feat(Infra): Terraform changes specific to the Rangelands project

README.md

@@ -19,11 +19,10 @@ External services:
 
 This repository contains all the code and documentation necessary to set up and deploy the project. It is organized into the following subdirectories:
 
-| Subdirectory name | Description                                                 | Documentation                                                                                            |
-|-------------------|-------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|
-| frontend          | The Next.js client application                            | [client/README.md](client/README.md)             |
-| cms               | The Strapi CMS / API                                        | [cms/README.md](cms/README.md)             |
-| titiler   | Titler Server                                                      | [titiler/README.md](cloud_functions/analysis/README.md)               |
+| Subdirectory name | Description                                                 | Documentation                                           |
+|-------------------|-------------------------------------------------------------|---------------------------------------------------------|
+| frontend          | The Next.js client application                            | [frontend/README.md](frontend/README.md)                |
+| cms               | The Strapi CMS / API                                        | [cms/README.md](cms/README.md)                          |
 | infrastructure    | The Terraform project & GH Actions workflow (provisioning & deployment to Google Cloud Platform) | [infrastructure/README.md](infrastructure/README.md) |
 
 ### Deployment and Infrastructure

infrastructure/README.md

@@ -129,7 +129,7 @@ You will need the following information from the Google Cloud console:
 You will also need to ensure that the user has IAP-secured Tunnel User role.
 
 Steps:
-- (one time per user) Run `gcloud compute ssh <bastion instance name>` to SSH into the bastion host
+- (one time per user) Run `gcloud compute ssh <bastion instance name> --zone=<zone where bastion is located>` to SSH into the bastion host
 - (one time per bastion host) Inside the bastion host, follow the [steps to download and install
   the Cloud SQL Auth proxy](https://cloud.google.com/sql/docs/postgres/sql-proxy#install)
 - (when connecting) Run `gcloud compute start-iap-tunnel <bastion instance name> 22 --local-host-port=localhost:4226` locally. This will start a tunnel, which you must keep open for the duration of your access to the SQL database

infrastructure/base/main.tf

@@ -13,24 +13,51 @@ module "staging" {
   gcp_region          = var.gcp_region
   github_org          = var.github_org
   github_project      = var.github_project
-  github_branch       = "develop"
+  github_branch       = "staging"
   project_name        = var.staging_project_name
   frontend_min_scale  = 0
   backend_min_scale   = 0
   frontend_max_scale  = 1
   backend_max_scale   = 2
   dns_zone_name       = module.dns.dns_zone_name
   domain              = var.domain
-  subdomain           = "subdomain"
+  subdomain           = var.staging_subdomain
   backend_path_prefix = "cms"
   uptime_alert_email  = var.uptime_alert_email
   environment         = "staging"
   database_name       = "strapi"
   database_user       = "strapi"
 }
+/*
+module "production" {
+  source              = "./modules/env"
+  gcp_project_id      = var.gcp_project_id
+  gcp_region          = var.gcp_region
+  github_org          = var.github_org
+  github_project      = var.github_project
+  github_branch       = "main"
+  project_name        = var.production_project_name
+  frontend_min_scale  = 0
+  backend_min_scale   = 0
+  frontend_max_scale  = 1
+  backend_max_scale   = 2
+  dns_zone_name       = module.dns.dns_zone_name
+  domain              = var.domain
+  subdomain           = var.production_subdomain
+  backend_path_prefix = "cms"
+  uptime_alert_email  = var.uptime_alert_email
+  environment         = "production"
+  database_name       = "strapi"
+  database_user       = "strapi"
+}
+*/
 
 module "dns" {
   source = "./modules/dns"
   domain = var.domain
   name   = "domain"
 }
+
+//// domain, emailalert
+///rangelandsdata.org
+/// rangelandsdata.org/rangelandsdataplatform

infrastructure/base/modules/bastion/main.tf

@@ -1,3 +1,9 @@
+resource "google_project_service" "compute_api" {
+  service            = "compute.googleapis.com"
+  project = var.project_id
+  disable_on_destroy = false
+}
+
 resource "google_compute_instance" "bastion" {
   name         = "${var.name}-bastion"
   machine_type = "e2-micro"
@@ -30,6 +36,7 @@ resource "google_compute_instance" "bastion" {
 }
 
 data "google_compute_default_service_account" "default" {
+  depends_on = [google_project_service.compute_api]
 }
 
 resource "google_project_iam_member" "sql_reader" {

infrastructure/base/modules/cloudrun/main.tf

@@ -30,8 +30,8 @@ resource "google_cloud_run_service" "cloud_run" {
       service_account_name = google_service_account.service_account.email
 
       containers {
-        ##### FIRST RUN #####
-        # Google provides a pre-deployed “Hello Cloud Run”
+        ##### FIRST TERRAFORM RUN #####
+        # Google provides a pre-deployed “Hello Cloud Run”, use the relevant image right below, after first successful TF run
         image = "gcr.io/cloudrun/hello"
         # image = "${var.region}-docker.pkg.dev/${var.project_id}/${var.repository}/${var.name}:latest"
 

infrastructure/base/modules/env/main.tf

@@ -2,6 +2,11 @@ locals {
   domain = var.subdomain == "" ? var.domain : "${var.subdomain}.${var.domain}"
 }
 
+resource "google_project_service" "iam_service" {
+  project = var.gcp_project_id
+  service = "iam.googleapis.com"
+}
+
 module "network" {
   source     = "../network"
   project_id = var.gcp_project_id
@@ -73,13 +78,13 @@ module "database" {
   depends_on = [module.network.vpc_access_connector_name]
 }
 
-# if you need access to the DB from your local machine, uncomment this
-# module "bastion" {
-#   source          = "../bastion"
-#   name            = var.project_name
-#   project_id      = var.gcp_project_id
-#   subnetwork_name = module.network.subnetwork_name
-# }
+
+module "bastion" {
+  source          = "../bastion"
+  name            = var.project_name
+  project_id      = var.gcp_project_id
+  subnetwork_name = module.network.subnetwork_name
+}
 
 module "client_uptime_check" {
   source     = "../uptime-check"
@@ -97,12 +102,14 @@ module "cms_uptime_check" {
   project_id = var.gcp_project_id
 }
 
-module "error_reporting" {
+module "backend_error_reporting" {
   source                        = "../error-reporting"
   project_id                    = var.gcp_project_id
   backend_service_account_email = module.backend_cloudrun.service_account_email
 }
 
+//////////////////
+// Secrets and tokens
 resource "random_password" "api_token_salt" {
   length           = 32
   special          = true
@@ -133,6 +140,8 @@ resource "random_password" "app_key" {
   override_special = "!#$%&*()-_=+[]{}<>:?"
 }
 
+///////////////////////////
+// Service Account
 resource "google_service_account" "deploy_service_account" {
   account_id   = "${var.project_name}-deploy-sa"
   display_name = "${var.project_name} Deploy Service Account"
@@ -164,10 +173,7 @@ variable "roles" {
   ]
 }
 
-resource "google_project_service" "iam_service" {
-  project = var.gcp_project_id
-  service = "iam.googleapis.com"
-}
+
 
 module "load_balancer" {
   source                  = "../load-balancer"

infrastructure/base/modules/github_values/main.tf

@@ -1,3 +1,5 @@
+// This module defines a Secret/Variable on Github for each key/value pair in the corresponding map
+
 resource "github_actions_secret" "github_secret" {
   for_each = var.secret_map