Newer
Older
/**
* The resource ids of resources must be unique. Since we might create resources for a branch multiple times
* (after destroying the ones created before maybe failed, e.g. on environment cleanup, reopening a branch), we ensure uniqueness
* by appending some random data to resource ids in order to avoid collisions.
*/
resource "random_id" "main" {
byte_length = 2
prefix = "${local.service_name}-${local.environment}-"
}
resource "google_project_service" "service" {
for_each = toset([
"run.googleapis.com",
"servicemanagement.googleapis.com",
"servicecontrol.googleapis.com",
"endpoints.googleapis.com",
])
service = each.key
project = data.terraform_remote_state.holi_infra_state.outputs.shared_project_id
# keep this property as false. Having it true caused https://holi.atlassian.net/wiki/spaces/HOLI/pages/348258312/2023-06-27+All+services+down
disable_dependent_services = false
disable_on_destroy = false
}
# in CI, this is set via scripts/create-or-update-env.sh
variable "image_tag" {
type = string
nullable = false
}
resource "google_cloud_run_service" "unified_api" {
project = data.terraform_remote_state.holi_infra_state.outputs.shared_project_id
name = random_id.main.hex
location = local.default_region # finland, low CO2 emissions
Ole Langbehn
committed
# https://github.com/hashicorp/terraform-provider-google/issues/5898
autogenerate_revision_name = true
template {
spec {
service_account_name = data.terraform_remote_state.holi_unified_api_common_state.outputs.cloud_run_service_account_email
image = "${data.terraform_remote_state.holi_infra_state.outputs.artifact_registry_location}/holi-unified-api:${var.image_tag}"
name = "ENVIRONMENT_ID"
value = local.environment
}
env {
name = "OKUNA_URL"
value = local.okuna_url
}
name = "OKUNA_DOMAIN"
value = local.okuna_domain
}
env {
name = "DONATIONS_API_URL"
value = local.donations_api_url
}
name = "GOODNEWS_API_URL"
value = local.goodnews_api_url
}
name = "GEO_API_URL"
Ole Langbehn
committed
name = "VOLUNTEERING_API_URL"
value = local.volunteering_api_url
}
env {
name = "NOTIFICATIONS_API_URL"
value = local.notifications_api_url
}
env {
name = "TRANSLATION_API_URL"
value = local.translation_api_url
}
env {
name = "REDIS_HOST"
value = data.terraform_remote_state.holi_infra_state.outputs.redis_host_cmek_development
}
env {
name = "REDIS_PORT"
value = data.terraform_remote_state.holi_infra_state.outputs.redis_port_cmek_development
name = "REDIS_PASSWORD"
value_from {
secret_key_ref {
key = "latest"
env {
name = "REDIS_DB"
value = local.environment == "production" ? "13" : "5"
}
env {
name = "MATRIX_SERVER_BASE_URL"
value = local.environment == "production" ? "https://chat.holi.social" : "https://development-chat.holi.social"
}
# switching the ory project to production/development
Daniel Bimschas
committed
env {
name = "ACCESS_RULES_REPOSITORIES"
Daniel Bimschas
committed
value = local.environment == "production" ? "file:///opt/oathkeeper/rules-production.yaml" : "file:///opt/oathkeeper/rules-staging.yaml"
Daniel Bimschas
committed
}
env {
name = "MUTATORS_ID_TOKEN_CONFIG_ISSUER_URL"
value = local.environment == "production" ? "https://auth.holi.social" : "https://dev-auth.holi.social"
Daniel Bimschas
committed
}
env {
name = "AUTHENTICATORS_COOKIE_SESSION_CONFIG_CHECK_SESSION_URL"
value = local.environment == "production" ? "https://auth.holi.social/sessions/whoami" : "https://dev-auth.holi.social/sessions/whoami"
}
env {
name = "AUTHENTICATORS_COOKIE_SESSION_CONFIG_ONLY"
