mybuddy/terraform/gcp-cloud-run/main.tf

188 lines
5.0 KiB
HCL

provider "google" {
region = var.region
}
resource "google_project" "baby_buddy" {
name = var.project_name
project_id = var.project_id
billing_account = var.billing_account
auto_create_network = false
}
locals {
services = toset(["run.googleapis.com",
"sqladmin.googleapis.com",
"sql-component.googleapis.com",
"secretmanager.googleapis.com"
])
}
resource "google_project_service" "project_services" {
for_each = local.services
project = google_project.baby_buddy.project_id
service = each.value
disable_on_destroy = true
disable_dependent_services = true
}
resource "random_password" "root_password" {
min_lower = 1
min_numeric = 1
min_upper = 1
length = 19
special = true
min_special = 1
lifecycle {
ignore_changes = [
min_lower, min_upper, min_numeric, special, min_special, length
]
}
}
resource "random_password" "django_secret_key" {
min_lower = 1
min_numeric = 1
min_upper = 1
length = 20
special = true
min_special = 1
lifecycle {
ignore_changes = [
min_lower, min_upper, min_numeric, special, min_special, length
]
}
}
resource "google_sql_database_instance" "baby_buddy" {
name = "babybuddy"
database_version = "POSTGRES_15"
root_password = random_password.root_password.result
settings {
tier = "db-f1-micro"
disk_autoresize = false
deletion_protection_enabled = false
insights_config {
query_insights_enabled = false
}
maintenance_window {
day = 1
hour = 0
}
}
deletion_protection = "true"
}
resource "google_secret_manager_secret" "postgres_password" {
secret_id = "postgres-password"
project = google_project.baby_buddy.project_id
replication {
auto {}
}
}
resource "google_secret_manager_secret_version" "postgres_password" {
secret = google_secret_manager_secret.postgres_password.name
secret_data = google_sql_database_instance.baby_buddy.root_password
}
resource "google_secret_manager_secret_iam_member" "postgres_password" {
secret_id = google_secret_manager_secret.postgres_password.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_project.baby_buddy.number}-compute@developer.gserviceaccount.com"
depends_on = [google_secret_manager_secret.postgres_password]
}
resource "google_secret_manager_secret" "django_secret_key" {
secret_id = "django-secret-key"
project = google_project.baby_buddy.project_id
replication {
auto {}
}
}
resource "google_secret_manager_secret_version" "django_secret_key" {
secret = google_secret_manager_secret.django_secret_key.name
secret_data = random_password.django_secret_key.result
}
resource "google_secret_manager_secret_iam_member" "django_secret_key" {
secret_id = google_secret_manager_secret.django_secret_key.name
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_project.baby_buddy.number}-compute@developer.gserviceaccount.com"
depends_on = [google_secret_manager_secret.django_secret_key]
}
resource "google_cloud_run_v2_service" "baby_buddy" {
name = "babybuddy"
location = var.region
ingress = "INGRESS_TRAFFIC_ALL"
project = google_project.baby_buddy.project_id
template {
scaling {
max_instance_count = 2
}
volumes {
name = "cloudsql"
cloud_sql_instance {
instances = [google_sql_database_instance.baby_buddy.connection_name]
}
}
containers {
name = "babybuddy-1"
image = "docker.io/linuxserver/babybuddy:latest"
env {
name = "DB_HOST"
value = "/cloudsql/${google_project.baby_buddy.project_id}:${var.region}:${google_sql_database_instance.baby_buddy.name}"
}
env {
name = "DB_USER"
value = "postgres"
}
env {
name = "DB_NAME"
value = "postgres"
}
env {
name = "DB_ENGINE"
value = "django.db.backends.postgresql"
}
env {
name = "DB_PASSWORD"
value_source {
secret_key_ref {
secret = google_secret_manager_secret.postgres_password.secret_id
version = google_secret_manager_secret_version.postgres_password.version
}
}
}
env {
name = "SECRET_KEY"
value_source {
secret_key_ref {
secret = google_secret_manager_secret.django_secret_key.secret_id
version = google_secret_manager_secret_version.django_secret_key.version
}
}
}
volume_mounts {
name = "cloudsql"
mount_path = "/cloudsql"
}
}
}
annotations = {
"foo" = "bar"
}
traffic {
type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
percent = 100
}
depends_on = [google_secret_manager_secret_version.postgres_password, google_secret_manager_secret_version.django_secret_key]
}