Initial commit

Author: damienjburks

.gitignore

@@ -0,0 +1,162 @@
+# ---> Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+

.pylintrc

@@ -0,0 +1,3 @@
+[main]
+
+ignore=tests,.env

Dockerfile

@@ -0,0 +1,23 @@
+# Use an official Python runtime as a parent image
+FROM python:3.12.5-bullseye
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Install system dependencies if needed, 
+# not supported by Nexus unfortunately
+RUN apt-get update -y
+RUN apt upgrade -y
+
+# Install Python dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy the current directory contents into the container
+COPY . .
+
+# Expose port 8080 to the outside world
+EXPOSE 8080
+
+# Run app.py when the container launches
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2024 damien
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,85 @@
+# GCP Python FastAPI
+
+This project sets up a simple FastAPI application (with some vulnerabilites) within a Docker container. It uses the official Python runtime and includes all necessary configurations to deploy a FastAPI app with Docker. The container will expose the app on port 80 and automatically run the FastAPI app on startup.
+
+## Requirements
+
+- Docker
+- Python 3.12+
+- FastAPI
+- Uvicorn
+
+## Features
+
+- **Dockerized FastAPI application**: A containerized setup for easy deployment.
+- **Python 3.12.5 runtime**: Uses the latest stable Python version as a base.
+- **Efficient package installation**: Installs required dependencies via `requirements.txt`.
+
+## Project Structure
+
+```bash
+gcp-python-fastapi/
+├── Dockerfile
+├── requirements.txt
+├── main.py  # FastAPI app entry point
+└── ...
+```
+
+- **Dockerfile**: Configures the Docker container for the FastAPI app.
+- **requirements.txt**: Specifies the required Python dependencies for the application.
+- **main.py**: The entry point for the FastAPI application (Make sure to include this file in the project structure).
+
+## Setup and Installation
+
+### 1. Clone the repository
+
+If you haven't cloned the project yet, use the following command:
+
+```bash
+git clone https://github.com/your-username/awesome-fastapi.git
+cd awesome-fastapi
+```
+
+### 2. Build the Docker image
+
+To build the Docker image, run the following command in the root of the project directory:
+
+```bash
+docker build -t awesome-fastapi .
+```
+
+### 3. Run the Docker container
+
+After the image is built, run the container:
+
+```bash
+docker run -d -p 80:80 awesome-fastapi
+```
+
+This command will run the FastAPI app on port 80 of your localhost.
+
+### 4. Access the app
+
+Once the container is running, you can access the FastAPI application by navigating to:
+
+```
+http://localhost:80
+```
+
+## Dependencies
+
+The project uses the following Python packages, which are listed in the `requirements.txt` file:
+
+- `fastapi`: The core framework for building the API.
+- `uvicorn`: ASGI server to run the FastAPI application.
+
+To install dependencies locally, use the following:
+
+```bash
+pip install -r requirements.txt
+```
+
+## Notes
+
+- This setup assumes that your FastAPI app’s entry point is `main.py`, and the FastAPI application instance is named `app`. If your app is structured differently, you may need to modify the `CMD` directive in the Dockerfile accordingly.
+- The container will expose the application on port 80. If you want to use a different port, adjust the `EXPOSE` and `CMD` directives in the Dockerfile.

cloudbuild.yaml

@@ -0,0 +1,62 @@
+steps:
+  # Step 1: Build Docker Image
+  - name: "gcr.io/cloud-builders/docker"
+    args: ["build", "-t", "gcr.io/$PROJECT_ID/my-app:latest", "."]
+
+  # Step 2: Push Docker Image to Container Registry
+  - name: "gcr.io/cloud-builders/docker"
+    args: ["push", "gcr.io/$PROJECT_ID/my-app:latest"]
+
+  # Step 3: Run Unit Tests
+  - name: "python"
+    entrypoint: "bash"
+    args:
+      - "-c"
+      - |
+        pip install -r requirements.txt
+        pytest tests/
+
+  # Step 4: Scan Docker Image with Trivy
+  - name: "aquasec/trivy"
+    args: ["image", "--exit-code", "0", "gcr.io/$PROJECT_ID/my-app:latest"]
+
+  # Step 5: Snyk Code and Dependency Scanning
+  - name: "node"
+    entrypoint: "bash"
+    secretEnv: ["SNYK_TOKEN"]
+    args:
+      - "-c"
+      - |
+        npm install -g snyk
+        snyk auth $$SNYK_TOKEN
+        snyk test || true
+        snyk code test || true
+
+  # Step 6: Deploy to Cloud Run
+  - name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
+    entrypoint: "bash"
+    args:
+      - "-c"
+      - |
+        gcloud run deploy gcp-python-fastapi-service \
+        --image gcr.io/$PROJECT_ID/my-app:latest \
+        --region us-central1 \
+        --platform managed
+
+        gcloud run services add-iam-policy-binding \
+        gcp-python-fastapi-service \
+        --platform=managed \
+        --region=us-central1 \
+        --member="allUsers" \
+        --role="roles/run.invoker" \
+
+options:
+  defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET
+artifacts:
+  objects:
+    location: "gs://dsb-devsecops-lab-bucket"
+    paths: ["*/**"]
+availableSecrets:
+  secretManager:
+    - versionName: projects/724455289756/secrets/cloudbuild-snyk-token/versions/2
+      env: "SNYK_TOKEN"