feat: add initial flask app with cloud run deployment pipeline

- Set up basic Flask application to retrieve GCP service account info
- Add Dockerfile and requirements for containerization
- Implement GitHub Actions workflow for automated deployment to Cloud Run
- Include security scanning with Trivy as part of CI/CD pipeline

Author: chiqors

.github/workflows/deploy.yml

@@ -0,0 +1,146 @@
+name: Cloud Run Pipeline
+
+on:
+  push:
+    branches:
+      - 'prod-*'  # Matches all production branches
+
+env:
+  # Define the configuration map once as an environment variable
+  CONFIG_MAP: >
+    {
+      "purbalingga": {"project_id": "${{ vars.GCP_PURBALINGGA_ID }}", "secret_name": "GCP_PURBALINGGA_SA_KEY"},
+      "lombokbarat": {"project_id": "${{ vars.GCP_LOMBOKBARAT_ID }}", "secret_name": "GCP_LOMBOKBARAT_SA_KEY"}
+    }
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      project_id: ${{ steps.set-env.outputs.project_id }}
+      repo_name: ${{ steps.set-env.outputs.repo_name }}
+      environment: ${{ steps.set-env.outputs.environment }}
+      secret_name: ${{ steps.set-env.outputs.secret_name }}
+    
+    steps:
+    - name: Extract environment name from branch
+      id: extract-env
+      run: |
+        BRANCH_NAME=${GITHUB_REF#refs/heads/}
+        # Extract environment name after 'prod-' prefix
+        ENV_NAME=${BRANCH_NAME#prod-}
+        echo "Environment name: $ENV_NAME"
+        echo "environment=$ENV_NAME" >> "$GITHUB_OUTPUT"
+    
+    - name: Set environment variables based on branch
+      id: set-env
+      run: |
+        ENV_NAME="${{ steps.extract-env.outputs.environment }}"
+        
+        # Extract project ID and secret name for this environment
+        PROJECT_ID=$(echo $CONFIG_MAP | jq -r --arg env "$ENV_NAME" '.[$env].project_id')
+        SECRET_NAME=$(echo $CONFIG_MAP | jq -r --arg env "$ENV_NAME" '.[$env].secret_name')
+        
+        if [ "$PROJECT_ID" == "null" ]; then
+          echo "Error: No configuration found for environment $ENV_NAME"
+          exit 1
+        fi
+        
+        echo "project_id=$PROJECT_ID" >> "$GITHUB_OUTPUT"
+        echo "environment=$ENV_NAME" >> "$GITHUB_OUTPUT"
+        echo "secret_name=$SECRET_NAME" >> "$GITHUB_OUTPUT"
+        echo "repo_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
+
+  build_and_push:
+    needs: setup
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ secrets.GHCR_USERNAME }}
+        password: ${{ secrets.GHCR_TOKEN }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: ghcr.io/${{ needs.setup.outputs.repo_name }}:${{ github.ref_name }}
+
+  deploy_cloud_run:
+    needs: [setup, build_and_push]
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Authenticate to Google Cloud
+      id: 'auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        credentials_json: ${{ secrets[needs.setup.outputs.secret_name] }}
+        project_id: ${{ needs.setup.outputs.project_id }}
+        create_credentials_file: true
+        export_environment_variables: true
+
+    - name: 'Deploy to Cloud Run'
+      uses: 'google-github-actions/deploy-cloudrun@v2'
+      with:
+        service: '${{ vars.CR_SERVICE }}'
+        image: '${{ vars.CR_REGION }}-docker.pkg.dev/${{ needs.setup.outputs.project_id }}/${{ vars.AR_REPO }}/${{ needs.setup.outputs.repo_name }}:${{ github.ref_name }}'
+        region: '${{ vars.CR_REGION }}'
+        env_vars: |
+          PROJECT_ID=${{ needs.setup.outputs.project_id }}
+
+  trivy_scan:
+    needs: [setup, build_and_push]
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ secrets.GHCR_USERNAME }}
+        password: ${{ secrets.GHCR_TOKEN }}
+
+    - name: Pull image for scanning
+      run: docker pull ghcr.io/${{ needs.setup.outputs.repo_name }}:${{ github.ref_name }}
+
+    - name: Run Trivy vulnerability scan
+      uses: aquasecurity/trivy-action@0.30.0
+      with:
+        image-ref: ghcr.io/${{ needs.setup.outputs.repo_name }}:${{ github.ref_name }}
+        format: table
+        exit-code: 0
+        ignore-unfixed: true
+        vuln-type: os,library
+
+    - name: Generate scan info
+      id: scan-info
+      run: |
+        echo "timestamp=$(date +%Y-%m-%d_%H-%M)" >> $GITHUB_OUTPUT
+        echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+
+    - name: Save Trivy scan log
+      run: |
+        trivy image ghcr.io/${{ needs.setup.outputs.repo_name }}:${{ github.ref_name }} > "security-scan_${{ steps.scan-info.outputs.branch }}_${{ steps.scan-info.outputs.timestamp }}.log"
+
+    - name: Upload Trivy scan log
+      uses: actions/upload-artifact@v4.6.2
+      with:
+        name: security-scan_${{ steps.scan-info.outputs.branch }}_${{ steps.scan-info.outputs.timestamp }}
+        path: security-scan_${{ steps.scan-info.outputs.branch }}_${{ steps.scan-info.outputs.timestamp }}.log

Dockerfile

@@ -0,0 +1,23 @@
+# Use the official Python image
+FROM python:3.9-slim
+
+# Set working directory
+WORKDIR /app
+
+# Copy requirements file
+COPY requirements.txt .
+
+# Install dependencies
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
+COPY app.py .
+
+# Set environment variables
+ENV PORT=8080
+
+# Expose the port
+EXPOSE 8080
+
+# Use gunicorn as the production server
+CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 app:app

main.py

@@ -0,0 +1,42 @@
+from flask import Flask, jsonify
+from google.auth import default
+from google.auth.transport.requests import Request
+import os
+
+app = Flask(__name__)
+
+@app.route('/', methods=['GET'])
+def get_service_account_info():
+    try:
+        # Get credentials from the environment
+        credentials, project_id = default(scopes=['https://www.googleapis.com/auth/cloud-healthcare'])
+        
+        # Get service account email
+        service_account_email = credentials.service_account_email
+        
+        # Request an access token
+        request = Request()
+        credentials.refresh(request)
+        token = credentials.token
+        
+        # Return all information in one response
+        return jsonify({
+            "service_account": service_account_email,
+            "project_id": project_id,
+            "token": token,
+            "success": True
+        })
+    except Exception as e:
+        return jsonify({
+            "service_account": "Unknown",
+            "project_id": "Unknown",
+            "token": "Error retrieving token",
+            "error": str(e),
+            "success": False
+        }), 500
+
+if __name__ == '__main__':
+    # Get port from environment variable or default to 8080
+    port = int(os.environ.get('PORT', 8080))
+    # Run the app, listening on all interfaces
+    app.run(host='0.0.0.0', port=port)

requirements.txt

@@ -0,0 +1,4 @@
+flask==2.3.3
+google-auth==2.22.0
+requests==2.31.0
+gunicorn==21.2.0