first commit

mscolnick · mscolnick · commit 1044f8ee5f4c · 2023-12-21T16:57:04.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.terraform
+.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -0,0 +1,18 @@
+# terraform-dp
+
+Terraform modules to configure your marimo data plane.
+
+## Usage - GCP
+
+1. Create a project in GCP
+2. Add the following to your terraform configuration, or copy `modules/gcp/main.tf` to your project.
+
+```hcl
+module "marimo_dp" {
+  source = "github.com/marimo-team/terraform-dp//modules/gcp"
+  version = "0.1.0"
+
+  project_id = "my-project"
+  region = "us-central1"
+}
+```
diff --git a/development.md b/development.md
@@ -0,0 +1,26 @@
+# Development
+
+## Install
+
+```bash
+brew install terraform
+```
+
+### Plan
+
+```bash
+terraform init
+terraform plan
+```
+
+## Formatting
+
+```bash
+terraform fmt
+```
+
+## Validate
+
+```bash
+terraform validate
+```
diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -0,0 +1,5 @@
+# AWS
+
+> [!IMPORTANT]
+> In consideration.
+> Please reach out to us if you are interested in AWS support. <contact@marimo.io>
diff --git a/modules/azure/README.md b/modules/azure/README.md
@@ -0,0 +1,5 @@
+# Azure
+
+> [!IMPORTANT]
+> In consideration.
+> Please reach out to us if you are interested in Azure support. <contact@marimo.io>
diff --git a/modules/gcp/README.md b/modules/gcp/README.md
@@ -0,0 +1,45 @@
+## Requirements
+
+| Name                                                                           | Version        |
+| ------------------------------------------------------------------------------ | -------------- |
+| <a name="requirement_google"></a> [google](#requirement_google)                | >= 3.53, < 6.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement_google-beta) | >= 3.53, < 6.0 |
+
+## Providers
+
+| Name                                                                     | Version |
+| ------------------------------------------------------------------------ | ------- |
+| <a name="provider_google"></a> [google](#provider_google)                | 5.10.0  |
+| <a name="provider_google-beta"></a> [google-beta](#provider_google-beta) | 5.10.0  |
+
+## Modules
+
+| Name                                                                 | Source                                        | Version |
+| -------------------------------------------------------------------- | --------------------------------------------- | ------- |
+| <a name="module_gcs_buckets"></a> [gcs_buckets](#module_gcs_buckets) | terraform-google-modules/cloud-storage/google | ~> 5.0  |
+
+## Resources
+
+| Name                                                                                                                                                                                          | Type     |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| [google-beta_google_artifact_registry_repository.marimo_apps_docker](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_artifact_registry_repository) | resource |
+| [google_project_iam_member.marimo_cp](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member)                                                      | resource |
+| [google_project_service.project_services](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service)                                                     | resource |
+| [google_service_account.marimo_cp](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account)                                                            | resource |
+| [google_service_account_key.marimo_cp](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key)                                                    | resource |
+
+## Inputs
+
+| Name                                                            | Description                           | Type          | Default                                                         | Required |
+| --------------------------------------------------------------- | ------------------------------------- | ------------- | --------------------------------------------------------------- | :------: |
+| <a name="input_labels"></a> [labels](#input_labels)             | additional labels to add to resources | `map(string)` | <pre>{<br> "marimo": "true",<br> "terraform": "true"<br>}</pre> |    no    |
+| <a name="input_project_id"></a> [project_id](#input_project_id) | the project ID                        | `string`      | n/a                                                             |   yes    |
+| <a name="input_region"></a> [region](#input_region)             | the GCP region to deploy to           | `string`      | n/a                                                             |   yes    |
+
+## Outputs
+
+| Name                                                                                                                       | Description                                   |
+| -------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- |
+| <a name="output_marimo_artifact_registry"></a> [marimo_artifact_registry](#output_marimo_artifact_registry)                | the artifact registry for the data plane      |
