feat: added ci/cd pipeline for the frontend service (#51)

Author: yliaog

5-appinfra/apps/frontend/envs/shared/main.tf

@@ -0,0 +1,39 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  application_name = "cymbal-bank"
+  service_name     = "frontend"
+  repo_name        = "eab-${local.application_name}-${local.service_name}"
+  repo_branch      = "main"
+}
+
+module "app" {
+  source = "../../../../modules/cicd-pipeline"
+
+  project_id                     = var.project_id
+  region                         = var.region
+  cluster_membership_id_dev      = var.cluster_membership_id_dev
+  cluster_membership_ids_nonprod = var.cluster_membership_ids_nonprod
+  cluster_membership_ids_prod    = var.cluster_membership_ids_prod
+
+  application_name = local.application_name
+  service          = local.service_name
+  repo_name        = local.repo_name
+  repo_branch      = local.repo_branch
+
+  buckets_force_destroy = var.buckets_force_destroy
+}

5-appinfra/apps/frontend/envs/shared/outputs.tf

@@ -0,0 +1,15 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */

5-appinfra/apps/frontend/envs/shared/variables.tf

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "CI/CD project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "CI/CD region"
+  type        = string
+}
+
+variable "cluster_membership_id_dev" {
+  description = "Cluster fleet membership ID in development environment"
+  type        = string
+}
+
+variable "cluster_membership_ids_nonprod" {
+  description = "Cluster fleet membership IDs in nonprod environment"
+  type        = list(string)
+}
+
+variable "cluster_membership_ids_prod" {
+  description = "Cluster fleet membership IDs in prod environment"
+  type        = list(string)
+}
+
+variable "buckets_force_destroy" {
+  description = "When deleting the bucket for storing CICD artifacts, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects."
+  type        = bool
+  default     = false
+}

5-appinfra/modules/cicd-pipeline/README.md

@@ -0,0 +1,24 @@
+# Cymbal Bank deployment example
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| application\_name | application name (e.g. 'cymbal-bank') | `string` | n/a | yes |
+| buckets\_force\_destroy | When deleting the bucket for storing CICD artifacts, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
+| cluster\_membership\_id\_dev | Fleet membership ID for the cluster in development environment | `string` | n/a | yes |
+| cluster\_membership\_ids\_nonprod | Fleet membership IDs for the cluster in non-production environment | `list(string)` | n/a | yes |
+| cluster\_membership\_ids\_prod | Fleet membership IDs for the cluster in production environment | `list(string)` | n/a | yes |
+| project\_id | CI/CD project ID | `string` | n/a | yes |
+| region | CI/CD Region (e.g. us-central1) | `string` | n/a | yes |
+| repo\_branch | Branch to sync ACM configs from & trigger CICD if pushed to. | `string` | n/a | yes |
+| repo\_name | Short version of repository to sync ACM configs from & use source for CI (e.g. 'bank-of-anthos' for https://www.github.com/GoogleCloudPlatform/bank-of-anthos) | `string` | n/a | yes |
+| service | service name (e.g. 'frontend') | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+

5-appinfra/modules/cicd-pipeline/apis.tf

@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "enabled_google_apis" {
+  source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  version = "~> 14.4"
+
+  project_id                  = var.project_id
+  disable_services_on_destroy = false
+
+  activate_apis = [
+    "artifactregistry.googleapis.com",
+    "sourcerepo.googleapis.com",
+    "certificatemanager.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "clouddeploy.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "compute.googleapis.com",
+    "anthos.googleapis.com",
+    "container.googleapis.com",
+    "gkehub.googleapis.com",
+    "gkeconnect.googleapis.com",
+    "anthosconfigmanagement.googleapis.com",
+    "mesh.googleapis.com",
+    "meshconfig.googleapis.com",
+    "meshtelemetry.googleapis.com",
+    "iam.googleapis.com",
+  ]
+}

5-appinfra/modules/cicd-pipeline/artifact-registry.tf

@@ -0,0 +1,48 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# create artifact registry for container images
+resource "google_artifact_registry_repository" "container_registry" {
+  repository_id = var.application_name
+  location      = var.region
+  format        = "docker"
+  description   = "Bank of Anthos docker repository"
+  project       = var.project_id
+
+  depends_on = [
+    module.enabled_google_apis
+  ]
+}
+
+module "artifact-registry-repository-iam-bindings" {
+  source       = "terraform-google-modules/iam/google//modules/artifact_registry_iam"
+  version      = "~> 7.7"
+  project      = var.project_id
+  repositories = [var.application_name]
+  location     = var.region
+  mode         = "authoritative"
+
+  bindings = {
+    "roles/artifactregistry.reader" = [
+      "serviceAccount:${data.google_project.project.number}[email protected]",
+      "serviceAccount:${google_service_account.cloud_deploy.email}",
+      "allAuthenticatedUsers"
+    ],
+  }
+
+  depends_on = [
+    module.enabled_google_apis,
+    google_artifact_registry_repository.container_registry
+  ]
+}

