singforhope/devops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
devops/infra/gcp/CICD_PLAN.md
Javier Hinojosa 35773c6efe added infra
2025-11-09 11:17:13 -05:00

128 lines
4.8 KiB
Markdown
Raw Permalink Blame History

# CI/CD Plan for GCP Terraform with Gitea
This document outlines a CI/CD plan for the GCP Terraform infrastructure using Gitea Actions.
## 1. Overview
The goal is to automate the process of validating, planning, and applying Terraform changes. This will ensure that all infrastructure changes are peer-reviewed, tested, and applied in a consistent and predictable manner.
We will use Gitea Actions, the built-in CI/CD solution in Gitea, to orchestrate the workflows.
## 2. Branching Strategy
We will use a simple GitFlow-like model:
- **`main` branch:** Represents the production infrastructure. Direct pushes will be disallowed. Changes are merged via pull requests.
- **Feature branches:** All changes are developed on feature branches (e.g., `feat/add-monitoring`, `fix/firewall-rules`).
## 3. Secrets Management
GCP credentials must be handled securely. We will use Gitea's encrypted secrets to store the GCP service account key.
1. **Create a GCP Service Account:** Create a dedicated service account in GCP with the necessary permissions to manage the infrastructure.
2. **Generate a JSON Key:** Generate a JSON key for this service account.
3. **Store the Key in Gitea:** Store the contents of the JSON key file as a repository secret in Gitea with the name `GCP_SA_KEY`.
## 4. Gitea Actions Workflow
We will create a single workflow file at `.gitea/workflows/terraform.yml`. This workflow will have two main jobs, triggered by different events.
### Workflow Triggers
- **On `pull_request` to `main`:** The workflow will run `terraform init`, `terraform validate`, and `terraform plan`. The output of the plan will be added as a comment to the pull request for review.
- **On `push` to `main`:** After a pull request is merged, the workflow will run `terraform init` and `terraform apply` to deploy the changes to production. This step will require manual approval within Gitea Actions.
### Workflow Definition (`.gitea/workflows/terraform.yml`)
```yaml
name: Terraform CI/CD
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
terraform-plan:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.8.0
- name: Authenticate to GCP
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: Terraform Init
run: terraform init
- name a: Terraform Validate
run: terraform validate
- name: Terraform Plan
id: plan
run: terraform plan -no-color -out=tfplan
- name: Add Plan to PR
uses: actions/github-script@v6
with:
script: |
const output = `#### Terraform Plan 📖\n${{ steps.plan.outputs.stdout }}\n`
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
terraform-apply:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production # This can be used to require manual approval
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.8.0
- name: Authenticate to GCP
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: Terraform Init
run: terraform init
- name: Terraform Apply
run: terraform apply -auto-approve tfplan
```
### 5. Manual Approval for Production
To protect the production environment, the `terraform-apply` job will be configured to require manual approval. In Gitea, you can protect the `main` branch and require reviews before merging. For the deployment, Gitea Actions can be configured with an `environment` that requires a manual approval from a specific team or user before the job runs.
## 6. Implementation Steps
1. **Create the `.gitea/workflows` directory.**
2. **Create the `terraform.yml` file** with the content above.
3. **Create a dedicated GCP service account** with appropriate IAM roles.
4. **Generate a JSON key** for the service account.
5. **Add the JSON key as a secret** named `GCP_SA_KEY` in the Gitea repository settings.
6. **Protect the `main` branch** in Gitea to require pull requests and reviews.
7. **(Optional) Configure an environment** in Gitea that requires manual approval for deployments.
This plan provides a solid foundation for automating the Terraform workflow in a safe and controlled manner.
Reference in New Issue View Git Blame Copy Permalink