GH-4: Switch database to PostgreSQL in GCP environments

acteng · Oct 18, 2023 · a805f05 · a805f05
1 parent 3df6524
commit a805f05
Show file tree

Hide file tree

Showing 8 changed files with 175 additions and 11 deletions.
diff --git a/cloud/schemes/cloud-run/main.tf b/cloud/schemes/cloud-run/main.tf
@@ -3,14 +3,19 @@ resource "google_project_service" "run" {
   service = "run.googleapis.com"
 }
 
+resource "google_project_service" "vpc_access" {
+  project = var.project
+  service = "vpcaccess.googleapis.com"
+}
+
 resource "google_service_account" "cloud_run_schemes" {
   account_id = "cloud-run-schemes"
 }
 
 resource "google_cloud_run_v2_service" "schemes" {
   name     = "schemes"
   project  = var.project
-  location = var.location
+  location = var.region
 
   template {
     containers {
@@ -28,6 +33,15 @@ resource "google_cloud_run_v2_service" "schemes" {
           }
         }
       }
+      env {
+        name = "FLASK_SQLALCHEMY_DATABASE_URI"
+        value_source {
+          secret_key_ref {
+            secret  = var.database_uri_secret_id
+            version = "latest"
+          }
+        }
+      }
       env {
         name = "FLASK_BASIC_AUTH_USERNAME"
         value_source {
@@ -56,19 +70,24 @@ resource "google_cloud_run_v2_service" "schemes" {
         }
       }
     }
+    vpc_access {
+      connector = google_vpc_access_connector.cloud_run.id
+      egress    = "PRIVATE_RANGES_ONLY"
+    }
     service_account = google_service_account.cloud_run_schemes.email
   }
 
   depends_on = [
     google_project_service.run,
-    google_secret_manager_secret_version.secret_key
+    google_secret_manager_secret_version.secret_key,
+    google_secret_manager_secret_iam_member.cloud_run_schemes_database_uri
   ]
 }
 
 resource "google_cloud_run_v2_service_iam_binding" "schemes_run_invoker" {
   name     = google_cloud_run_v2_service.schemes.name
   project  = var.project
-  location = var.location
+  location = var.region
 
   role = "roles/run.invoker"
   members = [
@@ -88,6 +107,15 @@ resource "google_project_iam_member" "cloud_run_artifact_registry_reader" {
   depends_on = [google_project_service.run]
 }
 
+resource "google_vpc_access_connector" "cloud_run" {
+  name          = "cloud-run"
+  ip_cidr_range = "10.0.0.0/28"
+  region        = var.region
+  network       = var.vpc_id
+
+  depends_on = [google_project_service.vpc_access]
+}
+
 # secret key
 
 resource "random_uuid" "secret_key" {
@@ -113,6 +141,14 @@ resource "google_secret_manager_secret_iam_member" "cloud_run_schemes_secret_key
   secret_id = google_secret_manager_secret.secret_key.id
 }
 
+# database URI
+
+resource "google_secret_manager_secret_iam_member" "cloud_run_schemes_database_uri" {
+  member    = "serviceAccount:${google_service_account.cloud_run_schemes.email}"
+  role      = "roles/secretmanager.secretAccessor"
+  secret_id = var.database_uri_secret_id
+}
+
 # basic auth username
 
 data "google_secret_manager_secret" "basic_auth_username" {

diff --git a/cloud/schemes/cloud-run/variables.tf b/cloud/schemes/cloud-run/variables.tf
@@ -3,12 +3,22 @@ variable "project" {
   type        = string
 }
 
