feat(api-1973): add 'deployments' folder

Author: Florentin CHAUSSOY

.circleci/config.yml

@@ -0,0 +1,6 @@
+resource "google_project_service" "apis" {
+  for_each                   = toset(var.google_project_services)
+  project                    = var.project_id
+  service                    = each.key
+  disable_dependent_services = true
+}

deployments/modules/dependencies/apis.tf

@@ -0,0 +1,27 @@
+resource "google_artifact_registry_repository" "docker" {
+  provider = google-beta
+  project  = var.project_id
+
+  location      = var.docker_registry_location
+  repository_id = var.docker_registry_id
+  description   = "Docker Registry"
+  format        = "DOCKER"
+
+  depends_on = [
+    google_project_service.apis,
+  ]
+}
+
+resource "google_artifact_registry_repository_iam_member" "main_docker_iam" {
+  provider = google-beta
+  project  = var.project_id
+
+  location   = google_artifact_registry_repository.docker.location
+  repository = google_artifact_registry_repository.docker.name
+  role       = "roles/artifactregistry.writer"
+  member     = "serviceAccount:main-service-account@${var.project_id}.iam.gserviceaccount.com"
+
+  depends_on = [
+    google_artifact_registry_repository.docker,
+  ]
+}

deployments/modules/dependencies/artifact-registry.tf

@@ -0,0 +1,20 @@
+resource "google_dns_managed_zone" "project_zone" {
+  name        = "api-${var.stage}-${var.dns_managed_zone}"
+  dns_name    = "api-${var.stage}.${replace(var.dns_managed_zone, "-", ".")}."
+  description = "api-${var.stage} DNS zone"
+  project     = var.project_id
+
+  dnssec_config {
+    state = "on"
+  }
+
+  depends_on = [
+    google_project_service.dns,
+  ]
+}
+
+resource "google_project_service" "dns" {
+  project                    = var.project_id
+  service                    = "dns.googleapis.com"
+  disable_dependent_services = true
+}

deployments/modules/dependencies/dns.tf

@@ -0,0 +1,114 @@
+# terraform {
+#   required_providers {
+#     datadog = {
+#       source = "datadog/datadog"
+#     }
+#   }
+# }
+
+# data "google_secret_manager_secret_version" "datadog_api_key" {
+#   secret  = "datadog-api-key"
+#   project = var.project_id
+# }
+
+# data "google_secret_manager_secret_version" "datadog_app_key" {
+#   secret  = "datadog-app-key"
+#   project = var.project_id
+# }
+
+# provider "datadog" {
+#   app_key = data.google_secret_manager_secret_version.datadog_app_key.secret_data
+#   api_key = data.google_secret_manager_secret_version.datadog_api_key.secret_data
+#   api_url = "https://api.datadoghq.eu/"
+# }
+
+# resource "datadog_integration_gcp" "gcp_project_integration" {
+#   project_id     = var.project_id
+#   private_key_id = jsondecode(base64decode(google_service_account_key.datadog_monitoring.private_key))["private_key_id"]
+#   private_key    = jsondecode(base64decode(google_service_account_key.datadog_monitoring.private_key))["private_key"]
+#   client_email   = google_service_account.datadog_gcp_integration.email
+#   client_id      = google_service_account.datadog_gcp_integration.unique_id
+# }
+
+# resource "google_service_account" "datadog_gcp_integration" {
+#   account_id   = "appstore-datadog-sa"
+#   project      = var.project_id
+#   display_name = "Datadog <> Google Cloud integration service account"
+# }
+
+# resource "google_service_account_key" "datadog_monitoring" {
+#   service_account_id = google_service_account.datadog_gcp_integration.name
+#   public_key_type    = "TYPE_X509_PEM_FILE"
+# }
+
+# resource "google_logging_project_sink" "log-export-sink" {
+#   name                   = "appstore-datadog-log-sink"
+#   destination            = module.datadog_pubsub_destination.destination_uri
+#   project                = var.project_id
+#   filter                 = "resource.type=workflows.googleapis.com/Workflow OR resource.type=cloud_run_revision"
+#   unique_writer_identity = true
+# }
+
+# module "datadog_pubsub_destination" {
+#   source                   = "terraform-google-modules/log-export/google//modules/pubsub"
+#   create_push_subscriber   = true
+#   create_subscriber        = false
+#   log_sink_writer_identity = "serviceAccount:${google_service_account.datadog_gcp_integration.email}"
+#   project_id               = var.project_id
+#   push_endpoint            = "https://gcp-intake.logs.datadoghq.eu/v1/input/${data.google_secret_manager_secret_version.datadog_api_key.secret_data}/"
+#   topic_name               = "datadog-sink"
+# }
+
+# resource "datadog_logs_custom_pipeline" "appstore_cloud_run" {
+#   filter {
+#     query = "project_id:${var.project_id} source:(\"gcp.cloud.run.revision\" OR \"gcp.workflows.googleapis.com/workflow\")"
+#   }
+#   name       = "${var.project_id} appstore cloud run logs processor"
+#   is_enabled = true
+#   processor {
+#     status_remapper {
+#       sources    = ["data.severity", "data.jsonPayload.level_name", "data.jsonPayload.level"]
+#       name       = "Retrieve status from cloud run logs"
+#       is_enabled = true
+#     }
+#   }
+#   processor {
+#     date_remapper {
+#       sources    = ["data.timestamp"]
+#       name       = "Retrieve timestamp from cloud run logs"
+#       is_enabled = true
+#     }
+#   }
+#   processor {
+#     message_remapper {
+#       sources    = ["data.jsonPayload.msg", "data.jsonPayload.message"]
+#       name       = "JSON Payload as log official message"
+#       is_enabled = true
+#     }
+#   }
+
+# }
+
+# resource "google_project_iam_member" "datadog_compute_viewer" {
+#   project = var.project_id
+#   role    = "roles/compute.viewer"
+#   member  = "serviceAccount:${google_service_account.datadog_gcp_integration.email}"
+# }
+
+# resource "google_project_iam_member" "datadog_monitoring_viewer" {
+#   project = var.project_id
+#   role    = "roles/monitoring.viewer"
+#   member  = "serviceAccount:${google_service_account.datadog_gcp_integration.email}"
+# }
+
+# resource "google_project_iam_member" "datadog_cloudasset_viewer" {
+#   project = var.project_id
+#   role    = "roles/cloudasset.viewer"
+#   member  = "serviceAccount:${google_service_account.datadog_gcp_integration.email}"
+# }
+
+# resource "google_project_iam_member" "sink_publisher" {
+#   project = var.project_id
+#   role    = "roles/pubsub.publisher"
+#   member  = google_logging_project_sink.log-export-sink.writer_identity
+# }

