working terraform scripts from local

Author: davidgamez

.gitignore

@@ -35,3 +35,7 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Ignore terraform local files
+backend.conf
+backend-*.conf

README.md

@@ -1 +1,119 @@
-# gbfs-validator-java-infra
+# gbfs-validator-java-infra
+
+
+# Set up new GCP environment
+
+`All roads lead to Rome!` This quote is a reminder that there are multiple ways to get to the same final state.
+Take the following steps as a guidance and adapt them to your own local and organizational requirements.
+For more information regarding Google Cloud Platform and terraform go to the [Official GCP Site](https://cloud.google.com/) and [Terraform Official Site](https://www.terraform.io/).
+
+## Initial project and remote state set up
+
+- Create GCP project
+
+```shell
+gcloud projects create gbfs-validator-staging --name="GBFS Validator Staging"
+```
+
+- Assign a billing account to the project
+- Create a Firebase project to host the UI
+- Create Oauth credentials and to be used as part of the terraform parameters
+- Create SSL certificates for the Load Balancer
+- Enable and configure Identity Platform
+- Login to gcloud cli using,
+
+```shell
+gcloud auth application-default login
+```
+
+- Point local project environment variable to the newly created project
+
+```shell
+gcloud config set project gbfs-validator-staging
+```
+
+- Create a cloud storage bucket to persist the terraform state
+```
+gcloud storage buckets create gs://mobilitydata-gbfs-validator-state-staging \
+  --project=gbfs-validator-staging \
+  --location=northamerica-northeast1 \
+  --uniform-bucket-level-access
+```
+- Create a terraform backend file using the template `backend.conf.rename_me` with name backend-<environment>.conf and populate the file with valid values.
+
+- Create deployer service account
+```
+gcloud iam service-accounts create gbfs-deployer-service-account \
+  --display-name="GBFS Terraform Deployer"
+```
+- Execute,
+
+```shell
+terraform init -backend-config=backend-<environment>.conf
+```
+
+- Create a terraform variables file using the template `vars.tfvars.rename_me` with name vars-<env>.tfvars and populate the file with valid values.
+- Execute and review the terraform plan,
+
+```shell
+  terraform plan -var-file=vars-<environment>.tfvars
+```
+
+- Once you had reviewed the plan, execute the terraform apply command to commit the changes to the GCP environment using,
+- To be able to execute the apply command on the terraform-init project you need Project IAM Admin role
+
+```shell
+terraform apply -var-file=vars-<environment>.tfvars
+```
+
+- Troubleshooting
+  - Make sure you have the right permissions.
+  - `There is a delay due to configuration propagation on newly GCP enabled services`. In this case wait for the change to be propagated and execute the terraform apply command again.
+  - If you had a previous GCP environment set up in your local folders, remove `.terraform` folder and `terraform.state*` files locally before running `terraform init` command.
+
+### Adding new GCP service to the stack
+
+The initial project set up is required while setting up a GCP environment also when `a new GCP service` is added to the stack.
+When a new service is added to the stack the service account used to deploy the infrastructure needs to have the required permissions.
+In this case,
+
+- Add/modify roles and policies as necessary to the deployer's servie account in the `infra/terraform-init/main.tf`
+- From `infra/terraform-init/` execute,
+
+```shell
+terraform apply -var-file=vars-<environment>.tfvars
+```
+
+- Now you are in position to execute the main terraform script from `infra` folder.
+
+## Deploy Feeds API
+
+- Open the terminal in the folder `<project_dir>/infra`
+- Create a terraform backend file using the template `backend.conf.rename_me` with name backend-<environment>.conf and populate the file with valid values.
+- Execute,
+
+```shell
+terraform init -backend-config=backend-<environment>.conf
+```
+
+- One-time artifact set up. Set up the GCP artifact registry before-hand to be able to publish docker images.
+
+```shell
+terraform apply -var-file=vars-<environment>.tfvars -target=module.artifact-registry
+```
+
+- Remember that: `There is a delay due to configuration propagation on newly GCP enabled services.`. You might get 403 responses while GCP is propagating the new configuration.
+- You need at least one docker image published to be able to deploy the cloud run service. Execute the following script,
+
+```shell
+<project_dir>/scripts/docker-build-push.sh -project_id mobility-feeds-<environment> -service feed-api -repo_name feeds-<environment> -region northamerica-northeast1 -version <version_number>
+```
+
+- Set the version number on the `infra/vars-<environment>.tfvars` file.
+- Execute apply from infra folder
+
+```shell
+terraform apply -var-file=vars-<environment>.tfvars
+```
+
+- Enjoy Coding!

