Simplified documentation
agnessa committed Oct 3, 2023
1 parent a11c26d commit 11b4e56
Showing 2 changed files with 24 additions and 85 deletions.
99 changes: 17 additions & 82 deletions .github/workflows/deploy.yml
@@ -8,42 +8,19 @@
# 4. Publish it to Google Artifact Registry
# 5. Deploy it to Cloud Run
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled:
#
# Cloud Run run.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
#
# 3. Ensure the required IAM permissions are granted
#
# Cloud Run
# roles/run.admin
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
#
# Cloud Storage
# roles/storage.admin (if using Google Container Registry (gcr) instead)
#
# Artifact Registry
# roles/artifactregistry.admin (project or repository level)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
#
# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
#
# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
#
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
#
# Further reading:
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
# The workflow uses GH Secrets managed by Terraform:
# - GCP_PROJECT_ID
# - GCP_REGION
# - <environment>_GCP_SA_KEY - credentials json for authentication
# - <environment>_CLIENT_ENV_TF_MANAGED
# - <environment>_CMS_ENV_TF_MANAGED
# - <environment>_CLIENT_REPOSITORY
# - <environment>_CLIENT_SERVICE
# - <environment>_CMS_REPOSITORY
# - <environment>_CMS_SERVICE
#
# it also uses the following secrets not managed by Terraform:
# - <environment>_CLIENT_ENV

name: Run deploy

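Review bot: the rewritten header drops every reference to Workload Identity Federation and now documents `<environment>_GCP_SA_KEY - credentials json for authentication` as the only way the workflow reaches GCP. A JSON key stored as a GitHub secret is a long-lived credential that any repository admin or compromised workflow step can exfiltrate, whereas the WIF set-up the deleted text linked to (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) issues short-lived tokens with nothing stored. Either keep WIF as the documented option or add a line here stating who rotates the key and how often. Minor: `it also uses the following secrets` should start with a capital letter.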
@@ -87,34 +64,15 @@ jobs:
run: echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT
id: extract_environment

#- name: Google Auth
# id: auth
# uses: 'google-github-actions/auth@v0'
# with:
# token_format: 'access_token'
# workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
# service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]

# NOTE: Alternative option - authentication via credentials json
#- name: Google Auth authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v1'
with:
credentials_json: "${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }}"
token_format: 'access_token'

# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)

# Authenticate Docker to Google Cloud Artifact Registry
# - name: Docker Auth
# id: docker-auth
# uses: 'docker/login-action@v3'
# with:
# username: 'oauth2accesstoken'
# password: '${{ steps.auth.outputs.access_token }}'
# registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'

# NOTE: Alternative option - authentication via credentials json
# Authenticate Docker to Google Cloud Artifact Registry via credentials json
- name: Docker Auth
id: docker-auth
uses: 'docker/login-action@v3'
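Review bot: deleting the commented-out `google-github-actions/auth@v0` block commits the client job to `credentials_json` authentication with no keyless path left in the file. Two points on the lines that remain. The secret is selected at run time via `secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)]`, and the `$ENVIRONMENT` value it is built from is set outside this hunk; please confirm it cannot be influenced by untrusted input such as a branch name on a pull request, otherwise a job for one environment could read another environment's key. Binding each job to a GitHub Environment with protection rules is the usual guard. Also, `google-github-actions/auth@v1` and `docker/login-action@v3` are mutable tags; pin both to a full commit SHA (tag in a trailing comment) so a retagged upstream action cannot run with the service account key in hand.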
@@ -140,8 +98,6 @@ jobs:
docker tag "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest"
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest"
# END - Docker auth and build

- name: Deploy to Cloud Run
env:
REPOSITORY: ${{ secrets[format('{0}_CLIENT_REPOSITORY', steps.extract_environment.outputs.environment)] }}
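Review bot: `# END - Docker auth and build` is removed here while the matching `# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)` comment above the Docker Auth step is kept, leaving a BEGIN with no END; drop both markers or keep both. While touching these lines: the build step tags and pushes `:latest` alongside `:${{ github.sha }}`. A mutable `latest` tag is fine for people browsing the registry, but the Deploy to Cloud Run step should reference the `${{ github.sha }}` tag (or the pushed digest) so a deploy is reproducible and a later push cannot silently change what gets rolled out.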
@@ -184,34 +140,15 @@ jobs:
run: echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT
id: extract_environment

#- name: Google Auth
# id: auth
# uses: 'google-github-actions/auth@v0'
# with:
# token_format: 'access_token'
# workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
# service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]

# NOTE: Alternative option - authentication via credentials json
#- name: Google Auth authentication via credentials json
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v1'
with:
credentials_json: "${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }}"
token_format: 'access_token'

# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)

# Authenticate Docker to Google Cloud Artifact Registry
# - name: Docker Auth
# id: docker-auth
# uses: 'docker/login-action@v3'
# with:
# username: 'oauth2accesstoken'
# password: '${{ steps.auth.outputs.access_token }}'
# registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'

# NOTE: Alternative option - authentication via credentials json
# Authenticate Docker to Google Cloud Artifact Registry via credentials json
- name: Docker Auth
id: docker-auth
uses: 'docker/login-action@v3'
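Review bot: this hunk is a line-for-line repeat of the client job's edit: the same WIF block removed, the same `Google Auth` and `Docker Auth` steps kept, the same `secrets[format('{0}_GCP_SA_KEY', ...)]` lookup. With authentication and registry login duplicated verbatim in two jobs, every future fix (SHA-pinning the actions, returning to Workload Identity Federation, tightening the environment lookup) has to be applied twice and will drift; factor these steps into a reusable workflow or a composite action that both jobs call.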
@@ -235,8 +172,6 @@ jobs:
docker tag "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest"
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest"
# END - Docker auth and build

- name: Deploy to Cloud Run
env:
REPOSITORY: ${{ secrets[format('{0}_CMS_REPOSITORY', steps.extract_environment.outputs.environment)] }}
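Review bot: same unpaired marker as in the client job: `# END - Docker auth and build` goes while `# BEGIN - Docker auth and build ...` stays in the CMS job. Remove both or neither.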
10 changes: 7 additions & 3 deletions infrastructure/README.md
@@ -58,9 +58,13 @@ Please note, there are some actions that need to be carried out manually - you'l

#### Github Actions

As part of this infrastructure, Github Actions are used to automatically build and push Docker images to [Artifact Registry](https://cloud.google.com/artifact-registry), and to deploy those images to CloudRun once they are pushed. Access by
Github to GCP
is configured through special authorization rules, automatically set up by the Terraform `base` project above.
As part of this infrastructure, Github Actions are used to automatically build and push Docker images to [Artifact Registry](https://cloud.google.com/artifact-registry), and to deploy those images to CloudRun once they are pushed. Access by Github to GCP is configured through special authorization rules, automatically set up by the Terraform `base` project above.
These permissions are necessary for the service account that runs the deployment:
- "roles/iam.serviceAccountTokenCreator",
- "roles/iam.serviceAccountUser",
- "roles/run.developer",
- "roles/artifactregistry.reader",
- "roles/artifactregistry.writer"

There are 2 CloudRun instances, one for the client application and one for the API. Github Secrets are used to provide environment secrets to these instances. Some of the secrets are managed by terraform when provisioning resources (e.g. database credentials for the API). To make it clear, the respective GH Secrets are suffixed "TF_MANAGED".

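Review bot: the new role list needs a reason and a scope for each entry. `roles/iam.serviceAccountTokenCreator` lets the deploy service account mint OAuth tokens and sign JWTs as other service accounts; nothing in the workflow changed in this commit does that (it authenticates with a key file and calls Artifact Registry and Cloud Run directly), so either name the step that needs it or drop it. `roles/artifactregistry.reader` is already contained in `roles/artifactregistry.writer`, so listing both is redundant. For the rest, say where they are bound: `roles/iam.serviceAccountUser` belongs on the Cloud Run runtime service account only, not at project level, and the Artifact Registry role can be granted on the specific repository. Finally, "special authorization rules" is too vague to audit; name the resources the Terraform `base` project actually creates.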
