OUTPOST-181 egress-networking #5

Workflow file for this run

.github/workflows/gcp-setup.yml at fd3b621

	# This is a basic workflow to create, configure and deploy artefacts and resources
	# for the PPE Inventory project in the DEMO/Live environment

	name: GCP Setup

	on:
	push:
	branches:
	[OUTPOST-181-update-ofsted-feed-application-to-work-with-new-certificate]
	paths:
	- ".github/workflows/gcp-setup.yml"

	jobs:
	# These run in parallel because gcp-services and setup-networking only make changes on the first run.
	# Running in parallel speeds things up for normal runs (accepting you might get one or two errors for a new deployment)

	gcp-services:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- id: "auth"
	uses: "google-github-actions/auth@v1"
	with:
	credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
	project_id: ${{ secrets.PROJECT_ID }}

	- name: Setup gcloud CLI
	uses: google-github-actions/setup-gcloud@v1

	# Enable the APIs for services we need
	- name: Enable APIs
	run: \|
	gcloud services enable cloudresourcemanager.googleapis.com
	gcloud services enable cloudfunctions.googleapis.com
	gcloud services enable sheets.googleapis.com
	gcloud services enable cloudbuild.googleapis.com
	gcloud services enable run.googleapis.com
	gcloud services enable compute.googleapis.com
	gcloud services enable vpcaccess.googleapis.com
	gcloud services enable secretmanager.googleapis.com
	gcloud services enable artifactregistry.googleapis.com

	egress-networking:
	# We need traffic to egress through a VPC so that it can have a static IP address
	# See: https://cloud.google.com/functions/docs/networking/network-settings#route-egress-to-vpc

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- id: "auth"
	uses: "google-github-actions/auth@v1"
	with:
	credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
	project_id: ${{ secrets.PROJECT_ID }}
	- name: Public IP address
	run: \|
	gcloud compute addresses describe ofsted-egress-ip --region=europe-west2 \|\| \
	gcloud compute addresses create ofsted-egress-ip --region=europe-west2
	- name: Network
	run: \|
	gcloud compute networks describe ofsted-egress-network \|\| \
	gcloud compute networks create ofsted-egress-network --subnet-mode=custom
	- name: Router
	run: \|
	gcloud compute routers describe ofsted-egress-router --region=europe-west2 \|\| \
	gcloud compute routers create ofsted-egress-router \
	--network ofsted-egress-network \
	--region=europe-west2
	- name: NAT
	run: \|
	gcloud compute routers nats describe ofsted-egress-nat --router=ofsted-egress-router --region=europe-west2 \|\| \
	gcloud compute routers nats create ofsted-egress-nat \
	--router=ofsted-egress-router \
	--router-region=europe-west2 \
	--nat-primary-subnet-ip-ranges \
	--nat-external-ip-pool=ofsted-egress-ip
	- name: VPC connector for function traffic
	run: \|
	project_id=$(gcloud config get-value project)
	project_number=$(gcloud projects describe $project_id --format="value(projectNumber)")
	gcloud compute networks vpc-access connectors describe ofsted-egress-vpcc --region europe-west2 \|\| \
	gcloud compute networks vpc-access connectors create ofsted-egress-vpcc \
	--network=ofsted-egress-network \
	--region=europe-west2 \
	--range=10.0.0.16/28
	gcloud projects add-iam-policy-binding $project_id \
	--member=serviceAccount:service-${project_number}@gcf-admin-robot.iam.gserviceaccount.com \
	--role=roles/viewer
	gcloud projects add-iam-policy-binding $project_id \
	--member=serviceAccount:service-${project_number}@gcf-admin-robot.iam.gserviceaccount.com \
	--role=roles/compute.networkUser

	secrets:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- id: "auth"
	uses: "google-github-actions/auth@v1"
	with:
	credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
	project_id: ${{ secrets.PROJECT_ID }}
	env:
	OFSTED_API_KEY: ${{ secrets.OFSTED_API_KEY }}
	OFSTED_SERVICE_KEY: ${{ secrets.OFSTED_SERVICE_KEY }}
	OFSTED_LOCAL_AUTHORITY_CODE: ${{ secrets.OFSTED_LOCAL_AUTHORITY_CODE }}
	ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
	# see: https://cloud.google.com/sdk/gcloud/reference/secrets/create
	# see also: gcloud beta secrets locations list
	# NB Vaild locations are currently eurompe-west1 (Belgium) and europe-west4 (Netherlands) but not europe-west2 (London)
	- name: ofsted_api_key
	run: \|
	gcloud secrets describe ofsted_api_key \|\| \
	echo $OFSTED_API_KEY \| gcloud secrets create ofsted_api_key --data-file=- --replication-policy=user-managed --locations=europe-west1,europe-west4
	- name: ofsted_service_key
	run: \|
	gcloud secrets describe ofsted_service_key \|\| \
	echo $OFSTED_SERVICE_KEY \| gcloud secrets create ofsted_service_key --data-file=- --replication-policy=user-managed --locations=europe-west1,europe-west4
	- name: ofsted_local_authority_code
	run: \|
	gcloud secrets describe ofsted_local_authority_code \|\| \
	echo $OFSTED_LOCAL_AUTHORITY_CODE \| gcloud secrets create ofsted_local_authority_code --data-file=- --replication-policy=user-managed --locations=europe-west1,europe-west4
	- name: access_token
	run: \|
	gcloud secrets describe access_token \|\| \
	echo $ACCESS_TOKEN \| gcloud secrets create access_token --data-file=- --replication-policy=user-managed --locations=europe-west1,europe-west4
	- name: permissions
	run: \|
	project_id=$(gcloud config get-value project)
	project_number=$(gcloud projects describe $project_id --format="value(projectNumber)")
	gcloud projects add-iam-policy-binding $project_id \
	--member=serviceAccount:${project_number}[email protected] \
	--role=roles/secretmanager.secretAccessor

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OUTPOST-181 egress-networking #5

Workflow file

OUTPOST-181 egress-networking #5

Jobs

Run details

Workflow file for this run