feat: Add Terraform and GitHub Actions for GCP Cloud Function

google-labs-jules[bot] · google-labs-jules[bot] · commit b24f0171a410 · 2025-06-16T16:17:36.000Z
This commit introduces Terraform configuration and a GitHub Actions workflow
to deploy a Java-based Google Cloud Function triggered by HTTP.

Key features:
- Terraform scripts to define the Cloud Function, GCS bucket for source code,
  and IAM permissions for public invocation.
- Parameterized Terraform configuration for different environments (dev, qa, prod)
  using .tfvars and GitHub Actions inputs.
- GitHub Actions workflow that automates:
  - Setting up GCP and Java environments.
  - Authenticating to GCP using a service account.
  - Dynamically configuring Terraform variables based on the deployment branch.
  - Running Terraform init, validate, plan, and apply.
  - Storing Terraform state in a GCS backend, segregated by environment.
- Assumes the JAR file for the function is available in the repository or built
  in a preceding step in the workflow.

Instructions for setting up GCP prerequisites (service accounts, buckets, APIs),
GitHub secrets, and customizing workflow variables (JAR path, entry point,
project IDs) have been provided to you.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,126 @@
+name: Deploy GBFS Validator Cloud Function
+
+on:
+  push:
+    branches:
+      - main  # Or your specific branches for dev, qa, prod
+      # Example:
+      # - dev
+      # - qa
+      # - production
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      # Will be dynamically set based on the branch
+      TF_VAR_gcp_project_id: ""
+      TF_VAR_environment: ""
+      TF_VAR_source_bucket_name: "" # e.g., gbfs-validator-src-dev
+      # These should be configured based on your function's needs
+      TF_VAR_function_name: "gbfs-validator-function" # Can be customized per env if needed
+      TF_VAR_gcp_region: "us-central1" # Change if needed
+      TF_VAR_function_entry_point: "com.example.YourFunctionEntryPoint" # ** IMPORTANT: User needs to change this **
+      TF_VAR_jar_file_path: "path/to/your/validator.jar" # ** IMPORTANT: User needs to change this **
+      TF_VAR_function_runtime: "java11" # Or java17, java21
+      TF_VAR_function_memory_mb: 256
+      TF_VAR_function_timeout_s: 60
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Set up JDK
+      uses: actions/setup-java@v3
+      with:
+        distribution: 'temurin' # Or any other distribution
+        java-version: '11' # Or 17, 21, matching TF_VAR_function_runtime
+
+    # Add a step here to build the JAR if it's not pre-built and checked into the repo
+    # - name: Build JAR (if needed)
+    #   run: |
+    #     # e.g., mvn package -DskipTests
+    #     echo "JAR build step - customize this if your JAR is not pre-built"
+    #     # Ensure TF_VAR_jar_file_path points to the built JAR
+
+    - name: Set up Google Cloud SDK
+      uses: google-github-actions/setup-gcloud@v1
+      with:
+        project_id: ${{ env.TF_VAR_gcp_project_id }} # Will be set dynamically
+
+    - name: Authenticate to GCP
+      uses: google-github-actions/auth@v1
+      with:
+        credentials_json: ${{ secrets.GCP_SA_KEY }} # User needs to set this secret
+
+    - name: Set environment-specific variables
+      run: |
+        BRANCH_NAME=${GITHUB_REF#refs/heads/}
+        if [[ "$BRANCH_NAME" == "main" ]]; then # Assuming 'main' is for 'prod'
+          echo "Setting environment for PROD"
+          echo "TF_VAR_gcp_project_id=${{ secrets.GCP_PROJECT_ID_PROD }}" >> $GITHUB_ENV
+          echo "TF_VAR_environment=prod" >> $GITHUB_ENV
+          echo "TF_VAR_source_bucket_name=gbfs-validator-src-prod" >> $GITHUB_ENV
+          # Add other prod-specific TF_VARs if needed
+        elif [[ "$BRANCH_NAME" == "qa" ]]; then
+          echo "Setting environment for QA"
+          echo "TF_VAR_gcp_project_id=${{ secrets.GCP_PROJECT_ID_QA }}" >> $GITHUB_ENV
+          echo "TF_VAR_environment=qa" >> $GITHUB_ENV
+          echo "TF_VAR_source_bucket_name=gbfs-validator-src-qa" >> $GITHUB_ENV
+          # Add other qa-specific TF_VARs if needed
+        elif [[ "$BRANCH_NAME" == "dev" ]]; then
+          echo "Setting environment for DEV"
+          echo "TF_VAR_gcp_project_id=${{ secrets.GCP_PROJECT_ID_DEV }}" >> $GITHUB_ENV
+          echo "TF_VAR_environment=dev" >> $GITHUB_ENV
+          echo "TF_VAR_source_bucket_name=gbfs-validator-src-dev" >> $GITHUB_ENV
+          # Add other dev-specific TF_VARs if needed
+        else
+          echo "Branch $BRANCH_NAME is not configured for deployment."
+          exit 1
+        fi
+        echo "VERIFYING ENV VARS:"
+        echo "Project ID: ${{ env.TF_VAR_gcp_project_id }}"
+        echo "Environment: ${{ env.TF_VAR_environment }}"
+        echo "Source Bucket: ${{ env.TF_VAR_source_bucket_name }}"
+        echo "Entry Point: ${{ env.TF_VAR_function_entry_point }}"
+        echo "JAR Path: ${{ env.TF_VAR_jar_file_path }}"
+
+
+    - name: Set up Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.2.0 # Or your desired version
+
+    - name: Terraform Init
+      run: terraform init
+      env:
+        # Pass GCS backend config if you decide to use it
+        # GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_path }} # Not needed if using default auth