-variable "location" {
-  description = "GCP location"
+variable "region" {
+  description = "GCP region"
   type        = string
 }
 
 variable "env" {
   description = "App environment"
   type        = string
 }
+
+variable "database_uri_secret_id" {
+  description = "Database URI secret ID"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "VPC ID"
+  type        = string
+}
diff --git a/cloud/schemes/cloud-sql/main.tf b/cloud/schemes/cloud-sql/main.tf
@@ -0,0 +1,55 @@
+resource "google_sql_database_instance" "main" {
+  name   = "schemes"
+  region = var.region
+
+  database_version = "POSTGRES_15"
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = var.vpc_id
+    }
+  }
+}
+
+resource "google_sql_database" "schemes" {
+  name     = "schemes"
+  instance = google_sql_database_instance.main.name
+}
+
+resource "google_secret_manager_secret" "database_uri" {
+  secret_id = "database-uri"
+
+  replication {
+    auto {
+    }
+  }
+}
+
+resource "random_password" "schemes" {
+  length  = 20
+  special = false
+}
+
+resource "google_sql_user" "schemes" {
+  name     = "schemes"
+  instance = google_sql_database_instance.main.name
+
+  password = random_password.schemes.result
+}
+
+resource "google_secret_manager_secret_version" "database_uri" {
+  secret = google_secret_manager_secret.database_uri.id
+  secret_data = join("", [
+    "postgresql+pg8000://",
+    google_sql_user.schemes.name,
+    ":",
+    random_password.schemes.result,
+    "@",
+    google_sql_database_instance.main.private_ip_address,
+    "/",
+    google_sql_database.schemes.name
+  ])
+}
diff --git a/cloud/schemes/cloud-sql/outputs.tf b/cloud/schemes/cloud-sql/outputs.tf
@@ -0,0 +1,4 @@
+output "database_uri_secret_id" {
+  description = "Database URI secret ID"
+  value       = google_secret_manager_secret.database_uri.id
+}
diff --git a/cloud/schemes/cloud-sql/variables.tf b/cloud/schemes/cloud-sql/variables.tf
@@ -0,0 +1,9 @@
+variable "region" {
+  description = "GCP region"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "VPC ID"
+  type        = string
+}
diff --git a/cloud/schemes/main.tf b/cloud/schemes/main.tf
@@ -20,13 +20,28 @@ module "secret_manager" {
   project = local.project
 }
 
-module "cloud_run" {
-  source   = "./cloud-run"
-  project  = local.project
-  location = local.location
-  env      = local.env
+module "vpc" {
+  source = "./vpc"
+}
+
+module "cloud_sql" {
+  source = "./cloud-sql"
+  region = local.location
+  vpc_id = module.vpc.id
 
-  depends_on = [module.secret_manager]
+  depends_on = [
+    module.secret_manager,
+    module.vpc
+  ]
+}
+
+module "cloud_run" {
+  source                 = "./cloud-run"
+  project                = local.project
+  region                 = local.location
+  env                    = local.env
+  database_uri_secret_id = module.cloud_sql.database_uri_secret_id
+  vpc_id                 = module.vpc.id
 }
 
 module "github_action" {

diff --git a/cloud/schemes/vpc/main.tf b/cloud/schemes/vpc/main.tf
@@ -0,0 +1,31 @@
+resource "google_project_service" "compute" {
+  service = "compute.googleapis.com"
+}
+
+resource "google_project_service" "service_networking" {
+  service = "servicenetworking.googleapis.com"
+}
+
+resource "google_compute_network" "main" {
+  name                    = "schemes"
+  auto_create_subnetworks = false
+
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_global_address" "private_ip_address" {
+  name    = "private-ip-address"
+  network = google_compute_network.main.id
+
+  address_type  = "INTERNAL"
+  purpose       = "VPC_PEERING"
+  prefix_length = 16
+}
+
+resource "google_service_networking_connection" "private_vpc_connection" {
+  network                 = google_compute_network.main.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
+
+  depends_on = [google_project_service.service_networking]
+}
diff --git a/cloud/schemes/vpc/outputs.tf b/cloud/schemes/vpc/outputs.tf
@@ -0,0 +1,4 @@
+output "id" {
+  description = "VPC ID"
+  value       = google_compute_network.main.id
+}