shaamilahmed/Htmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Intial commit for deployment script p2

Browse Source
This commit is contained in:
Enciphered
2026-05-04 23:23:02 +05:00
parent 724e6a8ecd
commit 40fe69ed65
20 changed files with 2008 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GCR/scripts/00-install-gcloud.ps1
+54
View File
@@ -0,0 +1,54 @@
# =============================================================================
# 00-install-gcloud.ps1 (Windows)
# Installs the Google Cloud CLI (gcloud) on Windows.
# Run this once in an elevated PowerShell prompt before doing anything else.
#
# Linux users: run GCR/scripts/00-install-gcloud.sh instead.
# =============================================================================
#Requires -Version 5.1
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Write-Host ">>> Installing Google Cloud CLI on Windows..."
Write-Host ""
# ── Try winget first (available on Windows 10 1709+ / Windows 11) ────────────
if (Get-Command winget -ErrorAction SilentlyContinue) {
Write-Host ">>> winget found — installing Google Cloud SDK via winget..."
winget install --id Google.CloudSDK --accept-source-agreements --accept-package-agreements
Write-Host ""
Write-Host ">>> gcloud installed via winget."
Write-Host " Close and reopen PowerShell so PATH changes take effect."
}
# ── Fallback: download the official Windows installer ────────────────────────
else {
Write-Host ">>> winget not available — downloading the official installer..."
Write-Host ""
$InstallerUrl = "https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe"
$InstallerPath = "$env:TEMP\GoogleCloudSDKInstaller.exe"
Write-Host " Downloading from: $InstallerUrl"
Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath -UseBasicParsing
Write-Host " Launching installer..."
Write-Host " Follow the on-screen prompts. Make sure 'Add gcloud to PATH' is checked."
Write-Host ""
Start-Process -FilePath $InstallerPath -Wait
Remove-Item $InstallerPath -Force
}
Write-Host ""
Write-Host ">>> Verifying installation..."
try {
$version = & gcloud version 2>&1 | Select-Object -First 1
Write-Host " $version"
Write-Host ""
Write-Host ">>> gcloud is installed."
} catch {
Write-Host " gcloud not found on PATH yet."
Write-Host " Close and reopen PowerShell, then run: gcloud version"
}
Write-Host ""
Write-Host ">>> Next step: run GCR\scripts\01-login.ps1"
GCR/scripts/00-install-gcloud.sh
Executable
+88
View File
@@ -0,0 +1,88 @@
#!/usr/bin/env bash
# =============================================================================
# 00-install-gcloud.sh (Linux)
# Installs the Google Cloud CLI (gcloud) on Debian/Ubuntu.
# Run this once on a new machine before doing anything else.
#
# Windows users: run GCR/scripts/00-install-gcloud.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail
OS="$(uname -s)"
if [[ "$OS" != "Linux" ]]; then
echo "ERROR: This script is for Linux only."
echo "Windows users: run GCR/scripts/00-install-gcloud.ps1"
exit 1
fi
echo ">>> Installing Google Cloud CLI on Linux (Debian/Ubuntu)..."
apt_update_with_retry() {
local attempts=5
local i
for ((i=1; i<=attempts; i++)); do
if sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/* && sudo apt-get update; then
return 0
fi
echo " apt-get update failed (attempt ${i}/${attempts})."
if (( i < attempts )); then
echo " Retrying apt metadata refresh..."
fi
done
echo "ERROR: apt-get update failed after ${attempts} attempts."
echo "This is often a temporary mirror sync issue. Please try again in a few minutes."
exit 1
}
apt_install_with_retry() {
local attempts=3
local i
for ((i=1; i<=attempts; i++)); do
if sudo apt-get install -y --no-install-recommends "$@"; then
return 0
fi
echo " apt-get install failed (attempt ${i}/${attempts}) for: $*"
if (( i < attempts )); then
echo " Retrying package install..."
