Build and push container image to GCS

.github/workflows/deploy.yml

@@ -0,0 +1,31 @@
+name: Deploy
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build-and-push-image:
+    name: Build and push image to Google Cloud
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: google-github-actions/auth@v1
+        with:
+          token_format: "access_token"
+          workload_identity_provider: ${{ secrets.GCS_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCS_SERVICE_ACCOUNT_EMAIL }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          tags: gcr.io/${{ secrets.GCS_PROJECT_ID }}/compass:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

terraform/README.md

@@ -2,18 +2,24 @@
 
 ## Initializing a new Google Cloud project
 
-To initialize the Terraform backend (must be done once manually per Google Cloud project):
+To initialize the Terraform backend and necessary services (must be done once manually per Google Cloud project):
 
 1. `cd terraform/gcs-backend`
 2. `terraform init`
-3. `terraform apply`
+3. `terraform apply -var="project=<project-id>"`
 
-If this is for a local development environment, copy `backend.hcl` to `backend.dev.hcl` and update `bucket` with what is output from the `terraform apply` command.
+### For a local development environment
 
-Otherwise, update `backend.hcl` directly.
+Copy `backend.hcl` to `backend.dev.hcl` and update `bucket` with what is output from the `terraform apply` command.
 
-## Deploying
+### For a production deployment
+
+Update `bucket` in `backend.hcl` with what is output from the `terraform apply` command and commit your changes.
+
+Similarly, set or update the GitHub secrets `GCS_WORKLOAD_IDENTITY_PROVIDER` and `GCS_SERVICE_ACCOUNT_EMAIL` from the output of the `terraform apply` command.
+
+## Manual deployment
 
 1. `cd terraform/gcs`
 2. `terraform init -backend-config=../backend.dev.hcl` (you only need to run this once)
-3. `terraform apply`
+3. `terraform apply -var="project=<project-id>" -var="image=<image-ref>`

terraform/gcs-backend/main.tf

@@ -7,7 +7,7 @@ terraform {
 }
 
 provider "google" {
-  project = var.project
+  project = var.project_id
 }
 
 # Enable Cloud Storage API
@@ -42,3 +42,37 @@ resource "google_storage_bucket" "default" {
 output "state_bucket_name" {
   value = google_storage_bucket.default.name
 }
+
+# Create necessary resources for authenticating to GCP via GitHub Actions tokens
+resource "google_service_account" "github_ci" {
+  account_id   = "github-ci"
+  display_name = "GitHub CI"
+}
+
+# Allow GitHub CI to write to Artifact Registry
+resource "google_project_iam_member" "github_ci_artifacts" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.github_ci.email}"
+}
+
+module "gh_oidc" {
+  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  project_id  = var.project_id
+  pool_id     = "compass-ci-pool"
+  provider_id = "gh-provider"
+  sa_mapping = {
+    (google_service_account.github_ci.account_id) = {
+      sa_name   = google_service_account.github_ci.name
+      attribute = "attribute.repository/user/repo"
+    }
+  }
+}
+
+output "github_ci_workload_identity_provider" {
+  value = module.gh_oidc.provider_name
+}
+
+output "github_ci_sevice_account_email" {
+  value = google_service_account.github_ci.email
+}

terraform/gcs-backend/variables.tf

@@ -1,4 +1,4 @@
 # Google Cloud project slug
-variable "project" {
+variable "project_id" {
   type = string
 }

terraform/gcs/main.tf

@@ -9,7 +9,7 @@ terraform {
 }
 
 provider "google" {
-  project = var.project
+  project = var.project_id
 }
 
 data "google_project" "project" {}

terraform/gcs/variables.tf

@@ -1,5 +1,5 @@
 # Google Cloud project slug
-variable "project" {
+variable "project_id" {
   type = string
 }