value = local.environment == "production" ? "ory_session_flamboyanthopperh35qftghn9" : "ory_session_mystifyingcarverakajr6v4t8"
}
env {
name = "AUTHENTICATORS_BEARER_TOKEN_CONFIG_CHECK_SESSION_URL"
value = local.environment == "production" ? "https://auth.holi.social/sessions/whoami" : "https://dev-auth.holi.social/sessions/whoami"
env {
name = "VIDEOCALL_URL"
value = local.environment == "production" ? "https://meet.holi.social" : "https://development.meet.holi.social"
}
env {
name = "NOVU_API_KEY"
value_from {
secret_key_ref {
key = "latest"
name = local.environment == "production" ? "NOVU_API_KEY_PRODUCTION" : "NOVU_API_KEY_DEVELOPMENT"
}
}
}
env {
name = "NOVU_ENVIRONMENT_ID"
value_from {
secret_key_ref {
key = "latest"
name = local.environment == "production" ? "NOVU_ENVIRONMENT_ID_PRODUCTION" : "NOVU_ENVIRONMENT_ID_DEVELOPMENT"
}
}
}
env {
name = "JITSI_JWT_SECRET"
value_from {
secret_key_ref {
key = "latest"
name = local.environment == "production" ? "JITSI_JWT_SECRET_PRODUCTION" : "JITSI_JWT_SECRET_DEVELOPMENT"
}
}
}
volume_mounts {
mount_path = "/opt/oathkeeper/secrets/"
name = "JWKS"
}
resources {
limits = {
# cpu can only be scaled down to 1000m as long as container_concurrency is set to != 1
cpu = local.environment == "production" ? "1000m" : "1000m"
memory = local.environment == "production" ? "512Mi" : "512Mi"
}
requests = {
cpu = local.environment == "production" ? "1000m" : "1000m"
memory = local.environment == "production" ? "512Mi" : "512Mi"
volumes {
name = "JWKS"
secret {
secret_name = local.environment == "production" ? "ORY_PRIVATE_KEY_PRODUCTION" : "ORY_PRIVATE_KEY_DEVELOPMENT"
items {
key = "latest"
path = "jwks.json"
}
}
}
container_concurrency = 0 # 0 means thread safe, no restriction on max concurrency
}
metadata {
annotations = {
"autoscaling.knative.dev/minScale" = local.environment == "production" ? "1" : "0"
"autoscaling.knative.dev/maxScale" = local.environment == "production" ? "10" : "2"
"run.googleapis.com/vpc-access-connector" = data.terraform_remote_state.holi_infra_state.outputs.vpc_access_connector_name
# possible values: all-traffic/private-ranges-only(default) https://cloud.google.com/sdk/gcloud/reference/run/services/update#--vpc-egress
# this needs to be set to all-traffic in order to route a cloud run url correctly, since it does resolve to a non-private ip address.
"run.googleapis.com/vpc-access-egress" = "all-traffic"
# labels set on the revision level
labels = {
"environment_type" = local.environment_type
"holi_service" = "unified-api"
}
metadata {
# labels set on the service level
labels = {
"environment_type" = local.environment_type
"holi_service" = "unified-api"
}
}
traffic {
percent = 100
latest_revision = true
}
depends_on = [google_project_service.service]
}
resource "google_cloud_run_domain_mapping" "holi_social_unified_api" {
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
project = google_cloud_run_service.unified_api.project
# location needs to be the same as the service's
location = google_cloud_run_service.unified_api.location
name = local.dns_name
metadata {
namespace = google_cloud_run_service.unified_api.project
}
spec {
route_name = google_cloud_run_service.unified_api.name
}
}
data "google_iam_policy" "unified_api" {
binding {
role = "roles/run.invoker"
members = [
"allUsers",
]
}
}
resource "google_cloud_run_service_iam_policy" "unified_api" {
location = google_cloud_run_service.unified_api.location
project = google_cloud_run_service.unified_api.project
service = google_cloud_run_service.unified_api.name
policy_data = data.google_iam_policy.unified_api.policy_data
}