fi
done
echo "ERROR: apt-get install failed after ${attempts} attempts for: $*"
exit 1
}
# ── Install dependencies ───────────────────────────────────────────────────
apt_update_with_retry
apt_install_with_retry \
apt-transport-https \
ca-certificates \
curl \
gnupg
# ── Import the Google Cloud signing key ───────────────────────────────────
# Key is downloaded to a file rather than piped straight into gpg so it can
# be inspected or cached by CI systems if needed.
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
-o /tmp/cloud.google.gpg
sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg /tmp/cloud.google.gpg
rm /tmp/cloud.google.gpg
# ── Add the apt repository ────────────────────────────────────────────────
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] \
https://packages.cloud.google.com/apt cloud-sdk main" \
| sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list
# ── Install gcloud ────────────────────────────────────────────────────────
apt_update_with_retry
apt_install_with_retry google-cloud-cli
echo ""
echo ">>> gcloud installed successfully."
gcloud version
echo ""
echo ">>> Next step: run GCR/scripts/01-login.sh"
GCR/scripts/01-login.ps1
+62
View File
@@ -0,0 +1,62 @@
# =============================================================================
# 01-login.ps1 (Windows)
# Authenticates your local machine to Google Cloud and configures Docker
# to push images to Artifact Registry.
#
# Run this once per machine (or whenever your credentials expire).
# Linux users: run GCR/scripts/01-login.sh instead.
# =============================================================================
#Requires -Version 5.1
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$EnvFile = Join-Path $ScriptDir "..\\.env"
# ── Load .env ─────────────────────────────────────────────────────────────────
if (-not (Test-Path $EnvFile)) {
Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
exit 1
}
$config = @{}
foreach ($line in Get-Content $EnvFile) {
# Skip blank lines and comments
if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
if ($line -match '^([^=]+)=(.*)$') {
$config[$Matches[1].Trim()] = $Matches[2].Trim()
}
}
$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
$GCP_REGION = $config['GCP_REGION'] ?? ''
if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
if (-not $GCP_REGION) { Write-Error "GCP_REGION is not set in .env"; exit 1 }
# ── Step 1: Authenticate user account ────────────────────────────────────────
Write-Host ">>> Logging in to Google Cloud..."
Write-Host " A browser window will open. Sign in with the Google account"
Write-Host " that has access to project: $GCP_PROJECT_ID"
Write-Host ""
gcloud auth login
# ── Step 2: Set default project ──────────────────────────────────────────────
Write-Host ""
Write-Host ">>> Setting default project to: $GCP_PROJECT_ID"
gcloud config set project $GCP_PROJECT_ID
# ── Step 3: Set default region ───────────────────────────────────────────────
Write-Host ">>> Setting default region to: $GCP_REGION"
gcloud config set run/region $GCP_REGION
# ── Step 4: Configure Docker to authenticate against Artifact Registry ────────
Write-Host ""
Write-Host ">>> Configuring Docker to authenticate with Artifact Registry..."
gcloud auth configure-docker "$GCP_REGION-docker.pkg.dev" --quiet
Write-Host ""
Write-Host ">>> Login complete. You are now authenticated as:"
gcloud auth list --filter=status:ACTIVE --format="value(account)"
Write-Host ""
Write-Host ">>> Next step: run GCR\scripts\02-setup-project.ps1"
GCR/scripts/01-login.sh
Executable
+58
View File
@@ -0,0 +1,58 @@
#!/usr/bin/env bash
# =============================================================================
# 01-login.sh (Linux)
# Authenticates your local machine to Google Cloud and configures Docker
# to push images to Artifact Registry.
#
# Run this once per machine (or whenever your credentials expire).
# Windows users: run GCR/scripts/01-login.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail
if [[ "$(uname -s)" != "Linux" ]]; then
echo "ERROR: This script is for Linux only."
echo "Windows users: run GCR/scripts/01-login.ps1"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# ── Load .env ─────────────────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/../.env"
if [[ ! -f "$ENV_FILE" ]]; then
echo "ERROR: $ENV_FILE not found."
echo "Copy GCR/.env.example to GCR/.env and fill in your values first."
exit 1
fi
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"
: "${GCP_REGION:?GCP_REGION is not set in .env}"
# ── Step 1: Authenticate user account ────────────────────────────────────────
echo ">>> Logging in to Google Cloud..."
