# Setup Flow

This notebook guides you through the setup flow of a new project.

### Variables
Set project environment. Default environment is `dev`.

In [3]:
env = "dev"

Define basic project values.

In [4]:
# Note: This value is hard-coded in /environments/{env}/versions.tf
bucket_name = "nest-vite-fs-microservices-terraform-state-dev"

project_id = "nest-vite-fs-microservices"
project_name = "Nest Vite FS Microservices"

region = "us-central1"

db_tier = "db-f1-micro"

## Database Credentials

In [5]:
auth_db_user="auth_user"
auth_db_password="auth_password"

events_db_user="events_user"
events_db_password="events_password"

Create `tfvars` file for the `environments` folder.

In [5]:
import os

# Path to the terraform.tfvars file
tfvars_file_path = f"environments/{env}/terraform.tfvars"

# Check if the file exists
if os.path.isfile(tfvars_file_path):
  # If the file exists, delete it
  os.remove(tfvars_file_path)
  print(f"Existing terraform.tfvars file deleted: {tfvars_file_path}")

# Variables for the terraform.tfvars file content
terraform_tfvars_content = f"""environment = "{env}"
project_id = "{project_id}"
region = "{region}"

db_tier= "{db_tier}"
"""

# Write content to the terraform.tfvars file
with open(tfvars_file_path, "w") as f:
  f.write(terraform_tfvars_content)

print(f"terraform.tfvars file created at: {tfvars_file_path}")

terraform.tfvars file created at: environments/dev/terraform.tfvars


## Change CHDIR

We need to change the current working directory to the `environments/{env}` folder so that terraform commands can be executed in the correct directory.

In [6]:
import os
os.chdir(f"./environments/{env}")
print("Current working directory:", os.getcwd())

Current working directory: /Users/michaljarnot/IdeaProjects/nest-microservices-example-v2/infra/environments/dev


## Google Cloud Project Setup

In [7]:
# Authenticate with Google Cloud
!gcloud auth login

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=vO0chXmnjtKx7KXo3bHWjVfMGwSGnQ&access_type=offline&code_challenge=n6Dk20mRoUdzuCVGJ11hice7KkXJSS4vX_hzwDHRF1g&code_challenge_method=S256


You are now logged in as [m.jarnot@yahoo.com].
Your current project is [nest-vite-fs-microservices].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID


In [8]:
# Create a new Google Cloud project
!gcloud projects create {project_id} --name="{project_name}"

[1;31mERROR:[0m (gcloud.projects.create) Project creation failed. The project ID you specified is already in use by another project. Please try an alternative ID.


In [9]:
# Set your Google Cloud project
!gcloud config set project {project_id}

Updated property [core/project].


In [10]:
# Set the default region and zone for your project
!gcloud auth application-default login

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=MAjbWWV30UPSmdFClhegSbK1PLAGVW&access_type=offline&code_challenge=7MBOFSjpJuTXcnDvWR0xiJ-tHUXXGfjf1Q_5o9WBxR4&code_challenge_method=S256


Credentials saved to file: [/Users/michaljarnot/.config/gcloud/application_default_credentials.json]

These credentials will be used by any library that requests Application Default Credentials (ADC).

Quota project "nest-vite-fs-microservices" was added to ADC which can be used by Google client libraries for billing and quota. Note that some services may still bill

## Required Google Cloud Services
Link billing account to your project.

In [11]:
import webbrowser
billing_account_link = "https://console.cloud.google.com/billing/linkedaccount?hl=en&project=" + project_id
webbrowser.open(billing_account_link)

True

In [12]:
!gcloud services enable \
  artifactregistry.googleapis.com \
  compute.googleapis.com \
  cloudbuild.googleapis.com \
  secretmanager.googleapis.com \
  sqladmin.googleapis.com \
  storage.googleapis.com \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  run.googleapis.com \
  vpcaccess.googleapis.com \
  servicenetworking.googleapis.com \
  cloudapis.googleapis.com \
  containerregistry.googleapis.com

Operation "operations/acf.p2-821837556923-b8ad902b-0126-4f1b-b8de-3317ed510d2e" finished successfully.


## GCS Bucket for Terraform State:

In [15]:
# Create a GCS Bucket
!gsutil mb -l {region} gs://{bucket_name}/

Creating gs://nest-vite-fs-microservices-terraform-state-dev/...


In [16]:
# Enable Versioning
!gsutil versioning set on gs://{bucket_name}/

Enabling versioning for gs://nest-vite-fs-microservices-terraform-state-dev/...


