feat: Configure Terraform for production deployment with enhanced set… #899
Conversation
…tings - Add GCS remote state backend configuration for state management - Create terraform.tfvars.example template (terraform.tfvars excluded via .gitignore) - Add explicit IAM roles for Build SA (cloudbuild.builds.editor, run.admin) - Update Cloud Run to 2 vCPU, 4Gi memory, 30min timeout, concurrency=4 for Veo video generation - Add GCS bucket lifecycle policy (90-day deletion) to prevent unbounded storage costs - Add comprehensive resource labels (app, environment, team, owner, cost_center) for cost tracking - Add reserved IP address support for load balancer - Ingress already configured for INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER when use_lb=true - GCS uniform bucket access already enabled - Firestore composite indexes already configured - App SA already uses least-privilege roles (storage.objectCreator not objectAdmin)
sivaprogrowth
requested review from
a team,
awaemmanuel and
ghchinoy
as code owners
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
…on-setup-011CUpQBpDEM6ZgfeGMsCJ97 feat: Configure Terraform for production deployment with enhanced set…
- Add app_env variable to variables.tf (default: local) - Add APP_ENV to Cloud Run environment variables in main.tf - Allows testing without IAP authentication - Required for Phase 1 testing and validation
- Changed iap_enabled from !var.use_lb to var.use_lb - Changed invoker_iam_disabled from !var.use_lb to var.use_lb - When use_lb=false: IAP disabled, allows direct Cloud Run access for testing - When use_lb=true: IAP enabled with load balancer for production
…ration Create comprehensive validation documentation verifying the Firestore database 'create-studio-asset-metadata' configuration against infrastructure code. Validates: - Database properties (OPTIMISTIC concurrency, PITR, delete protection) - GCS bucket configuration and IAM permissions - Cloud Run service configuration and environment variables - Firestore client implementation and integration points - All critical infrastructure components align with deployed database This completes Phase 1 validation. Ready for runtime testing.
Complete comprehensive runtime validation of the Firestore database configuration and integration with the Vertex AI Creative Studio application. All checks passed. Verified Components: - Firestore database accessibility and configuration match - Both composite indexes (media_type+timestamp, mime_type+timestamp) are READY - GCS bucket configuration (CORS, lifecycle, security settings) - Cloud Run service health and environment variables - Firebase client initialization with correct database name - Firestore query operations working (document retrieval verified) - GCS media proxy integration (images and videos accessible) - Application logs showing error-free operation - All integration points (Firestore↔App, GCS↔App) operational - IAM permissions and security controls validated Results: 19/19 checks passed (100% success rate) Status: PRODUCTION READY Includes monitoring recommendations and troubleshooting guide.
Change launch_stage from conditional (GA/BETA) to always BETA. This is required for Identity-Aware Proxy (IAP) functionality with Load Balancer. Fixes: Error 400 - IAP feature not supported in GA launch stage
…nfig-011CUpoEzNg9FuhGNnVf5xoW Claude/firestore database config 011 c upo ez ng9 fuh g nn vf5xo w
|
@sivaprogrowth could you please sign the CLA https://cla.developers.google.com/clas so we can review further? |
…BpDEM6ZgfeGMsCJ97
- Set launch_stage to BETA (required for IAP with Load Balancer) - Update backend.tf configuration - Enables Production deployment with Load Balancer + IAP
awaemmanuel
left a comment
awaemmanuel
left a comment
There was a problem hiding this comment.
@sivaprogrowth can you please sign the Google CLA Agreement? We couldn't find a Contributor License Agreement (CLA)for you. All contributors listed must be covered under a CLA for this pull request to be merged.
📝 If you are not currently covered under a CLA, please visit https://cla.developers.google.com/. Once you've signed, follow the "New Contributors" link at the bottom of this page to update this check.
Thank you so much.
csantos
left a comment
csantos
left a comment
There was a problem hiding this comment.
@ghchinoy / @awaemmanuel tagged you on a few comments. My summary is:
- Not really sure of the value of providing a sample tfvars file as the readme instructions actually create it with real values. This file is just going to be ignored given that users would be following the read me.
- Permissions being changed need explanation
- Couple of files that end with "validation" that I do not believe are needed
- Not sure about adding GCS as a state store by default as it complicates the deployment. I don't oppose enhancing the readme file to include instructions on setting it.
- Labels set aren't really needed, and are hard coded to values that should be variables which we don't have good default values for. I'd recommend changing the readme to provide instructions on adding whatever labels users need.
- I don't agree with adding file max age as it leads to data loss by default.
- I don't agree with adding support for an existing IP address. I see it as an edge case. Folks that need it, can change the template.
- I always like backing resource changes with data. Not sure if there's really a need to double resource provisioning of Cloud Run.
| public_access_prevention = "enforced" | ||
| uniform_bucket_level_access = true | ||
| default_event_based_hold = false | ||
| labels = { |
There was a problem hiding this comment.
Labels are already added in the provider section. Hard coding the label values should be avoided since we don't know the correct values across all users.
| response_header = ["Content-Type"] | ||
| max_age_seconds = 3600 | ||
| } | ||
| lifecycle_rule { |
There was a problem hiding this comment.
If we want to add max age, then setting the lifecycle and age need to be a variable as we should default to preventing data deletion and we don't know the right max age across all users.
| member = google_service_account.cloudbuild.member | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "build_run_admin" { |
There was a problem hiding this comment.
Why is there a need to elevate the privileges of the Cloud Build account?
It already given the roles/run.developer role, which is the least privilege role needed to deploy services on line 413. This is also project wide which is too wide of a scope.
| member = google_service_account.cloudbuild.member | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "build_cloudbuild_editor" { |
There was a problem hiding this comment.
Why is there a need to give the Cloud Build account the build editor role?
| repository_id = "creative-studio" | ||
| description = "Docker repository for GenMedia Creative Studio related images" | ||
| format = "DOCKER" | ||
| labels = { |
There was a problem hiding this comment.
Labels are already added in the provider section. Hard coding the label values should be avoided since we don't know the correct values across all users.
| # Copy this to terraform.tfvars and fill in your actual values | ||
| # NEVER commit terraform.tfvars to version control | ||
|
|
||
| project_id = "genai-studio-mvp" |
There was a problem hiding this comment.
Not sure if I'd even provide an example value for the project id...I'd force the user to set it.
|
|
||
| project_id = "genai-studio-mvp" | ||
| region = "us-central1" | ||
| initial_user = "[email protected]" |
There was a problem hiding this comment.
Remove reference to personal email address
| project_id = "genai-studio-mvp" | ||
| region = "us-central1" | ||
| initial_user = "[email protected]" | ||
| domain = "genaicreativestudio.progrowth.services" |
There was a problem hiding this comment.
Remove reference to company's domain.
| region = "us-central1" | ||
| initial_user = "[email protected]" | ||
| domain = "genaicreativestudio.progrowth.services" | ||
| reserved_ip_address = "[IP_FROM_TASK_1.10]" |
There was a problem hiding this comment.
Only needed if the decision is to support an existing IP address.
There was a problem hiding this comment.
Not really sure of the value of providing a sample tfvars file as the readme instructions actually create it with real values. This file is just going to be ignored given that users would be following the read me. @ghchinoy / @awaemmanuel thoughts?
5 participants
…tings
Pull-Request Template
Thank you for your contribution! Please provide a brief description of your changes and ensure you've completed the checklist below.
Description
What does this PR do?
Why is it necessary?
Fixes # (if applicable)
Checklist
nox -s formatto format the code.aaie_notebook_template.ipynbif submitting a new jupyter notebook.