Add deployment of flight controller to GCP as part of pipeline

Author: mayuthombre

.github/workflows/cicd.yaml renamed to .github/workflows/aws_cicd.yaml

@@ -6,11 +6,11 @@ on:
   workflow_dispatch:
   pull_request:
 concurrency:
-  group: "cicd"
-  cancel-in-progress: true
+  group: "AWS"
+  # cancel-in-progress: true
 jobs:
   deploy:
-    name: CI
+    name: AWS
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -82,4 +82,3 @@ jobs:
         run: make deploy
         env:
           GRAFANA_API_KEY: ${{ secrets.GRAFANA_API_KEY_PROD }}
-      

.github/workflows/gcp_cicd.yaml

@@ -0,0 +1,70 @@
+name: cicd
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+  pull_request:
+concurrency:
+  group: "GCP"
+  cancel-in-progress: true
+jobs:
+  deploy:
+    name: GCP
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_wrapper: false
+
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v1'
+        with:
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Install node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Install cdktf
+        run: npm install --global cdktf-cli@latest
+
+      - name: Install pip packages
+        run: make install-dependencies
+
+      - name: Synthesize terraform configuration template
+        run: make synth-gcp
+
+      - name: Terraform plan
+        run: make plan-gcp
+
+      - name: Deploy base infrastructure
+        run: make deploy-base-gcp
+      
+      - name: Build & push docker image
+        run: make build-image
+      
+      - name: Deploy main infrastructure
+        run: make deploy-main-gcp
+
+      # - name: Perform full test and check coverage
+      #   run: make test
+
+      # - name: Conduct e2e testing
+      #   run: make e2e

.gitignore

@@ -261,4 +261,4 @@ all_files/
 api_key_rotation/
 !api_key_rotation/main.py
 imports/
-cdktf.out
+cdktf.out

12_oidc_gcp/.terraform.lock.hcl

@@ -0,0 +1,19 @@
+terraform {
+  backend "gcs" {
+    bucket = "flight-controller-state"
+    prefix = "oidc/terraform.tfstate"
+  }
+
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+      version = "4.57.0"
+    }
+  }
+}
+
+ # Configure project and region
+provider "google" {
+  region = var.region
+  project = var.project_id
+}

12_oidc_gcp/provider.tf

@@ -0,0 +1,60 @@
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_iam_workload_identity_pool" "gh_pool" {
+  project                   = var.project_id
+  workload_identity_pool_id = "github-pool"
+}
+
+resource "google_iam_workload_identity_pool_provider" "provider" {
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.gh_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "github-provider"
+  attribute_mapping                  = {
+    "google.subject" = "assertion.sub"
+    "attribute.full" = "assertion.repository"
+  }
+  oidc {
+    issuer_uri        = "https://token.actions.githubusercontent.com"
+  }
+
+  depends_on = [
+    google_iam_workload_identity_pool.gh_pool
+  ]
+}
+
+resource "google_service_account" "runner_sa" {
+  project      = var.project_id
+  account_id   = "github-runner"
+  display_name = "Service Account"
+
+  depends_on = [
+    google_iam_workload_identity_pool.gh_pool
+  ]
+}
+
+data "google_iam_policy" "wli_user_ghshr" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+    
+    members = [
+      "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/github-pool/attribute.full/${var.gh_repo}",
+    ]
+  }
+}
+
+resource "google_service_account_iam_policy" "admin-account-iam" {
+  service_account_id = google_service_account.runner_sa.name
+  policy_data        = data.google_iam_policy.wli_user_ghshr.policy_data
+
+  depends_on = [
+    google_service_account.runner_sa
+  ]
+}
+
+resource "google_project_iam_member" "project" {
+  project = var.project_id
+  role    = "roles/owner"
+  member  = "serviceAccount:${google_service_account.runner_sa.email}"
+}

12_oidc_gcp/role.tf

@@ -0,0 +1,15 @@
+variable "project_id" {
+  type = string
+  description = "The Google Project ID"
+}
+
+variable "region" {
+  type = string
+  description = "The Google Project region"
+  default = "australia-southeast1"
+}
+
+variable "gh_repo" {
+  type = string
+  description = "The GitHub repo in the format <username/repo_name>"
+}

12_oidc_gcp/variables.tf

@@ -0,0 +1,13 @@
+FROM python:3.10-slim
+
+ENV PYTHONUNBUFFERED True
+
+COPY requirements.txt ./
+
+RUN pip install -r requirements.txt
+
+ENV APP_HOME /app
+WORKDIR $APP_HOME
+COPY ./src ./src
+
+CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 "src.entrypoints.cloudrun:app"

