Initial commit

.github/terraform/README.md

@@ -0,0 +1,15 @@
+This folder contains the Terraform for some of the infrastructure used by the CICD (continuous integration and continuous delivery/continuous deployment) of this repository.
+
+## Update this Terraform
+
+To make changes to this Terraform, follow these steps:
+
+1. Make sure you have access to the `online-boutique-ci` Google Cloud project.
+1. Move into this folder: `cd .github/terraform`
+1. Set the PROJECT_ID environment variable: `export PROJECT_ID=online-boutique-ci`
+1. Prepare Terraform and download the necessary Terraform dependencies (such as the "hashicorp/google" Terraform provider): `terraform init`
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+    * Ideally, you would see `Apply complete! Resources: 0 added, 0 changed, 0 destroyed.` in the output.
+1. Make your desired changes to the Terraform code.
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+    * This time, Terraform will prompt you confirm your changes before applying them.

.github/terraform/main.tf

@@ -0,0 +1,116 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Set defaults for the google Terraform provider.
+provider "google" {
+  project = var.project_id
+  region  = "us-central1"
+  zone    = "us-central1-a"
+}
+
+terraform {
+  # Store the state inside a Google Cloud Storage bucket.
+  backend "gcs" {
+    bucket = "cicd-terraform-state"
+    prefix = "terraform-state"
+  }
+}
+
+# Enable Google Cloud APIs.
+module "enable_google_apis" {
+  source                      = "terraform-google-modules/project-factory/google//modules/project_services"
+  version                     = "~> 18.0"
+  disable_services_on_destroy = false
+  activate_apis = [
+    "cloudresourcemanager.googleapis.com",
+    "container.googleapis.com",
+    "iam.googleapis.com",
+    "storage.googleapis.com",
+  ]
+  project_id = var.project_id
+}
+
+# Google Cloud Storage for storing Terraform state (.tfstate).
+resource "google_storage_bucket" "terraform_state_storage_bucket" {
+  name                        = "cicd-terraform-state"
+  location                    = "us"
+  storage_class               = "STANDARD"
+  force_destroy               = false
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = true
+  }
+}
+
+# Google Cloud IAM service account for GKE clusters.
+# We avoid using the Compute Engine default service account because it's too permissive.
+resource "google_service_account" "gke_clusters_service_account" {
+  account_id   = "gke-clusters-service-account"
+  display_name = "My Service Account"
+  depends_on = [
+    module.enable_google_apis
+  ]
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
+  project = var.project_id
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
+  project = var.project_id
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# The GKE cluster used for pull-request (PR) staging deployments.
+resource "google_container_cluster" "prs_gke_cluster" {
+  name                = "prs-gke-cluster"
+  location            = "us-central1"
+  enable_autopilot    = true
+  project             = var.project_id
+  deletion_protection = true
+  depends_on = [
+    module.enable_google_apis
+  ]
+  cluster_autoscaling {
+    auto_provisioning_defaults {
+      service_account = google_service_account.gke_clusters_service_account.email
+    }
+  }
+  # Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
+  # Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
+  ip_allocation_policy {
+  }
+}

.github/terraform/variables.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# This file lists variables that you can set using the -var flag during "terraform apply".
+# Example: terraform apply -var project_id="${PROJECT_ID}"
+
+variable "project_id" {
+  type        = string
+  description = "The Google Cloud project ID."
+}

.github/terraform/versions.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 7.0"
+    }
+  }
+}