This guide describes how to set up Four Keys with your GitHub or GitLab project. The main steps are:
- Running the setup script
- Integrating with your GitHub or GitLab repo by:
We recommend using Cloud Shell to install Four Keys
- Install GCloud SDK.
- Install Terraform.
- You must be owner on a Google Cloud project that has billing enabled. You can either use a currently active project or create a new project specifically to use with Four Keys.
ℹ️ To create a new project using the same billing account as your currently-active gcloud project, run the following commands:
export PARENT_PROJECT=$(gcloud config get-value project) export PARENT_FOLDER=$(gcloud projects describe ${PARENT_PROJECT} --format="value(parent.id)") export BILLING_ACCOUNT=$(gcloud beta billing projects describe ${PARENT_PROJECT} --format="value(billingAccountName)") export FOURKEYS_PROJECT=$(printf "fourkeys-%06d" $((RANDOM%999999))) gcloud projects create ${FOURKEYS_PROJECT} --folder=${PARENT_FOLDER} gcloud beta billing projects link ${FOURKEYS_PROJECT} --billing-account=${BILLING_ACCOUNT} echo "project created: "$FOURKEYS_PROJECT
-
Run the following setup script from the top-level directory of this repository:
cd setup script setup.log -c ./setup.sh
-
Answer the setup script's questions:
- Enter the project ID and region information for the project in which you wish to install Four Keys
- Choose the event sources to configure...
- Which version control system are you using?
- Choose the appropriate option for your VCS, or choose "other" to skip VCS integration
- Which CI/CD system are you using?
- Choose the appropriate option for your CICD system, or choose "other" to skip CICD integration
- (see
/README.md#extending-to-other-event-sources
to integrate event sources not available during setup)
- Which version control system are you using?
- Would you like to generate mock data? (y/N)
- If you select yes, a script will run through and send mock GitLab or GitHub events to your event-handler. This will populate your dashboard with mock data. The mock data will include the work "mock" in the source. You can generate mock data without using the setup script. See Generating mock data.
- To exclude the mock data from the dashboard, update the SQL script to filter out any source with the word mock in it by adding:
WHERE source not like "%mock"
.
- To exclude the mock data from the dashboard, update the SQL script to filter out any source with the word mock in it by adding:
- If you select yes, a script will run through and send mock GitLab or GitHub events to your event-handler. This will populate your dashboard with mock data. The mock data will include the work "mock" in the source. You can generate mock data without using the setup script. See Generating mock data.
At some point after running the setup script, you may want to make modifications to your infrastructure. Or, the Four Keys repo itself may be updated with a new configuration. If you make changes to your resources outside of Terraform, they will not be tracked and cannot be managed by Terraform. This includes pub/sub topics, subscriptions, permissions, service accounts, services, etc. Therefore, it's recommended to make all infrastructure changes by updating your Terraform files and re-running Terraform, using terraform apply
. You'll be prompted to confirm the planned changes; review them carefully, then type yes
to proceed.
Tip: The configurations in this repo will continue to evolve over time; if you want to be able to apply ongoing updates, don't modify the tracked Terraform files. Instead, consider using Terraform Override Files, which will allow you to customize the infrastructure to your needs without introducing potential merge conflicts the next time you pull from upstream.
The setup script does many things to help create the service architecture described in the README.md
. These include a little bash scripting and a lot of Terraform.
Step by step, here's what's happening:
setup.sh
starts by collecting information from the system and the user to determine a number of configuration variables that will be provided to Terraform.- It sets several environment variables, and writes a
terraform.tfvars
file to disk, containing inputs to Terraform. - Then it invokes
install.sh
, which is responsible for provisioning the infrastructure. install.sh
runsgcloud builds submit
commands to build the application containers that will be used in Cloud Run services.- Then it invokes Terraform, which processes the configuration files (ending in
.tf
) to provision all of the necessary infrastructure into the speficied Cloud project. - If you've chosen to generate mock data, the script then calls the "data generator" python application to submit several synthetic webhook events to the event-handler service that was just created.
- Finally, the script prints information about next steps, including configuring webhooks and visiting the dashboard.
Terraform maintains information about infrastucture in persistent state storage, known as a backend. By default, this is maintained in a file named terraform.tfstate
, saved to the same directory that Terraform is executed from. This local backend is fine for a one-time setup, but if you plan to maintain and use your Four Keys infrastructure, it's recommended to choose a remote backend. (Alternatively, you may choose to use Terraform only for the initial setup, and then use other tools--like gcloud
or the Cloud Console--for ongoing modifications.)
To learn how to use a remote backend for robust storage of Terraform state, see: Terraform Language: Backends
If something goes wrong during Terraform setup, you may be able to run terraform destroy
to delete the resources that were created. However, it's possible for the Terraform state to become inconsistent with your project, leaving Terraform unaware of resources (yet their existance will prevent subsequent installations from working). If that happens, the best option is usually to delete the GCP project and start a new one. If that's not possible, you can force-remove all of the four keys resources in your project by running:
./ci/project_cleaner.sh --project=<your_fourkeys_project>
The setup script can create mock data, but it cannot integrate automatically with live projects. To measure your team's performance, you need to integrate to your live GitHub or GitLab repo that has ongoing deployments. You can then measure the four key metrics, and experiment with how changes, successful deployments, and failed deployments affect your metrics.
