updates

Author: vuolen

.gcloudignore

@@ -0,0 +1,10 @@
+# ignore everything
+*
+
+# except the following
+!.gcloudignore
+!.main.py
+!.requirements.txt
+!telegram_bot/bot.py
+!telegram_bot/menu.py
+!telegram_bot/init.py

Pipfile

@@ -14,6 +14,7 @@ python-dotenv = "*"
 python-telegram-bot = "*"
 pytz = "*"
 functions-framework = "*"
+pulumi-random = "*"
 
 [requires]
 python_version = "3.13"

Pipfile.lock

@@ -1,3 +1,4 @@
-encryptionsalt: v1:MpvbSqwJ0R0=:v1:Gb5Aayq2PEDs+22I:lFM2LBSteNXhvO4PjNRCgZ5h783eDQ==
+encryptionsalt: v1:dPeFWTLi9AI=:v1:oVtFIvCQGewIBERG:46y/iE1CtLrjeTkc2SilpwEjfJg0iw==
 config:
-  gcp:project: osakunta-telegram-bot
+  gcp:region: europe-north1
+  gcp:disableGlobalProjectWarning: "true"

infra/Pulumi.prod.yaml

@@ -1,90 +1,188 @@
 import pulumi
-import pulumi_gcp as gcp
+import pulumi_gcp as gcp 
+import pulumi_random as random
+import utils
 
-# Be careful editing this file, if you are unfamiliar with Pulumi or the Google Cloud Platform.
-# Make sure you read the README.md in the root of this repository first.
+gcp_config = pulumi.Config("gcp")
+LOCATION = gcp_config.require("region")
+STACK_NAME = pulumi.get_stack()
 
-# setup infrastructure
+project_id = random.RandomPet("project-id",
+    length=2
+)
 
-PROJECT_ID = "osakunta-telegram-bot"
-LOCATION = "europe-north1"
+project = gcp.organizations.Project("project",
+    name=f"Telegram Bot {STACK_NAME}",
+    project_id=project_id.id,
+    folder_id="452932952214"
+)
 
-# Set up secret to hold the Telegram API token
-telegram_bot_token = gcp.secretmanager.Secret("telegram-bot-token",
-    secret_id="telegram-bot-token",
+# Enable required services / APIs
+secretmanager_service = gcp.projects.Service("secretmanager-service",
+    project=project_id.id,
+    service="secretmanager.googleapis.com",
+    disable_on_destroy=True
+)
+
+cloudbuild_service = gcp.projects.Service("cloudbuild-service",
+    project=project_id.id,
+    service="cloudbuild.googleapis.com",
+    disable_on_destroy=True
+)
+
+cloudrun_service = gcp.projects.Service("cloudrun-service",
+    project=project_id.id,
+    service="run.googleapis.com",
+    disable_on_destroy=True
+)
+
+cloudfunctions_service = gcp.projects.Service("cloudfunctions-service",
+    project=project_id.id,
+    service="cloudfunctions.googleapis.com",
+    disable_on_destroy=True
+)
+
+cloudresourcemanager_service = gcp.projects.Service("cloudresourcemanager-service",
+    project=project_id.id,
+    service="cloudresourcemanager.googleapis.com",
+    disable_on_destroy=True
+)
+
+
+# --- Set up github repo connection ---
+github_token_secret = gcp.secretmanager.Secret("github-token-secret",
+    project=project_id.id,
+    secret_id="github-token",
     replication={
         "user_managed": {
             "replicas": [{ "location": LOCATION }]
         }
-    }
+    },
+    opts=pulumi.ResourceOptions(
+        depends_on=[secretmanager_service]
+    )
 )
 
-# Set up a service account that has access to the secret, for the Function to use
-service_account = gcp.serviceaccount.Account("service-account",
-    account_id="telegram-bot-service-account",
-    display_name="Telegram Bot Service Account")
-
-secret_access = gcp.secretmanager.SecretIamMember("secret-access",
-    secret_id=telegram_bot_token.id,
+github_connection_service_account_secret_access = gcp.secretmanager.SecretIamMember("github-connection-service-account-secret-access",
+    project=project_id.id,
+    secret_id=github_token_secret.id,
     role="roles/secretmanager.secretAccessor",
-    member=service_account.email.apply(lambda email: f"serviceAccount:{email}")
+    member=pulumi.Output.concat(
+        "serviceAccount:service-",
+        project.number,
+        "@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+    ),
+    opts=pulumi.ResourceOptions(
+        depends_on=[cloudbuild_service]
+    )
 )
 
