Merge pull request #3 from getsentry/create-CI-CD

Create ci cd

Author: Jeffreyhung

.github/workflows/terraform-apply.yaml

@@ -21,9 +21,8 @@ jobs:
         id: auth
         uses: google-github-actions/auth@v2
         with:
-          workload_identity_provider: |
-            projects/${{ var.project_number }}/locations/global/workloadIdentityPools/${{ var.environ }}-github/providers/github-oidc-pool
-          service_account: ${{ var.terraformer }}
+          workload_identity_provider: projects/546928617664/locations/global/workloadIdentityPools/gha-terraform-checker-pool/providers/gha-terraform-checker-provider
+          service_account: gha-cloud-functions-deployment@jeffreyhung-test.iam.gserviceaccount.com
 
       - name: terraform apply
         id: terraform-apply

.github/workflows/terraform-plan.yaml

@@ -21,9 +21,8 @@ jobs:
         id: auth
         uses: google-github-actions/auth@v2
         with:
-          workload_identity_provider: |
-            projects/${{ var.project_number }}/locations/global/workloadIdentityPools/${{ var.environ }}-github/providers/github-oidc-pool
-          service_account: ${{ var.terraformer }}
+          workload_identity_provider: projects/546928617664/locations/global/workloadIdentityPools/gha-terraform-checker-pool/providers/gha-terraform-checker-provider
+          service_account: gha-cloud-functions-deployment@jeffreyhung-test.iam.gserviceaccount.com
 
       - name: terraform plan
         id: terraform-plan
@@ -32,3 +31,5 @@ jobs:
           ${{ steps.auth.outcome == 'success'}}
         with:
           add_github_comment: changes-only
+        env:
+            GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

functions/main.tf

@@ -82,8 +82,8 @@ module "cronjob-gen2" {
   target_function_name = module.cloud_function_gen2[each.value.name].function_name
   https_trigger_url    = module.cloud_function_gen2[each.value.name].function_trigger_url
   # passing the static values
-  target_project = var.project
-  target_region  = var.region
+  target_project  = var.project
+  target_region   = var.region
   deploy_sa_email = var.deploy_sa_email
 
   depends_on = [

infrastructure/permissions.tf

@@ -0,0 +1,20 @@
+# Project-wide roles
+locals {
+  roles = [
+    "roles/viewer",                        # general read-only access to most Google Cloud resources
+    "roles/storage.admin",                 # full access to manage GCS buckets and objects
+    "roles/secretmanager.secretAccessor",  # access to Secret Manager
+    "roles/cloudfunctions.developer",      # deploy and manage Cloud Functions
+    "roles/logging.viewer",                # view logs
+    "roles/iam.serviceAccountUser",        # necessary to invoke Cloud Functions
+    "roles/iam.workloadIdentityPoolViewer" # view workload identity pool
+  ]
+}
+
+resource "google_project_iam_member" "project_roles" {
+  for_each = toset(local.roles)
+  project  = var.project
+  role     = each.value
+  member   = "serviceAccount:${google_service_account.gha_cloud_functions_deployment.email}"
+
+}

infrastructure/workload_identity.tf

@@ -8,7 +8,7 @@ variable "region" {}
 
 resource "google_service_account" "gha_cloud_functions_deployment" {
   account_id   = "gha-cloud-functions-deployment"
-  description  = "For use by Terraform and GitHub Actions to deploy DNR pipeline resources via security-cloud-functions repo"
+  description  = "For use by Terraform and GitHub Actions to deploy cloud-functions"
   display_name = "gha-cloud-functions-deployment"
   project      = var.project
 }
@@ -41,4 +41,4 @@ resource "google_service_account_iam_member" "gha_workload_identity_user" {
   service_account_id = google_service_account.gha_cloud_functions_deployment.id
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gha_terraform_checker_pool.name}/*"
-}
+}

main.tf

@@ -6,7 +6,6 @@ locals {
   project_num       = "546928617664"
   bucket_location   = "US-WEST1"
   alerts_collection = "alerts"
-  sentry_jira_url   = "https://getsentry.atlassian.net"
 }
 
