
Setup automation (#4)
* Add demo github action

* Add terraform

* Add google credentials

* Add permission to read from terraform state bucket

* More stuff

* Use artifact repository

* Initial test of github deploy action

* fix syntax

* Checkout submodules

* Add trace to debug jekyll issue

* Hopefully fix permission issues on docker github

* Try and make it work some more

* Try random things until it works

* Please work

* Fix up directory path

* Add artifact repository role for deployer service account

* Add docker cache to github actions

* Try and get github actions caching to work with docker

* Try cache again, but with more environment variables

* Remove useless docker cache

* Set action for pushes to main only
MatthewLymer authored Nov 12, 2023
1 parent 597e0eb commit 703fc50
Showing 10 changed files with 81 additions and 50 deletions.
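--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,30 @@
+name: Deploy
+
+on:
+push:
+branches:
+- main
+
+jobs:
+Configure-GCP-Project:
+runs-on: ubuntu-latest
+environment: production
+steps:
+- uses: actions/checkout@v3
+with:
+submodules: recursive
+
+- uses: 'google-github-actions/auth@v1'
+with:
+credentials_json: '${{ secrets.GCP_DEPLOYER_SA }}'
+
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.1.4
+
+- name: Build image and push
+env:
+GOOGLE_CREDENTIALS: ${{ secrets.GCP_DEPLOYER_SA }}
+run: |
+mkdir matthewlymer.github.io/.jekyll-cache
+make -C ./deploy push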
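Review bot: The "Build image and push" step exports the raw service-account key JSON a second time as `GOOGLE_CREDENTIALS` even though the `google-github-actions/auth@v1` step above it presumably already wrote credentials for Application Default Credentials, so the long-lived key is now visible to every process that `make -C ./deploy push` spawns; if the Makefile only needs docker/gcloud, drop the `env:` block, and if it runs Terraform, point it at the `GOOGLE_APPLICATION_CREDENTIALS` path the auth step sets instead of re-exporting the secret. The workflow also has no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions; add `permissions:` / `  contents: read` directly under `name: Deploy`. Consider pinning the three actions to commit SHAs rather than floating major tags, and replacing the stored key altogether with Workload Identity Federation (the `workload_identity_provider` and `service_account` inputs of the same auth action) so no long-lived key has to exist in GitHub at all.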
34 changes: 0 additions & 34 deletions Makefile

This file was deleted.

2 changes: 1 addition & 1 deletion containers/httpd/Dockerfile
Expand Up @@ -16,7 +16,7 @@ COPY .git ../.git

RUN mkdir /output && chown jekyll /output

RUN JEKYLL_ENV=production jekyll build --destination /output
RUN JEKYLL_ENV=production jekyll build --trace --destination /output

FROM httpd:2.4

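Review bot: `--trace` on the `jekyll build` line is a debugging aid added to chase a build problem (per the commit message), and nothing records whether it is meant to stay in the production image build; either remove it once the issue is understood or leave a comment on the `RUN` line such as `# --trace: keep full Jekyll stack traces in CI logs so build failures are diagnosable` so the next reader does not strip it as noise. The rest of the Dockerfile (both stages) continues outside the hunk.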
12 changes: 9 additions & 3 deletions deploy/Makefile
@@ -1,10 +1,16 @@
DOCKER_TAG:=$(shell git rev-parse HEAD)
DOCKER_REGISTRY_DOMAIN:=gcr.io
DOCKER_IMAGE:=$(DOCKER_REGISTRY_DOMAIN)/matthewlymer-lymersite/httpd:$(DOCKER_TAG)
DOCKER_REGISTRY_DOMAIN:=us-central1-docker.pkg.dev
DOCKER_IMAGE:=$(DOCKER_REGISTRY_DOMAIN)/matthewlymer-lymersite/default/httpd:$(DOCKER_TAG)

.PHONY: build
build:
docker build --platform=linux/amd64 --tag $(DOCKER_IMAGE) --file "../containers/httpd/Dockerfile" ../
docker buildx build \
--tag=$(DOCKER_IMAGE) \
--cache-to type=gha,mode=max \
--cache-from type=gha \
--platform=linux/amd64 \
--file="../containers/httpd/Dockerfile" \
../

.PHONY: push
push: build
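Review bot: The `--cache-to type=gha,mode=max` and `--cache-from type=gha` flags on the `build` target only work when the GitHub Actions cache endpoint and token (`ACTIONS_CACHE_URL`, `ACTIONS_RUNTIME_TOKEN`) are exported into the build environment and a `docker-container` buildx builder is in use; the default `docker` driver does not support cache export, and the workflow shown in this commit neither sets up a builder nor exposes those variables, which is consistent with the commit message calling the cache useless. Either drop the two cache flags or add `docker/setup-buildx-action` plus a step that exports the runtime variables so the flags actually do something. Tagging the image with `git rev-parse HEAD` is the right choice for traceability and should stay; the `push` target continues outside the hunk.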
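--- a/deploy/project/README.md
+++ b/deploy/project/README.md
@@ -0,0 +1,9 @@
+# Required github personal-access-token configuration
+https://github.com/settings/tokens
+
+Repos:
+- lymersite
+
+Permissions:
+- Read access to metadata
+- Read and Write access to administration, environments, and secrets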
16 changes: 9 additions & 7 deletions deploy/project/deployer-sa.tf
Expand Up @@ -4,8 +4,8 @@ resource "google_service_account" "github_actions_deployer" {
display_name = "GitHub Actions deployer"
}

resource "google_storage_bucket_iam_member" "github_actions_deployer" {
bucket = "artifacts.${local.project.id}.appspot.com"
resource "google_storage_bucket_iam_member" "github_actions_deployer_tfstate_admin" {
bucket = "490635812867-tfstate"
role = "roles/storage.objectAdmin"
member = "serviceAccount:${google_service_account.github_actions_deployer.email}"
}
Expand All @@ -14,8 +14,10 @@ resource "google_service_account_key" "github_actions_deployer" {
service_account_id = google_service_account.github_actions_deployer.name
}

resource "github_actions_secret" "github_actions_deployer_key" {
repository = local.github.repository
secret_name = "GCP_DEPLOYER_SA"
plaintext_value = base64decode(google_service_account_key.github_actions_deployer.private_key)
}
resource "google_artifact_registry_repository_iam_member" "github_actions_deployer_default_writer" {
project = local.project.id
location = google_artifact_registry_repository.default.location
repository = google_artifact_registry_repository.default.name
role = "roles/artifactregistry.writer"
member = "serviceAccount:${google_service_account.github_actions_deployer.email}"
}
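Review bot: `github_actions_deployer_tfstate_admin` grants the CI deployer service account `roles/storage.objectAdmin` on `490635812867-tfstate`, which is the same bucket this project's own `backend "gcs"` block in main.tf writes to, and that state holds the SA's private key in plaintext (the `google_service_account_key` resource and its `base64decode(...private_key)` consumer) plus whatever other prefixes share the bucket; anyone who can trigger the `Deploy` workflow can therefore read and rewrite the state that defines these IAM bindings themselves. If the workflow genuinely needs Terraform state (the Makefile's `push` target is not visible here), give it its own bucket or a prefix-scoped binding (a `condition` block with `resource.name.startsWith("projects/_/buckets/490635812867-tfstate/objects/<prefix>")`, which requires uniform bucket-level access) with the minimum role, and keep this project's state out of its reach. Better still, drop the exported key entirely in favour of Workload Identity Federation so the deployer authenticates without a long-lived secret that has to live in GitHub and in state.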
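--- a/deploy/project/github-environment.tf
+++ b/deploy/project/github-environment.tf
@@ -0,0 +1,13 @@
+# TODO: protect branch
+
+resource "github_repository_environment" "production" {
+repository = local.github.repository
+environment = "production"
+}
+
+resource "github_actions_environment_secret" "github_actions_deployer_key" {
+repository = local.github.repository
+environment = github_repository_environment.production.environment
+secret_name = "GCP_DEPLOYER_SA"
+plaintext_value = base64decode(google_service_account_key.github_actions_deployer.private_key)
+}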
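Review bot: The `production` environment is created with no `deployment_branch_policy` and no reviewers, and deploy.yml runs on every push to `main`, so the moment anyone with write access pushes to `main` the job receives `GCP_DEPLOYER_SA`; the `# TODO: protect branch` comment acknowledges this, but the environment itself should also restrict which refs may deploy, otherwise a branch-protection rule alone still lets any workflow that claims `environment: production` read the secret. At minimum add a `deployment_branch_policy` limited to protected branches and a `github_branch_protection` resource for `main` with required reviews and force pushes disabled (argument names below should be checked against the pinned integrations/github provider version, which is outside this hunk). Also note that `plaintext_value = base64decode(...private_key)` places the SA private key in Terraform state, so the state bucket must be treated as a secret store.
```hcl
resource "github_repository_environment" "production" {
  repository  = local.github.repository
  environment = "production"

  deployment_branch_policy {
    protected_branches     = true
    custom_branch_policies = false
  }
}

resource "github_branch_protection" "main" {
  repository_id       = local.github.repository
  pattern             = "main"
  allows_force_pushes = false

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}
# … unchanged: github_actions_environment_secret …
```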
6 changes: 3 additions & 3 deletions deploy/project/main.tf
Expand Up @@ -14,7 +14,7 @@ locals {

variable "github_token" {
type = string
description = "The fine grained personal access token with read/write permissions for 'Secrets' on the target repository. See https://github.com/settings/tokens"
description = "The fine grained personal access token"
}

variable "alerting_email" {
Expand All @@ -39,7 +39,7 @@ resource "google_project" "default" {

terraform {
backend "gcs" {
bucket = "490635812867-tfstate"
bucket = "490635812867-tfstate" # TODO: this should probably be in a different bucket for security reasons
prefix = "matthewlymer-lymersite-project"
}

Expand All @@ -48,4 +48,4 @@ terraform {
source = "integrations/github"
}
}
}
}
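Review bot: The `github_token` description was reduced to "The fine grained personal access token", which removes the only place in the code that said which scopes the token needs; the requirement now lives only in deploy/project/README.md, and it is broad (write access to Administration, Environments and Secrets). Restore it in the variable so `terraform plan` tells the operator what to provision, and mark the value sensitive so it is never echoed in plan output: `description = "Fine-grained PAT for the target repository with Read/Write on Administration, Environments and Secrets (see deploy/project/README.md)"` followed by `sensitive = true`. The `# TODO` on the backend bucket is the right instinct, and the concrete reason to act on it is elsewhere in this commit: the CI deployer service account is granted object admin on that very bucket, so the project's own state (and the secrets it contains) is readable and writable from the workflow.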
4 changes: 2 additions & 2 deletions deploy/project/project-services.tf
@@ -1,4 +1,4 @@
resource "google_project_service" "container" {
resource "google_project_service" "artifactregistry" {
project = google_project.default.id
service = "container.googleapis.com"
service = "artifactregistry.googleapis.com"
}
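Review bot: Renaming the resource address from `google_project_service.container` to `google_project_service.artifactregistry` and changing `service` is a destroy-and-create, not an in-place update, and with the google provider's default `disable_on_destroy = true` the destroy step disables `container.googleapis.com` (the GKE API) in the project. If that is intended (nothing else in this commit appears to use GKE) it deserves a one-line comment saying so; otherwise set `disable_on_destroy = false` on the old resource in a preceding apply, or keep both services. If the old entry was meant to back the `gcr.io` registry the Makefile used before, note that GCR is served by `containerregistry.googleapis.com`, not `container.googleapis.com`, so it may never have been the API that was actually needed.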
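--- a/deploy/project/registry.tf
+++ b/deploy/project/registry.tf
@@ -0,0 +1,5 @@
+resource "google_artifact_registry_repository" "default" {
+location = "us-central1"
+repository_id = "default"
+format = "DOCKER"
+}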
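Review bot: The repository is created with default settings, which allow an existing tag to be overwritten; since deploy/Makefile tags each image by commit SHA, consider `docker_config { immutable_tags = true }` (supported by recent google provider versions; the version constraint is outside this hunk) so a pushed `httpd:<sha>` cannot later be repointed at different content. The `location = "us-central1"` and `repository_id = "default"` values are also duplicated by hand in deploy/Makefile's `DOCKER_REGISTRY_DOMAIN` and `DOCKER_IMAGE`, so a comment such as `# must match DOCKER_REGISTRY_DOMAIN / DOCKER_IMAGE in deploy/Makefile` on `location` would flag the coupling before someone changes one side. No cleanup policy is defined, so SHA-tagged images accumulate indefinitely; if that matters, add a `cleanup_policies` block where the provider version allows it.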
