```bash
# Create a key ring to hold the keys that protect the app's secrets
gcloud kms keyrings create photo-album --location=us-central1
# Create a symmetric key and encrypt the Cloud Run service account credentials with it
gcloud kms keys create photo_album_runner_key --location us-central1 \
  --keyring photo-album --purpose encryption
gcloud kms encrypt --location us-central1 --keyring photo-album \
  --key photo_album_runner_key --plaintext-file ./config/photo_album_runner.key \
  --ciphertext-file ./config/photo_album_runner.key.enc
# Only the .enc file belongs in the repo; keep the plaintext .key out of version control
```
```bash
# Set up the Photo Album service account
PA_SVC_ACCOUNT=photo-album-runner@$PROJECT_ID.iam.gserviceaccount.com
# Grant the GCS admin role
# (roles/storage.admin is project-wide; a bucket-level binding is narrower if the app only needs its own bucket)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member serviceAccount:$PA_SVC_ACCOUNT --role roles/storage.admin
# Grant the Cloud SQL client role
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member serviceAccount:$PA_SVC_ACCOUNT --role roles/cloudsql.client
```
```bash
# Set an env variable to make things more readable
CB_SVC_ACCOUNT=xxx...xxx@cloudbuild.gserviceaccount.com
# Grant Cloud Build the right to decrypt the Rails master key
gcloud kms keys add-iam-policy-binding rails_master_key --location=us-central1 \
  --keyring=photo-album --member=serviceAccount:$CB_SVC_ACCOUNT \
  --role=roles/cloudkms.cryptoKeyDecrypter
# Grant Cloud Build the right to decrypt the Rails production database password
gcloud kms keys add-iam-policy-binding db_pwd_key --location=us-central1 \
```
```bash
# Deploy the latest container image we just built
gcloud beta run deploy photo-album --image gcr.io/$PROJECT_ID/photo_album \
  --set-cloudsql-instances $PROJECT_ID:us-central1:photo-album-production \
  --region us-central1 --allow-unauthenticated
```
```bash
#!/usr/bin/env bash
# Abort on the first failing command so a broken migration does not go unnoticed
set -e
cd /usr/src/app
# Create the Rails production DB on first run
RAILS_ENV=production bundle exec rake db:create
# Make sure we are using the most up-to-date
# database schema
RAILS_ENV=production bundle exec rake db:migrate
```
```dockerfile
# Leverage the official Ruby image from Docker Hub
# https://hub.docker.com/_/ruby
FROM ruby:2.6
# Install recent versions of nodejs (10.x) and the yarn package manager
# Needed to properly pre-compile Rails assets
RUN (curl -sL https://deb.nodesource.com/setup_10.x | bash -) && apt-get update && apt-get install -y nodejs
RUN (curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -) && \
    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
```
```yaml
steps:
  # Decrypt the Rails master key file
  - name: gcr.io/cloud-builders/gcloud
    args: ["kms", "decrypt", "--ciphertext-file=./config/master.key.enc",
           "--plaintext-file=./config/master.key",
           "--location=us-central1", "--keyring=photo-album",
           "--key=rails_master_key"]
  # Decrypt Photo Album service account credentials
```
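The encrypt step above writes `photo_album_runner.key.enc` next to the plaintext `photo_album_runner.key`, and the Cloud Build step decrypts `master.key.enc` back to `config/master.key`. A mistake this workflow invites is committing the plaintext alongside the ciphertext. The following check is an added example, not part of the original post or project: it walks a list of secret paths and fails if a ciphertext is missing or a plaintext copy is present without being listed in `.gitignore`. The `.gitignore` matching is a deliberate simplification (exact path, leading-slash path, or basename only); the repository layout and file names in the usage are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: guard against committing plaintext secrets next to their KMS ciphertexts.
set -eu

# Simplified .gitignore check (assumption: exact path, "/path", or basename entries only;
# real gitignore semantics are richer than this).
is_gitignored() {
  local root="$1" path="$2"
  [ -f "$root/.gitignore" ] || return 1
  grep -qxF -e "$path" -e "/$path" -e "$(basename "$path")" "$root/.gitignore"
}

# check_secret_hygiene ROOT PLAINTEXT_PATH...
# Returns 0 when every plaintext path has a ".enc" sibling and, if the plaintext
# itself exists on disk, it is ignored. Reports each problem on stderr.
check_secret_hygiene() {
  local root="$1"; shift
  local status=0 plain enc
  for plain in "$@"; do
    enc="${plain}.enc"
    if [ ! -f "$root/$enc" ]; then
      echo "missing ciphertext: $enc" >&2
      status=1
    fi
    if [ -f "$root/$plain" ] && ! is_gitignored "$root" "$plain"; then
      echo "plaintext present but not ignored: $plain" >&2
      status=1
    fi
  done
  return "$status"
}

# Usage against the layout used in this post (constructed paths):
#   check_secret_hygiene . config/master.key config/photo_album_runner.key
```

Run it from a pre-commit hook or as an early Cloud Build step so a build stops before a plaintext key is baked into an image.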