To integrate Four Keys with a live repo, you need to:
If you have an existing installation of The Four Keys, created using the now-deprecated bash-based setup process, and you want to be able to keep your installation up-to-date with new upstream releases, you'll need to put your cloud resources under Terraform control. The easiest way to do this is to destroy all existing resources and let Terraform create new ones that it will then manage going forward. Here's the process to do that (adapt as needed for your specific installation):
- Export the data from
events_raw
- If you exported your data to a bucket in a project that you plan to delete, be sure to download it before deleting the project!
- Delete existing cloud resources
- If you have a project dedicated to Four Keys, you can simply delete that project
- Run
setup.sh
in this folder- When configuring the installation, choose to not generate mock data
- When the setup is complete:
- Use the newly-generated webhook URL and secret to reconfigure webhook deliveries from your VCS/CICD systems
- Import the
events_raw
data:- Load the data into a temporary table named
events_raw_import
- You may need to manually specify the schema (and delete the column headers) when importing
- Copy the imported data into the
events_raw
tableINSERT INTO events_raw (SELECT * FROM events_raw_import)
- Delete the temporary table
- Load the data into a temporary table named
- Start with your GitHub repo
- Navigate to your repo (or forked repo) and click Settings.
- Select Webhooks from the left hand side.
- Click Add Webhook.
- Get the Event Handler endpoint for your Four Keys service:
echo $(terraform output -raw event_handler_endpoint)
- In the Add Webhook interface use the Event Handler endpoint for Payload URL.
- Run the following command to get the secret from Google Secrets Manager:
echo $(terraform output -raw event_handler_secret)
- Put the secret in the box labelled Secret.
- For Content Type, select application/json.
- Select Send me everything.
- Click Add Webhook.
- Navigate to your repo and click Settings.
- Select Webhooks from the menu.
- Get the Event Handler endpoint for your Four Keys service by running the following:
echo $(terraform output -raw event_handler_endpoint)
- For Payload URL, use the Event Handler endpoint.
- Run the following command to get the secret from Google Secrets Manager:
echo $(terraform output -raw event_handler_secret)
- Put the secret in the box labelled Secret Token.
- Select all the checkboxes.
- Leave the Enable SSL verification selected.
- Click Add Webhook.
- For whichever CI/CD system you are using, set it up to send Webhook events to the event-handler.
- Add a
.circleci.yaml
file to your repo.version: 2.1 executors: default: ... jobs: build: executor: default steps: - run: make build deploy: executor: default steps: - run: make deploy workflows: version: 2 build_and_deploy_on_master: # A workflow whose name contains 'deploy' will be used in the query to build the deployments view jobs: - build: name: build filters: &master_filter branches: only: master - deploy: name: deploy filters: *master_filter requires: - build
This setup will trigger a deployment on any push
to the master
branch.
Four Keys uses GitLab and/or GitHub issues to track incidents.
- Open an issue.
- Add the tag
Incident
. - In the body of the issue, input
root cause: {SHA of the commit}
.
When the incident is resolved, close the issue. Four Keys will measure the incident from the time of the deployment to when the issue is closed.
If Pager Duty support is enabled (passed via the parsers
variable), this secret is required and used for verifying Pager Duty events received belong to us.
To create this secret:
- You will need a Pager Duty General Access REST API Key. These can only be created by users that are >=Global Admin.
- Using said API key, create a webhook subscription. The example below creates an account-wide subscription, but depending on your Four Keys architecture, you could choose to create individual subscriptions per-project or service.
API_TOKEN=<your_api_token>
FOURKEYS_ENDPOINT=<your_fourkeys_endpoint>
curl-- location-- request POST
'https://api.pagerduty.com/webhook_subscriptions'-- header
'Authorization: Token token=${API_TOKEN}'-- header
'Content-Type: application/json'-- header
'Accept: application/vnd.pagerduty+json;version=2'-- data - raw '{
"webhook_subscription": {
"delivery_method": {
"type": "http_delivery_method",
"url": "${FOURKEYS_ENDPOINT}"
},
"description": "Sends PagerDuty v3 webhook events to DORA metrics.",
"events": [
"incident.resolved",
"incident.triggered"
],
"filter": {
"type": "account_reference"
},
"type": "webhook_subscription"
}
}'
- The Pager Duty webhook subscription creation API response will include a secret (only returned on creation). This secret needs to be stored in Secret Manager in your Four Keys project as
pager_duty_secret
.
SECRET=<your_pager_duty_secret>
echo $SECRET | tr -d '\n' | gcloud beta secrets create pager_duty_secret \
--replication-policy=automatic \
--data-file=-