5-appinfra/modules/cicd-pipeline/cloud-build-trigger.tf

@@ -0,0 +1,36 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CI trigger configuration
+resource "google_cloudbuild_trigger" "ci" {
+  name     = "${local.service_clean}-ci"
+  project  = var.project_id
+  location = var.region
+
+  trigger_template {
+    branch_name = var.repo_branch
+    repo_name   = var.repo_name
+  }
+  included_files = ["src/${var.service}/**", "src/components/**"]
+  filename       = "src/${local.team_name}/cloudbuild.yaml"
+  substitutions = {
+    _SERVICE               = local.service_name
+    _TEAM                  = local.team_name
+    _CACHE_URI             = "gs://${google_storage_bucket.build_cache.name}/${google_storage_bucket_object.cache.name}"
+    _CONTAINER_REGISTRY    = "${local.container_registry.location}-docker.pkg.dev/${local.container_registry.project}/${local.container_registry.repository_id}"
+    _SOURCE_STAGING_BUCKET = "gs://${google_storage_bucket.release_source_development.name}"
+    _CACHE                 = local.cache_filename
+  }
+  service_account = google_service_account.cloud_build.id
+}

5-appinfra/modules/cicd-pipeline/cloud-deploy.tf

@@ -0,0 +1,30 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# create delivery pipeline for service including all targets
+resource "google_clouddeploy_delivery_pipeline" "delivery-pipeline" {
+  project  = var.project_id
+  location = var.region
+  name     = var.service
+  serial_pipeline {
+    dynamic "stages" {
+      for_each = { for idx, target in local.targets : idx => target }
+      content {
+        # TODO: use "production" profile once it works.
+        profiles  = [stages.value.name == "development" ? "development" : (startswith(stages.value.name, "non-production") ? "staging" : "production")]
+        target_id = stages.value.name
+      }
+    }
+  }
+}

5-appinfra/modules/cicd-pipeline/cloud-storage.tf

@@ -0,0 +1,70 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# GCS bucket used as skaffold build cache
+resource "google_storage_bucket" "build_cache" {
+  project                     = var.project_id
+  name                        = "build-cache-${local.service_name}-${data.google_project.project.number}"
+  uniform_bucket_level_access = true
+  location                    = var.region
+  force_destroy               = var.buckets_force_destroy
+}
+
+resource "google_storage_bucket" "release_source_development" {
+  project                     = var.project_id
+  name                        = "release-source-development-${local.service_name}-${data.google_project.project.number}"
+  uniform_bucket_level_access = true
+  location                    = var.region
+  force_destroy               = var.buckets_force_destroy
+}
+
+# Initialize cache with empty file
+resource "google_storage_bucket_object" "cache" {
+  bucket = google_storage_bucket.build_cache.name
+
+  name    = local.cache_filename
+  content = " "
+
+  lifecycle {
+    # do not reset cache when running terraform
+    ignore_changes = [
+      content,
+      detect_md5hash
+    ]
+  }
+}
+
+# give CloudBuild SA access to skaffold cache
+resource "google_storage_bucket_iam_member" "build_cache" {
+  bucket = google_storage_bucket.build_cache.name
+
+  member = "serviceAccount:${google_service_account.cloud_build.email}"
+  role   = "roles/storage.admin"
+}
+
+# give CloudBuild SA access to write to source development bucket
+resource "google_storage_bucket_iam_member" "release_source_development_admin" {
+  bucket = google_storage_bucket.release_source_development.name
+
+  member = "serviceAccount:${google_service_account.cloud_build.email}"
+  role   = "roles/storage.admin"
+}
+
+# give CloudDeploy SA access to read from source development bucket
+resource "google_storage_bucket_iam_member" "release_source_development_objectViewer" {
+  bucket = google_storage_bucket.release_source_development.name
+
+  member = "serviceAccount:${google_service_account.cloud_deploy.email}"
+  role   = "roles/storage.objectViewer"
+}

5-appinfra/modules/cicd-pipeline/locals.tf

@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+  cache_filename     = "cache"
+  service_name       = reverse(split("/", var.service))[0]
+  team_name          = split("/", var.service)[0]
+  service_clean      = replace(var.service, "/", "-")
+  targets            = [google_clouddeploy_target.development, google_clouddeploy_target.non_prod[0], google_clouddeploy_target.non_prod[1], google_clouddeploy_target.prod[0], google_clouddeploy_target.prod[1]]
+  container_registry = google_artifact_registry_repository.container_registry
+}