
Commit 61acce5

Scaffolds Pulumi stack for prod environment and improves documentation
1 parent 865de33 commit 61acce5

4 files changed

Lines changed: 117 additions & 1 deletion

File tree

.github/workflows/deploy-gcp.yaml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ concurrency:
1212

1313
env:
1414
BUCKET_REGION: ${{ vars.GCP_PROJECT_REGION }}
15-
BUCKET_URL: gs://${{ vars.PROJECT_NAME }}-${{ vars.ENV }}-cloud-storage-${{ vars.GCP_PULUMI_BUCKET_NAME }}
15+
BUCKET_URL: gs://${{ vars.PROJECT_NAME }}-${{ vars.ENV == 'prod' && 'p' || 't' }}-${{ vars.GCP_PULUMI_BUCKET_NAME }}
1616
EXTRACT_DIR: ./services/extract
1717
INFRA_DIR: ./infra/gcp/persistent
1818
PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
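Review bot: the new `BUCKET_URL` expression `${{ vars.ENV == 'prod' && 'p' || 't' }}` maps every value of `vars.ENV` other than exactly `prod` to the test bucket, including an unset variable or a typo such as `production`, so a misconfigured prod run would silently log into the test stack's state bucket and apply prod changes against it instead of failing. Add a preceding step that exits non-zero unless `vars.ENV` is `test` or `prod`, or keep a dedicated variable for the bucket suffix rather than deriving it. Note also that this changes the expected bucket name from `<project>-<env>-cloud-storage-<name>` to `<project>-<p|t>-<name>`, which matches the `debit-t-pulumi-infra` / `debit-p-pulumi-infra` names the README hunk introduces, so any existing bucket created under the old pattern will no longer be found.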

infra/gcp/README.md

Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
# Google Cloud Platform (GCP)
2+
3+
Scripts for deploying backend infrastructure to GCP using Pulumi and the gcloud CLI.
4+
5+
## Manual Setup
6+
7+
Before running the scripts, a Pulumi stack must be created. In the current implementation, infrastructure is persisted to a Google Cloud Storage bucket to save costs (as opposed to maintaining a subscription to Pulumi Cloud), and the setup process is implemented manually.
8+
9+
**(1) Log into GCP**
10+
11+
Open a new terminal and run the following command to authenticate with Google Cloud using the gcloud CLI.
12+
13+
```
14+
gcloud auth application-default login
15+
```
16+
17+
The command will launch a new browser window and open to the login page. Select your identity and then click "Continue" until you reach the success message, "You are now authenticated with the gcloud CLI!" Then close the browser and return to your terminal.
18+
19+
**(2) Set GCP Project**
20+
21+
Navigate to the GitHub repository's settings and find DeBIT's Google Cloud Project id in the list of configured variables.
22+
23+
Run the following command to confirm that the same id is returned, indicating that your active project is DeBIT:
24+
25+
```
26+
gcloud config get-value project
27+
```
28+
29+
If you have a different project selected, change to DeBIT by entering:
30+
31+
```
32+
gcloud config set project PROJECT_ID
33+
```
34+
35+
**(3) Create Infrastructure Bucket**
36+
37+
Using either the Cloud Console or gcloud CLI, create a Cloud Storage bucket with default permissions to hold the Pulumi infrastructure state. The following bucket names are expected for each environment:
38+
39+
_Test_
40+
41+
```
42+
debit-t-pulumi-infra
43+
```
44+
45+
_Prod_
46+
47+
```
48+
debit-p-pulumi-infra
49+
```
50+
51+
**(4) Log into Infrastructure Bucket**
52+
53+
Run the following command to log into the configured storage bucket:
54+
55+
_Test_
56+
57+
```
58+
pulumi login gs://debit-t-pulumi-infra
59+
```
60+
61+
_Prod_
62+
63+
```
64+
pulumi login gs://debit-p-pulumi-infra
65+
```
66+
67+
For more information on this login method, please consult the **[Pulumi documentation](https://www.pulumi.com/docs/iac/concepts/state-and-backends/)**.
68+
69+
**(4) Create New Stack**
70+
71+
Run the following command to create a new stack in the bucket:
72+
73+
_Test_
74+
75+
```
76+
pulumi stack init test
77+
```
78+
79+
_Prod_
80+
81+
```
82+
pulumi stack init prod
83+
```
84+
85+
At this point, you will be given the option to enter a passphrase to protect configuration/secrets. At present, no passphrase is expected, but if you choose to enter one, you must save a new secret in the corresponding GitHub environment (i.e., `test` or `prod`) and update the GitHub Action definition to pass the passphrase to the Pulumi deployment steps.
86+
87+
**(5) Set Stack Region**
88+
89+
Run the following commands to set the GCP region of the new stack:
90+
91+
_Test_
92+
93+
```
94+
pulumi stack select test
95+
pulumi config set gcp:region us-central1
96+
```
97+
98+
_Prod_
99+
100+
```
101+
pulumi stack select prod
102+
pulumi config set gcp:region us-central1
103+
```
104+
105+
## Structure
106+
107+
### one-time
108+
109+
When seeding a new GCP project, the bash script in the `one-time` directory should be executed first. The script creates a service account with the permissions necessary to deploy and manage resources using Pulumi and then permits GitHub Actions to impersonate that account as a Workload Identity. When the `deploy-gcp.yaml` GitHub Action is triggered, the service account will successfully authenticate to Google Cloud using OIDC tokens.
110+
111+
## persistent
112+
113+
The Python scripts and YAML file in `persistent` define the infrastructure that runs the logic of the data pipeline. There are two Pulumi stacks, `test` and `prod`, which are configured on GitHub to deploy upon pushes to the `test` and `main` branches, respectively.
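Review bot: step (3) creates the state bucket "with default permissions" and step (4) says no passphrase is expected, so the Pulumi state stored in `debit-t-pulumi-infra` and `debit-p-pulumi-infra`, which includes stack config and the outputs of every deployed resource, is protected only by bucket IAM; the README should state who is expected to have read and write access to those buckets and that they must never be made public. Smaller points: the step numbers repeat "(4)" for both "Log into Infrastructure Bucket" and "Create New Stack", so the list should run (1) through (6); and `## persistent` is a level-2 heading while its sibling `### one-time` is level 3 under `## Structure`, so one of them should change.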
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
encryptionsalt: v1:2QpgbvdSgPc=:v1:uMyGsOqi/4WdqA5c:mJagWlvkiF6S29Kn7iN4e1lAaS3c4g==
2+
config:
3+
gcp:region: us-central1
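Review bot: this stack config file carries an `encryptionsalt`, which Pulumi writes only for the passphrase secrets provider, so `pulumi up` against this stack will prompt for the passphrase and fail in a non-interactive run unless `PULUMI_CONFIG_PASSPHRASE` (or `PULUMI_CONFIG_PASSPHRASE_FILE`) is set, even to an empty string. The README hunk says no passphrase is expected, so either the workflow already exports an empty value or the prod deploy will stop at that prompt; worth confirming, and the README should say which it is. The salt itself is safe to commit; it is not the passphrase.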

infra/gcp/persistent/README.md

Whitespace-only changes.