echo " A browser window will open. Sign in with the Google account that has"
echo " access to project: $GCP_PROJECT_ID"
echo ""
gcloud auth login
# ── Step 2: Set default project ──────────────────────────────────────────────
echo ""
echo ">>> Setting default project to: $GCP_PROJECT_ID"
gcloud config set project "$GCP_PROJECT_ID"
# ── Step 3: Set default region ───────────────────────────────────────────────
echo ">>> Setting default region to: $GCP_REGION"
gcloud config set run/region "$GCP_REGION"
# ── Step 4: Configure Docker to authenticate against Artifact Registry ────────
echo ""
echo ">>> Configuring Docker to authenticate with Artifact Registry..."
gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev" --quiet
echo ""
echo ">>> Login complete. You are now authenticated as:"
gcloud auth list --filter=status:ACTIVE --format="value(account)"
echo ""
echo ">>> Next step: run GCR/scripts/02-setup-project.sh"
GCR/scripts/02-setup-project.ps1
+126
View File
@@ -0,0 +1,126 @@
# =============================================================================
# 02-setup-project.ps1 (Windows)
# One-time GCP project setup:
# - Links a billing account to the project
# - Enables required APIs (Cloud Run, Artifact Registry, Secret Manager)
# - Creates an Artifact Registry Docker repository
# - Grants the current user the minimum required IAM roles
#
# Safe to re-run — most operations are idempotent.
# Linux users: run GCR/scripts/02-setup-project.sh instead.
# =============================================================================
#Requires -Version 5.1
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$EnvFile = Join-Path $ScriptDir "..\\.env"
# ── Load .env ─────────────────────────────────────────────────────────────────
if (-not (Test-Path $EnvFile)) {
Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
exit 1
}
$config = @{}
foreach ($line in Get-Content $EnvFile) {
if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
if ($line -match '^([^=]+)=(.*)$') {
$config[$Matches[1].Trim()] = $Matches[2].Trim()
}
}
$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
$GCP_REGION = $config['GCP_REGION'] ?? ''
$GCP_REPOSITORY = $config['GCP_REPOSITORY'] ?? ''
if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
if (-not $GCP_REGION) { Write-Error "GCP_REGION is not set in .env"; exit 1 }
if (-not $GCP_REPOSITORY) { Write-Error "GCP_REPOSITORY is not set in .env"; exit 1 }
Write-Host ">>> Active project: $GCP_PROJECT_ID"
Write-Host ">>> Region: $GCP_REGION"
Write-Host ">>> AR repository: $GCP_REPOSITORY"
Write-Host ""
# ── Step 1: Link billing account ──────────────────────────────────────────────
Write-Host ">>> Checking billing status..."
$billingOutput = gcloud billing projects describe $GCP_PROJECT_ID --format="value(billingEnabled)" 2>$null
$billingEnabled = ($billingOutput -eq "True")
if ($billingEnabled) {
Write-Host " Billing is already enabled — skipping."
} else {
Write-Host ""
Write-Host " Billing is NOT enabled on this project."
Write-Host " Listing available billing accounts..."
Write-Host ""
gcloud billing accounts list --format="table(name,displayName,open)"
Write-Host ""
$BILLING_ACCOUNT_ID = Read-Host " Enter the BILLING_ACCOUNT_ID from the list above (format: XXXXXX-XXXXXX-XXXXXX)"
gcloud billing projects link $GCP_PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID
Write-Host " Billing linked."
}
# ── Step 2: Enable required APIs ─────────────────────────────────────────────
Write-Host ""
Write-Host ">>> Enabling required Google Cloud APIs (this may take a minute)..."
gcloud services enable `
run.googleapis.com `
artifactregistry.googleapis.com `
secretmanager.googleapis.com `
cloudresourcemanager.googleapis.com `
--project=$GCP_PROJECT_ID
Write-Host " APIs enabled."
# ── Step 3: Create Artifact Registry Docker repository ───────────────────────
Write-Host ""
Write-Host ">>> Creating Artifact Registry repository: $GCP_REPOSITORY ..."
$repoExists = $false
try {
gcloud artifacts repositories describe $GCP_REPOSITORY `
--location=$GCP_REGION `
--project=$GCP_PROJECT_ID 2>$null | Out-Null
$repoExists = $true
} catch { }
if ($repoExists) {
Write-Host " Repository already exists — skipping."
} else {
gcloud artifacts repositories create $GCP_REPOSITORY `
--repository-format=docker `
--location=$GCP_REGION `
--description="Container images for Htmx app" `
--project=$GCP_PROJECT_ID
Write-Host " Repository created."
