MRG: Merge pull request #1 from octue/create-module

cortadocodes · web-flow · commit f92cc66b82b0 · 2025-04-16T16:57:52.000+01:00
Create module
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,32 @@
+# This workflow releases a new version of the Terraform module.
+
+name: Release
+
+# Only trigger when a pull request into main branch is merged.
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Get module version
+        id: get-version
+        run: echo "version=$(cat VERSION.txt)" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, no need to create your own.
+        with:
+          tag_name: ${{ steps.get-version.outputs.version }}
+          release_name: ${{ github.event.pull_request.title }}
+          body: ${{ github.event.pull_request.body }}
+          draft: false
+          prerelease: false
diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml
@@ -0,0 +1,18 @@
+# This workflow updates the pull request description with an auto-generated section containing the categorised commit
+# message headers of the pull request's commits. The auto generated section is enveloped between two comments:
+# "<!--- START AUTOGENERATED NOTES --->" and "<!--- END AUTOGENERATED NOTES --->". Anything outside these in the
+# description is left untouched. Auto-generated updates can be skipped for a commit if
+# "<!--- SKIP AUTOGENERATED NOTES --->" is added to the pull request description.
+
+name: update-pull-request
+
+on: [pull_request]
+
+jobs:
+  description:
+    uses: octue/workflows/.github/workflows/generate-pull-request-description.yml@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      contents: read
+      pull-requests: write
diff --git a/.gitignore b/.gitignore
@@ -165,7 +165,7 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/
 
 # Ruff stuff:
 .ruff_cache/
diff --git a/README.md b/README.md
@@ -1,2 +1,160 @@
+> [!NOTE]
+> This Terraform module can be deployed alongside the [terraform-octue-django-api](https://github.com/octue/terraform-octue-django-api)
+> module to create a cloud-based "branch/workspace deployment", or alone to create the buckets needed for a local 
+> environment.
+
 # terraform-octue-django-api-buckets
-A Terraform module for deploying storage buckets for a Django API.
+A Terraform module for deploying Cloud Storage buckets for use with a Django API server running locally or in the cloud.
+
+
+# Infrastructure
+Deploying this module creates Cloud Storage buckets for a local or cloud environment. This infrastructure is [isolated 
+from other environments' infrastructure](#environments). These buckets are deployed:
+- A public static assets bucket
+- A private assets bucket
+- An optional public assets bucket
+
+
+# Installation and usage
+Add the below blocks to your Terraform configuration and run:
+```shell
+terraform init
+terraform plan
+```
+
+If you're happy with the plan, run:
+```shell
+terraform apply
+```
+and approve the run.
+
+
+## Environments
+The suggested way of managing environments is via [Terraform workspaces](https://developer.hashicorp.com/terraform/language/state/workspaces).
+You can get started right away with the `main` environment by removing the `environment` input to the module. 
+
+To create and used other environments, see the example configuration below. It contains a `locals` block that 
+automatically generates the environment name from the name of the current Terraform workspace by taking the text after 
+the final hyphen. This supports uniquely named environments in Terraform Cloud (which must be unique within the 
+organisation) while keeping the environment prefix short but unique within your GCP project. For this to work well, 
+ensure your Terraform workspace names are slugified.
+
+For example, if your resource affix was `my-project` and your Terraform workspace was called `my-project-testing`, the 
+environment would be called `testing` and your resources would be named like this:
+- Static assets bucket: `"my-project--static-assets--testing"`
+- Private assets bucket: `"my-project--private-assets--testing"`
+
+
+## Example configuration
+
+```terraform
+# main.tf
+
+terraform {
+  required_version = ">= 1.8.0, <2"
+  
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "6.28.0"
+    }
+  }
+}
+
+
+provider "google" {
+  project     = var.google_cloud_project_id
+  region      = var.google_cloud_region
+}
+
+
+# Get the environment name from the workspace.