In [None]:
## Secrets Manager

In [28]:
# Database Credentials Secrets

# auth
!gcloud secrets create {env}-auth-db-user --replication-policy="automatic"
!echo -n {auth_db_user} | gcloud secrets versions add {env}-auth-db-user --data-file=-

!gcloud secrets create {env}-auth-db-password --replication-policy="automatic"
!echo -n {auth_db_password} | gcloud secrets versions add {env}-auth-db-password --data-file=-

# events
!gcloud secrets create {env}-events-db-user --replication-policy="automatic"
!echo -n {events_db_user} | gcloud secrets versions add {env}-events-db-user --data-file=-

!gcloud secrets create {env}-events-db-password --replication-policy="automatic"
!echo -n {events_db_password} | gcloud secrets versions add {env}-events-db-password --data-file=-

Created secret [dev-auth-db-user].
Created version [1] of the secret [dev-auth-db-user].
Created secret [dev-auth-db-password].
Created version [1] of the secret [dev-auth-db-password].
Created secret [dev-events-db-user].
Created version [1] of the secret [dev-events-db-user].
Created secret [dev-events-db-password].
Created version [1] of the secret [dev-events-db-password].


## Terraform Deployment:

Initialize and apply your Terraform configuration as usual. Include the path to `tfvars`.

**Initialize Terraform**

In [24]:
# Initialize Terraform
!terraform init


[0m[1mInitializing the backend...[0m
[0m[1mInitializing modules...[0m
- cloud_run_web in ../../modules/cloud_run
- firebase in ../../modules/firebase

[0m[1mInitializing provider plugins...[0m
- Reusing previous version of hashicorp/google from the dependency lock file
- Finding latest version of hashicorp/google-beta...
- Using previously-installed hashicorp/google v5.19.0
- Installing hashicorp/google-beta v5.36.0...
- Installed hashicorp/google-beta v5.36.0 (signed by HashiCorp)

Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

[0m[1m[32mTerraform has been successfully initialized![0m[32m[0m
[0m[32m
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work

**Apply Terraform changes**

Note: The following command will fail with an error because we haven't uploaded Docker image yet. `│ Error: Error waiting to create Service: resource is in failed state "Ready:False", message: Revision 'some-project-id-546757-dev-service-00001-6sm' is not ready and cannot serve traffic. Image 'us-central1-docker.pkg.dev/some-project-id-546757/some-project-id-546757-dev-repo/app-service:latest' not found.`

In [26]:
!terraform plan

Acquiring state lock. This may take a few moments...
[0m[1mmodule.cloud_sql.data.google_compute_default_service_account.default: Reading...[0m[0m
[0m[1mmodule.rabbitmq.data.google_compute_default_service_account.default: Reading...[0m[0m
[0m[1mmodule.vpc.google_compute_network.vpc: Refreshing state... [id=projects/nest-vite-fs-microservices/global/networks/nest-vite-fs-microservices-vpc][0m
[0m[1mmodule.cloud_run_gateway.google_service_account.cloud_run_sa: Refreshing state... [id=projects/nest-vite-fs-microservices/serviceAccounts/dev-gateway-service-sa@nest-vite-fs-microservices.iam.gserviceaccount.com][0m
[0m[1mmodule.ci_cd_service_account.google_service_account.ci_cd: Refreshing state... [id=projects/nest-vite-fs-microservices/serviceAccounts/dev-ci-cd-service-account@nest-vite-fs-microservices.iam.gserviceaccount.com][0m
[0m[1mmodule.rabbitmq.google_compute_address.external_ip: Refreshing state... [id=projects/nest-vite-fs-microservices/regions/us-central1

In [None]:
# Execute Terraform apply directly with hardcoded app_service_count and dynamic tfvars_file_path
!terraform apply --auto-approve

## Docker Image Build & Deployment

In [4]:
!gcloud auth configure-docker


{
  "credHelpers": {
    "asia.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "us-central1-docker.pkg.dev": "gcloud",
    "us.gcr.io": "gcloud"
  }
}
Adding credentials for all GCR repositories.
gcloud credential helpers already registered correctly.