}
# ── Step 4: Grant current user the minimum required IAM roles ─────────────────
$CURRENT_USER = (gcloud config get-value account).Trim()
Write-Host ""
Write-Host ">>> Granting IAM roles to $CURRENT_USER ..."
foreach ($role in @(
"roles/run.developer",
"roles/artifactregistry.writer",
"roles/iam.serviceAccountUser",
"roles/secretmanager.admin",
"roles/secretmanager.secretAccessor",
"roles/secretmanager.secretVersionAdder"
)) {
Write-Host " Adding role: $role"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID `
--member="user:$CURRENT_USER" `
--role=$role `
--quiet
}
Write-Host ""
Write-Host ">>> Project setup complete."
Write-Host ""
Write-Host ">>> Summary:"
Write-Host " Project ID: $GCP_PROJECT_ID"
Write-Host " Region: $GCP_REGION"
Write-Host " Artifact Registry: $GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_REPOSITORY"
Write-Host ""
Write-Host ">>> Next step: run GCR\scripts\03-create-secrets.ps1"
GCR/scripts/02-setup-project.sh
Executable
+117
View File
@@ -0,0 +1,117 @@
#!/usr/bin/env bash
# =============================================================================
# 02-setup-project.sh (Linux)
# One-time GCP project setup:
# - Links a billing account to the project
# - Enables required APIs (Cloud Run, Artifact Registry, Secret Manager)
# - Creates an Artifact Registry Docker repository
# - Grants the current user the minimum required IAM roles
#
# Safe to re-run — most operations are idempotent.
# Windows users: run GCR/scripts/02-setup-project.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail
if [[ "$(uname -s)" != "Linux" ]]; then
echo "ERROR: This script is for Linux only."
echo "Windows users: run GCR/scripts/02-setup-project.ps1"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# ── Load .env ─────────────────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/../.env"
if [[ ! -f "$ENV_FILE" ]]; then
echo "ERROR: $ENV_FILE not found."
echo "Copy GCR/.env.example to GCR/.env and fill in your values first."
exit 1
fi
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"
: "${GCP_REGION:?GCP_REGION is not set in .env}"
: "${GCP_REPOSITORY:?GCP_REPOSITORY is not set in .env}"
# ── Confirm active project ────────────────────────────────────────────────────
echo ">>> Active project: $GCP_PROJECT_ID"
echo ">>> Region: $GCP_REGION"
echo ">>> AR repository: $GCP_REPOSITORY"
echo ""
# ── Step 1: Link billing account ──────────────────────────────────────────────
echo ">>> Checking billing status..."
BILLING_ENABLED=$(gcloud billing projects describe "$GCP_PROJECT_ID" \
--format="value(billingEnabled)" 2>/dev/null || echo "false")
if [[ "$BILLING_ENABLED" == "True" ]]; then
echo " Billing is already enabled — skipping."
else
echo ""
echo " Billing is NOT enabled on this project."
echo " Listing available billing accounts..."
echo ""
gcloud billing accounts list --format="table(name,displayName,open)"
echo ""
read -rp " Enter the BILLING_ACCOUNT_ID from the list above (format: XXXXXX-XXXXXX-XXXXXX): " BILLING_ACCOUNT_ID
gcloud billing projects link "$GCP_PROJECT_ID" \
--billing-account="$BILLING_ACCOUNT_ID"
echo " Billing linked."
fi
# ── Step 2: Enable required APIs ─────────────────────────────────────────────
echo ""
echo ">>> Enabling required Google Cloud APIs (this may take a minute)..."
gcloud services enable \
run.googleapis.com \
artifactregistry.googleapis.com \
secretmanager.googleapis.com \
cloudresourcemanager.googleapis.com \
--project="$GCP_PROJECT_ID"
echo " APIs enabled."
