Merge pull request #54 from cal-itp/mov/37-terraform-load-balancer

ohrite · web-flow · commit ccde9e7cccd5 · 2025-10-20T21:56:49.000-07:00
Analyst can log into staging with DOT email
diff --git a/iac/secrets.tf b/iac/secrets.tf
@@ -29,3 +29,48 @@ resource "google_secret_manager_secret_version" "cal-bc-staging-database-url" {
   secret         = google_secret_manager_secret.cal-bc-staging-database-url.name
   secret_data_wo = "postgres://${google_sql_user.cal-bc-staging.name}:${random_password.cal-bc-staging-database.result}@//cloudsql/${google_sql_database_instance.cal-bc-staging.project}:${google_sql_database_instance.cal-bc-staging.region}:${google_sql_database_instance.cal-bc-staging.name}/${google_sql_database.cal-bc-staging.name}"
 }
+
+resource "google_secret_manager_secret" "cal-bc-staging-azure-auth-client-id" {
+  secret_id = "cal-bc-staging-azure-auth-client-id"
+  replication {
+    user_managed {
+      replicas {
+        location = "us-west2"
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "cal-bc-staging-azure-auth-client-id" {
+  secret = google_secret_manager_secret.cal-bc-staging-azure-auth-client-id.name
+}
+
+resource "google_secret_manager_secret" "cal-bc-staging-azure-auth-client-secret" {
+  secret_id = "cal-bc-staging-azure-auth-client-secret"
+  replication {
+    user_managed {
+      replicas {
+        location = "us-west2"
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "cal-bc-staging-azure-auth-client-secret" {
+  secret = google_secret_manager_secret.cal-bc-staging-azure-auth-client-secret.name
+}
+
+resource "google_secret_manager_secret" "cal-bc-staging-azure-auth-directory-id" {
+  secret_id = "cal-bc-staging-azure-auth-directory-id"
+  replication {
+    user_managed {
+      replicas {
+        location = "us-west2"
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "cal-bc-staging-azure-auth-directory-id" {
+  secret = google_secret_manager_secret.cal-bc-staging-azure-auth-directory-id.name
+}
diff --git a/iac/service.tf b/iac/service.tf
@@ -4,6 +4,11 @@ resource "google_cloud_run_v2_service" "cal-bc-staging" {
   deletion_protection = false
   ingress             = "INGRESS_TRAFFIC_ALL"
 
+  traffic {
+    type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
+    percent = 100
+  }
+
   template {
     service_account = data.terraform_remote_state.iam.outputs.google_service_account_cal-bc-service-account_email
 
@@ -44,12 +49,37 @@ resource "google_cloud_run_v2_service" "cal-bc-staging" {
           }
         }
       }
-    }
-  }
 
-  traffic {
-    type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
-    percent = 100
+      env {
+        name = "AZURE_AUTH__CLIENT_ID"
+        value_source {
+          secret_key_ref {
+            secret  = google_secret_manager_secret.cal-bc-staging-azure-auth-client-id.secret_id
+            version = "latest"
+          }
+        }
+      }
+
+      env {
+        name = "AZURE_AUTH__CLIENT_SECRET"
+        value_source {
+          secret_key_ref {
+            secret  = google_secret_manager_secret.cal-bc-staging-azure-auth-client-secret.secret_id
+            version = "latest"
+          }
+        }
+      }
+
+      env {
+        name = "AZURE_AUTH__DIRECTORY_ID"
+        value_source {
+          secret_key_ref {
+            secret  = google_secret_manager_secret.cal-bc-staging-azure-auth-directory-id.secret_id
+            version = "latest"
+          }
+        }
+      }
+    }
   }
 }
 
@@ -59,3 +89,64 @@ resource "google_cloud_run_service_iam_binding" "cal-bc-staging" {
   role     = "roles/run.invoker"
   members  = ["allUsers"]
 }
+
+resource "google_compute_region_network_endpoint_group" "cal-bc-staging" {
+  name                  = "cal-bc-staging"
+  network_endpoint_type = "SERVERLESS"
+  region                = google_cloud_run_v2_service.cal-bc-staging.location
+  cloud_run {
+    service = google_cloud_run_v2_service.cal-bc-staging.name
+  }
+}
+
+resource "google_compute_global_address" "cal-bc-staging" {
+  name = "cal-bc-staging-address"
+}
+
+module "lb-http" {
+  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
+  version = "~> 13.2"
+
+  name    = "cal-bc-staging"
+  project = "cal-itp-data-infra-staging"
+
+  ssl                             = true
+  managed_ssl_certificate_domains = ["cal-bc-staging.dds.dot.ca.gov"]
+  https_redirect                  = true
+
+  address        = google_compute_global_address.cal-bc-staging.address
+  create_address = false
+
+  backends = {
+    default = {
+      description = null
+
+      groups = []
+      serverless_neg_backends = [
+        {
+          "region" : "us-west2",
+          "type" : "cloud-run",
+          "service" : {
+            "name" : google_cloud_run_v2_service.cal-bc-staging.name
+          }
+        }
+      ]
+
+      health_check = {
+        request_path = "/"
+        protocol     = "HTTP"
+        port         = 80
+      }
+
+      enable_cdn = false
+
+      iap_config = {
+        enable = false
+      }
+
+      log_config = {
+        enable = false
+      }
+    }
+  }
+}
