[ECO-1681] add terraform support

.gitignore

@@ -1 +1,8 @@
 .env
+terraform/creds.json
+terraform/.terraform
+terraform/.terraform.lock.hcl
+terraform/.terraform.tfstate.lock.info
+terraform/*.tfvars
+terraform/*.tfstate
+terraform/*.backup

README.md

@@ -112,4 +112,19 @@ CREATE TRIGGER notify_event
 
 This will emit an MQTT event with the topic as your event type for all your contract's events.
 
+## Terraform
+
+You can deploy this repo on GCP using Terraform.
+
+But first, make sure you have installed the required dependencies:
+
+- `jq` (JSON parsing CLI tool)
+- `cloud-sql-proxy` (Google Cloud tool to connect to a database)
+
+To do so, you first need to create a GCP project.
+
+Once done, run `PROJECT_ID=<YOUR_PROJECT_ID> terraform/init.sh` to enable the required Google APIs, create a service account, and download the credentials file.
+
+Then, simply run `terraform apply -var-file variables.tfvars`.
+
 [emojicoin dot fun]: https://github.com/econia-labs/emojicoin-dot-fun

cfg/cspell-dictionary.txt

@@ -3,19 +3,27 @@ Econia
 PGRST
 PostgREST
 PostgreSQL
+artifactregistry
 autofix
 bigdecimal
 capitalisation
 chrono
 clippy
+cloudbuild
+cloudresourcemanager
+creds
 devnet
 econialabs
 emojicoin
 eventloop
 eventpoll
+gcloud
+googleapis
+gserviceaccount
 hadolint
 healthcheck
 isready
+jsonencode
 libclang
 libpq
 libudev
@@ -25,13 +33,23 @@ mosquitto
 mqtt
 mqttoptions
 notif
+pgrep
 plpgsql
 psql
 readwrite
 rumqttc
 rustls
 serde
+servicenetworking
+sqladmin
 sqlfluff
 sqlx
+sslmode
+subnetwork
+subnetworks
 testnet
+tfstate
+tfvars
+trimsuffix
+vpcaccess
 websockets

sql_extensions/00000_init.sql

@@ -4,5 +4,6 @@ CREATE TABLE sql_extensions (
 
 
 CREATE USER web_anon NOLOGIN;
+GRANT web_anon TO postgres;
 GRANT SELECT ON ALL TABLES IN SCHEMA public TO web_anon;
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO web_anon;

sql_extensions/apply-sql-extensions.sh

@@ -2,10 +2,12 @@
 
 sleep 1
 
-if [ -d "migrations" ]; then
-    for file in 00000_init.sql $(ls migrations/*.sql);do
-        if [ "$(psql $DATABASE_URL --csv -t -c "SELECT COUNT(*) FROM sql_extensions WHERE name = '$file'" 2>/dev/null)" != "1" ];then
-            psql $DATABASE_URL --single-transaction -f "$file" -c "INSERT INTO sql_extensions VALUES ('$file');"
+script_dir=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
+
+if [ -d "$script_dir/migrations" ]; then
+    for file in "$script_dir/00000_init.sql" $(ls -Q "$script_dir/migrations/*.sql");do
+        if [ "$(psql $DATABASE_URL --csv -t -c "SELECT COUNT(*) FROM sql_extensions WHERE name = '($(basename $file))'" 2>/dev/null)" != "1" ];then
+            psql $DATABASE_URL --single-transaction -f "$file" -c "INSERT INTO sql_extensions VALUES ('$(basename $file)');"
         fi
     done
 fi