# ── Step 3: Create Artifact Registry Docker repository ───────────────────────
echo ""
echo ">>> Creating Artifact Registry repository: $GCP_REPOSITORY ..."
if gcloud artifacts repositories describe "$GCP_REPOSITORY" \
--location="$GCP_REGION" \
--project="$GCP_PROJECT_ID" &>/dev/null; then
echo " Repository already exists — skipping."
else
gcloud artifacts repositories create "$GCP_REPOSITORY" \
--repository-format=docker \
--location="$GCP_REGION" \
--description="Container images for Htmx app" \
--project="$GCP_PROJECT_ID"
echo " Repository created."
fi
# ── Step 4: Grant current user the minimum required IAM roles ─────────────────
CURRENT_USER="$(gcloud config get-value account)"
echo ""
echo ">>> Granting IAM roles to $CURRENT_USER ..."
for ROLE in \
"roles/run.developer" \
"roles/artifactregistry.writer" \
"roles/iam.serviceAccountUser" \
"roles/secretmanager.admin" \
"roles/secretmanager.secretAccessor" \
"roles/secretmanager.secretVersionAdder"; do
echo " Adding role: $ROLE"
gcloud projects add-iam-policy-binding "$GCP_PROJECT_ID" \
--member="user:$CURRENT_USER" \
--role="$ROLE" \
--quiet
done
echo ""
echo ">>> Project setup complete."
echo ""
echo ">>> Summary:"
echo " Project ID: $GCP_PROJECT_ID"
echo " Region: $GCP_REGION"
echo " Artifact Registry: ${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT_ID}/${GCP_REPOSITORY}"
echo ""
echo ">>> Next step: run GCR/scripts/03-create-secrets.sh"
GCR/scripts/03-create-secrets.ps1
+122
View File
@@ -0,0 +1,122 @@
# =============================================================================
# 03-create-secrets.ps1 (Windows)
# Creates and configures secrets in Google Cloud Secret Manager.
#
# Run this after 02-setup-project.ps1 to set up sensitive configuration
# values (e.g., MongoDB connection string).
#
# Linux users: run GCR/scripts/03-create-secrets.sh instead.
# =============================================================================
#Requires -Version 5.1
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$EnvFile = Join-Path $ScriptDir "..\\.env"
# ── Load .env ─────────────────────────────────────────────────────────────────
if (-not (Test-Path $EnvFile)) {
Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
exit 1
}
$config = @{}
foreach ($line in Get-Content $EnvFile) {
if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
if ($line -match '^([^=]+)=(.*)$') {
$config[$Matches[1].Trim()] = $Matches[2].Trim()
}
}
$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
Write-Host "================================================================"
Write-Host " Google Cloud Secret Manager setup"
Write-Host "================================================================"
Write-Host " Project: $GCP_PROJECT_ID"
Write-Host ""
# ── Helper function to create or update a secret ──────────────────────────────
function New-OrUpdateSecret {
param(
[string]$SecretName,
[string]$SecretPrompt
)
Write-Host ">>> Setting up secret: $SecretName"
Write-Host " $SecretPrompt"
# Read secret without echo
$SecretValue = Read-Host " Enter value (will not be echoed)" -AsSecureString
$PlainValue = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
[System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUni($SecretValue)
)
# Write to temp file without trailing newline to avoid contaminating the secret
$TempFile = [System.IO.Path]::GetTempFileName()
try {
[System.IO.File]::WriteAllText($TempFile, $PlainValue, [System.Text.Encoding]::UTF8)
$secretExists = $false
try {
gcloud secrets describe $SecretName --project=$GCP_PROJECT_ID 2>$null | Out-Null
$secretExists = $true
} catch { }
if ($secretExists) {
Write-Host " Secret already exists — creating new version..."
gcloud secrets versions add $SecretName `
--data-file=$TempFile `
--project=$GCP_PROJECT_ID
} else {
Write-Host " Creating new secret..."
gcloud secrets create $SecretName `
--data-file=$TempFile `
--replication-policy="automatic" `
--project=$GCP_PROJECT_ID
}
} finally {
Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
}
Write-Host " ✓ Secret '$SecretName' ready."
Write-Host ""
}
# ── Step 1: Create MongoDB connection string secret ──────────────────────────
New-OrUpdateSecret `
"mongodb-connection-string" `
"MongoDB Atlas or self-hosted connection URI (e.g., mongodb+srv://user:pass@cluster.mongodb.net)"
# ── Step 2: Grant Cloud Run service account access to secrets ─────────────────
Write-Host ">>> Granting Cloud Run service account access to secrets..."