gbfs-validator/Dockerfile

@@ -0,0 +1,12 @@
+# Use a lightweight JDK base image
+FROM eclipse-temurin:17-jdk-alpine
+
+# Set working directory
+WORKDIR /app
+
+# Copy the fat JAR
+COPY gbfs-validator-java-api.jar app.jar
+
+# org.entur.gbfs.validator.api.handler.OpenApiGeneratorApplication
+# Run the app
+ENTRYPOINT ["java", "-jar", "app.jar"]

gbfs-validator/function_config.json

@@ -0,0 +1,13 @@
+{
+  "name_suffix": "gbfs-validator-api",
+  "description": "API containing the GBFS validator",
+  "entry_point": "org.entur.gbfs.validator.api.handler.OpenApiGeneratorApplication",
+  "timeout": 540,
+  "available_memory": "1Gi",
+  "trigger_http": true,
+  "ingress_settings": "ALLOW_ALL",
+  "max_instance_request_concurrency": 1,
+  "max_instance_count": 5,
+  "min_instance_count": 0,
+  "available_cpu": 1
+}

gbfs-validator/gbfs-validator-java-api.jar

@@ -0,0 +1,28 @@
+#
+# MobilityData 2025
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This file represents a template for setting up a remote terraform state.
+# If you choose to use a remote state:
+#   - Create a GCP storage bucket with the target name.
+#   - Make sure the `deployer` account has the right permissions on the newly created bucket.
+#   - Rename this file to backend.conf
+#   - Replace variable values.
+#   - Execute: terraform init -backend-conf=backend.conf
+#   - Enjoy coding!
+# More info: https://developer.hashicorp.com/terraform/language/state/remote
+
+bucket      = mobilitydata-gbfs-validator-state-{{BUCKET_NAME}}
+prefix      = {{OBJECT_PREFIX}}

iam.tf

@@ -0,0 +1,74 @@
+#
+# MobilityData 2025
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+# This make the google project information accessible only keeping the project_id as a parameter in the previous provider resource
+data "google_project" "project" {
+}
+
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+  }
+}
+
+locals {
+  gbfs_validator_config = jsondecode(file("${path.module}/../../gbfs-validator/function_config.json"))
+  artifact_registry_repo = "gbfs-validator-${var.environment}"
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.gcp_region
+}
+
+# This is a temporary patch until the publising of the Java jar is defined
+data "archive_file" "source_zip" {
+  type        = "zip"
+  source_file = "${path.module}/../../gbfs-validator/${var.jar_file_name}"
+  output_path = "/tmp/function-source.zip" # Temporary path for the zipped JAR
+}
+
+resource "google_cloud_run_v2_service" "gbfs_validator_api" {
+  name        = "${var.environment}-${local.gbfs_validator_config.name_suffix}"
+  location = var.gcp_region
+#   ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
+
+  template {
+    service_account = var.gbfs_validator_service_account_email
+    # vpc_access {
+    #   connector = data.google_vpc_access_connector.vpc_connector.id
+    #   egress = "ALL_TRAFFIC"
+    # }
+    containers {
+      image = "${var.gcp_region}-docker.pkg.dev/${var.project_id}/${local.artifact_registry_repo}/${var.gbfs_api_service}:${var.feed_api_image_version}"
+      resources {
+        limits = {
+          cpu    = local.gbfs_validator_config.available_cpu
+          memory = local.gbfs_validator_config.available_memory
+        }
+      }
+    }
+  }
+
+  labels = {
+    environment = var.environment
+    app         = var.gbfs_validator_app_name
+  }
+}

infra/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+output "function_url" {
+  description = "The HTTPS trigger URL for the Cloud Function."
+  value       = google_cloud_run_v2_service.gbfs_validator_api.uri
+}
+
+output "cloud_run_service_name" {
+  description = "Name of the cloud run resource"
+  value = google_cloud_run_v2_service.gbfs_validator_api.name
+}