Dockerfile

@@ -14,6 +14,9 @@ docs-build: docs-install
 docs-run: docs-build
 	cd docs;npm run dev
 
+local-grafana:
+	docker run -d -p 3000:3000 mirror.gcr.io/grafana/grafana:latest
+
 # Test Commands
 unittest:
 	pipenv run pytest -m 'not integration' tests/src tests/publisher
@@ -33,38 +36,65 @@ e2e:
 # Infrastructure Commands
 build-python:
 	pipenv requirements | tee requirements.txt
-	rsync -avu $(shell pwd)/src $(shell pwd)/infrastructure/all_files
-	pip install -r requirements.txt --target=$(shell pwd)/infrastructure/all_files
-	pip install boto3 --target=$(shell pwd)/infrastructure/api_key_rotation
+	rsync -avu $(shell pwd)/src $(shell pwd)/infrastructure/aws/all_files
+	pip install -r requirements.txt --target=$(shell pwd)/infrastructure/aws/all_files
+	pip install boto3 --target=$(shell pwd)/infrastructure/aws/api_key_rotation
+	cd infrastructure/aws; cdktf provider add grafana/grafana
+	cd infrastructure/gcp; cdktf provider add grafana/grafana
 
 clean:
-	cd infrastructure; rm -rf cdktf.out
+	cd infrastructure/aws; rm -rf cdktf.out
+	cd infrastructure/gcp; rm -rf cdktf.out
 
-synth-core:
-	cd infrastructure;cdktf synth infra_tf_cdk
+synth-aws:
+	cd infrastructure/aws;cdktf synth aws_infra_cdktf
 
 synth-grafana:
-	cd infrastructure;cdktf synth grafana
+	cd infrastructure/aws;cdktf synth grafana
+
+synth-gcp:
+	cd infrastructure/gcp; cdktf provider add grafana/grafana
+	cd infrastructure/gcp; cdktf synth base_gcp_infra
+	cd infrastructure/gcp; cdktf synth main_gcp_infra
 
-synth: synth-core synth-grafana
+synth: synth-aws synth-grafana synth-gcp
 
 build: build-python synth
 
-plan-core:
-	cd infrastructure;cdktf plan infra_tf_cdk
+plan-aws:
+	cd infrastructure/aws;cdktf plan aws_infra_cdktf
 
 plan-grafana:
-	cd infrastructure;cdktf plan grafana
+	cd infrastructure/aws;cdktf plan grafana
+
+plan-gcp:
+	cd infrastructure/gcp;cdktf plan base_gcp_infra main_gcp_infra
+
+plan-gcp-grafana:
+	cd infrastructure/gcp;cdktf plan grafana 
+
+plan: build-python plan-aws plan-grafana plan-gcp
 
-plan: build-python plan-core plan-grafana
+plan-gcpstack: plan-gcp plan-grafana
 
-deploy: build-python
-	cd infrastructure;cdktf deploy infra_tf_cdk grafana --auto-approve
+deploy:
+	cd infrastructure/aws;cdktf deploy aws_infra_cdktf grafana --auto-approve
 
-destroy-core:
-	cd infrastructure;cdktf destroy infra_tf_cdk
+destroy-aws:
+	cd infrastructure/aws;cdktf destroy aws_infra_cdktf
 
 destroy-grafana:
-	cd infrastructure;cdktf destroy grafana
+	cd infrastructure/aws;cdktf destroy grafana
 
 destroy: destroy-core destroy-grafana
+
+deploy-base-gcp:
+	cd infrastructure/gcp; cdktf deploy base_gcp_infra --auto-approve
+
+deploy-main-gcp:
+	cd infrastructure/gcp; cdktf deploy base_gcp_infra main_gcp_infra --auto-approve
+
+build-image:
+	gcloud auth configure-docker australia-southeast1-docker.pkg.dev
+	pipenv requirements | tee requirements.txt
+	docker buildx build --platform=linux/amd64 --push . -t australia-southeast1-docker.pkg.dev/contino-squad0-fc/flight-contoller-event-receiver/event_receiver:latest

Makefile

@@ -9,6 +9,7 @@ google-cloud-bigquery = "*"
 gunicorn = "*"
 structlog = "*"
 boto3= "*"
+flask = "*"
 pydantic = "*"
 
 [dev-packages]
@@ -23,6 +24,8 @@ constructs = "*"
 cdktf = "*"
 cdktf-cdktf-provider-aws = "*"
 cdktf-cdktf-provider-archive = "*"
+cdktf-cdktf-provider-google = "*"
+cdktf-cdktf-provider-external = "*"
 pytest-watch = "*"
 dirhash = "*"