+github_connection = gcp.cloudbuildv2.Connection("github-connection",
+    project=project_id.id,
+    name="github-connection",
+    location=LOCATION,
+    github_config={
+        "app_installation_id": 30357801,
+        "authorizer_credential": {
+            "oauth_token_secret_version": github_token_secret.name.apply(lambda name: f"{name}/versions/latest")
+        }
+    },
+    opts=pulumi.ResourceOptions(
+        depends_on=[github_connection_service_account_secret_access]
+    )
+)
 
-# Set up the source code
-source_bucket = gcp.storage.Bucket("source-bucket",
+github_repository = gcp.cloudbuildv2.Repository("github-repository",
+    project=project_id.id,
+    name="telegram-bot",
     location=LOCATION,
-    name=f"{PROJECT_ID}-source-bucket",
+    parent_connection=github_connection.name,
+    remote_uri="https://github.com/osakunta/telegram-bot.git",
 )
 
-source_asset = pulumi.AssetArchive({
-    "telegram_bot": pulumi.FileArchive("../telegram_bot"),
-    "main.py": pulumi.FileAsset("../main.py"),
-    "requirements.txt": pulumi.FileAsset("../requirements.txt")
-})
-source_object = gcp.storage.BucketObject("source-object",
-    bucket=source_bucket.name,
-    name="telegram-bot-source",
-    source=source_asset
+# --- Set up CI/CD ---
+
+cicd_service_account = utils.service_account_with_roles(
+    "cicd-service-account",
+    [
+        "roles/logging.logWriter", 
+        "roles/cloudfunctions.developer",
+        "roles/iam.serviceAccountUser",
+        "roles/storage.objectViewer",
+        "roles/artifactregistry.writer"
+    ],
+    project=project_id.id,
+    account_id="cicd-service-account",
+    display_name="CICD Service Account"
 )
 
-# Set up the Function, which handles the requests
-function = gcp.cloudfunctionsv2.Function("function",
-    location=LOCATION,
-    name="telegram-bot-function",
-    description="Cloud Run Function for handling telegram bot requests",
-    build_config={
-        "runtime": "python313",
-        "entryPoint": "telegram_bot",
-        "source": {
-            "storage_source": {
-                "bucket": source_bucket.name,
-                "object": source_object.name,
-                "generation": source_object.generation
-            }
+runtime_service_account = utils.service_account_with_roles(
+    "runtime-service-account",
+    [ "roles/iam.serviceAccountUser" ],
+    project=project_id.id,
+    account_id="runtime-service-account",
+    display_name="Function Runtime Service Account"
+)
+
+telegram_bot_token = gcp.secretmanager.Secret("telegram-bot-token",
+    project=project_id.id,
+    secret_id="telegram-bot-token",
+    replication={
+        "user_managed": {
+            "replicas": [{ "location": LOCATION }]
         }
-    },  
-    service_config={
-        "availableMemory": "128Mi",
-        "maxInstanceCount": 1, # No need for more than one instance
-        "minInstanceCount": 0, # Important to allow scale-to-zero, to save costs
-        "service_account_email": service_account.email,
-        "ingressSettings": "ALLOW_ALL",
-        "secret_environment_variables": [{
-            "key": "TOKEN",
-            "project_id": PROJECT_ID,
-            "secret": telegram_bot_token.secret_id,
-            "version": "latest"
-        }],
-    }
+    },
+    opts=pulumi.ResourceOptions(
+        depends_on=[secretmanager_service]
+    )
 )
 
-# Finally, set an IAM policy to allow unauthenticated people (anyone) to invoke the function
-# this has to be cloudrun.ServiceIamMember instead of cloudfunctions.FunctionIamMember
-# because the function is v2
-function_public_iam = gcp.cloudrunv2.ServiceIamMember("function-public-iam",
+telegram_bot_token_secret_access = gcp.secretmanager.SecretIamMember("telegram-bot-token-secret-access",
+    project=project_id.id,
+    secret_id=telegram_bot_token.id,
+    role="roles/secretmanager.secretAccessor",
+    member=runtime_service_account.member,
+)
+
+deploy_trigger = gcp.cloudbuild.Trigger("deploy-trigger",
+    project=project_id.id,
+    name="deploy",
     location=LOCATION,
-    name=function.name,
-    role="roles/run.invoker",
-    member="allUsers"
+    service_account=cicd_service_account.id,
+    repository_event_config={
+        "repository": github_repository.id,
+        "push": {
+            "branch": f"^{STACK_NAME}$",
+        }
+    },
+    build={
+        "steps": [
+            {
+                "name": "gcr.io/cloud-builders/gcloud",
+                "args": [
+                    "functions", "deploy", "telegram-bot",
+                    "--region", LOCATION,
+                    "--runtime", "python313",
+                    "--entry-point", "telegram_bot",
+                    "--trigger-http",
+                    "--allow-unauthenticated",
+                    "--timeout", "5s",
+                    "--gen2",
+                    "--max-instances", "1",
+                    "--min-instances", "0",
+                    "--memory", "128Mi",
+                    "--set-secrets", telegram_bot_token.name.apply(lambda name: f"TOKEN={name}/versions/latest"),
+                    "--source", ".",
+                    "--run-service-account", runtime_service_account.email,
+                    "--build-service-account", cicd_service_account.id,
+                ],
+            }
+        ],
+        "options": {
+            "logging": "CLOUD_LOGGING_ONLY"
+        }
+    },
+    opts=pulumi.ResourceOptions(
+        depends_on=[ cloudrun_service, cloudfunctions_service, cloudresourcemanager_service ]
+    )
 )