+| <a name="output_marimo_cp_service_account"></a> [marimo_cp_service_account](#output_marimo_cp_service_account)             | the service account for the control plane     |
+| <a name="output_marimo_cp_service_account_key"></a> [marimo_cp_service_account_key](#output_marimo_cp_service_account_key) | the service account key for the control plane |
diff --git a/modules/gcp/main.tf b/modules/gcp/main.tf
@@ -0,0 +1,103 @@
+locals {
+  roles = [
+    "roles/run.developer",                # Manage cloud run services
+    "roles/run.invoker",                  # Invoke cloud run services
+    "roles/secretmanager.secretAccessor", # Access env secrets
+    "roles/secretmanager.admin",          # Create and manage secrets
+    "roles/artifactregistry.writer",      # Push to docker registry in data plane
+    "roles/iam.serviceAccountUser",       # Impersonate service accounts
+    "roles/iam.serviceAccountCreator",    # Create service accounts
+  ]
+
+  activate_apis = [
+    # Artifact Registry
+    "artifactregistry.googleapis.com",
+    # Identity and Access Management (IAM) API
+    "iam.googleapis.com",
+    # Secret Manager
+    "secretmanager.googleapis.com",
+    # Cloud Run
+    "run.googleapis.com",
+    "container.googleapis.com",
+    # Cloud Storage
+    "storage-api.googleapis.com",
+  ]
+}
+
+# Activate APIs
+resource "google_project_service" "project_services" {
+  for_each                   = toset(local.activate_apis)
+  project                    = var.project_id
+  service                    = each.value
+  disable_on_destroy         = false
+  disable_dependent_services = false
+}
+
+# Service account
+resource "google_service_account" "marimo_cp" {
+  depends_on   = [google_project_service.project_services]
+  project      = var.project_id
+  account_id   = "marimo-cp"
+  display_name = "Marimo Control Plane Service Account"
+  description  = "Service account for the control plane to access the data plane"
+}
+
+# Service account credentials
+resource "google_service_account_key" "marimo_cp" {
+  depends_on         = [google_project_service.project_services]
+  service_account_id = google_service_account.marimo_cp.name
+}
+
+# Add roles to service account
+resource "google_project_iam_member" "marimo_cp" {
+  depends_on = [google_project_service.project_services]
+  project    = var.project_id
+  for_each   = toset(local.roles)
+  role       = each.value
+  member     = "serviceAccount:${google_service_account.marimo_cp.email}"
+}
+
+# Docker Registry for Marimo Apps in Data Plane
+resource "google_artifact_registry_repository" "marimo_apps_docker" {
+  depends_on = [google_project_service.project_services]
+  # Beta provider is required for cleanup_policies
+  # If you don't want to use cleanup_policies, you can use the google provider
+  provider      = google-beta
+  location      = var.region
+  repository_id = "marimo-apps"
+  description   = "Marimo Apps Docker Registry"
+  format        = "DOCKER"
+  project       = var.project_id
+
+  labels = var.labels
+
+  cleanup_policies {
+    id     = "keep-minimum-versions"
+    action = "KEEP"
+    most_recent_versions {
+      keep_count = 2
+    }
+  }
+}
+
+# GCS Buckets for the data plane
+module "gcs_buckets" {
+  depends_on = [google_project_service.project_services]
+  # https://registry.terraform.io/modules/terraform-google-modules/cloud-storage/google/latest
+  source     = "terraform-google-modules/cloud-storage/google"
+  version    = "~> 5.0"
+  project_id = var.project_id
+  location   = var.region
+  names = [
+    # App Code Bucket - Stores the code for all Marimo apps, before deployment
+    "app-code-bucket",
+    # App Screenshots Bucket - Stores the screenshots for all Marimo apps
+    "app-screenshots-bucket",
+  ]
+  # Buckets are globally unique in GCP
+  prefix          = var.project_id
+  set_admin_roles = true
+  admins          = ["serviceAccount:${google_service_account.marimo_cp.email}"]
+  versioning      = {}
+  labels          = var.labels
+}
diff --git a/modules/gcp/outputs.tf b/modules/gcp/outputs.tf
@@ -0,0 +1,15 @@
+output "marimo_cp_service_account" {
+  description = "the service account for the control plane"
+  value       = google_service_account.marimo_cp.email
+}
+
+output "marimo_cp_service_account_key" {
+  description = "the service account key for the control plane"
+  sensitive   = true
+  value       = google_service_account_key.marimo_cp.private_key
+}
+
+output "marimo_artifact_registry" {
+  description = "the artifact registry for the data plane"
+  value       = google_artifact_registry_repository.marimo_apps_docker.name
+}
diff --git a/modules/gcp/variables.tf b/modules/gcp/variables.tf
@@ -0,0 +1,18 @@
+variable "project_id" {
+  description = "the project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "the GCP region to deploy to"
+  type        = string
+}
+
+variable "labels" {
+  description = "additional labels to add to resources"
+  type        = map(string)
+  default = {
+    marimo    = "true"
+    terraform = "true"
+  }
+}
diff --git a/modules/gcp/versions.tf b/modules/gcp/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.53, < 6.0"
+    }
+
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 3.53, < 6.0"
+    }
+  }
+}
