Merge terraform into early access (#202)
* add baseline org infra

* comment out gcs block, fmt

* add data deployment

* add cloudsql and network

* rename network to networks

* add shared vpc

* add backend blocks

* fix list item

* Add GKE clusters and GKE network

This config hasn't been tested yet.

* add data regions

* fix cloudsql registry path

* fix terragrunt configs

* fixes

* Input the network for GKE through Terragrunt

Also adjust variables from "network_name" to just "network" and use the
"network_self_link" output instead of "network_name".

* Fix typo in mock output for GKE network terragrunt dependency

* add firebase project

* update names to match gcp setup doc

* Add network project in org policy.

* Add cloudbuild triggers.

* rename folder

* Move the GKE clusters into the same subnet

Also combine the GKE subnet definition into main.tf

* add gitignore, update bootstrap to fix dep and cleanup order

* put terraform block back up top

* Add selective CICD steps.

* Pure fmt fix.

* HCL formatting.

* Add a note for tf validate.

* Add plan cloudbuild job.

* Comment out cloud build resources initially.

* check in bootstrap terraform block

* add org policies terragrunt file

* Specify file include path in triggers and disable them initially.

* Make plan presubmit job run by default and only make SA viewer.

* post-deployment changes

* Format fix.

* Add permissions to SA and enable more APIs.

* Use for_each for roles.

* Refine viewer roles.

* more deployment fixes

* Format

* move devops triggers to org folder

* rename to hhas_gke

* make buckets multi regional

* add sql admin api on apps project

* Add variables/tfvars for triggers.

* Add apply trigger.

* Use variable to control CD job.

* move shared vpc deployment to networks, limit gke SA access to subnet

* Add missing API and permissions to deploy firebase project.

* Delete .gitignore in Terraform/ directory.

* Add included files for presubmit triggers.

* Enable subnet_private_access and subnet_flow_logs

* Add explicit IP address range for the Cloud SQL private access

* Update comment for Cloud SQL network prefix

* Make the GKE apps depend on the data deployment

They need access to Cloud SQL and Firestore.

* Enable CD to do a full deployment.

* Increase the timeout.

* add initial readme, add org admin to bootstrap

* minor spacing fixes

* minor spacing fixes

* fmt

* add terraform readme

* rm readme

* Include cd config itself in trigger.

* Use CFT container.

* Upgrade TF version.

* add deployment steps

* Combine all clusters into one (#122)

It seems the FDA MyStudies team has moved towards combining all servers into
one cluster, "heroes-hat-dev". Adjust Terraform configs to match that.

Also increase the IP ranges for pods and services, to leave more room for
scaling.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Re-add subnet ranges because GCP can't add and remove secondary IP ranges in the same request (#123)

After TF runs in CD, remove these ranges again.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Missed one for auth-server (#124)

Co-authored-by: Martin Petkov <mpetkov@google.com>

* address zohreh comments

* try to fix numbering

* rename folder

* wording

* Re-remove subnets, can't add and delete secondary subnet IP ranges (#125)

Co-authored-by: Martin Petkov <mpetkov@google.com>

* prefix

* Add roles/cloudsql.client binding for the data project (#126)

Requires a new module under data/ because:
* apps depends on data to exist for the Cloud SQL connection
* This new IAM binding in data requires apps to exist to know the service account

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Make region and zone mandatory and consistent. (#137)

* Add random suffix to sql name to avoid name duplication.

* Simply rename the SQL instead.

* Add missing serviceAccount: prefix. (#146)

* Add support for secrets (#144)

* add support for secrets

* add layout

* use for_each and add remote state

* fmt

* Add README for CICD. (#139)

* Add README for CICD.

* Pull cicd to a separate deployment.

* include children for audit exports (#147)

* Add bastion host. (#136)

* Add bastion host.

* Add NAT.

* Add VM startup script and restrict NAT source IP range.

* Enable IAP api in network project. (#148)

* add bastion service account output, fix apps mock outputs (#153)

* add bastion service account as sql client (#151)

* add bastion service account as sql client

* fix var

* update sql connection instructions

* rename sql_clients to sql_client_service_accounts

* fix gke apps terragrunt

* fmt

* fix startup script for cloud sql proxy setup (#155)

* Add new secrets in Secret Manager for later use in Kubernetes (#152)

The Kubernetes secrets need to refer to existing Secret Manager secrets, so
do it in 2 steps.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Add documentation for org level resources. (#160)

* Add documentation for org level resources.

* Address comments.

* Add license. (#163)

* Move Cloud Build Triggers for GKE containers to app project. (#159)

* Move Cloud Build Triggers for GKE containers to app project.

* Enable cloudbuild api.

* Remove duplicate backend block

* Add more documentation. (#164)

* Add service accounts for each GKE app (#168)

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Add multiple DB credentials and roles/cloudsql.client for the GKE SAs (#161)

* Add multiple GKE service accounts and DB creds

In support of using different credentials for each GKE app.

* Address comments

* Move GKE SAs out, they're a separate PR now

PR: #168

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Fix projects for DB users secrets (#169)

* Fix projects for DB users secrets

The users go in the data project, the secrets go in the secrets project.

* Remove project from secret version

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Update k8s deployments and add cluster-wide configs (#157)

* Update k8s deployments and add cluster-wide configs

Changes:
* Update all services to use NodePort and Container-Native Load Balancing.
* Update all deployments to refer to services by name, not IP address.
* Move the ingress and cert configs to a separate folder "kubernetes/".
* Add Pod Security Policies for the cluster and Istio.
* Add helper script for applying the k8s configs.
* Add helper script for moving Docker images from the main registry.

* Remove the response-server-ws-gcloud-key user-registration-server-ws-gcloud-key secrets

These aren't needed, as these apps can use the GKE credentials.
See https://cloud.google.com/docs/authentication/production

* Revert "Remove the response-server-ws-gcloud-key user-registration-server-ws-gcloud-key secrets"

This reverts commit 6c38d0f.

* Make apps use separate SAs, gcloud keys, and DB creds

* Include changes to ingress.yaml from early-access

* Add usage and args to the push_images.sh script

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Update TF Engine config to date. (#177)

The main purpose is for demoing of TF Engine, not to
re-generate the rest of Terraform configs.

* Minor fix in engine template and configs. (#178)

* Add TODO to replace kubernetes_version with release_channel (#182)

* Add TODO to replace kubernetes_version with release_channel

This depends on terraform-google-modules/terraform-google-kubernetes-engine#487 being merged.

* Remove unused field

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Add Kubernetes Secrets (#149)

* Add Kubernetes Secrets

Install Kubernetes Secrets via terraform, by both using Secret Manager and
service account keys.

* Move the secrets to their own deployment

This deployment depends on the main GKE cluster deployment via Terragrunt.

* Format the kubernetes/terragrunt.hcl file

* Fix for_each in secrets.tf

* Remove Secret Manager changes

Doing it separately in #152

* Rename to "my_studies_cluster" in the new code

* Fix secret names

* Remove extra line

* Output the password in the data deployment

* Reformat terragrunt.hcl files

* Remove the response-server-ws-gcloud-key user-registration-server-ws-gcloud-key secrets

These aren't needed, as these apps can use the GKE credentials.
See https://cloud.google.com/docs/authentication/production

* Revert "Remove the response-server-ws-gcloud-key user-registration-server-ws-gcloud-key secrets"

This reverts commit 87f786a.

* Create separate DB users and SAs for each app

* Add project id to apps service accounts

* Revert changes to apps/ and data/ deployments

Moved to a separate PR: #161

* Remove file from another PR

* Retrieve the SQL user password from Secret Manager

* terragrunt hclfmt

* Remove unused Kubernetes secrets

Some secrets are no longer used after merging #157

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Update kubeapply (#180)

* Add pointer to Kubernetes setup instructions

* Update kubeapply.sh to do deployments and not fetch the SA

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Use GKE token and fully-qualified SAs in secrets (#183)

For the SA, from https://www.terraform.io/docs/providers/google/r/google_service_account_key.html:
"This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account."

Since it's using a unique_id, it should use the full name.

For the token, I got the suggestion from here: hashicorp/terraform-provider-kubernetes#382 (comment)

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Fix SQL instance connections in k8s deployments (#185)

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Update Terraform configs with changes in engine. (#184)

* Update Terraform configs with changes in engine.

* Generate configs using OSS TF Engine. (#187)

* Improve CICD permissions (#189)

* remove project owners

* secret manager accessor

* fix perms

* rm viewer perm

* fmt

* add sm viewer

* add logging perms

* rm logging viewer

* Document the GKE cluster setup steps (#181)

* Add pointer to Kubernetes setup instructions

* Document the GKE cluster setup steps

* Address comments

* Change "db-name" to "instance-name"

* Move procedures before version_info import

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Fixes. (#194)

* More fixes. (#195)

* Use the right DB names for the apps (#193)

* Use the right DB names for the apps

These values are supposed to be the database names used by each app, not the name of the Cloud SQL instance.

* Fix variable name apps_db_names

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Add super experimental rename templates script. (#196)

* Fix user-registration-server-np port (#197)

Currently 60000, but the Ingress expects it to be 50000, like with the other services.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Comment out customer triggers initially. (#199)

Add more permissions.

* Install the Istio sidecar (#203)

This is recommended by https://cloud.google.com/istio/docs/istio-on-gke/installing#installing_istio_on_gke_2

The annotations method comes from https://istio.io/docs/setup/additional-setup/sidecar-injection/#policy

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Add cloud build viewer IAM member. (#201)

* Improve rename.sh and add to README.md. (#205)

* Address comments from #202 (#204)

Changes:

* Remove .json keys from .gitignore, since they're no longer manually managed.
* Move the audit bucket to us-east1 like all the other resources.
* Replace a CLIENT_ID with a dummy test value in a k8s deployment.
* Use the right port for the user-registration-server-np.
* Fork the k8s deployment.yaml files, to avoid clobbering the working ones.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Remove workflows to try to get GitHub to see them. Will be re-added immediately.

* Revert "Remove workflows to try to get GitHub to see them. Will be re-added immediately."

This reverts commit 756498a.

* Remove the whole .github/ dir. Will readd immediately.

* Revert "Remove the whole .github/ dir. Will readd immediately."

This reverts commit dcc781b.

* Create a static external IP for the Ingress (#207)

* Remove workflows to try to get GitHub to see them. Will be re-added immediately.

* Revert "Remove workflows to try to get GitHub to see them. Will be re-added immediately."

This reverts commit 756498a.

* Remove the whole .github/ dir. Will readd immediately.

* Revert "Remove the whole .github/ dir. Will readd immediately."

This reverts commit dcc781b.

* Create a static external IP for the Ingress

GKE can create an external IP automatically, but it may change if the ingress
is deleted and recreated. Instead, create one in Terraform, and always use the
same one in the Ingress.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Change Ingress static IP to global (#208)

* Remove workflows to try to get GitHub to see them. Will be re-added immediately.

* Revert "Remove workflows to try to get GitHub to see them. Will be re-added immediately."

This reverts commit 756498a.

* Remove the whole .github/ dir. Will readd immediately.

* Revert "Remove the whole .github/ dir. Will readd immediately."

This reverts commit dcc781b.

* Change Ingress static IP to global

Looking again at the instructions at https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip, this address should be global.

Co-authored-by: Martin Petkov <mpetkov@google.com>

* Fork the service.yaml files into tf-service.yaml

Co-authored-by: umairidris <umairidris@google.com>
Co-authored-by: Martin Petkov <mpetkov@google.com>
Co-authored-by: Xin Gao <xingao@google.com>
Co-authored-by: Xin <xingao267@users.noreply.github.com>
5 people committed Apr 23, 2020
1 parent 383a393 commit ebad6c3
Showing 107 changed files with 4,629 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .gitignore
@@ -0,0 +1,3 @@
**/.terraform
*.tfstate
*.tfstate.*
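Review bot: the three patterns cover local state and the `.terraform` working directory, but `crash.log`, which Terraform writes when a provider panics and which can embed state contents, is not listed; consider adding `crash.log` next to `*.tfstate.*`. Since `terraform.tfvars` is deliberately committed (see `Terraform/bootstrap/terraform.tfvars` in this same commit), the convention that secret values live only in Secret Manager, never in tfvars, should be stated in the README so the ignore list does not need to grow later.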
150 changes: 150 additions & 0 deletions Terraform/README.md
@@ -0,0 +1,150 @@
# FDA MyStudies Terraform Infrastructure

These directories define the entire GCP infrastructure app to run the FDA
MyStudies application.

## Prerequisites

1. Install the following dependencies and add them to your PATH:

- [GCloud](https://cloud.google.com/sdk/gcloud)
- [Terraform](https://www.terraform.io/)
- [Terragrunt](https://terragrunt.gruntwork.io/)

1. Get familiar with [GCP](https://cloud.google.com/docs/overview),
[Terraform](https://www.terraform.io/intro/index.html) and
[Terragrunt](https://blog.gruntwork.io/terragrunt-how-to-keep-your-terraform-code-dry-and-maintainable-f61ae06959d8).

The infrastructure is deployed using Terraform, which is an industry
standard for defining infrastructure-as-code. Terragrunt is used as a
wrapper around Terraform to manage multiple Terraform deployments and reduce
duplication.

1. Setup your
[organization](https://cloud.google.com/resource-manager/docs/creating-managing-organization)
for GCP resources and [G Suite Domain](https://gsuite.google.com/) for
groups.

1. [Create administrative groups](https://support.google.com/a/answer/33343?hl=en)
in the G Suite Domain:

- {PREFIX}-org-admins@{DOMAIN}.com: This group has administrative access
to the entire org. This group can be used in break-glass situations to
give humans access to the org to make changes.

- {PREFIX}-devops-owners@{DOMAIN}.com: This group has owners access to the
devops project to make changes to the CICD project or make changes to
the Terraform state.

- {PREFIX}-auditors@{DOMAIN}.com: This group has security reviewer
(metadata viewer) access to the entire org, as well as viewer access to
the audit logs BigQuery and Cloud Storage resources.

WARNING: It is always recommended to use CICD to deploy changes to the
infrastructure. The groups above should remain empty and only have humans
added for emergency situations or when investigation is required.

## Directory Structure

The infrastructure is split into multiple directories. Each directory represents
one Terraform deployment. Each deployment will manage specific resources in you
infrastructure.

A deployment typically contains the following files:

- **main.tf**: This file defines the Terraform resources and modules to
manage. For more complex deployments, there may be multiple .tf files that
define resources.

- **variables.tf**: This file defines any input variables that the deployment
can take.

- **outputs.tf**: This file defines any outputs from this deployment. These
values can be used by other deployments.

- **terraform.tfvars**: This file defines values for the input variables.

- **terragrunt.hcl**: This file defines dependencies between other
deployments, the remote state, and input values from other dependent
deployments.

To see what resources each deployment provisions, check out the comments in each
**main.tf** file.

## Layout

```
|- bootstrap: one time setup to create projects to host Terraform state and CICD pipeline.
|- cicd: CloudBuild configs for the CICD pipeline.
|- secrets: Definitions of secrets used in the org (secret values are not set in configs).
|- org: org level resources. Resources within this directory should be managed by CICD pipeline.
|- terragrunt.hcl: root Terragrunt config which defines remote state for all deployments.
|- project.{PREFIX}-audit: the project to hold all audit logs for the org.
|- audit: deployment to setup auditing for the org.
|- iam: org level iam definitions such as org admins.
|- folder.fda-mystudies: folder to hold all projects related to FDA MyStudies.
|- project.{PREFIX}-apps: apps project and resources (GKE)
|- project.{PREFIX}-data: data project and resources (GCS buckets, CloudSQL instances)
|- project.{PREFIX}-networks: network project and resources (VPC)
|- project.{PREFIX}-firebase: firebase project (firestores)
```

## Deployment Steps

1. Authenticate as a super admin using `gcloud auth login [ACCOUNT]`.

WARNING: remember to run `gcloud auth revoke` to logout as a super admin.
Being logged in as a super admin beyond the initial setup is dangerous!

1. Checkout the Terraform configs and set some helper environment variables.

```
$ git clone my-repo
$ cd my-repo
$ ROOT=$PWD
```

If you would like to deploy the same infrastructure based on the Terraform
configs in this directory but in a different organization with different
resource prefix or namings, use the `rename.sh` script.

1. The bootstrap config must be deployed first in order to create the `devops`
project which will host your Terraform state and CICD pipelines.

```
$ cd $ROOT/boootstrap
$ terraform init
$ terraform plan
$ terraform apply
```

Your `devops` project should now be ready.

1. Backup the state of the `devops` project to the newly created state bucket
by uncommenting out the `terraform` block in `$ROOT/bootstrap/main.tf` and
running:

```
$ terraform init
```

1. Deploy secrets used in the org in the `devops` project.

```
$ cd $ROOT/secrets
$ terraform init
$ terraform plan
$ terraform apply
```

After the secrets have been created, you must go to the Google Cloud
Console, open `Security` --> `Secret Manager` and fill in their values.

1. Follow `$ROOT/cicd/README.md` to set up CICD pipelines for Terraform
configs.

1. Follow `$ROOT/kubernetes/README.md` to deploy the Kubernetes resources in
the GKE cluster.

1. Revoke your super admin access by running `gcloud auth revoke` and
authenticate as a normal user for daily activities.
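Review bot: the command in deployment step 3 reads `cd $ROOT/boootstrap` (three o's); it should be `cd $ROOT/bootstrap`, otherwise the step fails as written. Step 4 should also say what to expect: once the `terraform` backend block in `bootstrap/main.tf` is uncommented, `terraform init` prompts to copy the existing local state into the `gcs` backend, and the answer must be yes, or the next `terraform apply` will try to create the devops project a second time. Wording in the same hunk: "define the entire GCP infrastructure app to run" reads better as "define the entire GCP infrastructure needed to run", "specific resources in you infrastructure" should be "your infrastructure", and "uncommenting out" should be "uncommenting".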
9 changes: 9 additions & 0 deletions Terraform/bootstrap/README.md
@@ -0,0 +1,9 @@
This directory defines resources that must be deployed first in order for the
rest of the Terraform configs to function.

Run `terraform init` and `terraform apply` in this directory and backup the
Terraform state files manually.

Currently this only creates the central devops project. After this project has
been created, Terragrunt can bootstrap the state bucket inside the project and
manage all the following resources.
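Review bot: "backup the Terraform state files manually" contradicts step 4 of `Terraform/README.md` in this same commit, which migrates the bootstrap state into the newly created state bucket by uncommenting the `terraform` backend block and running `terraform init`. Describe one procedure in both places, and say which identity runs it (the top-level README's super admin), since until the migration happens this local state is the only record of the devops project.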
74 changes: 74 additions & 0 deletions Terraform/bootstrap/main.tf
@@ -0,0 +1,74 @@
# Copyright 2020 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This folder contains Terraform resources to setup the devops project, which includes:
# - The project itself,
# - APIs to enable,
# - Deletion lien,
# - Project level IAM permissions for the project owners,
# - A Cloud Storage bucket to store Terraform states for all deployments,
# - Org level IAM permissions for org admins.

// TODO: replace with https://github.com/terraform-google-modules/terraform-google-bootstrap

# ==============================================================================
# TODO: Uncomment after initial deployment and run `terraform init`.
terraform {
backend "gcs" {
bucket = "heroes-hat-dev-terraform-state-08679"
prefix = "bootstrap"
}
}
# ==============================================================================

# Create the project, enable APIs, and create the deletion lien, if specified.
module "project" {
source = "terraform-google-modules/project-factory/google"
version = "~> 7.0"

name = var.devops_project_id
org_id = var.org_id
billing_account = var.billing_account
lien = true
default_service_account = "keep"
skip_gcloud_download = true
activate_apis = [
"cloudbuild.googleapis.com",
"secretmanager.googleapis.com",
]
}

# Terraform state bucket, hosted in the devops project.
module "state_bucket" {
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
version = "~> 1.4"

name = var.state_bucket
project_id = module.project.project_id
location = var.storage_location
}

# Project level IAM permissions for devops project owners.
resource "google_project_iam_binding" "devops_owners" {
project = module.project.project_id
role = "roles/owner"
members = var.devops_owners
}

# Org level IAM permissions for org admins.
resource "google_organization_iam_member" "org_admin" {
org_id = var.org_id
role = "roles/resourcemanager.organizationAdmin"
member = var.org_admin
}
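Review bot: `google_project_iam_binding.devops_owners` is authoritative for `roles/owner` on the devops project, so every apply removes any owner not listed in `var.devops_owners`, including the account that created the project (GCP grants the creator owner at creation). That is the intended least-privilege outcome given the README's guidance that humans act through groups, but it belongs in the comment above the resource so nobody is surprised when their own owner role disappears. Two smaller points: the `backend "gcs"` bucket name `heroes-hat-dev-terraform-state-08679` is hardcoded because backend blocks cannot reference variables, so it duplicates `state_bucket` in `terraform.tfvars`; add a comment saying the two must stay in sync. And `default_service_account = "keep"` leaves the default Compute Engine service account, with its project-wide Editor grant, in place should the Compute API ever be enabled here; the project-factory module also accepts `"deprivilege"` and `"delete"`, which fit a state-and-CICD-only project better unless something relies on that account. Since this bucket holds state for every deployment, including the data deployment that outputs a database password, object versioning on it is worth enabling so a bad apply can be rolled back.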
23 changes: 23 additions & 0 deletions Terraform/bootstrap/terraform.tfvars
@@ -0,0 +1,23 @@
# Copyright 2020 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

devops_project_id = "heroes-hat-dev-devops"
org_id = "707577601068"
billing_account = "01EA90-3519E1-89CB1F"
state_bucket = "heroes-hat-dev-terraform-state-08679"
storage_location = "us-central1"
org_admin = "group:rocketturtle-gcp-admin@rocketturtle.net"
devops_owners = [
"group:rocketturtle-gcp-admin@rocketturtle.net",
]
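Review bot: `storage_location = "us-central1"` puts the state bucket in a different region from the rest of the deployment, which the commit message says was moved to `us-east1` ("Move the audit bucket to us-east1 like all the other resources"); if that is intentional, say so in a comment, otherwise align it. The `org_id` and `billing_account` values are this example organization's identifiers and must be replaced by anyone forking the configs; the top-level README points at `rename.sh` for exactly this, and a comment here referencing it would prevent an accidental apply against the wrong organization.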
41 changes: 41 additions & 0 deletions Terraform/bootstrap/variables.tf
@@ -0,0 +1,41 @@
# Copyright 2020 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

variable "devops_project_id" {
type = string
}

variable "devops_owners" {
type = list(string)
}

variable "org_id" {
type = string
}

variable "billing_account" {
type = string
}

variable "state_bucket" {
type = string
}

variable "storage_location" {
type = string
}

variable "org_admin" {
type = string
}
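Review bot: none of the seven variables carries a `description`, so `terraform plan` prompts and generated docs give no hint of the expected format; `org_admin` and `devops_owners` in particular take IAM member strings with a `group:` prefix (see `terraform.tfvars`), which is easy to get wrong and, for `org_admin`, grants `roles/resourcemanager.organizationAdmin` across the whole org. Add descriptions, and, if the Terraform version in use supports variable `validation` blocks, reject members that do not start with `user:`, `group:` or `serviceAccount:`.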
88 changes: 88 additions & 0 deletions Terraform/cicd/README.md
@@ -0,0 +1,88 @@
This directory defines resources needed to setup CICD pipelines of Terraform
configs.

The CI and CD pipelines use
[Google Cloud Build](https://cloud.google.com/cloud-build) and
[Cloud Build Triggers](https://cloud.google.com/cloud-build/docs/automating-builds/create-manage-triggers)
to detect changes in the repo, trigger builds and run the workloads.

## Setup

1. In the Terraform Engine config, add a `CICD` block under the `foundation`
recipe and specify the following attributes:

* `PROJECT_ID`: Project ID of the `devops` project
* `STATE_BUCKET`: Name of the state bucket
* `REPO_OWNER`: GitHub repo owner
* `REPO_NAME`: GitHub repo name
* `BRANCH_REGEX`: Regex of the branches to set the Cloud Build Triggers to
monitor
* `CONTINUOUS_DEPLOYMENT_ENABLED`: Whether or not to enable continuous
deployment of Terraform configs
* `TRIGGER_ENABLED`: Whether or not to enable all Cloud Build Triggers
* `TERRAFORM_ROOT`: Path of the directory relative to the repo root
containing the Terraform configs

1. Generate the CICD Terraform configs and Cloud Build configs using the
Terraform Engine.

1. Before deployment CICD Terraform resources, follow
[installing_the_cloud_build_app](https://cloud.google.com/cloud-build/docs/automating-builds/create-github-app-triggers#installing_the_cloud_build_app)
to install the Cloud Build app and connect your GitHub repository to your
Cloud project. This currently cannot be done through automation.

1. Once the GitHub repo is connected, run the following commands in this
directory to enable necessary APIs, grant Cloud Build Service Account
necessary permissions and create Cloud Build Triggers:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Two presubmit triggers are created by default and results are posted in the
Pull Request. Failing these presubmits will block Pull Request submission.

1. `tf-validate`: Perform Terraform format and syntax check.
1. `tf-plan`: Generate speculative plans to show a set of possible changes
if the pending config changes are deployed.

If `CONTINUOUS_DEPLOYMENT_ENABLED` is set to `true` in your Terraform Engine
config, `continuous_deployment_enabled` will be set to `true` in
`terraform.tfvars` in this directory to create an additional Cloud Build
Trigger and grant the Cloud Build Service Account broder permissions to
automaticaly apply the config changes to GCP after the Pull Request is
approved and submitted.

After the triggers are created, to temporarily disable or re-enable them,
set the `trigger_enabled` in `terraform.tfvars` to `false` or `true` and
apply the changes by running:

```
$ terraform init
$ terraform plan
$ terraform apply
```

## Operation

### Continuous Integration (presubmit)

Presubmit Cloud Build results will be posted as a Cloud Build job link in the
Pull Request, and they will be configured to block Pull Request submission.

Every new push to the Pull Request at the configured branches will automatically
trigger presubmit runs. To manually re-trigger CI jobs, comment `/gcbrun` in the
Pull Ruquest.

### Continuous Deployment (postsubmit)

Postsubmit Cloud Build job will automatically start when a Pull Ruquest is
submitted to a configured branch. To view the result of the Cloud Build run, go
to https://console.cloud.google.com/cloud-build/builds and look for your commit
to view the Cloud Build job triggered by your merged commit.

The Postsubmit Cloud Build Trigger monitors and deploys changes made to `org/`
folder only. Other changes made to `bootstrap`, `cicd` and `secrets` folders
should be deployed manually if needed.
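Review bot: the trust boundary of the CD path should be made explicit. When `continuous_deployment_enabled` is `true`, the Cloud Build Service Account receives broader permissions and applies whatever lands on the monitored branch, so the approval referred to in "after the Pull Request is approved and submitted" has to be enforced by branch protection on the GitHub side (required reviews, no direct pushes); otherwise anyone with write access to the repo can deploy org-level changes. Add a sentence to that effect under Continuous Deployment. The `tf-plan` presubmit is the right place for the viewer-only permissions the commit message mentions ("only make SA viewer"), since it runs against the real state and its output is visible to anyone who can follow the Cloud Build link from the PR. Typos in the hunk: "Before deployment CICD Terraform resources" should be "Before deploying CICD Terraform resources", "broder" should be "broader", "automaticaly" should be "automatically", and "Pull Ruquest" appears twice for "Pull Request".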