to create resources"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "server_docker_image" {
+  description = "The full image URL (path & tag) for the Docker image to deploy in Cloud Run"
+  type        = string
+}
+
+variable "bucket" {
+  description = "Log GCS bucket"
+  type        = string
+}
+
+variable "log_spanner_instance" {
+  description = "Log Spanner instance"
+  type        = string
+}
+
+variable "log_spanner_db" {
+  description = "Log Spanner database"
+  type        = string
+}
+
+variable "dedup_spanner_db" {
+  description = "Dedup Spanner database"
+  type        = string
+}
+
+variable "signer_public_key_secret_name" {
+  description = "Public key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
+  type        = string
+}
+
+variable "signer_private_key_secret_name" {
+  description = "Private key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
+  type        = string
+}

deployment/modules/gcp/conformance/main.tf

@@ -12,4 +12,27 @@ module "storage" {
 
 module "secretmanager" {
   source = "../secretmanager"
+
+  base_name = var.base_name
+}
+
+module "cloudrun" {
+  source = "../cloudrun"
+
+  env                            = var.env
+  project_id                     = var.project_id
+  base_name                      = var.base_name
+  location                       = var.location
+  server_docker_image            = var.server_docker_image
+  bucket                         = module.storage.log_bucket.id
+  log_spanner_instance           = module.storage.log_spanner_instance.name
+  log_spanner_db                 = module.storage.log_spanner_db.name
+  dedup_spanner_db               = module.storage.dedup_spanner_db.name
+  signer_public_key_secret_name  = module.secretmanager.ecdsa_p256_public_key_id
+  signer_private_key_secret_name = module.secretmanager.ecdsa_p256_private_key_id
+
+  depends_on = [
+    module.secretmanager,
+    module.storage
+  ]
 }

deployment/modules/gcp/conformance/variables.tf

@@ -12,3 +12,13 @@ variable "location" {
   description = "Location in which to create resources"
   type        = string
 }
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "server_docker_image" {
+  description = "The full image URL (path & tag) for the Docker image to deploy in Cloud Run"
+  type        = string
+}

deployment/modules/gcp/secretmanager/main.tf

@@ -28,7 +28,7 @@ resource "tls_private_key" "sctfe_ecdsa_p256" {
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
-  secret_id = "sctfe-ecdsa-p256-public-key"
+  secret_id = "${var.base_name}-ecdsa-p256-public-key"
 
   labels = {
     label = "sctfe-public-key"
@@ -48,7 +48,7 @@ resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
-  secret_id = "sctfe-ecdsa-p256-private-key"
+  secret_id = "${var.base_name}-ecdsa-p256-private-key"
 
   labels = {
     label = "sctfe-private-key"

deployment/modules/gcp/secretmanager/variables.tf

@@ -0,0 +1,4 @@
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}

deployment/modules/gcp/storage/outputs.tf

@@ -3,16 +3,16 @@ output "log_bucket" {
   value       = google_storage_bucket.log_bucket
 }
 
-output "log_spanner_db" {
-  description = "Log Spanner database"
-  value       = google_spanner_database.log_db
-}
-
 output "log_spanner_instance" {
   description = "Log Spanner instance"
   value       = google_spanner_instance.log_spanner
 }
 
+output "log_spanner_db" {
+  description = "Log Spanner database"
+  value       = google_spanner_database.log_db
+}
+
 output "dedup_spanner_db" {
   description = "Dedup Spanner database"
   value       = google_spanner_database.dedup_db

deployment/modules/gcp/test/main.tf

@@ -0,0 +1,17 @@
+terraform {
+  backend "gcs" {}
+}
+
+module "storage" {
+  source = "../storage"
+
+  project_id = var.project_id
+  base_name  = var.base_name
+  location   = var.location
+}
+
+module "secretmanager" {
+  source = "../secretmanager"
+
+  base_name = var.base_name
+}

deployment/modules/gcp/test/outputs.tf

@@ -0,0 +1,9 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = module.secretmanager.ecdsa_p256_public_key_id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = module.secretmanager.ecdsa_p256_private_key_id
+}