Rewriting GCP as a Terraform module, updating packages and adding workflows and a devcontainer

Author: James Belchamber

.devcontainer/Dockerfile

@@ -0,0 +1,21 @@
+# Dockerfile
+FROM docker.io/golang:latest
+
+RUN apt-get update &&\
+    apt-get upgrade -y &&\
+    apt-get install -y apt-transport-https &&\
+    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg &&\
+    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list &&\
+    apt-get update &&\
+    apt-get install google-cloud-cli -y &&\
+    apt-get clean
+
+RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh &&\
+    chmod +x install-opentofu.sh &&\
+    ./install-opentofu.sh --install-method deb &&\
+    rm -f install-opentofu.sh &&\
+    apt-get clean
+
+RUN mkdir -p /usr/local/bin && apt-get update && apt-get install -y unzip && curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

.devcontainer/devcontainer.json

@@ -0,0 +1,16 @@
+{
+    "name": "Juicebox Software Realm",
+    "dockerFile": "Dockerfile",
+    "features": {
+        "ghcr.io/devcontainers-extra/features/pre-commit:2": {},
+        "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
+        "ghcr.io/devcontainers/features/common-utils": {
+            "installZsh": true,
+            "installOhMyZsh": true,
+            "installOhMyZshConfig": true,
+            "configureZshAsDefaultShell": true,
+            "upgradePackages": true
+        }
+    },
+    "postCreateCommand": "bash .devcontainer/post-create.sh"
+}

.devcontainer/post-create.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Install pre-commit hooks
+pre-commit install

.github/workflows/build_and_publish.yml

@@ -0,0 +1,64 @@
+name: Build and Publish
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build_and_publish:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24.4"
+          check-latest: false
+
+      - name: Build Executable
+        run: |
+          go build ./cmd/jb-sw-realm
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/main.yml .github/workflows/lint_and_test.yml.github/workflows/main.yml renamed to .github/workflows/lint_and_test.yml

@@ -1,10 +1,7 @@
-name: CI
+name: Lint and Test
 
 on:
   pull_request: {}
-  push:
-    branches:
-    - main
   workflow_dispatch: {}
 
 jobs:
@@ -13,18 +10,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.22.2'
+          go-version: "1.24.4"
           check-latest: false
 
       - name: Run revive
         run: |
           go install github.com/mgechev/revive@latest
-          revive -config revive.toml -formatter friendly -set_exit_status ./...
+          revive -config revive.toml -formatter friendly ./...
 
       - name: Run staticcheck
         run: |

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: detect-private-key
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.99.3
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_tflint
+      - id: terraform_trivy

Dockerfile

@@ -1,36 +1,13 @@
-FROM golang:1.22.2 as build-env
+FROM debian:latest
 
-WORKDIR /app
+RUN apt update && apt install -y ca-certificates
 
-COPY go.mod go.sum ./
-
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 go build -o /jb-sw-realm ./cmd/jb-sw-realm
-
-FROM debian:11-slim
-
-RUN apt-get update && apt-get install -y curl supervisor
-
-WORKDIR /otel
-
-RUN curl -LO https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.77.0/otelcol-contrib_0.77.0_linux_amd64.tar.gz \
-    && tar -xzvf otelcol-contrib_0.77.0_linux_amd64.tar.gz \
-    && mv otelcol-contrib /usr/local/bin/otelcol-contrib \
-    && rm -rf /otel
-
-COPY otel-collector-config.yaml /etc/otelcol-contrib/config.yaml
-
-COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-
-COPY --from=build-env /jb-sw-realm /usr/local/bin/jb-sw-realm
+COPY jb-sw-realm /usr/local/bin/jb-sw-realm
 
 ENV PORT 8080
 
 EXPOSE 8080
 
 HEALTHCHECK CMD curl --fail "http://localhost:8080" || exit 1
 
-ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+ENTRYPOINT ["/usr/local/bin/jb-sw-realm"]

README.md

@@ -76,48 +76,26 @@ The realm software will determine which tenant key to validate on a request by a
 
 ## GCP
 
-The following instructions will help you quickly deploy a realm to Google's App Engine Flex.
-
-Before you begin, setup a project for your realm to run in on [console.cloud.google.com](https://console.cloud.google.com) and make note of its ID.
-
-Next, setup your project environment with terraform as follows:
-```sh
-cd gcp
-terraform init
-terraform plan -var='tenant_secrets={"acme":"acme-tenant-key","anotherTenant":"another-tenant-key"}'
-terraform apply -var='tenant_secrets={"acme":"acme-tenant-key","anotherTenant":"another-tenant-key"}'
-```
-
-Note: you should update the tenant secrets `var` to reflect the actual secrets you wish to support.
-
-After terraform has finished configuring your project environment, you should see an output like follows:
-```sh
-BIGTABLE_INSTANCE_ID = "jb-sw-realms"
-GCP_PROJECT_ID = "your-project-id"
-REALM_ID = "99b2da84-b707-6203-dc35-804bbbcb8cba"
-SERVICE_ACCOUNT = "[email protected]"
-```
-
-Open the `cmd/jb-sw-realm/app.yaml` file and configure it with these values where appropriate, for example:
-Replace `{{YOUR_BIGTABLE_INSTANCE_ID}}` with `jb-sw-realms`.
-
-Finally, you can deploy the realm software by running the following command from the `cmd/jb-sw-realm` directory of the repo:
-```sh
-gcloud app deploy --project {{YOUR_GCP_PROJECT_ID}}
-```
-
-Note: you will need to have the `gcloud` command line tools installed to execute this command. You can find instructions on installing these [here](https://cloud.google.com/sdk/docs/install).
-
-This may take a few minutes, but upon success you should be able to access your realm at:
-https://{{YOUR_GCP_PROJECT_ID}}.wl.r.appspot.com
-
-If all was successful, you'll see a page render that looks something like:
-```json
-{"realmID":"99b2da84-b707-6203-dc35-804bbbcb8cba"}
+The `gcp/` directory is now a Terraform module which can be leveraged in your own Terraform codebase. For example:
+
+```terraform
+module "juicebox-software-realm" {
+  source = "github.com/rpcpool/juicebox-software-realm.git//gcp"
+
+  project_id             = "your-project-id"
+  realm_id               = "99b2da84b7076203dc35804bbbcb8cba"
+  region                 = "europe-west3"
+  zone                   = "c"
+  tenant_secrets         = {"acme":"acme-tenant-key","anotherTenant":"another-tenant-key"}
+  juicebox_image_url     = "path/to/juicebox/container/image"
+  juicebox_image_version = "latest"
+  otelcol_image_url      = "path/to/otel/collector/container/image"
+  otelcol_image_version  = "latest"
+  otelcol_config_b64     = filebase64("otel-collector-config.yaml")
+}
 ```
 
-If you wish to configure a custom domain for your new realm, visit:
-https://console.cloud.google.com/appengine/settings/domains
+This will deploy an instance of Juicebox Software Realm along with the necessary infrastructure that supports it. Please note that you will either need to deploy the Juicebox and OpenTelemetry Collector containers to a repository in GCP, or else use a remote repository which caches them from GitHub.
 
 ## AWS
 

cmd/jb-sw-realm/app.yaml

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -32,3 +32,6 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# This is a module, so ignore .lock.hcl
+.terraform.lock.hcl