| 1 | +# Google Cloud Platform (GCP) |
| 2 | + |
| 3 | +Scripts for deploying backend infrastructure to GCP using Pulumi and the gcloud CLI. |
| 4 | + |
| 5 | +## Manual Setup |
| 6 | + |
| 7 | +Before running the scripts, a Pulumi stack must be created. In the current implementation, infrastructure is persisted to a Google Cloud Storage bucket to save costs (as opposed to maintaining a subscription to Pulumi Cloud), and the setup process is implemented manually. |
| 8 | + |
| 9 | +**(1) Log into GCP** |
| 10 | + |
| 11 | +Open a new terminal and run the following command to authenticate with Google Cloud using the gcloud CLI. |
| 12 | + |
| 13 | +``` |
| 14 | +gcloud auth application-default login |
| 15 | +``` |
| 16 | + |
| 17 | +The command will launch a new browser window and open to the login page. Select your identity and then click "Continue" until you reach the success message, "You are now authenticated with the gcloud CLI!" Then close the browser and return to your terminal. |
| 18 | + |
| 19 | +**(2) Set GCP Project** |
| 20 | + |
| 21 | +Navigate to the GitHub repository's settings and find DeBIT's Google Cloud Project id in the list of configured variables. |
| 22 | + |
| 23 | +Run the following command to confirm that the same id is returned, indicating that your active project is DeBIT: |
| 24 | + |
| 25 | +``` |
| 26 | +gcloud config get-value project |
| 27 | +``` |
| 28 | + |
| 29 | +If you have a different project selected, change to DeBIT by entering: |
| 30 | + |
| 31 | +``` |
| 32 | +gcloud config set project PROJECT_ID |
| 33 | +``` |
| 34 | + |
| 35 | +**(3) Create Infrastructure Bucket** |
| 36 | + |
| 37 | +Using either the Cloud Console or gcloud CLI, create a Cloud Storage bucket with default permissions to hold the Pulumi infrastructure state. The following bucket names are expected for each environment: |
| 38 | + |
| 39 | +_Test_ |
| 40 | + |
| 41 | +``` |
| 42 | +debit-t-pulumi-infra |
| 43 | +``` |
| 44 | + |
| 45 | +_Prod_ |
| 46 | + |
| 47 | +``` |
| 48 | +debit-p-pulumi-infra |
| 49 | +``` |
| 50 | + |
| 51 | +**(4) Log into Infrastructure Bucket** |
| 52 | + |
| 53 | +Run the following command to log into the configured storage bucket: |
| 54 | + |
| 55 | +_Test_ |
| 56 | + |
| 57 | +``` |
| 58 | +pulumi login gs://debit-t-pulumi-infra |
| 59 | +``` |
| 60 | + |
| 61 | +_Prod_ |
| 62 | + |
| 63 | +``` |
| 64 | +pulumi login gs://debit-p-pulumi-infra |
| 65 | +``` |
| 66 | + |
| 67 | +For more information on this login method, please consult the **[Pulumi documentation](https://www.pulumi.com/docs/iac/concepts/state-and-backends/)**. |
| 68 | + |
| 69 | +**(4) Create New Stack** |
| 70 | + |
| 71 | +Run the following command to create a new stack in the bucket: |
| 72 | + |
| 73 | +_Test_ |
| 74 | + |
| 75 | +``` |
| 76 | +pulumi stack init test |
| 77 | +``` |
| 78 | + |
| 79 | +_Prod_ |
| 80 | + |
| 81 | +``` |
| 82 | +pulumi stack init prod |
| 83 | +``` |
| 84 | + |
| 85 | +At this point, you will be given the option to enter a passphrase to protect configuration/secrets. At present, no passphrase is expected, but if you choose to enter one, you must save a new secret in the corresponding GitHub environment (i.e., `test` or `prod`) and update the GitHub Action definition to pass the passphrase to the Pulumi deployment steps. |
| 86 | + |
| 87 | +**(5) Set Stack Region** |
| 88 | + |
| 89 | +Run the following commands to set the GCP region of the new stack: |
| 90 | + |
| 91 | +_Test_ |
| 92 | + |
| 93 | +``` |
| 94 | +pulumi stack select test |
| 95 | +pulumi config set gcp:region us-central1 |
| 96 | +``` |
| 97 | + |
| 98 | +_Prod_ |
| 99 | + |
| 100 | +``` |
| 101 | +pulumi stack select prod |
| 102 | +pulumi config set gcp:region us-central1 |
| 103 | +``` |
| 104 | + |
| 105 | +## Structure |
| 106 | + |
| 107 | +### one-time |
| 108 | + |
| 109 | +When seeding a new GCP project, the bash script in the `one-time` directory should be executed first. The script creates a service account with the permissions necessary to deploy and manage resources using Pulumi and then permits GitHub Actions to impersonate that account as a Workload Identity. When the `deploy-gcp.yaml` GitHub Action is triggered, the service account will successfully authenticate to Google Cloud using OIDC tokens. |
| 110 | + |
| 111 | +## persistent |
| 112 | + |
| 113 | +The Python scripts and YAML file in `persistent` define the infrastructure that runs the logic of the data pipeline. There are two Pulumi stacks, `test` and `prod`, which are configured on GitHub to deploy upon pushes to the `test` and `main` branches, respectively. |
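Review bot: the "Create Infrastructure Bucket" and "Create New Stack" steps leave the Pulumi state and the secrets inside it weakly protected: the text tells the reader to accept an empty passphrase for the GCS backend, and a bucket created "with default permissions" gets no explicit access restriction and no object versioning, so a corrupted or deleted state file cannot be recovered. Suggest initialising each stack with a Cloud KMS secrets provider instead of a passphrase, e.g. `pulumi stack init test --secrets-provider="gcpkms://projects/PROJECT_ID/locations/us-central1/keyRings/KEYRING/cryptoKeys/KEY"`, which also avoids sharing a passphrase through GitHub environment secrets, and documenting uniform bucket-level access plus `gsutil versioning set on gs://debit-t-pulumi-infra` (and the prod equivalent). Smaller points in the same hunk: the step numbering repeats "(4)" ("Log into Infrastructure Bucket" and "Create New Stack"), so everything after it is off by one; "Set Stack Region" sets `gcp:region` but never `gcp:project`, so unless the Pulumi program sets the project explicitly, add `pulumi config set gcp:project PROJECT_ID` per stack rather than relying on the local gcloud default selected in step (2); and `## persistent` should be `### persistent` to sit under `## Structure` alongside `### one-time`.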