MRG: Merge pull request #3 from octue/switch-to-global-load-balancer

cortadocodes · web-flow · commit feab0b3199c6 · 2025-04-23T17:16:13.000+01:00
Add CDN and fix bugs
diff --git a/README.md b/README.md
@@ -78,10 +78,11 @@ locals {
 
 
 module "octue_django_api" {
-  source = "git::github.com/octue/terraform-octue-django-api.git?ref=0.2.0"
+  source = "git::github.com/octue/terraform-octue-django-api.git?ref=0.3.0"
   project = var.google_cloud_project_id
   region = var.google_cloud_region
   resource_affix = var.resource_affix
+  api_url = var.api_url
   environment = local.environment
 }
 
@@ -114,6 +115,22 @@ variable "resource_affix" {
   type    = string
   default = "<name-of-your-api>"
 }
+
+
+variable "api_url" {
+  type    = string
+  default = "api.your-org.com" 
+}
+
+
+variable "maintainer_service_account_emails" {
+  type = set(string)
+  default = [
+    "dev1@<your-google-project-id>.iam.gserviceaccount.com",
+    "dev2@<your-google-project-id>.iam.gserviceaccount.com",
+  ]
+}
+
 ```
 
 ## Dependencies
@@ -152,17 +169,21 @@ terraform destroy
 
 # Input reference
 
-| Name                               | Type          | Required | Default                                                                                 |
-|------------------------------------|---------------|----------|-----------------------------------------------------------------------------------------| 
-| `google_cloud_project_id`          | `string`      | Yes      | N/A                                                                                     |  
-| `google_cloud_region`              | `string`      | Yes      | N/A                                                                                     | 
-| `resource_affix`                   | `string`      | Yes      | N/A                                                                                     |                 
-| `environment`                      | `string`      | No       | `"main"`                                                                                |
-| `secret_names`                     | `set(string)` | No       | `set(["django-secret-key", "database-proxy-url", "database-url", "stripe-secret-key"])` |     
-| `tasks_queue_name_suffix`          | `string`      | No       | `""`                                                                                    |
-| `database_availability_type`       | `string`      | No       | `"ZONAL"`                                                                               | 
-| `maintainer_service_account_names` | `set(string)` | No       | `["default"]`                                                                           |
-| `deletion_protection`              | `bool`        | No       | `true`                                                                                  | 
+| Name                                | Type          | Required | Default                                                                                 |
+|-------------------------------------|---------------|----------|-----------------------------------------------------------------------------------------| 
+| `google_cloud_project_id`           | `string`      | Yes      | N/A                                                                                     |  
+| `google_cloud_region`               | `string`      | Yes      | N/A                                                                                     | 
+| `resource_affix`                    | `string`      | Yes      | N/A                                                                                     |
+| `api_url`                           | `string`      | Yes      | N/A                                                                                     |
+| `maintainer_service_account_emails` | `set(string)` | Yes      | N/A                                                                                     |
+| `environment`                       | `string`      | No       | `"main"`                                                                                |
+| `secret_names`                      | `set(string)` | No       | `set(["django-secret-key", "database-proxy-url", "database-url", "stripe-secret-key"])` |     
+| `tasks_queue_name_suffix`           | `string`      | No       | `""`                                                                                    |
+| `minimum_instances`                 | `number`      | No       | `0`                                                                                     |
+| `maximum_instances`                 | `number`      | No       | `10`                                                                                    |
+| `database_tier`                     | `string`      | No       | `"db-f1-micro"`                                                                         |
+| `database_availability_type`        | `string`      | No       | `"ZONAL"`                                                                               |
+| `deletion_protection`               | `bool`        | No       | `true`                                                                                  | 
 
 See [`variables.tf`](/variables.tf) for descriptions.
 
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-0.2.0
+0.3.0
diff --git a/cloud_run.tf b/cloud_run.tf
@@ -6,11 +6,17 @@ resource "google_cloud_run_v2_service" "server" {
   ingress             = "INGRESS_TRAFFIC_ALL"
   deletion_protection = var.deletion_protection
 
+  # The min instance count is set at the *service* level, not the *revision* level. See here for more info:
+  # https://cloud.google.com/run/docs/configuring/min-instances#revisions
+  scaling {
+    min_instance_count = var.minimum_instances
+  }
+
   template {