terraform/init.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+
+which jq > /dev/null 2>&1 || echo "ERROR: cannot find jq in PATH." && exit 1
+which cloud-sql-proxy > /dev/null 2>&1 || echo "ERROR: cannot find cloud-sql-proxy in PATH." && exit 1
+
+if [[ -z "$PROJECT_ID" ]]; then
+    echo "Must provide PROJECT_ID in environment" 1>&2
+    exit 1
+fi
+
+echo "Setting project:"
+gcloud config set project "$PROJECT_ID"
+
+echo "Enabling GCP APIs (be patient):"
+gcloud services enable \
+    artifactregistry.googleapis.com \
+    cloudbuild.googleapis.com \
+    cloudresourcemanager.googleapis.com \
+    compute.googleapis.com \
+    iam.googleapis.com \
+    run.googleapis.com \
+    servicenetworking.googleapis.com \
+    sqladmin.googleapis.com \
+    vpcaccess.googleapis.com
+
+echo "Creating service account:"
+gcloud iam service-accounts create terraform
+
+service_account_name="terraform@$PROJECT_ID.iam.gserviceaccount.com"
+
+script_dir=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
+
+gcloud iam service-accounts keys create \
+    "$script_dir/creds.json" \
+    --iam-account $service_account_name
+
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+    --member serviceAccount:$service_account_name \
+    --role roles/editor
+
+# https://stackoverflow.com/a/61250654
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+    --member serviceAccount:$service_account_name \
+    --role roles/run.admin
+
+# https://serverfault.com/questions/942115
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+    --member serviceAccount:$service_account_name \
+    --role roles/compute.networkAdmin
+
+# https://stackoverflow.com/a/54351644
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+    --member serviceAccount:$service_account_name \
+    --role roles/servicenetworking.serviceAgent

terraform/main.tf

@@ -0,0 +1,76 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.8.0"
+    }
+  }
+  required_version = ">= 0.12, < 2.0.0"
+}
+
+provider "google" {
+  credentials = "creds.json"
+  project     = var.project_id
+  region      = var.region
+  zone        = var.zone
+}
+
+provider "google-beta" {
+  credentials = "creds.json"
+  project     = var.project_id
+  region      = var.region
+  zone        = var.zone
+}
+
+module "db" {
+  db_root_password = var.db_root_password
+  credentials_file = var.credentials_file
+  region           = var.region
+  source           = "./modules/db"
+}
+
+module "processor" {
+  db_conn_str_private   = module.db.db_conn_str_private
+  contract_address      = var.contract_address
+  migrations_complete   = module.db.migrations_complete
+  grpc_auth_token       = var.grpc_auth_token
+  grpc_data_service_url = var.grpc_data_service_url
+  source                = "./modules/processor"
+  sql_network_id        = module.db.sql_network_id
+  starting_version      = var.starting_version
+  zone                  = var.zone
+}
+
+module "no_auth_policy" {
+  source = "./modules/no_auth_policy"
+}
+
+module "postgrest" {
+  db_conn_str_private  = module.db.db_conn_str_private
+  migrations_complete  = module.db.migrations_complete
+  no_auth_policy_data  = module.no_auth_policy.policy_data
+  postgrest_max_rows   = var.postgrest_max_rows
+  region               = var.region
+  source               = "./modules/postgrest"
+  sql_vpc_connector_id = module.db.sql_vpc_connector_id
+}
+
+module "mqtt" {
+  db_conn_str_private = module.db.db_conn_str_private
+  mosquitto_password  = var.mosquitto_password
+  source              = "./modules/mqtt"
+  sql_network_id      = module.db.sql_network_id
+  zone                = var.zone
+}
+
+module "grafana" {
+  db_conn_str_private_grafana = module.db.db_conn_str_private_grafana
+  db_private_ip_and_port      = module.db.db_private_ip_and_port
+  grafana_admin_password      = var.grafana_admin_password
+  grafana_public_password     = var.grafana_public_password
+  migrations_complete         = module.db.migrations_complete
+  no_auth_policy_data         = module.no_auth_policy.policy_data
+  region                      = var.region
+  source                      = "./modules/grafana"
+  sql_vpc_connector_id        = module.db.sql_vpc_connector_id
+}