Write-Host ""
# Get the default Cloud Run service account for this project
$SERVICE_ACCOUNT = "$GCP_PROJECT_ID@appspot.gserviceaccount.com"
foreach ($SECRET_NAME in @("mongodb-connection-string")) {
Write-Host " Granting Secret Accessor role for '$SECRET_NAME' to $SERVICE_ACCOUNT"
gcloud secrets add-iam-policy-binding $SECRET_NAME `
--member="serviceAccount:$SERVICE_ACCOUNT" `
--role="roles/secretmanager.secretAccessor" `
--project=$GCP_PROJECT_ID `
--quiet
}
Write-Host ""
Write-Host "================================================================"
Write-Host " Secret Manager setup complete!"
Write-Host "================================================================"
Write-Host ""
Write-Host ">>> Summary:"
Write-Host " Secrets created:"
Write-Host " • mongodb-connection-string"
Write-Host ""
Write-Host " Service account granted access:"
Write-Host "$SERVICE_ACCOUNT"
Write-Host ""
Write-Host ">>> Next step: run GCR\scripts\04-deploy.ps1"
Write-Host " (The deploy script will automatically inject secrets into"
Write-Host " the running container.)"
GCR/scripts/03-create-secrets.sh
+101
View File
@@ -0,0 +1,101 @@
#!/usr/bin/env bash
# =============================================================================
# 03-create-secrets.sh (Linux)
# Creates and configures secrets in Google Cloud Secret Manager.
#
# Run this after 02-setup-project.sh to set up sensitive configuration
# values (e.g., MongoDB connection string).
#
# Windows users: run GCR/scripts/03-create-secrets.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail
if [[ "$(uname -s)" != "Linux" ]]; then
echo "ERROR: This script is for Linux only."
echo "Windows users: run GCR/scripts/03-create-secrets.ps1"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# ── Load .env ─────────────────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/../.env"
if [[ ! -f "$ENV_FILE" ]]; then
echo "ERROR: $ENV_FILE not found."
echo "Copy GCR/.env.example to GCR/.env and fill in your values first."
exit 1
fi
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"
echo "================================================================"
echo " Google Cloud Secret Manager setup"
echo "================================================================"
echo " Project: $GCP_PROJECT_ID"
echo ""
# ── Helper function to create or update a secret ──────────────────────────────
create_or_update_secret() {
local SECRET_NAME="$1"
local SECRET_PROMPT="$2"
echo ">>> Setting up secret: $SECRET_NAME"
echo " $SECRET_PROMPT"
read -rsp " Enter value (will not be echoed): " SECRET_VALUE
echo ""
if gcloud secrets describe "$SECRET_NAME" --project="$GCP_PROJECT_ID" &>/dev/null; then
echo " Secret already exists — creating new version..."
printf '%s' "$SECRET_VALUE" | gcloud secrets versions add "$SECRET_NAME" \
--data-file=- \
--project="$GCP_PROJECT_ID"
else
echo " Creating new secret..."
printf '%s' "$SECRET_VALUE" | gcloud secrets create "$SECRET_NAME" \
--data-file=- \
--replication-policy="automatic" \
--project="$GCP_PROJECT_ID"
fi
echo " ✓ Secret '$SECRET_NAME' ready."
echo ""
}
# ── Step 1: Create MongoDB connection string secret ──────────────────────────
create_or_update_secret \
"mongodb-connection-string" \
"MongoDB Atlas or self-hosted connection URI (e.g., mongodb+srv://user:pass@cluster.mongodb.net)"
# ── Step 2: Grant Cloud Run service account access to secrets ─────────────────
echo ">>> Granting Cloud Run service account access to secrets..."
echo ""
# Get the default Cloud Run service account for this project
SERVICE_ACCOUNT="$GCP_PROJECT_ID@appspot.gserviceaccount.com"
for SECRET_NAME in mongodb-connection-string; do
echo " Granting Secret Accessor role for '$SECRET_NAME' to $SERVICE_ACCOUNT"
gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/secretmanager.secretAccessor" \
--project="$GCP_PROJECT_ID" \
--quiet
done
echo ""
echo "================================================================"
echo " Secret Manager setup complete!"
echo "================================================================"
echo ""
echo ">>> Summary:"
echo " Secrets created:"
echo " • mongodb-connection-string"
echo ""
echo " Service account granted access:"
echo "$SERVICE_ACCOUNT"
echo ""
echo ">>> Next step: run GCR/scripts/04-deploy.sh"
echo " (The deploy script will automatically inject secrets into"
echo " the running container.)"