+        TF_CLI_ARGS_init: "-backend-config=bucket=${{ env.TF_VAR_environment }}-gbfs-tf-state -backend-config=prefix=gbfs-validator"
+
+
+    - name: Terraform Validate
+      run: terraform validate
+
+    - name: Terraform Plan
+      id: plan
+      run: terraform plan -input=false -no-color -out=tfplan
+      continue-on-error: true # To allow viewing the plan even if there are errors for PRs
+
+    - name: Terraform Plan Status
+      if: steps.plan.outcome == 'failure'
+      run: |
+        echo "Terraform Plan failed!"
+        exit 1
+
+    # On pull requests, you might only want to run init, validate, and plan.
+    # The apply step should only run on merges to specific branches.
+    - name: Terraform Apply
+      if: github.event_name == 'push' # Only apply on direct pushes to configured branches
+      run: terraform apply -auto-approve -input=false tfplan
+
+    # Optional: Add a step to output the function URL
+    - name: Show Function URL
+      if: github.event_name == 'push'
+      run: |
+        echo "Cloud Function URL: $(terraform output -raw function_url)"
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,10 @@
+# IAM policy for invoking the function
+# This makes the function publicly accessible.
+resource "google_cloudfunctions_function_iam_member" "invoker" {
+  project        = google_cloudfunctions_function.function.project
+  region         = google_cloudfunctions_function.function.region
+  cloud_function = google_cloudfunctions_function.function.name
+
+  role   = "roles/cloudfunctions.invoker"
+  member = "allUsers"
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,61 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.gcp_project_id
+  region  = var.gcp_region
+}
+
+resource "google_storage_bucket" "source_bucket" {
+  name                        = var.source_bucket_name
+  location                    = var.gcp_region
+  uniform_bucket_level_access = true
+  # Adding labels for better resource management and cost tracking
+  labels = {
+    environment = var.environment
+    app         = var.function_name
+  }
+}
+
+data "archive_file" "source_zip" {
+  type        = "zip"
+  source_file = var.jar_file_path # Path to the JAR file provided by the user
+  output_path = "/tmp/function-source.zip" # Temporary path for the zipped JAR
+}
+
+resource "google_storage_bucket_object" "source_archive" {
+  name   = "function-source-${data.archive_file.source_zip.output_md5}.zip"
+  bucket = google_storage_bucket.source_bucket.name
+  source = data.archive_file.source_zip.output_path # Path to the zipped JAR
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name        = var.function_name
+  description = "GBFS Validator Cloud Function"
+  runtime     = var.function_runtime
+  region      = var.gcp_region
+  project     = var.gcp_project_id
+
+  available_memory_mb   = var.function_memory_mb
+  timeout_seconds       = var.function_timeout_s
+  entry_point           = var.function_entry_point
+  trigger_http          = true
+  source_archive_bucket = google_storage_bucket.source_bucket.name
+  source_archive_object = google_storage_bucket_object.source_archive.name
+
+  labels = {
+    environment = var.environment
+    app         = var.function_name
+  }
+
+  # Depending on the function's needs, you might need to configure environment variables
+  # environment_variables = {
+  #   FOO = "bar"
+  # }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,9 @@
+output "function_url" {
+  description = "The HTTPS trigger URL for the Cloud Function."
+  value       = google_cloudfunctions_function.function.https_trigger_url
+}
+
+output "source_bucket_url" {
+  description = "The URL of the GCS bucket used for storing the function source."
+  value       = google_storage_bucket.source_bucket.url
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,54 @@
+variable "gcp_project_id" {
+  description = "The GCP project ID."
+  type        = string
+}
+
+variable "gcp_region" {
+  description = "The GCP region for the Cloud Function."
+  type        = string
+  default     = "us-central1"
+}
+
+variable "function_name" {
+  description = "The name of the Cloud Function."
+  type        = string
+  default     = "gbfs-validator-function"
+}
+
+variable "function_entry_point" {
+  description = "The entry point of the function in the JAR file (e.g., com.example.MyFunction)."
+  type        = string
+}
+
+variable "jar_file_path" {
+  description = "The path to the JAR file within the repository."
+  type        = string
+}
+
+variable "environment" {
+  description = "The deployment environment (e.g., dev, qa, prod)."
+  type        = string
+}
+
+variable "source_bucket_name" {
+  description = "The name of the GCS bucket to store the function's source code."
+  type        = string
+}
+
+variable "function_runtime" {
+  description = "The runtime for the Cloud Function."
+  type        = string
+  default     = "java11" # Or java17, java21 depending on the JAR
+}
+
+variable "function_memory_mb" {
+  description = "The memory allocated to the Cloud Function in MB."
+  type        = number
+  default     = 256
+}
+
+variable "function_timeout_s" {
+  description = "The timeout for the Cloud Function in seconds."
+  type        = number
+  default     = 60
+}
