Get Terraform out of the CI/CD business (#406)

* Build containers separately * Fail on errors requesting the secret * Do not manage the lifecycle of Cloud Run services * Remove unused secrets, more POLP * Remove triggers * Add ability to deploy single service * Add ability to promote a single service * Update docs + remote state * Remove state.tf * Fix GCR link
google · May 21, 2020 · e41bde2 · e41bde2
1 parent 03293fc
commit e41bde2
Show file tree

Hide file tree

Showing 21 changed files with 411 additions and 488 deletions.
diff --git a/.gitignore b/.gitignore
@@ -15,5 +15,6 @@
 *.tfstate*
 *.terraform/
 terraform.tfvars
+terraform/state.tf
 
 /local/
diff --git a/.ko.yaml b/.ko.yaml
diff --git a/setup_ko.sh → Dockerfile b/setup_ko.sh → Dockerfile
@@ -1,5 +1,3 @@
-#!/bin/sh
-
 # Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +12,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-export PROJECT_ID=$(gcloud config get-value core/project)
-export KO_DOCKER_REPO="us.gcr.io/${PROJECT_ID}"
-export DOCKER_REPO_OVERRIDE="us.gcr.io/${PROJECT_ID}"
+FROM golang:1.14 AS builder
+
+ARG SERVICE
+
+RUN apt-get -qq update && apt-get -yqq install upx
+
+ENV GO111MODULE=on \
+ CGO_ENABLED=0 \
+ GOOS=linux \
+ GOARCH=amd64
+
+WORKDIR /src
+COPY . .
+
+RUN go build \
+ -trimpath \
+ -ldflags "-s -w -extldflags '-static'" \
+ -installsuffix cgo \
+ -tags netgo \
+ -o /bin/service \
+ ./cmd/${SERVICE}
+
+RUN strip /bin/service
+RUN upx -q -9 /bin/service
+
+
+FROM scratch
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/service /bin/service
+
+ENV PORT 8080
+
+ENTRYPOINT ["/bin/service"]
diff --git a/builders/build.yaml b/builders/build.yaml
@@ -13,69 +13,26 @@
 # limitations under the License.
 
 #
-# Builds container imges.
+# Builds a container image.
 #
 
-options:
- env:
- - 'KO_DOCKER_REPO=us.gcr.io/${PROJECT_ID}'
- - 'DOCKER_REPO_OVERRIDE=us.gcr.io/${PROJECT_ID}'
- machineType: N1_HIGHCPU_8
+substitutions:
+ _SERVICE:
+ _TAG:
 
 steps:
-# Tests
-- id: test
- name: 'mirror.gcr.io/library/golang'
- env:
- - GO111MODULE=on
- args: ['go', 'test', './...']
- waitFor: ['-']
-
-# Build and publish containers`
-- id: export
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/export
- waitFor: ['test']
-
-- id: federationin
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/federationin
- waitFor: ['test']
-
-- id: federationout
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/federationout
- waitFor: ['test']
-
-- id: exposure
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/exposure
- waitFor: ['test']
-
-- id: cleanup-export
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/cleanup-export
- waitFor: ['test']
-
-- id: cleanup-exposure
- name: 'gcr.io/cloud-devrel-public-resources/exposure-notifications/ko:latest'
- args:
- - publish
- - -P
- - ./cmd/cleanup-exposure
- waitFor: ['test']
+- id: 'build'
+ name: 'registry.hub.docker.com/library/docker:18'
+ args: [
+ 'build',
+ '--tag', 'gcr.io/${PROJECT_ID}/github.com/google/exposure-notifications-server/cmd/${_SERVICE}:${_TAG}',
+ '--build-arg', 'SERVICE=${_SERVICE}',
+ '.',
+ ]
+
+- id: 'publish'
+ name: 'registry.hub.docker.com/library/docker:18'
+ args: [
+ 'push',
+ 'gcr.io/${PROJECT_ID}/github.com/google/exposure-notifications-server/cmd/${_SERVICE}:${_TAG}',
+ ]
diff --git a/builders/deploy.yaml b/builders/deploy.yaml
@@ -13,100 +13,27 @@
 # limitations under the License.
 
 #
-# Re-deploys existing Cloud Run services. The services must have been deployed
-# with Terraform first, before using this script.
+# Deploys a Cloud Run service.
 #
 
 substitutions:
  _REGION:
+ _SERVICE:
+ _TAG:
 
 steps:
-- id: 'export'
+- id: 'deploy'
  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
  args:
  - 'bash'
+ - '-eEuo'
+ - 'pipefail'
  - '-c'
  - |-
- gcloud run deploy export \
+ gcloud run deploy "${_SERVICE}" \
  --quiet \
  --project "${PROJECT_ID}" \
  --platform "managed" \
  --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/export:latest" \
+ --image "gcr.io/${PROJECT_ID}/github.com/google/exposure-notifications-server/cmd/${_SERVICE}:${_TAG}" \
  --no-traffic
- waitFor: ['-']
-
-- id: 'federationin'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run deploy federationin \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/federationin:latest" \
- --no-traffic
- waitFor: ['-']
-
-- id: 'federationout'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run deploy federationout \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/federationout:latest" \
- --no-traffic
- waitFor: ['-']
-
-- id: 'exposure'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run deploy exposure \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/exposure:latest" \
- --no-traffic
- waitFor: ['-']
-
-- id: 'cleanup-export'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run deploy cleanup-export \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/cleanup-export:latest" \
- --no-traffic
- waitFor: ['-']
-
-- id: 'cleanup-exposure'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run deploy cleanup-exposure \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --image "us.gcr.io/$PROJECT_ID/github.com/google/exposure-notifications-server/cmd/cleanup-exposure:latest" \
- --no-traffic
- waitFor: ['-']
diff --git a/builders/migrate.yaml b/builders/migrate.yaml
@@ -30,6 +30,8 @@ steps:
  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
  args:
  - 'bash'
+ - '-eEuo'
+ - 'pipefail'
  - '-c'
  - |-
  gcloud secrets versions access "${_DB_PASS_SECRET}" > ./dbpass

diff --git a/builders/promote.yaml b/builders/promote.yaml
@@ -17,91 +17,23 @@
 #
 
 substitutions:
+ _PERCENTAGE: '100'
  _REGION:
  _REVISION: 'LATEST'
- _PERCENTAGE: '100'
+ _SERVICE:
 
 steps:
 - id: 'export'
  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
  args:
  - 'bash'
+ - '-eEuo'
+ - 'pipefail'
  - '-c'
  - |-
- gcloud run services update-traffic export \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']
-
-- id: 'federationin'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run services update-traffic federationin \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']
-
-- id: 'federationout'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run services update-traffic federationout \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']
-
-- id: 'exposure'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run services update-traffic exposure \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']
-
-- id: 'cleanup-export'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run services update-traffic cleanup-export \
- --quiet \
- --project "${PROJECT_ID}" \
- --platform "managed" \
- --region "${_REGION}" \
- --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']
-
-- id: 'cleanup-exposure'
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:293.0.0-alpine'
- args:
- - 'bash'
- - '-c'
- - |-
- gcloud run services update-traffic cleanup-exposure \
+ gcloud run services update-traffic ${_SERVICE} \
  --quiet \
  --project "${PROJECT_ID}" \
  --platform "managed" \
  --region "${_REGION}" \
  --to-revisions "${_REVISION}=${_PERCENTAGE}"
- waitFor: ['-']