Documentation generated

Author: wtsd

.github/workflows/deploy.yml

@@ -0,0 +1,59 @@
+name: GCP Deploy
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      TF_IN_AUTOMATION: true
+      SCENARIO: serverless_public
+      VAR_FILE: terraform.tfvars
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install CLI deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Authenticate to Google Cloud (Workload Identity Federation)
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          access_token_lifetime: 3600s
+
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.5
+
+      - name: Terraform Init
+        working-directory: terraform/${{ env.SCENARIO }}
+        run: terraform init
+
+      - name: Terraform Apply
+        working-directory: terraform/${{ env.SCENARIO }}
+        env:
+          TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }}
+          TF_VAR_region: ${{ vars.GCP_REGION }}
+          TF_VAR_zones: ${{ vars.GCP_ZONES }}
+          TF_VAR_db_password: ${{ secrets.DB_PASSWORD }}
+        run: |
+          terraform apply -auto-approve -var-file=${{ env.VAR_FILE }}
+
+      - name: Terraform Outputs
+        working-directory: terraform/${{ env.SCENARIO }}
+        run: terraform output -json

docs/ci_cd.md

@@ -0,0 +1,18 @@
+# CI/CD (GitHub Actions)
+
+We include `.github/workflows/deploy.yml` with **Workload Identity Federation**.
+
+**Required repo secrets**
+- `GCP_WORKLOAD_IDENTITY_PROVIDER` – resource name of your WIF provider
+- `GCP_SERVICE_ACCOUNT` – service account email with Terraform permissions
+- `GCP_PROJECT_ID` – target project
+- `DB_PASSWORD` – Cloud SQL user password
+
+**Optional repo vars**
+- `GCP_REGION`, `GCP_ZONES`
+
+**Switch scenario**
+- Set workflow env `SCENARIO` to `serverless_public` or `private_mig`
+
+**Outputs**
+- `terraform output -json` is shown at the end

docs/private_mig.md

@@ -0,0 +1,27 @@
+# Private MIG Scenario (HTTPS LB + Compute Engine + Cloud SQL Private IP)
+
+**What you get**
+- Custom VPC with two subnets
+- Cloud Router + NAT (instances have no external IP)
+- Two zonal MIGs running NGINX (simple landing page)
+- Global external HTTP LB (always), optional **managed HTTPS** when `domain_name` is set
+- Cloud SQL (Postgres 15) with **private IP** (Service Networking)
+- Firewall permitting only LB/health-check sources to port 80
+
+**Outputs**
+- `lb_ip` and `http_url`
+- `db_private_ip`
+
+**TLS & DNS (optional)**
+- Set `domain_name = "app.example.com"` in `terraform.tfvars` to create a managed cert and HTTPS forwarding rule
+- Create an **A** record in your DNS provider pointing `app.example.com` to `lb_ip`
+- Certificate may take some minutes to become **ACTIVE**
+
+**Security**
+- Backends have no external IPs
+- Only Google LB/HC source ranges can hit port 80
+- Add SSH only from your IP if needed (extra firewall rule)
+
+**Scaling**
+- Adjust `desired_size`
+- Switch to `regional_instance_group_manager` for per-zone autoscaling if desired

docs/quickstart.md

@@ -0,0 +1,56 @@
+# Quick Start (GCP DevOps Framework)
+
+## Prereqs
+- GCP project and billing enabled
+- Roles: Project Editor or least-privileged set for Compute, Cloud Run, Cloud SQL, Service Networking, VPC Access
+- `gcloud` authenticated (`gcloud auth login` and `gcloud config set project YOUR_PROJECT`)
+- Terraform >= 1.5 (or use the Docker image we provide)
+
+## Local usage
+```bash
+python -m venv .venv && source .venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Choose a scenario
+
+**Serverless public (Cloud Run + Cloud SQL private IP):**
+```bash
+cd terraform/serverless_public
+cp terraform.tfvars.example terraform.tfvars
+# Edit project_id, region, db_password, etc.
+terraform init
+terraform apply -auto-approve
+terraform output -json
+```
+
+**Private MIG (GCE + HTTPS LB + Cloud SQL private IP):**
+```bash
+cd terraform/private_mig
+cp terraform.tfvars.example terraform.tfvars
+# Edit project_id, region, zones, db_password, etc.
+terraform init
+terraform apply -auto-approve
+terraform output -json
+```
+
+## Python CLI wrapper
+From repo root:
+```bash
+python cli.py init --scenario serverless_public --var-file terraform/serverless_public/terraform.tfvars
+python cli.py deploy --scenario serverless_public --var-file terraform/serverless_public/terraform.tfvars
+python cli.py outputs --scenario serverless_public
+python cli.py destroy --scenario serverless_public
+```
+
+## Docker workflow
+```bash
+docker build -t gcp-devops-framework .
+# Mount your gcloud config for auth
+make init SCENARIO=private_mig VARS=terraform/private_mig/terraform.tfvars
+make deploy SCENARIO=private_mig VARS=terraform/private_mig/terraform.tfvars
+make outputs SCENARIO=private_mig
+make destroy SCENARIO=private_mig
+```
+
+> ⚠ Costs: Load balancer, Cloud SQL, NAT, and compute incur charges. Destroy when done.

docs/serverless_public.md

@@ -0,0 +1,26 @@
+# Serverless Public Scenario (Cloud Run + Cloud SQL Private IP)
+
+**What you get**
+- VPC + /28 subnet for Serverless VPC Connector
+- Private Service Connect peering for Cloud SQL Private IP
+- Cloud SQL (Postgres 15) with private address
+- Cloud Run v2 service (public, unauthenticated) connected through the VPC connector
+- App env vars for DB connection (host/user/pass/name)
+
+**Outputs**
+- `cloud_run_url` – copy into your browser
+
+**Domain & TLS**
+- Cloud Run already serves HTTPS on `*.run.app`
+- For custom domains, use Cloud Run domain mappings (see `gcloud run domain-mappings` docs) or put an external HTTPS LB in front (advanced).
+
+**Variables**
+See `terraform/serverless_public/variables.tf` and `terraform.tfvars.example`
+
+**Security**
+- DB has private IP and is not internet-exposed
+- Cloud Run is public; add IAM policy if you want private (remove the `allUsers` invoker) or put behind IAP
+
+**Typical next steps**
+- Swap `container_image` with your app image
+- Store secrets in Secret Manager and mount via Cloud Run

docs/verification.md

@@ -0,0 +1,38 @@
+# Verification Guide (gcloud & curl)
+
+## Cloud Run (serverless_public)
+```bash
+gcloud run services list --region REGION
+# open the URL
+```
+
+## Cloud SQL
+```bash
+gcloud sql instances list
+gcloud sql instances describe <instance-name> --format="value(ipAddresses)"
+# For private IP, connect from Cloud Run or a VM/container in the VPC
+```
+
+## Load Balancer (private_mig)
+```bash
+gcloud compute forwarding-rules list --global
+gcloud compute addresses list --global
+gcloud compute backend-services list
+gcloud compute backend-services get-health <backend-name> --global
+```
+
+## Instance Groups
+```bash
+gcloud compute instance-groups managed list
+gcloud compute instance-groups managed list-instances private-mig-mig-a --zone us-east1-b
+```
+
+## Firewall
+```bash
+gcloud compute firewall-rules list --filter="name~allow-lb-hc"
+```
+
+## Curl test
+```bash
+curl http://<LB_IP>/
+```