namespace cloud resources; dress up READMEs

micro-nova · Jul 8, 2024 · 9aa26da · 9aa26da
1 parent e3e986d
commit 9aa26da
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 25 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -30,4 +30,4 @@ jobs:
           sudo apt install hugo
           hugo
           hugo deploy
-          gcloud compute url-maps invalidate-cdn-cache blog-prod --path "/*" --async
+          gcloud compute url-maps invalidate-cdn-cache engineering-blog-prod --path "/*" --async
diff --git a/README.md b/README.md
@@ -1,18 +1,10 @@
-# `micro-nova-engineering-blog`
+# `engineering-blog`
 
-This repo generates and deploys Micro-Nova's engineering blog. Posts are stored as Markdown, rendered using Hugo, and deployed to an upstream object store (presently in GCP.)
-
-## prereqs
-
-Install these prereqs:
-```
-apt install hugo
-```
+This repo generates and deploys Micro-Nova's engineering blog. Posts are stored as Markdown, rendered using [Hugo](https://gohugo.io/), and deployed to an upstream object store & CDN using GitHub Actions. Infrastructure in GCP is configured using [OpenTofu](https://opentofu.org/) and stored in `opentofu/`.
 
 ## How to add a blog post
 
+1. If you have not already, install `hugo` (might be `sudo apt install hugo`.)
 1. Create the post using `hugo new post/$TITLE.md`
 1. Modify the file in `content/post/$TITLE.md`.
 1. Create a PR & merge it.
-
-
diff --git a/opentofu/README.md b/opentofu/README.md
@@ -4,13 +4,30 @@ This folder contains [OpenTofu](https://opentofu.org/) code to deploy a basic st
 
 ## Setup
 
-Install opentofu, then configure a `.env` like so and `source` it:
+Install [`gcloud`](https://cloud.google.com/sdk/gcloud/) and authenticate to GCP.
+
+Create a personal [CloudFlare API token](https://dash.cloudflare.com/profile/api-tokens); ensure it is IP-limited to the office IP and expires in <= 2 years.
+
+Install `opentofu`, then configure a `.env` like so and `source` it:
 
 ```
 export GOOGLE_CLOUD_PROJECT=$SOME_VALUE_FROM_GCP_CONSOLE
 export GOOGLE_REGION=us-central1
 export TF_VAR_dns_record="blog"
 export TF_VAR_dns_zone_name="micro-nova.com"
 export TF_VAR_env="prod"
-export CLOUDFLARE_API_TOKEN="your token here" # create a cloudflare token that is IP limited to the office and expires in 2yrs
+export CLOUDFLARE_API_TOKEN="your token here"
+```
+
+## Changing infra
+
+Please read the [OpenTofu](https://opentofu.org/docs/intro/) documentation. A sample workflow looks like this:
+
+
+```
+tofu plan
+# does everything look okay? modify to fit
+tofu apply
+tofu fmt # make it pretty
+# git commit & PR your changes
 ```
diff --git a/opentofu/cert.tf b/opentofu/cert.tf
@@ -1,5 +1,5 @@
 resource "google_certificate_manager_certificate" "default" {
-  name = "${var.dns_name}-${var.env}" # the regex for this resource is restrictive
+  name = "${var.project}-${var.dns_name}-${var.env}"
   managed {
     domains = [
       google_certificate_manager_dns_authorization.default.domain,
@@ -11,17 +11,17 @@ resource "google_certificate_manager_certificate" "default" {
 }
 
 resource "google_certificate_manager_dns_authorization" "default" {
-  name        = "${var.dns_name}-${var.env}" # the regex for this resource is restrictive
+  name        = "${var.project}-${var.dns_name}-${var.env}"
   description = "The default dnss"
   domain      = "${var.dns_name}.${var.dns_zone_name}"
 }
 
 resource "google_certificate_manager_certificate_map" "certificate_map" {
-  name = "${var.dns_name}-${var.env}" # the regex for this resource is restrictive
+  name = "${var.project}-${var.dns_name}-${var.env}"
 }
 