infra/__main__.py

@@ -0,0 +1,106 @@
+import pulumi
+import pulumi_gcp as gcp 
+
+def setup_cicd():
+    gcp_config = pulumi.Config("gcp")
+    LOCATION = gcp_config.require("region")
+    PROJECT_ID = gcp_config.require("project")
+
+    config = pulumi.Config()
+    STACK_NAME = config.require("stack_name")
+    GITHUB_BRANCH = config.require("github_branch") 
+
+
+    # Set up secret to hold the GitHub token
+    github_token_secret = gcp.secretmanager.Secret("github-token-secret",
+        secret_id="github-token",
+        replication={
+            "user_managed": {
+                "replicas": [{ "location": LOCATION }]
+            }
+        }
+    )
+    # Populate this manually
+    github_token_secret_version = gcp.secretmanager.get_secret_version(secret=github_token_secret.id) 
+
+    PROJECT_NUMBER = gcp.projects.get_project(filter=f"id:{PROJECT_ID}").projects[0].number
+    service_account_secret_access = gcp.secretmanager.SecretIamMember("service-account-secret-access",
+        secret_id=github_token_secret.id,
+        role="roles/secretmanager.secretAccessor",
+        member=f"serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+    )
+
+    github_connection = gcp.cloudbuildv2.Connection("github-connection",
+        name="github-connection",
+        location=LOCATION,
+        github_config={
+            "app_installation_id": 30357801,
+            "authorizer_credential": {
+                "oauth_token_secret_version": github_token_secret_version.id,
+            }
+        },
+        opts=pulumi.ResourceOptions(
+            depends_on=[service_account_secret_access]
+        )
+    )
+
+    github_repository = gcp.cloudbuildv2.Repository("github-repository",
+        name="telegram-bot",
+        location=LOCATION,
+        parent_connection=github_connection.name,
+        remote_uri="https://github.com/osakunta/telegram-bot.git",
+    )
+
+    cicd_service_account = gcp.serviceaccount.Account("cicd-service-account",
+        account_id="cicd-service-account",
+        display_name="CICD Service Account"
+    )
+
+    # Artefact Registry stores the Docker images built by Cloud Build
+    artefact_repository = gcp.artifactregistry.Repository("artefact-repository",
+        repository_id="telegram-bot",
+        location=LOCATION,
+        format="DOCKER",
+        description="Docker repository for the Telegram Bot",
+        labels={
+            "osakunta": "telegram-bot"
+        }
+    )
+
+    # staging_build_trigger = gcp.cloudbuild.Trigger("staging-build-trigger",
+    #     name="staging-build",
+    #     location=LOCATION,
+    #     repository_event_config={
+    #         "repository": github_repository.id,
+    #         "push": {
+    #             "branch": "^staging$",
+    #         }
+    #     }
+    # )
+
+    IMAGE_URL = artefact_repository.name.apply(lambda name: f"{LOCATION}-docker.pkg.dev/{PROJECT_ID}/{name}/telegram-bot:$COMMIT_SHA")
+    build_trigger = gcp.cloudbuild.Trigger("build-trigger",
+        name="prod-build",
+        location=LOCATION,
+        service_account=cicd_service_account.id,
+        repository_event_config={
+            "repository": github_repository.id,
+            "push": {
+                "branch": "^main$",
+            }
+        },
+        build={
+            "images": [IMAGE_URL],
+            "steps": [{
+                "name": "gcr.io/k8s-skaffold/pack",
+                "entrypoint": "pack",
+                "args": [
+                    "build",
+                    IMAGE_URL,
+                    "--builder", "gcr.io/buildpacks/builder:latest",
+                    "--network",
+                    "cloudbuild"
+                ],
+            }],
+        }
+    )