deployments/modules/dependencies/monitoring.tf

@@ -0,0 +1,51 @@
+variable "project_id" {
+  type        = string
+  description = "Project ID"
+}
+
+variable "region" {
+  type        = string
+  description = "Region"
+}
+
+variable "stage" {
+  type        = string
+  description = "Stage"
+}
+
+variable "dns_managed_zone" {
+  type        = string
+  description = "DNS Managed Zone"
+}
+
+variable "docker_registry_id" {
+  type        = string
+  description = "Docker Registry ID"
+}
+
+variable "docker_registry_location" {
+  type        = string
+  description = "Docker Registry Location"
+}
+
+variable "google_project_services" {
+  type        = list(string)
+  description = "List of all google project APIs to activate"
+  default = [
+    "container.googleapis.com",
+    "monitoring.googleapis.com",
+    "logging.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "run.googleapis.com",
+    "secretmanager.googleapis.com",
+  ]
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+locals {
+  project_number = data.google_project.project.number
+}

deployments/modules/dependencies/variables.tf

@@ -0,0 +1,26 @@
+module "storage" {
+  source          = "./storage"
+  project_id      = var.project_id
+  prefix          = var.prefix
+  stage           = var.stage
+  app_version     = var.app_version
+  pull_request    = var.pull_request
+  pull_request_id = var.pull_request_id
+}
+
+module "networking" {
+  source           = "./networking"
+  project_id       = var.project_id
+  region           = var.region
+  prefix           = var.prefix
+  bucket_name      = module.storage.bucket_name
+  dns_managed_zone = var.dns_managed_zone
+  domains          = var.domains
+  stage            = var.stage
+  pull_request     = var.pull_request
+  pull_request_id  = var.pull_request_id
+
+  depends_on = [
+    module.storage
+  ]
+}

deployments/modules/services/main.tf

@@ -0,0 +1,6 @@
+resource "google_compute_backend_bucket" "front" {
+  name        = "${local.context}-bb"
+  description = "Contains static files"
+  bucket_name = var.bucket_name
+  enable_cdn  = true
+}

deployments/modules/services/networking/backend-bucket.tf

@@ -0,0 +1,13 @@
+resource "google_dns_record_set" "public" {
+  name         = "${local.public_project_level_fqdn[0]}."
+  managed_zone = "api-${var.stage}-${var.dns_managed_zone}"
+  type         = "A"
+  ttl          = 300
+  project      = var.project_id
+
+  rrdatas = [google_compute_global_address.default.address]
+
+  depends_on = [
+    google_compute_global_address.default
+  ]
+}

deployments/modules/services/networking/dns.tf

@@ -0,0 +1,55 @@
+resource "google_compute_global_address" "default" {
+  name = "${local.context}-ip"
+}
+
+resource "google_compute_url_map" "default" {
+  name            = "${local.context}-https-lb"
+  default_service = google_compute_backend_bucket.front.id
+}
+
+resource "google_compute_url_map" "https_redirect" {
+  name = "${local.context}-https-redirect"
+
+  default_url_redirect {
+    https_redirect         = true
+    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
+    strip_query            = false
+  }
+}
+
+resource "google_compute_managed_ssl_certificate" "default" {
+  name = "${local.context}-cert"
+
+  managed {
+    domains = local.public_domains
+  }
+}
+
+resource "google_compute_target_https_proxy" "default" {
+  name             = "${local.context}-https-lb-proxy"
+  url_map          = google_compute_url_map.default.id
+  ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
+}
+
+resource "google_compute_target_http_proxy" "https_redirect" {
+  name    = "${local.context}-http-lb-proxy"
+  url_map = google_compute_url_map.https_redirect.id
+}
+
+resource "google_compute_global_forwarding_rule" "https_redirect" {
+  name                  = "${local.context}-http-lb-forwarding-rule"
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+  port_range            = "80"
+  target                = google_compute_target_http_proxy.https_redirect.id
+  ip_address            = google_compute_global_address.default.id
+}
+
+resource "google_compute_global_forwarding_rule" "default" {
+  name                  = "${local.context}-https-lb-forwarding-rule"
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+  port_range            = "443"
+  target                = google_compute_target_https_proxy.default.id
+  ip_address            = google_compute_global_address.default.id
+}