terraform actions fixes
ausbennett committed Nov 11, 2023
1 parent f1547b0 commit 9eb59b4
Showing 2 changed files with 62 additions and 167 deletions.
50 changes: 20 additions & 30 deletions .github/workflows/manual_terraform.yml
@@ -1,53 +1,43 @@
name: 'Manual Terraform Deployment'
name: "Manually Provision Terraform"

on:
workflow_dispatch:
inputs:
environment:
description: 'Target environment'
required: true
default: 'dev'

jobs:
terraform:
name: 'Deploy to Environment'
name: "Provision Terraform"
runs-on: ubuntu-latest
environment:
name: ${{ github.event.inputs.environment }}

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up Google Cloud SDK
uses: google-github-actions/setup-gcloud@v0.2.1
- name: Install Google Cloud SDK
uses: google-github-actions/setup-gcloud@v1

- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
service_account_key: ${{ secrets.DEFAULT_SA_KEY2 }}
project_id: ${{ secrets.PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}

- name: Install Terraform
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1

- name: Decode GCP Credentials
run: |
echo '${{ secrets.GCP_SA_KEY_BASE64 }}' | base64 -d > ${{ github.workspace }}/cloud-infra/automateml-3f20c67d2a0a.json
env:
GCP_SA_KEY_BASE64: ${{ secrets.GCP_SA_KEY_BASE64 }}

- name: List files in cloud-infra directory
run: ls -l ${{ github.workspace }}/cloud-infra/

- name: Check SHA256 of the service account file
run: sha256sum ${{ github.workspace }}/cloud-infra/automateml-3f20c67d2a0a.json
- name: "Setup GCP Credentials"
env:
GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
run: |
echo "$GCP_SA_KEY" > ./cloud-infra/credentials.json
- name: Terraform Init and Plan
- name: Terraform Init
working-directory: ./cloud-infra
env:
TF_LOG: DEBUG
run: |
terraform init
terraform plan -out=tfplan
- name: Terraform Plan
working-directory: ./cloud-infra
run: |
terraform plan
- name: Hold for approval
if: github.event_name == 'workflow_dispatch'
Expand All @@ -62,4 +52,4 @@ jobs:
working-directory: ./cloud-infra
if: github.event_name == 'workflow_dispatch'
run: |
terraform apply tfplan
terraform apply -auto-approve
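Review bot: The apply step now runs `terraform apply -auto-approve` (last line of the second hunk) while the Plan step runs `terraform plan` with no `-out`, so what a reviewer sees at the "Hold for approval" gate is not what gets applied — Terraform re-plans at apply time and any drift between the two steps lands unreviewed. Keep the pair `terraform plan -out=tfplan` / `terraform apply tfplan`, both under `working-directory: ./cloud-infra` so the plan file is found, and keep `tfplan` out of any uploaded artifact since it carries state values. `TF_LOG: DEBUG` on the Terraform Init step will put provider request detail into the job log while the service-account key is in play; drop it from the committed workflow and set it only for a one-off debugging run. The "Setup GCP Credentials" step writes the raw key into the checkout at `./cloud-infra/credentials.json` although `google-github-actions/auth@v1` already authenticates the job; either rely on the credentials that action exports and drop the file, or add a final `if: always()` step that removes it so it cannot leak into artifacts. The apply step's `- name:` line and the rest of the Hold step are outside the hunks.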
179 changes: 42 additions & 137 deletions cloud-infra/main.tf
@@ -1,161 +1,66 @@
# Provider and Common Variables
variable "project" {
default = "automateml"
}
variable "region" {
default = "us-east1"
}
variable "zone" {
default = "us-east1-a"
}
variable "project" { default = "automateml" }
variable "region" { default = "us-east1" }
variable "zone" { default = "us-east1-a" }
variable "sa_email" { default = "default@automateml.iam.gserviceaccount.com" }

provider "google" {
project = var.project
region = var.region
credentials = file("${path.module}/automateml-3f20c67d2a0a.json")
credentials = file("credentials.json") //github actions creates ./cloud-infra/credentials.json
zone = var.zone
}

# Add GKE Service Account
# Minimum roles bc will be the default account used by requests
resource "google_service_account" "GKE_tf_account" {
account_id = "gke-tf-service-account"
display_name = "A Service Account For Terraform To Make GKE Cluster"
}

# Kubernetes Version
variable "cluster_version" {
default = "1.26"
}

# Setup Clusters
resource "google_container_cluster" "cluster" {
name = "trail"
location = var.zone
min_master_version = var.cluster_version
project = var.project

# Ignore changes to min-master-version - this is bc version may be different to what TF expects
lifecycle {
ignore_changes = [
min_master_version,
]
}
resource "google_container_cluster" "automl_cluster" {
name = "automl-cluster"
location = var.region
project = var.project

# Cant create cluster w/o pool defined, create smallest possible pool, delete immediatly
# Use seperately managed pools
remove_default_node_pool = true
initial_node_count = 1

# Enable Workload Identity
# allows workloads in clusters to impersonate IAM service accounts
workload_identity_config {
workload_pool = "${var.project}.svc.id.goog"
}
initial_node_count = 2
}

# Node Pool Definition
resource "google_container_node_pool" "primary_preemptible_nodes" {
name = "trial-zero-cluster-node-pool"
location = var.zone
project = var.project
cluster = google_container_cluster.cluster.name
//single node "node pool" for frontend and backend pods
resource "google_container_node_pool" "febe_node_pool" {
name = "frontend-backend-node-pool"
location = var.region
cluster = google_container_cluster.automl_cluster.name
node_count = 1

# Setup autoscaling with min and max number of nodes
autoscaling {
min_node_count = 1
max_node_count = 5
}

version = var.cluster_version

# Node configuration definition:
node_config {

preemptible = true
machine_type = "e2-medium"

# Google recommends custom service accounts that have cloud-platform scope and
# permissions granted via IAM Roles.

# Tie nodes to sa created above
service_account = google_service_account.GKE_tf_account.email
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform"
]

# Disable regeneration of node pool everytime we run this file
metadata = {
disable-legacy-endpoints = "true"
service_account = var.sa_email
machine_type = "e2-micro"
disk_size_gb = 30
labels = {
workload_type = "frontend-backend"
}
}

lifecycle {
ignore_changes = [
# Ignore changes to node_count, initial_node_count and version
# otherwise node pool will be recreated if there is drift between what
# terraform expects and what it sees
initial_node_count,
node_count,
version
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring"
]
}
}

//pool for machine learning (allows us to adjust the compute later if needed)
resource "google_container_node_pool" "ml_node_pool" {
name = "machine-learning-node-pool"
location = var.region
cluster = google_container_cluster.automl_cluster.name
node_count = 1

# Older code:
/*
resource "google_service_account_iam_member" "GKE_account_iam" {
service_account_id = google_service_account.GKE_account.name
role = "roles/iam.serviceAccountUser"
member = "user:jane@example.com"
}
# Allow SA service account use the default GCE account
resource "google_service_account_iam_member" "gce-default-account-iam" {
service_account_id = data.google_compute_default_service_account.default.name
role = "roles/iam.serviceAccountUser"
member = "serviceAccount:${google_service_account.sa.email}"
}
resource "google_project_service" "run_api" {
provider = google
service = "run.googleapis.com"
disable_on_destroy = true
}
# Create the Cloud Run service
resource "google_cloud_run_service" "run_service" {
provider = google
name = "automate"
location = "us-east1"
template {
spec {
containers {
image = "us-east1-docker.pkg.dev/automateml/docker-repo/automate:1.0"
}
node_config {
service_account = var.sa_email
machine_type = "e2-micro"
disk_size_gb = 30
labels = {
workload_type = "machine-learning"
}
}

traffic {
percent = 100
latest_revision = true
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring"
]
}
# Waits for the Cloud Run API to be enabled
depends_on = [google_project_service.run_api]
}
resource "google_cloud_run_service_iam_member" "run_all_users" {
provider = google
service = google_cloud_run_service.run_service.name
location = google_cloud_run_service.run_service.location
role = "roles/run.invoker"
member = "allUsers"
}
output "service_url" {
value = google_cloud_run_service.run_service.status.0.url
}
*/

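Review bot: The new node pools attach `var.sa_email` with the `cloud-platform` scope to every node, and the hunk also drops the dedicated `GKE_tf_account` service account and the `workload_identity_config` block, so a pod scheduled on these nodes can obtain a token for `default@automateml.iam.gserviceaccount.com` from the node metadata server and inherits whatever project roles that account holds — and nothing in this file says what those are. Document that contract on the variable, e.g. `# sa_email: node service account; pods can use it when Workload Identity is off, so grant only the logging/monitoring writer and image-pull roles`, and consider keeping `workload_identity_config` so application pods use their own IAM bindings. The provider block reads the key from `file("credentials.json")` in the module directory; since the workflow writes that file into the checkout, make sure it is ignored by git, or drop the `credentials` argument and let the provider pick up the credentials the auth action exports. Separately, `node_count = 1` with `location = var.region` counts per zone of a regional cluster, so each pool is likely three nodes rather than one; use a zonal location or restrict `node_locations` if a single node is intended. Whether `remove_default_node_pool = true` survives next to the new `initial_node_count = 2` is not clear from the rendered diff; if it does not, the cluster also keeps a default pool that these two custom pools duplicate.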