Terraform module for deploying build-results-viewer to GCP

This module deploys a set of infrastructure resources that together comprise a self-hosted Build Results Viewer instance.


Contributors: 1
Created: 2 years ago
License: Apache-2.0
Languages: markdown (87.02%), yaml (7.99%), shell (4.99%)

Copyright (c) 2023 Antmicro

Running the container

The application is deployed as a Docker container on a Compute Engine instance running Container-Optimized OS. Please be advised that this module on its own does not handle deploying the container image; this is something that you need to do separately after building the image using bazel build -c opt server:build_results_viewer_container.

If you're uploading the image to the Artifact Registry, you need to grant the app instance's service account read permission, either on the repository or project-wide. This can be done by creating an IAM binding between the service account and the roles/artifactregistry.reader role.

Exposing the front-end and back-end services

By default, the instance does not have any firewall rules for exposing the internal ports used by the application.

Some of the possible strategies for exposing the front-end (port 8080) service to the Internet include:

  • Using the built-in Caddy support by setting the caddy_external_ip and caddy_domain variables.
  • Setting up a Load Balancer that will act as a reverse proxy (SSL termination is possible).

In order to expose the internal backend (gRPC port 1985) to a GCP instance running within the same or a different project, you can use VPC Network Peering. After doing this, make sure to populate the grpc_allowlist variable (e.g. 10.4.3.2/32 for a single instance) to allow ingress traffic to the service.
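
The following Terraform configuration shows the Artifact Registry binding and the grpc_allowlist setting described above used together. It is an added example, not code from the module's repository; the module source path, project, repository, image, IP addresses and theme value are placeholders or constructed values.

```hcl
# Added example. Module source, project, repository, image, IPs and theme
# are placeholders/constructed values, not taken from the module's docs.
module "brv" {
  source = "./build-results-viewer-gcp" # placeholder path to this module

  basename      = "brv"
  image         = "europe-west1-docker.pkg.dev/example-project/brv/build_results_viewer:v1" # constructed
  ip_cidr_range = "10.10.0.0/24" # constructed
  region        = "europe-west1"
  zone          = "europe-west1-b"
  theme         = "THEME_PLACEHOLDER" # valid values are not listed on this page

  # Front-end (port 8080) through the built-in Caddy proxy.
  caddy_external_ip = "203.0.113.10" # documentation range, constructed
  caddy_domain      = "brv.example.com"

  # gRPC back-end (port 1985): list only the peered clients that need it,
  # one /32 per instance. Wide ranges such as 0.0.0.0/0 would open the
  # back-end to every network that can route to the instance.
  grpc_allowlist = ["10.4.3.2/32"]
}

# Read access for the app instance's service account, scoped to a single
# repository instead of the whole project.
resource "google_artifact_registry_repository_iam_member" "brv_pull" {
  project    = "example-project"
  location   = "europe-west1"
  repository = "brv"
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${module.brv.sa}" # "sa" output: service account email
}

# Address and port that peered gRPC clients connect to.
output "brv_backend" {
  value = module.brv.backend_address
}
```

The repository-level binding grants the same role as a project-wide one, but limits it to the one repository that holds the application image.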

Required permissions

In order to deploy the infrastructure, make sure that the service account has the following roles:

  • Compute Admin for creating and managing resources within the Compute Engine.
  • Service Account Creator for managing the service account linked with the coordinator instance.
  • Service Account User for assigning the aforementioned service account to the coordinator instance.
  • Service Usage Admin for enabling the necessary APIs.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| google | ~> 4.42.1 |
| google-beta | ~> 4.42.1 |

Providers

| Name | Version |
|------|---------|
| google | ~> 4.42.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_compute_address.app-internal-ip | resource |
| google_compute_backend_service.brv-service | resource |
| google_compute_disk.data-disk | resource |
| google_compute_firewall.allow-caddy-http | resource |
| google_compute_firewall.allow-caddy-https | resource |
| google_compute_firewall.allow-hc-rule | resource |
| google_compute_firewall.expose-grpc | resource |
| google_compute_http_health_check.manifest-json | resource |
| google_compute_instance.brv | resource |
| google_compute_instance.caddy | resource |
| google_compute_instance_group.brv-group | resource |
| google_compute_network.network | resource |
| google_compute_subnetwork.main-subnet | resource |
| google_project_service.compute-engine-api | resource |
| google_project_service.iam-api | resource |
| google_service_account.sa | resource |
| google_compute_image.coreos | data source |
| google_project.project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| basename | Base name used for creating cloud resources | string | n/a | yes |
| caddy_domain | (optional) Domain pointed at caddy_external_ip for SSL termination | string | null | no |
| caddy_external_ip | (optional) Reserved external IP for the Internet-facing proxy | string | null | no |
| caddy_image | (optional) Container image of Caddy reverse proxy | string | "caddy" | no |
| grpc_allowlist | A list of CIDR ranges to allow to access the gRPC back-end | list(any) | [] | no |
| image | The image to be used for the application | string | n/a | yes |
| internal_port | Internal HTTP server port | number | 8080 | no |
| ip_cidr_range | The IP CIDR range for the application | string | n/a | yes |
| region | The region where the application will be deployed | string | n/a | yes |
| theme | The theme of the application | string | n/a | yes |
| zone | The zone where the application will be deployed | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| backend_address | The address and port of the app backend |
| sa | The email address of the service account assigned to the Build Results Viewer instance |
