Create db infra and connect from app. (#64)

anybodys · Jun 10, 2024 · 5bc0337 · 5bc0337
1 parent 4ee874f
commit 5bc0337
Show file tree

Hide file tree

Showing 7 changed files with 268 additions and 97 deletions.
diff --git a/infra/app/.terraform.lock.hcl b/infra/app/.terraform.lock.hcl
diff --git a/infra/app/db.tf b/infra/app/db.tf
@@ -0,0 +1,81 @@
+################################################################
+## Database server
+################################################################
+
+resource "random_password" "artist2d_db" {
+  length  = 16
+  special = false
+}
+
+resource "google_sql_database_instance" "artist2d" {
+  name             = "artist2d"
+  database_version = "POSTGRES_15"
+  region           = var.region
+  root_password    = random_password.artist2d_db.result
+
+  settings {
+    tier = "db-f1-micro"
+  }
+
+  deletion_protection = "false"
+}
+
+################################################################
+## Logical Database -- the thing we connect to!
+## And some user config
+################################################################
+
+resource "google_sql_database" "database" {
+  name     = "artist"
+  instance = google_sql_database_instance.artist2d.name
+}
+
+
+resource "random_password" "storageapi_db" {
+  length  = 16
+  special = false
+}
+
+resource "google_sql_user" "root" {
+  name     = "postgres"
+  instance = google_sql_database_instance.artist2d.name
+  password = random_password.artist2d_db.result
+}
+
+resource "google_sql_user" "storageapi" {
+  name     = "storageapi"
+  instance = google_sql_database_instance.artist2d.name
+  password = random_password.storageapi_db.result
+}
+
+resource "google_secret_manager_secret" "storageapi-db-pass" {
+  secret_id = "storageapi-db-pass"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "storageapi-current" {
+  secret = google_secret_manager_secret.storageapi-db-pass.id
+
+  secret_data = random_password.storageapi_db.result
+}
+
+resource "postgresql_grant" "storageapi" {
+  database    = google_sql_database.database.name
+  role        = google_sql_user.storageapi.name
+  schema      = "public"
+  object_type = "database"
+  privileges  = ["CONNECT", "CREATE", "TEMPORARY"]
+}
+
+provider "postgresql" {
+  host            = google_sql_database_instance.artist2d.ip_address.0.ip_address
+  port            = 5432
+  database        = google_sql_database.database.name
+  username        = google_sql_user.root.name
+  password        = random_password.artist2d_db.result
+  sslmode         = "require"
+  connect_timeout = 15
+}
diff --git a/infra/app/main.tf b/infra/app/main.tf
@@ -1,8 +1,12 @@
 terraform {
   required_providers {
-    docker = {
-      source  = "kreuzwerker/docker"
-      version = "3.0.2"
+    google = {
+      source  = "hashicorp/google"
+      version = "5.32.0"
+    }
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = "1.22.0"
     }
   }
   backend "gcs" {
@@ -25,10 +29,116 @@ data "google_client_config" "current" {
 }
 
 locals {
-  image_base    = "${var.region}-docker.pkg.dev/${var.project}/${var.project}/"
-  client_tag    = var.app_versions["client"]
-  client_image  = "${local.image_base}client:${local.client_tag}"
-  painter_image = "${local.image_base}painterapi:${var.app_versions["painterapi"]}"
-  voting_tag    = var.app_versions["votingapi"]
-  voting_image  = "${local.image_base}votingapi:${local.voting_tag}"
+  image_base     = "${var.region}-docker.pkg.dev/${var.project}/${var.project}/"
+  client_tag     = var.app_versions["client"]
+  voting_tag     = var.app_versions["votingapi"]
+  storageapi_tag = var.app_versions["storageapi"]
+}
+
+################################################################
+## Storage API
+################################################################
+
+resource "google_service_account" "storageapi" {
+  account_id   = "cloud-run-service-account"
+  display_name = "Service account for Cloud Run Storage API"
+}
+
+resource "google_cloud_run_v2_service" "storageapi" {
+  name     = "storageapi"
+  location = var.region
+  ingress  = "INGRESS_TRAFFIC_INTERNAL_ONLY"
+
+  template {
+
+    volumes {
+      name = "cloudsql"
+      cloud_sql_instance {
+        instances = [google_sql_database_instance.artist2d.connection_name]
+      }
+    }
+
+    containers {
+      image = "${local.image_base}storageapi:${local.storageapi_tag}"
+      # TODO: gunicorn
+      command = ["python", "manage.py", "runserver", "0.0.0.0:8000"]
+      env {
+        name  = "ENV"
+        value = "prod"
+      }
+      env {
+        name  = "GOOGLE_CLOUD_PROJECT"
+        value = var.project
+      }
+      env {
+        name  = "POSTGRES_HOST"
+        value = "/cloudsql/${var.project}:${var.region}:${google_sql_database_instance.artist2d.name}"
+      }
+      env {
+        name = "SECRET_KEY"
+        value_source {
+          secret_key_ref {
+            secret  = "django-secret-key"
+            version = "latest"
+          }
+        }
+      }
+      env {
+        name  = "POSTGRES_USER"
+        value = "storageapi"
+      }
+      env {
+        name = "POSTGRES_PASSWORD"
+        value_source {
+          secret_key_ref {
+            secret  = "storageapi-db-pass"
+            version = "latest"
+          }
+        }
+      }
+      volume_mounts {
+        name       = "cloudsql"
+        mount_path = "/cloudsql"
+      }
+    }
+    service_account = google_service_account.storageapi.email
+  }
+}
+
+resource "google_secret_manager_secret_iam_member" "storage-db-api" {
+  secret_id = google_secret_manager_secret.storageapi-db-pass.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.storageapi.email}"
+}
+
+resource "google_project_iam_member" "cloudsql" {
+  project = var.project
+  role    = "roles/cloudsql.client"
+  member  = "serviceAccount:${google_service_account.storageapi.email}"
+}
+
+## Django Secret Key secret.
+
+resource "random_password" "django-secret-key" {
+  length = 64
+}
+
+resource "google_secret_manager_secret" "django-secret-key" {
+  secret_id = "django-secret-key"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "django-secret-current" {
+  secret = google_secret_manager_secret.django-secret-key.id
+
+  secret_data = random_password.django-secret-key.result
+}
+
+resource "google_secret_manager_secret_iam_member" "django-secret-key" {
+  secret_id = google_secret_manager_secret.django-secret-key.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.storageapi.email}"
 }
diff --git a/infra/app/networking.tf b/infra/app/networking.tf
@@ -69,7 +69,7 @@ resource "google_dns_record_set" "api-a" {
   rrdatas      = [module.lb-http.external_ip]
 }
 
-data "google_compute_address" "external_ip" {
+data "google_compute_global_address" "external_ip" {
   name = "artist-address"
 }
 
@@ -80,7 +80,7 @@ module "lb-http" {
   name    = "artist"
   project = var.project
 
-  address                         = data.google_compute_address.external_ip.address
+  address                         = data.google_compute_global_address.external_ip.address
   ssl                             = var.ssl
   managed_ssl_certificate_domains = [var.domain, "${local.api_domain}"]
   https_redirect                  = var.ssl