     service_account = google_service_account.server_service_account.email
 
     scaling {
-      max_instance_count = 10
+      max_instance_count = var.maximum_instances
     }
 
     volumes {
@@ -246,12 +252,14 @@ resource "google_cloud_run_v2_job" "manager" {
   }
 
   lifecycle {
-    ignore_changes = [
-      template[0].template[0].containers[0].args,
-      template[0].template[0].containers[0].image,
-      client,
-      client_version,
-    ]
+    # TODO: The state was stale with revision creating changes
+    # ignore_changes = [
+    #   template[0].template[0].containers[0].args,
+    #   template[0].template[0].containers[0].image,
+    #   client,
+    #   client_version,
+    # ]
+    ignore_changes = all
   }
 
   depends_on = [google_secret_manager_secret.secrets]
diff --git a/database.tf b/database.tf
@@ -6,7 +6,7 @@ resource "google_sql_database_instance" "postgres_instance" {
   deletion_protection = var.deletion_protection
   settings {
     edition                     = "ENTERPRISE"
-    tier                        = "db-f1-micro"
+    tier                        = var.database_tier
     deletion_protection_enabled = var.deletion_protection
 
     database_flags {
diff --git a/iam_roles.tf b/iam_roles.tf
@@ -1,9 +1,8 @@
 locals {
   server_service_account_email = "serviceAccount:${google_service_account.server_service_account.email}"
   maintainer_service_account_emails = toset(
-    [for account in google_service_account.maintainers : "serviceAccount:${account.email}"]
+    [for email in var.maintainer_service_account_emails : "serviceAccount:${email}"]
   )
-  all_service_account_emails = setunion(toset([local.server_service_account_email]), local.maintainer_service_account_emails)
 }
 
 
diff --git a/iam_service_accounts.tf b/iam_service_accounts.tf
@@ -4,12 +4,3 @@ resource "google_service_account" "server_service_account" {
   display_name = "${var.resource_affix}--server--${var.environment}"
   project      = var.google_cloud_project_id
 }
-
-
-resource "google_service_account" "maintainers" {
-  for_each     = var.maintainer_service_account_names
-  account_id   = "maintainer-${each.key}"
-  display_name = "maintainer-${each.key}"
-  project      = var.google_cloud_project_id
-  description  = "Allow ${each.key} to access most resources related to Octue Twined services."
-}
diff --git a/load_balancer.tf b/load_balancer.tf
@@ -8,6 +8,7 @@ resource "google_compute_region_network_endpoint_group" "load_balancer_neg" {
   }
 }
 
+
 resource "google_compute_backend_service" "load_balancer_backend" {
   connection_draining_timeout_sec = 0
   load_balancing_scheme           = "EXTERNAL_MANAGED"
@@ -18,6 +19,16 @@ resource "google_compute_backend_service" "load_balancer_backend" {
   session_affinity                = "NONE"
   timeout_sec                     = 30
   locality_lb_policy              = "ROUND_ROBIN"
+  enable_cdn                      = true
+
+  cdn_policy {
+    cache_mode                   = "CACHE_ALL_STATIC"
+    signed_url_cache_max_age_sec = 3600
+    client_ttl                   = 3600
+    default_ttl                  = 3600
+    max_ttl                      = 86400
+    serve_while_stale            = 86400
+  }
 
   backend {
     balancing_mode               = "UTILIZATION"
@@ -48,7 +59,7 @@ resource "google_compute_managed_ssl_certificate" "ssl" {
 
   managed {
     domains = [
-      "api.bezier.octue.com"
+      var.api_url
     ]
   }
 
diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,18 @@ variable "resource_affix" {
 }
 
 
+variable "api_url" {
+  type        = string
+  description = "The URL for the API e.g. 'api.strands.octue.com'"
+}
+
+
+variable "maintainer_service_account_emails" {
+  type        = set(string)
+  description = "The email addresses of the maintainers' IAM service accounts."
+}
+
+
 variable "environment" {
   type        = string
   default     = "main"
@@ -35,13 +47,34 @@ variable "secret_names" {
 }
 
 
+variable "minimum_instances" {
+  type = number
+  default = 0
+  description = "The minimum number of instances for the Cloud Run service (set at the service level, not revision level)."
+}
+
+
+variable "maximum_instances" {
+  type = number
+  default = 10
+  description = "The maximum number of instances for the Cloud Run service (set at the revision level, not service level)."
+}
+
+
 variable "tasks_queue_name_suffix" {
   type        = string
   default     = ""
   description = "An optional suffix to be added to the resource name of the task queue. Only use when attempting to recreate a queue after it has been deleted as a queue with the same name cannot be created within 7 days."
 }
 
 
+variable "database_tier" {
+  type = string
+  default = "db-f1-micro"
+  description = "The machine type to use for the database."
+}
+
+
 variable "database_availability_type" {
   type    = string
   default = "ZONAL"
@@ -53,13 +86,6 @@ variable "database_availability_type" {
 }
 
 
-variable "maintainer_service_account_names" {
-  type        = set(string)
-  default     = ["default"]
-  description = "The names of each maintainer IAM service account that should be created. They'll automatically be prefixed with 'maintainer-'."
-}
-
-
 variable "deletion_protection" {
   type        = bool
   default     = true

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,8 @@`
`1`	`1`	`locals {`
`2`	`2`	`server_service_account_email = "serviceAccount:${google_service_account.server_service_account.email}"`
`3`	`3`	`maintainer_service_account_emails = toset(`
`4`		`- [for account in google_service_account.maintainers : "serviceAccount:${account.email}"]`
	`4`	`+ [for email in var.maintainer_service_account_emails : "serviceAccount:${email}"]`
`5`	`5`	`)`
`6`		`- all_service_account_emails = setunion(toset([local.server_service_account_email]), local.maintainer_service_account_emails)`
`7`	`6`	`}`
`8`	`7`
`9`	`8`