+locals {
+  workspace_split = split("-", terraform.workspace)
+  environment = element(local.workspace_split, length(local.workspace_split) - 1)
+}
+
+
+module "octue_django_api" {
+  source = "git::github.com/octue/terraform-octue-django-api.git?ref=0.1.0"
+  project = var.google_cloud_project_id
+  region = var.google_cloud_region
+  resource_affix = var.resource_affix
+  environment = local.environment
+}
+
+
+module "octue_django_api_buckets" {
+  source = "git::github.com/octue/terraform-octue-django-api-buckets.git?ref=0.1.0"
+  server_service_account_email = module.octue_django_api.server_service_account.email
+  project = var.google_cloud_project_id
+  resource_affix = var.resource_affix
+  environment = local.environment
+}
+```
+
+```terraform
+# variables.tf
+
+variable "google_cloud_project_id" {
+  type    = string
+  default = "<your-google-project-id>"
+}
+
+
+variable "resource_affix" {
+  type    = string
+  default = "<name-of-your-api>"
+}
+```
+
+## Dependencies
+- Terraform: `>= 1.8.0, <2`
+- Providers:
+  - `hashicorp/google`: `~>6.28`
+- Google cloud APIs:
+  - The Cloud Resource Manager API must be [enabled manually](https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com) 
+    before using the module
+  - All other required google cloud APIs are enabled automatically by the module 
+
+
+## Authentication
+The module needs to authenticate with google cloud before it can be used:
+
+1. Create a service account for Terraform and assign it the `editor` and `owner` basic IAM permissions
+2. Download a JSON key file for the service account
+3. If using Terraform Cloud, follow [these instructions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#using-terraform-cloud).
+   before deleting the key file from your computer 
+4. If not using Terraform Cloud, follow [these instructions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration)
+   or use another [authentication method](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication).
+
+
+## Destruction
+> [!WARNING]
+> If the `deletion_protection` input is set to `true`, it must first be set to `false` and `terraform apply` run before 
+> running `terraform destroy` or any other operation that would result in the destruction or replacement of the Cloud
+> Storage buckets. Not doing this can lead to a state needing targeted Terraform commands and/or manual > configuration 
+> changes to recover from.
+
+Disable `deletion_protection` and run:
+```shell
+terraform destroy
+```
+
+
+# Input reference
+
+| Name                           | Type       | Required | Default    |
+|--------------------------------|------------|----------|------------| 
+| `server_service_account_email` | `string`   | Yes      | N/A        |  
+| `google_cloud_project_id`      | `string`   | Yes      | N/A        |  
+| `resource_affix`               | `string`   | Yes      | N/A        |                 
+| `environment`                  | `string`   | No       | `"main"`   |     
+| `create_public_bucket`         | `boolean`  | No       | `false`    |     
+| `deletion_protection`          | `bool`     | No       | `true`     | 
+
+See [`variables.tf`](/variables.tf) for descriptions.
+
+
+# Output reference
+There are no outputs.
diff --git a/VERSION.txt b/VERSION.txt
@@ -0,0 +1 @@
+0.1.0
diff --git a/google_apis.tf b/google_apis.tf
@@ -0,0 +1,18 @@
+locals {
+  services = {
+    iam = "iam.googleapis.com"
+  }
+}
+
+
+resource "google_project_service" "services" {
+  for_each           = local.services
+  project            = var.google_cloud_project_id
+  service            = each.value
+  disable_on_destroy = false
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.8.0, <2"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~>6.28.0"
+    }
+  }
+}
diff --git a/storage.tf b/storage.tf
@@ -0,0 +1,97 @@
+# STATIC BUCKET
+###############
+# Static bucket for long term cacheable application assets (eg favicons, logo images etc).