GCR/scripts/04-deploy.ps1
+194
View File
@@ -0,0 +1,194 @@
# =============================================================================
# 04-deploy.ps1 (Windows)
# Builds the Docker image, pushes it to Artifact Registry, and deploys it
# to Cloud Run — all in one command.
#
# Usage:
# .\GCR\scripts\04-deploy.ps1 # deploy with tag = git short SHA
# .\GCR\scripts\04-deploy.ps1 -Tag my-tag # deploy with a custom tag
#
# Prerequisites:
# 1. GCR\.env exists and is filled in (copy from GCR\.env.example)
# 2. 01-login.ps1 has been run (gcloud auth + Docker configured)
# 3. 02-setup-project.ps1 has been run (APIs enabled, repo created)
# 4. 03-create-secrets.ps1 has been run (MongoDB secret created)
# 5. Docker Desktop is running
#
# Linux users: run GCR/scripts/04-deploy.sh instead.
# =============================================================================
#Requires -Version 5.1
[CmdletBinding()]
param(
[string]$Tag = ""
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$RepoRoot = (Resolve-Path (Join-Path $ScriptDir "..\..")).Path
$EnvFile = Join-Path $ScriptDir "..\\.env"
# ── Load .env ─────────────────────────────────────────────────────────────────
if (-not (Test-Path $EnvFile)) {
Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
exit 1
}
$config = @{}
foreach ($line in Get-Content $EnvFile) {
if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
if ($line -match '^([^=]+)=(.*)$') {
$config[$Matches[1].Trim()] = $Matches[2].Trim()
}
}
$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
$GCP_REGION = $config['GCP_REGION'] ?? ''
$GCP_REPOSITORY = $config['GCP_REPOSITORY'] ?? ''
$SERVICE_NAME = $config['SERVICE_NAME'] ?? ''
$MONGODB_DATABASE_NAME = $config['MONGODB_DATABASE_NAME'] ?? 'HtmxAppDb'
# Note: MONGODB_CONNECTION_STRING is stored in Secret Manager (mongodb-connection-string)
if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
if (-not $GCP_REGION) { Write-Error "GCP_REGION is not set in .env"; exit 1 }
if (-not $GCP_REPOSITORY) { Write-Error "GCP_REPOSITORY is not set in .env"; exit 1 }
if (-not $SERVICE_NAME) { Write-Error "SERVICE_NAME is not set in .env"; exit 1 }
# Note: MONGODB_CONNECTION_STRING is stored in Secret Manager
function Test-SecretsReady {
$serviceAccount = "serviceAccount:$GCP_PROJECT_ID@appspot.gserviceaccount.com"
try {
gcloud secrets describe mongodb-connection-string --project=$GCP_PROJECT_ID 2>$null | Out-Null
} catch {
return $false
}
$binding = gcloud secrets get-iam-policy mongodb-connection-string `
--project=$GCP_PROJECT_ID `
--flatten="bindings[].members" `
--filter="bindings.role=roles/secretmanager.secretAccessor AND bindings.members=$serviceAccount" `
--format="value(bindings.members)" 2>$null
return ($binding -match [regex]::Escape($serviceAccount))
}
if (-not (Test-SecretsReady)) {
Write-Host ""
Write-Host ">>> Required secrets are not fully configured yet."
$runSecretSetup = Read-Host " Run GCR\scripts\03-create-secrets.ps1 now? [y/N]"
if ($runSecretSetup -match '^[Yy]$') {
& (Join-Path $ScriptDir "03-create-secrets.ps1")
} else {
Write-Host ""
Write-Error "Deployment requires secret setup first. Run: .\GCR\scripts\03-create-secrets.ps1"
exit 1
}
if (-not (Test-SecretsReady)) {
Write-Host ""
Write-Error "Secret setup check still failing after running 03-create-secrets.ps1."