In [33]:
service_name = "web-service"
app_name = "web-service"
service_folder = "web"

In [34]:
# Build the Docker image using the Dockerfile located in the parent directory.
!docker build --no-cache -t {region}-docker.pkg.dev/{project_id}/{project_id}-{env}-repo/{env}-{app_name}:latest -f ../../../apps/{service_folder}/Dockerfile ../../../

[1A[1B[0G[?25l[+] Building 0.0s (0/0)  docker:desktop-linux
[?25h[1A[0G[?25l[+] Building 0.0s (0/1)                                    docker:desktop-linux
[?25h[1A[0G[?25l[+] Building 0.1s (2/5)                                    docker:desktop-linux
[34m => [internal] load build definition from Dockerfile                       0.0s
[0m[34m => => transferring dockerfile: 914B                                       0.0s
[0m[34m => [internal] load .dockerignore                                          0.0s
[0m[34m => => transferring context: 486B                                          0.0s
[0m => [internal] load metadata for docker.io/library/nginx:alpine            0.1s
 => [internal] load metadata for docker.io/library/node:18.20.3            0.1s
 => [auth] library/node:pull token for registry-1.docker.io                0.0s
[?25h[1A[1A[1A[1A[1A[1A[1A[1A[0G[?25l[+] Building 0.3s (4/6)                                    docker:desktop-linux


In [35]:
# Push Docker Image to Artifact Registry
!docker push {region}-docker.pkg.dev/{project_id}/{project_id}-{env}-repo/{env}-{app_name}:latest

The push refers to repository [us-central1-docker.pkg.dev/nest-vite-fs-microservices/nest-vite-fs-microservices-dev-repo/dev-web-service]

[1B67fb62d6: Preparing 
[1Bf59421a6: Preparing 
[1B0bfcdf17: Preparing 
[1Ba09843a0: Preparing 
[1B172d7184: Preparing 
[1B6fe26981: Preparing 
[1B8baef084: Preparing 
[1Bf4a1b224: Preparing 
[1B164ce225: Preparing 
[1B270dbfe6: Preparing 
[1Be1fcf1ad: Preparing 
[9Ba09843a0: Pushed lready exists 7MB[12A[2K[9A[2K[7A[2K[6A[2K[12A[2K[11A[2K[4A[2K[3A[2K[9A[2Klatest: digest: sha256:764b26e1071e624bc8eec70674e6102c2c8ee4747b0777cf3d2a25fda5f59b1f size: 2821


In [36]:
# Deploy to Google Cloud Run
# NOTE THERE IS HARD_CODED SERVICE NAME BECAUSE FOLDER NAME IS DIFFERENT FROM SERVICE NAME
!gcloud run deploy {project_id}-{env}-{service_name} --image {region}-docker.pkg.dev/{project_id}/{project_id}-{env}-repo/{env}-{app_name}:latest --platform managed --region={region} --allow-unauthenticated

Deploying container to Cloud Run service [[1mnest-vite-fs-microservices-dev-web-service[m] in project [[1mnest-vite-fs-microservices[m] region [[1mus-central1[m]
Deploying...                                                                   
  . Creating Revision...                                                       
  . Routing traffic...                                                         
  . Setting IAM Policy...                                                      
  Deploying...                                                                 



⠛ Deploying...                                                                 



⠹ Deploying...                                                                 



⠼ Deploying...                                                                 



⠶ Deploying...                                                                 



⠧ Deploying...                                                          

## Secrets for CI Authorization

In [26]:
# Define your variables
service_account_name = f"{env}-ci-cd-service-account"
service_account_email = f"{service_account_name}@{project_id}.iam.gserviceaccount.com"
key_filename = f"{env}-ci-cd-service-account-key.json"

# Construct the gcloud command
gcloud_command = f"gcloud iam service-accounts keys create ../../../{key_filename} --iam-account {service_account_email}"

# Execute the command
!{gcloud_command}

created key [1af2b81d7c7fa9add606cfe5e2766dc29621cdf9] of type [json] as [../../../dev-ci-cd-service-account-key.json] for [dev-ci-cd-service-account@template-nestjs-api.iam.gserviceaccount.com]


## GitHub Secrets

Go to your GitHub repository and navigate to `Settings` > `Secrets`.

Add a new secrets:

- GCP_PROJECT_ID
- GCP_REGION
- GCP_{env}_SA_KEY
- GCP_{env}_REPOSITORY
- GCP_{env}_IMAGE_NAME

In [27]:
# Print secrets for GitHub
print(f"GCP_PROJECT_ID: {project_id}")
print(f"GCP_REGION: {region}")
print(f"GCP_{env.upper()}_SA_KEY: >>contents of {key_filename}<<")
print(f"GCP_{env.upper()}_REPOSITORY: {project_id}-{env}-repo")
print(f"GCP_{env.upper()}_IMAGE_NAME: {env}-{docker_image_name}")

GCP_PROJECT_ID: template-nestjs-api
GCP_REGION: us-central1
GCP_DEV_SA_KEY: >>contents of dev-ci-cd-service-account-key.json<<
GCP_DEV_REPOSITORY: template-nestjs-api-dev-repo
GCP_DEV_IMAGE_NAME: dev-app-service