 terraform {
@@ -16,6 +15,10 @@ terraform {
       version = "~> 6.0.1"
     }
   }
+  backend "gcs" {
+    bucket = "jeffreyhung-test-tfstate"
+    prefix = "terraform/state"
+  }
 }
 
 provider "google" {
@@ -25,8 +28,55 @@ provider "google" {
 }
 
 resource "google_storage_bucket" "staging_bucket" {
-  name          = "${local.project}-cloud-function-staging"
-  location      = "US"
-  force_destroy = true
+  name                     = "${local.project}-cloud-function-staging"
+  location                 = "US"
+  force_destroy            = true
   public_access_prevention = "enforced"
+}
+
+resource "google_storage_bucket_iam_binding" "staging-bucket-iam" {
+  bucket = google_storage_bucket.tf-state.name
+  role   = "roles/storage.objectUser"
+
+  members = ["serviceAccount:${module.infrastructure.deploy_sa_email}"]
+
+  depends_on = [
+    module.infrastructure,
+    google_storage_bucket.staging_bucket
+  ]
+}
+
+resource "google_storage_bucket_iam_member" "staging_bucket_get" {
+  bucket = google_storage_bucket.staging_bucket.name
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${module.infrastructure.deploy_sa_email}"
+}
+
+resource "google_storage_bucket" "tf-state" {
+  name                     = "${local.project}-tfstate"
+  force_destroy            = false
+  location                 = "US"
+  storage_class            = "STANDARD"
+  public_access_prevention = "enforced"
+  versioning {
+    enabled = true
+  }
+}
+
+resource "google_storage_bucket_iam_binding" "tfstate-bucket-iam" {
+  bucket = google_storage_bucket.tf-state.name
+  role   = "roles/storage.objectUser"
+
+  members = ["serviceAccount:${module.infrastructure.deploy_sa_email}"]
+
+  depends_on = [
+    module.infrastructure,
+    google_storage_bucket.tf-state
+  ]
+}
+
+resource "google_storage_bucket_iam_member" "tfstate_bucket_get" {
+  bucket = google_storage_bucket.tf-state.name
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${module.infrastructure.deploy_sa_email}"
 }

modules/cloud-function-gen2/variables.tf

@@ -31,7 +31,7 @@ variable "runtime" {
   type        = string
   description = "Function runtime, default python 3.11"
   default     = "python311"
-  nullable=false
+  nullable    = false
 }
 
 variable "source_object_prefix" {
@@ -56,21 +56,21 @@ variable "trigger_http" {
   type        = bool
   description = "Whether or not the trigger for this cloud function should be an HTTP endpoint"
   default     = true
-  nullable=false
+  nullable    = false
 }
 
 variable "execution_timeout" {
   type        = number
   description = "Amount of time function can execute before timing out, in seconds"
   default     = 60
-  nullable=false
+  nullable    = false
 }
 
 variable "available_memory_mb" {
   type        = string
   description = "Amount of memory assigned to each execution"
   default     = "128M"
-  nullable=false
+  nullable    = false
 }
 
 variable "temp_zip_output_dir" {

modules/cloud-function/variables.tf

@@ -24,7 +24,7 @@ variable "runtime" {
   type        = string
   description = "Function runtime, default python 3.11"
   default     = "python311"
-  nullable=false
+  nullable    = false
 }
 
 variable "source_object_prefix" {
@@ -49,21 +49,21 @@ variable "trigger_http" {
   type        = bool
   description = "Whether or not the trigger for this cloud function should be an HTTP endpoint"
   default     = true
-  nullable=false
+  nullable    = false
 }
 
 variable "execution_timeout" {
   type        = number
   description = "Amount of time function can execute before timing out, in seconds"
   default     = 60
-  nullable=false
+  nullable    = false
 }
 
 variable "available_memory_mb" {
   type        = number
   description = "Amount of memory assigned to each execution"
   default     = 128
-  nullable=false
+  nullable    = false
 }
 
 variable "temp_zip_output_dir" {