added infra

2025-11-09 11:17:13 -05:00
parent afcb0b7932
commit 35773c6efe
9 changed files with 855 additions and 0 deletions
--- a/infra/gcp/CICD_PLAN.md
+++ b/infra/gcp/CICD_PLAN.md
@@ -0,0 +1,127 @@
+# CI/CD Plan for GCP Terraform with Gitea
+
+This document outlines a CI/CD plan for the GCP Terraform infrastructure using Gitea Actions.
+
+## 1. Overview
+
+The goal is to automate the process of validating, planning, and applying Terraform changes. This will ensure that all infrastructure changes are peer-reviewed, tested, and applied in a consistent and predictable manner.
+
+We will use Gitea Actions, the built-in CI/CD solution in Gitea, to orchestrate the workflows.
+
+## 2. Branching Strategy
+
+We will use a simple GitFlow-like model:
+- **`main` branch:** Represents the production infrastructure. Direct pushes will be disallowed. Changes are merged via pull requests.
+- **Feature branches:** All changes are developed on feature branches (e.g., `feat/add-monitoring`, `fix/firewall-rules`).
+
+## 3. Secrets Management
+
+GCP credentials must be handled securely. We will use Gitea's encrypted secrets to store the GCP service account key.
+
+1.  **Create a GCP Service Account:** Create a dedicated service account in GCP with the necessary permissions to manage the infrastructure.
+2.  **Generate a JSON Key:** Generate a JSON key for this service account.
+3.  **Store the Key in Gitea:** Store the contents of the JSON key file as a repository secret in Gitea with the name `GCP_SA_KEY`.
+
+## 4. Gitea Actions Workflow
+
+We will create a single workflow file at `.gitea/workflows/terraform.yml`. This workflow will have two main jobs, triggered by different events.
+
+### Workflow Triggers
+
+-   **On `pull_request` to `main`:** The workflow will run `terraform init`, `terraform validate`, and `terraform plan`. The output of the plan will be added as a comment to the pull request for review.
+-   **On `push` to `main`:** After a pull request is merged, the workflow will run `terraform init` and `terraform apply` to deploy the changes to production. This step will require manual approval within Gitea Actions.
+
+### Workflow Definition (`.gitea/workflows/terraform.yml`)
+
+```yaml
+name: Terraform CI/CD
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  terraform-plan:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.8.0
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name a: Terraform Validate
+        run: terraform validate
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color -out=tfplan
+      
+      - name: Add Plan to PR
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const output = `#### Terraform Plan 📖\n${{ steps.plan.outputs.stdout }}\n`
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+  terraform-apply:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    environment: production # This can be used to require manual approval
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.8.0
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve tfplan
+
+```
+
+### 5. Manual Approval for Production
+
+To protect the production environment, the `terraform-apply` job will be configured to require manual approval. In Gitea, you can protect the `main` branch and require reviews before merging. For the deployment, Gitea Actions can be configured with an `environment` that requires a manual approval from a specific team or user before the job runs.
+
+## 6. Implementation Steps
+
+1.  **Create the `.gitea/workflows` directory.**
+2.  **Create the `terraform.yml` file** with the content above.
+3.  **Create a dedicated GCP service account** with appropriate IAM roles.
+4.  **Generate a JSON key** for the service account.
+5.  **Add the JSON key as a secret** named `GCP_SA_KEY` in the Gitea repository settings.
+6.  **Protect the `main` branch** in Gitea to require pull requests and reviews.
+7.  **(Optional) Configure an environment** in Gitea that requires manual approval for deployments.
+
+This plan provides a solid foundation for automating the Terraform workflow in a safe and controlled manner.