+
+resource "google_storage_bucket" "static_assets" {
+  name                        = "${var.resource_affix}--static-assets--${var.environment}"
+  location                    = "EU"
+  force_destroy               = !var.deletion_protection
+  uniform_bucket_level_access = true
+  labels                      = {}
+  cors {
+    origin          = ["*"]
+    method          = ["GET"]
+    response_header = ["*"]
+    max_age_seconds = 3600
+  }
+}
+
+
+# Make static bucket contents public.
+resource "google_storage_bucket_iam_member" "static_assets_object_viewer" {
+  bucket = google_storage_bucket.static_assets.name
+  role   = "roles/storage.objectViewer"
+  member = "allUsers"
+}
+
+
+# Allow the server to administer what's on the staging bucket
+resource "google_storage_bucket_iam_member" "static_assets_object_admin" {
+  bucket = google_storage_bucket.static_assets.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${var.server_service_account_email}"
+}
+
+
+# PRIVATE BUCKET
+################
+# Private bucket for user-editable assets. Note: CORS are set to allow direct uploads, enabling upload of files larger
+# than 32 mb (Cloud Run has a hard limit on file upload size).
+
+resource "google_storage_bucket" "private_assets" {
+  name                        = "${var.resource_affix}--private-assets--${var.environment}"
+  labels                      = {}
+  location                    = "EU"
+  force_destroy               = !var.deletion_protection
+  uniform_bucket_level_access = false
+
+  cors {
+    origin          = ["*"]
+    method          = ["GET", "HEAD", "PUT"]
+    response_header = ["*"]
+    max_age_seconds = 3600
+  }
+}
+
+
+resource "google_storage_bucket_iam_member" "private_assets_object_admin" {
+  bucket = google_storage_bucket.private_assets.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${var.server_service_account_email}"
+}
+
+
+# PUBLIC BUCKET (OPTIONAL)
+##########################
+resource "google_storage_bucket" "public_assets" {
+  count                       = var.create_public_bucket ? 1 : 0
+  name                        = "${var.resource_affix}--public-assets--${var.environment}"
+  location                    = "EU"
+  force_destroy               = !var.deletion_protection
+  uniform_bucket_level_access = true
+  labels                      = {}
+  cors {
+    origin          = ["*"]
+    method          = ["GET"]
+    response_header = ["*"]
+    max_age_seconds = 3600
+  }
+}
+
+
+# Make public bucket contents public.
+resource "google_storage_bucket_iam_member" "public_assets_object_viewer" {
+  count  = var.create_public_bucket ? 1 : 0
+  bucket = google_storage_bucket.public_assets[0].name
+  role   = "roles/storage.objectViewer"
+  member = "allUsers"
+}
+
+
+# Allow the server to administer what's on the public bucket.
+resource "google_storage_bucket_iam_member" "public_assets_object_admin" {
+  count  = var.create_public_bucket ? 1 : 0
+  bucket = google_storage_bucket.public_assets[0].name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${var.server_service_account_email}"
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,37 @@
+variable "server_service_account_email" {
+  type = string
+  description = "The email address of the service account for running the Django server."
+}
+
+
+variable "google_cloud_project_id" {
+  type        = string
+  description = "The ID of the GCP project to deploy resources in."
+}
+
+
+variable "resource_affix" {
+  type        = string
+  description = "The affix to add to each resource controlled by this module."
+}
+
+
+variable "environment" {
+  type        = string
+  default     = "main"
+  description = "The name of the environment to deploy the resources in (must be one word with no hyphens or underscores in). This can be derived from a Terraform workspace name and used to facilitate e.g. testing and staging environments alongside the production environment ('main')."
+}
+
+
+variable "create_public_bucket" {
+  type        = bool
+  default     = false
+  description = "If `true`, create a public assets bucket."
+}
+
+
+variable "deletion_protection" {
+  type        = bool
+  default     = false
+  description = "If `true`, disallow deletion of the cloud storage buckets. `terraform apply` must be run after setting this to `false` before `terraform destroy` will work."
+}
