diff --git a/deploy/external_load_balancer/cloud_run.tf b/deploy/external_load_balancer/cloud_run.tf
index 548a052..01dae40 100644
--- a/deploy/external_load_balancer/cloud_run.tf
+++ b/deploy/external_load_balancer/cloud_run.tf
@@ -67,7 +67,7 @@ resource "google_cloud_run_v2_service" "api_service" {
 }
 }
 }
- depends_on = [null_resource.build_api_image]
+ depends_on = [google_project_service.tag_engine_project, null_resource.build_api_image]
 }
 output "api_service_uri" {
@@ -148,7 +148,7 @@ resource "google_cloud_run_v2_service" "ui_service" {
 egress = "PRIVATE_RANGES_ONLY"
 }
 }
- depends_on = [null_resource.build_ui_image]
+ depends_on = [google_project_service.tag_engine_project, null_resource.build_ui_image]
 }
 output "ui_service_uri" {
diff --git a/deploy/external_load_balancer/firestore.tf b/deploy/external_load_balancer/firestore.tf
index 4bfc3f4..41b7fa2 100644
--- a/deploy/external_load_balancer/firestore.tf
+++ b/deploy/external_load_balancer/firestore.tf
@@ -4,16 +4,32 @@ # created automatically when the API is enabled.
 # ************************************************************ #
-#resource "google_firestore_database" "create" {
- #project = var.tag_engine_project
- #name = "(default)"
- #location_id = var.firestore_region
- #type = "FIRESTORE_NATIVE"
+resource "google_firestore_database" "create" {
+ project = var.tag_engine_project
+ name = "(default)"
+ location_id = var.firestore_region
+ type = "FIRESTORE_NATIVE"
- #depends_on = [google_project_service.tag_engine_project]
- #}
+ depends_on = [google_project_service.tag_engine_project]
+}
+
+
+# ************************************************************ #
+# Install python packages
+# ************************************************************ #
+resource "null_resource" "install_packages" {
+provisioner "local-exec" {
+ command = "/bin/bash install_packages.sh"
+}
+
+triggers = {
+ always_run = timestamp()
+}
+depends_on = [google_cloud_run_v2_service.api_service, google_cloud_run_v2_service.ui_service]
+}
+
 # ************************************************************ #
 # Create the firestore indexes
 # ************************************************************ #
@@ -24,6 +40,6 @@ resource "null_resource" "firestore_indexes" {
 command = "python create_indexes.py ${var.tag_engine_project}"
 }
- depends_on = [google_project_service.tag_engine_project]
+ depends_on = [google_firestore_database.create, null_resource.install_packages]
 }
diff --git a/deploy/external_load_balancer/iam_bindings.tf b/deploy/external_load_balancer/iam_bindings.tf
index 9189491..2577b24 100644
--- a/deploy/external_load_balancer/iam_bindings.tf
+++ b/deploy/external_load_balancer/iam_bindings.tf
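Review bot: The new `null_resource.install_packages` in firestore.tf re-runs `/bin/bash install_packages.sh` on the operator's machine on every apply, because `always_run = timestamp()` changes each time; the script is not part of this diff, so whether it pins package versions or hashes cannot be checked here. Tying the trigger to the script content, `triggers = { script_sha256 = filesha256("${path.module}/install_packages.sh") }`, and invoking it as `command = "/bin/bash ${path.module}/install_packages.sh"` would run it only when it changes and stop the path resolving against whatever the current working directory is. If the script uses pip, pinned versions with `--require-hashes` would keep what gets installed under the operator's credentials reproducible. The same block is added in deploy/without_load_balancer/firestore.tf.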
@@ -140,20 +140,19 @@ resource "google_project_iam_binding" "loggingViewer" {
 depends_on = [google_project_service.tag_engine_project]
 }
-resource "google_project_iam_binding" "PolicyTagReader" {
- project = var.tag_engine_project
- role = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
- members = ["serviceAccount:${var.tag_creator_sa}"]
- depends_on = [google_project_service.tag_engine_project]
-}
-
 resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
 project = var.bigquery_project
 role = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
 members = ["serviceAccount:${var.tag_creator_sa}"]
- depends_on = [google_project_service.tag_engine_project]
+ depends_on = [google_project_iam_custom_role.bigquery_schema_update]
 }
+resource "google_project_iam_binding" "PolicyTagReader" {
+ project = var.tag_engine_project
+ role = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
+ members = ["serviceAccount:${var.tag_creator_sa}"]
+ depends_on = [google_project_iam_custom_role.policy_tag_reader]
+}
 # ************************************************************ #
 # Create the service account policy bindings for tag_engine_sa
diff --git a/deploy/external_load_balancer/variables.tf b/deploy/external_load_balancer/variables.tf
index 5451cab..5b348a5 100644
--- a/deploy/external_load_balancer/variables.tf
+++ b/deploy/external_load_balancer/variables.tf
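Review bot: Both bindings in this iam_bindings.tf hunk still spell the role as a hand-built string and rely on `depends_on` for ordering, so a binding and the custom role it names can drift apart without any plan-time error. Referencing the role resource directly, `role = google_project_iam_custom_role.bigquery_schema_update.id` (and `.policy_tag_reader.id` for PolicyTagReader), gives the same ordering implicitly; the custom role resources are defined outside this hunk, so confirm they live in the projects these strings assume. `google_project_iam_binding` is also authoritative for its role, so any member granted these roles outside this configuration, including in the separate `var.bigquery_project`, is removed on apply; `google_project_iam_member` avoids that if it is not intended. The same change appears in deploy/without_load_balancer/iam_bindings.tf.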
@@ -1,7 +1,7 @@
 variable "required_apis" {
 type = list
 description = "list of required GCP services"
- default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"]
+ default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "run.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"]
 }
 variable "tag_engine_project" {
@@ -96,4 +96,4 @@ variable "oauth_client_secret" {
 variable "authorized_user_accounts" {
 type = list(string)
 description = "The list of users you want to authorize to use the Tag Engine UI. Provide the email address for each user, which must be a google identity."
-}
\ No newline at end of file
+}
diff --git a/deploy/without_load_balancer/cloud_run.tf b/deploy/without_load_balancer/cloud_run.tf
index 20aa2ee..6d1d11a 100644
--- a/deploy/without_load_balancer/cloud_run.tf
+++ b/deploy/without_load_balancer/cloud_run.tf
@@ -66,7 +66,7 @@ resource "google_cloud_run_v2_service" "api_service" {
 }
 }
 }
- depends_on = [null_resource.build_api_image]
+ depends_on = [google_project_service.tag_engine_project, null_resource.build_api_image]
 }
 output "api_service_uri" {
@@ -134,7 +134,7 @@ resource "google_cloud_run_v2_service" "ui_service" {
 }
 }
 }
- depends_on = [null_resource.build_ui_image]
+ depends_on = [google_project_service.tag_engine_project, null_resource.build_ui_image]
 }
 output "ui_service_uri" {
diff --git a/deploy/without_load_balancer/firestore.tf b/deploy/without_load_balancer/firestore.tf
index 4bfc3f4..41b7fa2 100644
--- a/deploy/without_load_balancer/firestore.tf
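Review bot: In deploy/external_load_balancer/variables.tf the rewritten `required_apis` default still lists `"cloudresourcemanager.googleapis.com"` twice and keeps the untyped `type = list`. How `google_project_service.tag_engine_project` iterates the list is not visible in this diff; with `count` the duplicate would yield two resources managing the same API, and with `for_each` over a set it is simply dead weight. Dropping the second entry and declaring `type = list(string)`, as `authorized_user_accounts` in the same file already does, makes the list safe under either form. The duplicate and the untyped list are also present in deploy/without_load_balancer/variables.tf.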
+++ b/deploy/without_load_balancer/firestore.tf
@@ -4,16 +4,32 @@ # created automatically when the API is enabled.
 # ************************************************************ #
-#resource "google_firestore_database" "create" {
- #project = var.tag_engine_project
- #name = "(default)"
- #location_id = var.firestore_region
- #type = "FIRESTORE_NATIVE"
+resource "google_firestore_database" "create" {
+ project = var.tag_engine_project
+ name = "(default)"
+ location_id = var.firestore_region
+ type = "FIRESTORE_NATIVE"
- #depends_on = [google_project_service.tag_engine_project]
- #}
+ depends_on = [google_project_service.tag_engine_project]
+}
+
+
+# ************************************************************ #
+# Install python packages
+# ************************************************************ #
+resource "null_resource" "install_packages" {
+provisioner "local-exec" {
+ command = "/bin/bash install_packages.sh"
+}
+
+triggers = {
+ always_run = timestamp()
+}
+depends_on = [google_cloud_run_v2_service.api_service, google_cloud_run_v2_service.ui_service]
+}
+
 # ************************************************************ #
 # Create the firestore indexes
 # ************************************************************ #
@@ -24,6 +40,6 @@ resource "null_resource" "firestore_indexes" {
 command = "python create_indexes.py ${var.tag_engine_project}"
 }
- depends_on = [google_project_service.tag_engine_project]
+ depends_on = [google_firestore_database.create, null_resource.install_packages]
 }
diff --git a/deploy/without_load_balancer/iam_bindings.tf b/deploy/without_load_balancer/iam_bindings.tf
index 9189491..2577b24 100644
--- a/deploy/without_load_balancer/iam_bindings.tf
+++ b/deploy/without_load_balancer/iam_bindings.tf
@@ -140,20 +140,19 @@ resource "google_project_iam_binding" "loggingViewer" {
 depends_on = [google_project_service.tag_engine_project]
 }
-resource "google_project_iam_binding" "PolicyTagReader" {
- project = var.tag_engine_project
- role = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
- members = ["serviceAccount:${var.tag_creator_sa}"]
- depends_on = [google_project_service.tag_engine_project]
-}
-
 resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
 project = var.bigquery_project
 role = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
 members = ["serviceAccount:${var.tag_creator_sa}"]
- depends_on = [google_project_service.tag_engine_project]
+ depends_on = [google_project_iam_custom_role.bigquery_schema_update]
 }
+resource "google_project_iam_binding" "PolicyTagReader" {
+ project = var.tag_engine_project
+ role = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
+ members = ["serviceAccount:${var.tag_creator_sa}"]
+ depends_on = [google_project_iam_custom_role.policy_tag_reader]
+}
 # ************************************************************ #
 # Create the service account policy bindings for tag_engine_sa
diff --git a/deploy/without_load_balancer/variables.tf b/deploy/without_load_balancer/variables.tf
index 1d27425..390e3e2 100644
--- a/deploy/without_load_balancer/variables.tf
+++ b/deploy/without_load_balancer/variables.tf
@@ -1,7 +1,7 @@
 variable "required_apis" {
 type = list
 description = "list of required GCP services"
- default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"]
+ default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "run.googleapis.com"]
 }
 variable "tag_engine_project" {
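Review bot: Besides adding `run.googleapis.com`, the new `required_apis` default in this variant drops `vpcaccess.googleapis.com` and `iap.googleapis.com`, and nothing in the hunk explains the removal. If `google_project_service.tag_engine_project` iterates this list (it is defined outside the diff), an existing deployment will plan the destruction of those two service resources, and with `disable_on_destroy` left enabled that turns the APIs off in the project. Setting `disable_on_destroy = false` on that resource, or adding a comment above the default such as `# IAP and VPC Access are not used without the load balancer`, would make the effect explicit to whoever applies it next.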