 resource "google_certificate_manager_certificate_map_entry" "default" {
-  name         = "${var.dns_name}-${var.env}" # the regex for this resource is restrictive
+  name         = "${var.project}-${var.dns_name}-${var.env}"
   map          = google_certificate_manager_certificate_map.certificate_map.name
   certificates = [google_certificate_manager_certificate.default.id]
   matcher      = "PRIMARY"

diff --git a/opentofu/deploy.tf b/opentofu/deploy.tf
@@ -10,7 +10,7 @@ resource "google_iam_workload_identity_pool_provider" "github" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
   workload_identity_pool_provider_id = "github"
   display_name                       = "Github"
-  description                        = "OIDC identity pool provider for automated deployments from Github -> Cloud Run"
+  description                        = "OIDC identity pool provider for automated deployments from Github -> Object Storage"
   attribute_condition                = "assertion.repository_owner == 'micro-nova' && assertion.repository_id == '${data.github_repository.repo.repo_id}'"
   attribute_mapping = {
     "google.subject"             = "assertion.sub"
@@ -38,7 +38,7 @@ resource "google_service_account_iam_binding" "github" {
 }
 
 resource "google_project_iam_custom_role" "static_site_cdn" {
-  role_id     = "${var.dns_name}_${var.env}_cdn"
+  role_id     = "${var.project}_${var.dns_name}_${var.env}_cdn"
   title       = "invalidate CDN for static site, ${data.github_repository.repo.name}-${var.env}"
   description = "Limited scope role for github to deploy the static site"
   permissions = [
@@ -56,7 +56,7 @@ resource "google_project_iam_binding" "static_site_cdn" {
 }
 
 resource "google_project_iam_custom_role" "static_site_bucket" {
-  role_id     = "${var.dns_name}_${var.env}_bucket"
+  role_id     = "${var.project}_${var.dns_name}_${var.env}_bucket"
   title       = "deploy static site to bucket, ${data.github_repository.repo.name}-${var.env}"
   description = "Limited scope role for github to deploy the static site"
   permissions = [

diff --git a/opentofu/lb.tf b/opentofu/lb.tf
@@ -1,23 +1,23 @@
 resource "google_compute_backend_bucket" "backend_bucket" {
-  name        = "${var.dns_name}-${var.env}" # the regex for this is restrictive
+  name        = "${var.project}-${var.dns_name}-${var.env}" # the regex for this is restrictive
   bucket_name = "${var.dns_name}.${var.dns_zone_name}"
   enable_cdn  = true
 }
 
 resource "google_compute_target_https_proxy" "lb" {
-  name            = "${var.dns_name}-${var.env}" # the regex for this is restrictive
+  name            = "${var.project}-${var.dns_name}-${var.env}" # the regex for this is restrictive
   url_map         = google_compute_url_map.map.id
   certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.certificate_map.id}"
 }
 
 resource "google_compute_url_map" "map" {
-  name = "${var.dns_name}-${var.env}" # the regex for this is restrictive
+  name = "${var.project}-${var.dns_name}-${var.env}" # the regex for this is restrictive
 
   default_service = google_compute_backend_bucket.backend_bucket.self_link
 }
 
 resource "google_compute_global_forwarding_rule" "rule" {
-  name                  = "${var.dns_name}-${var.env}"
+  name                  = "${var.project}-${var.dns_name}-${var.env}"
   port_range            = "443"
   load_balancing_scheme = "EXTERNAL_MANAGED"
   ip_protocol           = "TCP"

diff --git a/opentofu/variables.tf b/opentofu/variables.tf
@@ -3,6 +3,17 @@ variable "env" {
   type        = string
 }
 
+variable "project" {
+  description = "A short project descriptor. Used for namespacing resources with restrictive name validation."
+  type        = string
+  default     = "engineering"
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9]*$", var.project))
+    error_message = "Must be strictly alphanumeric"
+  }
+}
+
 variable "dns_name" {
   description = "The bare dns record used to instantiate various services; does not include the zone."
   type        = string