CI/CD Plan for GCP Terraform with Gitea
This document outlines a CI/CD plan for the GCP Terraform infrastructure using Gitea Actions.
1. Overview
The goal is to automate the process of validating, planning, and applying Terraform changes. This will ensure that all infrastructure changes are peer-reviewed, tested, and applied in a consistent and predictable manner.
We will use Gitea Actions, the built-in CI/CD solution in Gitea, to orchestrate the workflows.
2. Branching Strategy
We will use a simple GitFlow-like model:
- `main` branch: Represents the production infrastructure. Direct pushes are disallowed; changes are merged via pull requests.
- Feature branches: All changes are developed on feature branches (e.g., `feat/add-monitoring`, `fix/firewall-rules`).
3. Secrets Management
GCP credentials must be handled securely. We will use Gitea's encrypted repository secrets to store a GCP service account key. A JSON key is a long-lived credential, so keep the account's IAM roles to the minimum the Terraform code needs, rotate the key on a schedule, and remember that every workflow in the repository can read the secret. In particular, the plan job runs on pull requests and executes provider and module code from the branch under review, so the ability to open a pull request against this repository is effectively the ability to use the key; restrict who can do that, or give the plan job a separate account with read-only roles. If your Gitea version can issue OIDC tokens to workflows, Workload Identity Federation avoids storing a key at all; this plan assumes it cannot.
- Create a GCP Service Account: Create a dedicated service account in GCP with only the IAM roles needed to manage the infrastructure (not `roles/owner` or `roles/editor`).
- Generate a JSON Key: Generate a JSON key for this service account.
- Store the Key in Gitea: Store the contents of the JSON key file as a repository secret in Gitea with the name `GCP_SA_KEY`, then delete the local copy of the key file.
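The three steps above as one script, added here as an example and not part of the original plan: it creates the deployer account with a narrow role set, mints a single key and pushes it into the `GCP_SA_KEY` secret through Gitea's REST API (`PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{name}`) so the key never sits in a shell history or a checked-in file. The project id, account name, state bucket, Gitea URL, repository path, token and the roles in `DEPLOYER_ROLES` are placeholders to adjust; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: provision a least-privilege deployer service account and
# store its key as the GCP_SA_KEY repository secret in Gitea.
# All values below are assumed placeholders, not taken from the plan.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"           # assumed
SA_NAME="${SA_NAME:-terraform-deployer}"              # assumed
STATE_BUCKET="${STATE_BUCKET:-example-tfstate}"       # assumed remote-state bucket
GITEA_URL="${GITEA_URL:-https://gitea.example.com}"   # assumed
GITEA_REPO="${GITEA_REPO:-infra/gcp-terraform}"       # assumed owner/repo
GITEA_TOKEN="${GITEA_TOKEN:-}"                        # PAT with repository write scope
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Roles the deployer needs, granted at project level. Limit this to what the
# Terraform code actually manages (these two are an assumption); never
# roles/owner or roles/editor for a CI key.
DEPLOYER_ROLES="roles/compute.admin roles/iam.serviceAccountUser"

# run: print the command when DRY_RUN=1, execute it otherwise.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# json_string: stdin -> JSON string literal (escapes backslash, quote and
# newline; other control characters are not handled).
json_string() { printf '"'; sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk '{printf "%s\\n", $0}'; printf '"'; }

provision_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
      --display-name "Terraform CI deployer"
  for role in $DEPLOYER_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member "serviceAccount:${SA_EMAIL}" --role "$role" --condition=None
  done
  # State bucket access is scoped to the bucket, not granted project-wide.
  run gcloud storage buckets add-iam-policy-binding "gs://${STATE_BUCKET}" \
      --member "serviceAccount:${SA_EMAIL}" --role roles/storage.objectAdmin
}

# store_key_as_secret: create one key and PUT it to Gitea as {"data": "<key json>"}.
store_key_as_secret() {
  [ -n "$GITEA_TOKEN" ] || [ "${DRY_RUN:-0}" = "1" ] || { echo "GITEA_TOKEN is required" >&2; return 1; }
  key_file="$(mktemp)"
  trap 'rm -f "$key_file"' EXIT
  run gcloud iam service-accounts keys create "$key_file" \
      --iam-account "$SA_EMAIL" --project "$PROJECT_ID"
  body="{\"data\": $(json_string < "$key_file")}"
  run curl -fsS -X PUT "${GITEA_URL}/api/v1/repos/${GITEA_REPO}/actions/secrets/GCP_SA_KEY" \
      -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" \
      --data-binary "$body"
  rm -f "$key_file"   # the only copy of the key now lives in Gitea's secret store
}

case "${1:-}" in
  provision) provision_sa ;;
  store-key) store_key_as_secret ;;
esac
```

Run it as `./sa-setup.sh provision` and then `./sa-setup.sh store-key`; re-running `store-key` after deleting the old key with `gcloud iam service-accounts keys delete` is the rotation procedure.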
4. Gitea Actions Workflow
We will create a single workflow file at `.gitea/workflows/terraform.yml`. This workflow has two jobs, triggered by different events. The runner fetches third-party actions from GitHub; pin them to a full commit SHA rather than a mutable tag before using this in production.
Workflow Triggers
- On `pull_request` to `main`: the workflow runs `terraform init`, `terraform validate`, and `terraform plan`. The plan output is added as a comment to the pull request for review. Plan output can contain values that Terraform does not know are sensitive, so check what is posted before enabling this on a shared instance.
- On `push` to `main`: after a pull request is merged, the workflow runs `terraform init` and `terraform apply` to deploy the changes to production. The plan file from the pull-request run is not available in this run, so apply re-plans against current state and the result can differ from the reviewed plan if state changed in between; the gate for this step is branch protection on `main` (section 5).
Workflow Definition (.gitea/workflows/terraform.yml)
```yaml
name: Terraform CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  terraform-plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.8.0
          # The default wrapper exposes stdout/stderr/exitcode of each
          # terraform step as step outputs; the comment step relies on it.

      - name: Authenticate to GCP
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Terraform Init
        run: terraform init -input=false

      - name: Terraform Validate
        run: terraform validate

      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color -input=false -out=tfplan

      - name: Add Plan to PR
        # Relies on the runner pointing @actions/github at the Gitea API.
        # If it cannot reach your instance, post the comment through Gitea's
        # REST API instead.
        uses: actions/github-script@v6
        with:
          script: |
            const output = `#### Terraform Plan 📖\n${{ steps.plan.outputs.stdout }}\n`
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

  terraform-apply:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # As of this writing Gitea Actions does not enforce environment protection
    # rules, so this key does not pause the job for approval; the production
    # gate is branch protection on main (section 5).
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.8.0

      - name: Authenticate to GCP
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Terraform Init
        run: terraform init -input=false

      - name: Terraform Apply
        # The tfplan file from the pull-request job does not exist in this
        # run, so apply re-plans here; -auto-approve skips the interactive
        # confirmation.
        run: terraform apply -auto-approve -input=false
```
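A drop-in for the "Add Plan to PR" step that talks to Gitea's own REST API (`POST /api/v1/repos/{owner}/{repo}/issues/{index}/comments`) rather than going through `actions/github-script`, added here as an example and not part of the original plan. It also handles the two things the inline script does not: oversized plans are truncated and flagged instead of failing the comment, and the body is wrapped in a collapsible block so the PR stays readable. It assumes `GITEA_URL`, `GITEA_REPO` and `GITEA_TOKEN` (a repository secret with issue-write scope) are set in the job environment, and `MAX_BODY` is a guessed safe comment size, not a documented Gitea limit. Run it after `terraform plan -no-color -input=false -out=tfplan | tee plan.txt` as `post_plan_comment "$PR_NUMBER" < plan.txt`; `DRY_RUN=1` prints the request instead of sending it.

```shell
#!/bin/sh
# Added example: post the terraform plan to the pull request via Gitea's API.
# All values below are assumed placeholders, not taken from the plan.
set -eu

GITEA_URL="${GITEA_URL:-https://gitea.example.com}"   # assumed
GITEA_REPO="${GITEA_REPO:-infra/gcp-terraform}"       # assumed owner/repo
GITEA_TOKEN="${GITEA_TOKEN:-}"                        # from a repository secret
MAX_BODY="${MAX_BODY:-60000}"                         # assumed cap, in bytes

# run: print the command when DRY_RUN=1, execute it otherwise.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# json_string: stdin -> JSON string literal (escapes backslash, quote and
# newline; other control characters are not handled).
json_string() { printf '"'; sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk '{printf "%s\\n", $0}'; printf '"'; }

# build_comment: plan text on stdin -> markdown comment body. Oversized plans
# are cut at MAX_BODY bytes and flagged, so the reviewer can see the comment
# is incomplete and go to the job log instead of trusting a partial diff.
build_comment() {
  plan="$(cat)"
  note=""
  if [ "${#plan}" -gt "$MAX_BODY" ]; then
    plan="$(printf '%s' "$plan" | head -c "$MAX_BODY")"
    note="**Plan output truncated; see the workflow log for the full plan.**"
  fi
  # Terraform redacts values it knows are sensitive as (sensitive value);
  # anything a provider or data source prints in the clear ends up here.
  printf '#### Terraform Plan\n<details><summary>Show plan</summary>\n\n~~~\n%s\n~~~\n</details>\n%s\n' "$plan" "$note"
}

# post_plan_comment PR_NUMBER: plan text on stdin, comment posted to the PR.
post_plan_comment() {
  [ -n "$GITEA_TOKEN" ] || [ "${DRY_RUN:-0}" = "1" ] || { echo "GITEA_TOKEN is required" >&2; return 1; }
  body="{\"body\": $(build_comment | json_string)}"
  run curl -fsS -X POST "${GITEA_URL}/api/v1/repos/${GITEA_REPO}/issues/$1/comments" \
      -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" \
      --data-binary "$body"
}
```

In the workflow, `$PR_NUMBER` comes from the event payload (`${{ github.event.pull_request.number }}`) and `GITEA_TOKEN` from a repository secret, which keeps the comment step independent of whether `@actions/github` is pointed at the Gitea instance.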
5. Manual Approval for Production
To protect the production environment, two controls apply. First, protect the `main` branch in Gitea: disallow direct pushes, require pull requests with at least one approving review, and require the `terraform-plan` job to pass as a status check, so nothing reaches the apply job without a reviewed plan. Second, note that the `environment: production` key in the workflow is informational only: as of this writing Gitea Actions does not implement environment protection rules with required reviewers, so it does not pause the job for approval. If a human confirmation immediately before apply is required, and your Gitea version supports `workflow_dispatch`, move the apply job into a separate manually triggered workflow and restrict who may run it, instead of applying on every push to `main`.
6. Implementation Steps
- Configure a remote state backend (for example a versioned GCS bucket) in the Terraform code; with the default local state, the plan and apply jobs each start from an empty state.
- Create the `.gitea/workflows` directory.
- Create the `terraform.yml` file with the content above.
- Create a dedicated GCP service account with the minimal IAM roles the Terraform code needs.
- Generate a JSON key for the service account.
- Add the JSON key as a secret named `GCP_SA_KEY` in the Gitea repository settings, then delete the local key file.
- Protect the `main` branch in Gitea to require pull requests, reviews, and a passing `terraform-plan` status check.
- (Optional) If your Gitea version supports `workflow_dispatch`, move the apply job into a manually triggered workflow so a person starts each production apply.
This plan provides a solid foundation for automating the Terraform workflow in a safe and controlled manner.