This repository contains the Terraform definitions for all the resources needed to run the Dialect Map application.
This repository has been designed as a declarative set of Terraform definitions, not an actionable one.
That means that changes to the Terraform-defined resources must never be applied by an individual user, but only by the repository itself through the GitHub Actions CI/CD system. The conditions under which the CI/CD jobs trigger are a sensitive matter, as we do not want them to modify production resources prematurely. For this reason, we propose the following conditions:
On Pull Request creation, when a `.tf` file has been modified:

```yaml
on:
  pull_request:
    branches:
      - main
    paths:
      - "config/**/*.tf"
```
On push to the `main` branch, when a `.tf` file has been modified:

```yaml
on:
  push:
    branches:
      - main
    paths:
      - "config/**/*.tf"
```
For this project, Google Cloud Platform (the `google` provider) is the chosen provider on which the required infrastructure is hosted. The reason to rely on Google is that the integration with our existing NYU accounts is essentially free, given the relationship between NYU IT and Google.
Authentication between GCP and the repository CI/CD is performed with a Service Account key stored as a GitHub secret.
The secret is read within the CI/CD steps and written to a file, which is then referenced through the environment variable Terraform uses to authenticate against GCP projects: `GOOGLE_APPLICATION_CREDENTIALS`. More information about this authentication method can be found in the official docs. Because this is a long-lived key, the Service Account should hold only the roles the Terraform-managed resources require, the key should be rotated periodically, and the key file must never be committed to the repository.
In order to apply the Terraform configuration, some secrets need to be populated as environment variables.
The naming of these environment variables must follow the `TF_VAR_<variable_name>` format specified in the official Terraform documentation.
The complete list of secret Terraform variables can be seen in the main `variables.tf` file.
This project has been designed so that there is a 1:1 correspondence between Terraform modules and GCP products, all of which are defined within the `resources` folder. The reason not to name the folder `modules` is that "modules" has a different connotation in Git.
Some of these modules are:
- access: to manage IAM permissions.
- caches: to manage Redis and Memcached instances.
- cloud-run: to manage container deployments.
- databases: to manage SQL databases.
- pub-sub: to manage Pub/Sub topics and subscriptions.
- registry: to manage Docker registry options.
- storage: to manage GC Storage buckets.
The Dialect Map project has several interconnected components that together offer the complete functionality.

Components based on Cloud Run. Their access can be set to one of the following policies:
- Authenticated: requires a Bearer token. See the Terraform guide.
- Public access: does not require a Bearer token.

The project computing components have the following access policies:
- Backend API: public, to avoid Firebase (as suggested by the end-user authentication guide).
- Frontend UI: public by design.
Components based on Cloud SQL. Their access can be set by a combination of the following methods:
- White-listed IPs: IP ranges that are always allowed to connect.
- Cloud SQL Proxy: authenticated connection from Cloud Run resources.

The project storage components have the following access methods:
- Main DB: white-listed IPs for the CDS office, and Cloud SQL Proxy for the backend API component.

The latter was designed following the PostgreSQL guide, in addition to the usage of the `host` keyword to establish a Unix domain socket connection.
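The access policies above expressed as Terraform resources, as an added example that is not the repository's own code: a Cloud SQL instance reachable over its public IP only from white-listed ranges, a Cloud Run service attached to it through the Cloud SQL Proxy socket (the path the PostgreSQL `host` parameter receives), and a public IAM binding on the service. The project ID, resource names, image, region and the `office_cidrs` ranges are placeholder assumptions; the `db_password` variable illustrates how the `TF_VAR_` secret variables described earlier reach the configuration.

```hcl
# Added example, not the repository's own code. Project ID, names, image,
# region and the office CIDR below are placeholders.
# The provider reads GOOGLE_APPLICATION_CREDENTIALS from the environment; no key material sits in .tf files.
provider "google" {
  project = var.project_id
  region  = "us-east1"
}

variable "project_id" {
  type = string
}

# Populated from TF_VAR_db_password in CI; never stored in the repository.
variable "db_password" {
  type      = string
  sensitive = true
}

# Office ranges allowed to reach the database over its public IP (placeholder).
variable "office_cidrs" {
  type    = list(string)
  default = ["203.0.113.0/24"]
}

resource "google_sql_database_instance" "main" {
  name             = "dialect-map-db"
  database_version = "POSTGRES_13"
  region           = "us-east1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true
      # White-listed IPs: only these ranges may connect directly.
      dynamic "authorized_networks" {
        for_each = var.office_cidrs
        content {
          name  = "office-${authorized_networks.key}"
          value = authorized_networks.value
        }
      }
    }
  }
}

resource "google_sql_user" "api" {
  instance = google_sql_database_instance.main.name
  name     = "api"
  password = var.db_password
}

# Runtime identity of the backend API; Cloud SQL Client lets it use the proxy.
resource "google_service_account" "api" {
  account_id = "dialect-map-api"
}

resource "google_project_iam_member" "api_sql_client" {
  project = var.project_id
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.api.email}"
}

resource "google_cloud_run_service" "api" {
  name     = "dialect-map-api"
  location = "us-east1"
  template {
    metadata {
      annotations = {
        # Cloud SQL Proxy: Cloud Run mounts /cloudsql/<connection_name> in the container.
        "run.googleapis.com/cloudsql-instances" = google_sql_database_instance.main.connection_name
      }
    }
    spec {
      service_account_name = google_service_account.api.email
      containers {
        image = "gcr.io/${var.project_id}/dialect-map-api:latest"
        env {
          name  = "DB_HOST"
          # Given to the PostgreSQL `host` parameter: a Unix domain socket, no TCP.
          value = "/cloudsql/${google_sql_database_instance.main.connection_name}"
        }
        env {
          name  = "DB_PASSWORD"
          value = var.db_password
        }
      }
    }
  }
}

# Public access: any caller may invoke the service without a Bearer token.
# For the Authenticated policy, replace allUsers with a specific principal
# such as "serviceAccount:<name>@<project>.iam.gserviceaccount.com".
resource "google_cloud_run_service_iam_member" "api_public" {
  service  = google_cloud_run_service.api.name
  location = google_cloud_run_service.api.location
  role     = "roles/run.invoker"
  member   = "allUsers"
}
```

Two points worth checking in a real deployment: `authorized_networks` only restricts the public-IP path, while the proxy path is authorised through the service account's `roles/cloudsql.client` binding and carries no IP restriction, so the two methods are independent as the text above describes. Passing `db_password` as a plain environment variable makes it visible to anyone who can read the Cloud Run service configuration; marking the variable `sensitive` only redacts it from `terraform plan` output in CI, so a Secret Manager reference is the stronger option where available.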