exit 1
}
}
# ── Determine image tag ────────────────────────────────────────────────────────
if (-not $Tag) {
# Default to git short SHA if inside a git repo; otherwise use timestamp
try {
$Tag = (git -C $RepoRoot rev-parse --short HEAD 2>$null).Trim()
} catch { }
if (-not $Tag) {
$Tag = (Get-Date -Format "yyyyMMddHHmmss")
}
}
$REGISTRY = "$GCP_REGION-docker.pkg.dev"
$IMAGE_URI = "$REGISTRY/$GCP_PROJECT_ID/$GCP_REPOSITORY/${SERVICE_NAME}:$Tag"
Write-Host "================================================================"
Write-Host " Htmx -> Cloud Run deployment"
Write-Host "================================================================"
Write-Host " Project: $GCP_PROJECT_ID"
Write-Host " Region: $GCP_REGION"
Write-Host " Service: $SERVICE_NAME"
Write-Host " Image: $IMAGE_URI"
Write-Host "================================================================"
Write-Host ""
# ── Step 1: Ensure package-lock.json exists (required for `npm ci`) ───────────
$LockFile = Join-Path $RepoRoot "Htmx.ApiDemo\package-lock.json"
if (-not (Test-Path $LockFile)) {
Write-Host ">>> package-lock.json not found. Generating it now..."
Write-Host " (This requires node + npm to be installed locally)"
Push-Location (Join-Path $RepoRoot "Htmx.ApiDemo")
npm install --package-lock-only
Pop-Location
Write-Host " package-lock.json generated. Commit it to the repository."
Write-Host ""
}
# ── Step 2: Build the Docker image ────────────────────────────────────────────
Write-Host ">>> Building Docker image..."
Write-Host " Context: $RepoRoot"
Write-Host " Dockerfile: GCR\Dockerfile"
Write-Host ""
# Build from repo root so COPY instructions can reach both project directories.
# Docker on Windows accepts forward slashes in --file.
$DockerFile = Join-Path $RepoRoot "GCR\Dockerfile"
docker build --file $DockerFile --tag $IMAGE_URI $RepoRoot
Write-Host ""
Write-Host ">>> Image built: $IMAGE_URI"
# ── Step 3: Push image to Artifact Registry ───────────────────────────────────
Write-Host ""
Write-Host ">>> Pushing image to Artifact Registry..."
docker push $IMAGE_URI
Write-Host ">>> Push complete."
# ── Step 4: Deploy to Cloud Run via docker-compose.yml ───────────────────────
Write-Host ""
Write-Host ">>> Deploying to Cloud Run..."
# Set env vars consumed by docker-compose.yml variable substitution
$env:IMAGE_URI = $IMAGE_URI
$env:MONGODB_DATABASE_NAME = $MONGODB_DATABASE_NAME
$ComposeFile = Join-Path $RepoRoot "GCR\docker-compose.yml"
gcloud run services replace $ComposeFile `
--region=$GCP_REGION `
--project=$GCP_PROJECT_ID
# ── Step 4b: Inject MongoDB connection string from Secret Manager ────────────
Write-Host ""
Write-Host ">>> Injecting MongoDB connection string from Secret Manager..."
gcloud run services update $SERVICE_NAME `
--region=$GCP_REGION `
--project=$GCP_PROJECT_ID `
--set-secrets="ConnectionStrings__DefaultConnection=mongodb-connection-string:latest"
# ── Step 5: Make the service publicly accessible ──────────────────────────────
# Remove this block if you want the service to require authentication.
Write-Host ""
Write-Host ">>> Allowing public (unauthenticated) access to the service..."
gcloud run services add-iam-policy-binding $SERVICE_NAME `
--region=$GCP_REGION `
--project=$GCP_PROJECT_ID `
--member="allUsers" `
--role="roles/run.invoker"
# ── Print service URL ─────────────────────────────────────────────────────────
Write-Host ""
$SERVICE_URL = (gcloud run services describe $SERVICE_NAME `
--region=$GCP_REGION `
--project=$GCP_PROJECT_ID `
--format="value(status.url)").Trim()
Write-Host "================================================================"
Write-Host " Deployment complete!"
Write-Host " Service URL: $SERVICE_URL"
Write-Host "================================================================"
GCR/scripts/04-deploy.sh
Executable
+180
View File
@@ -0,0 +1,180 @@
#!/usr/bin/env bash
# =============================================================================
# 04-deploy.sh (Linux)
# Builds the Docker image, pushes it to Artifact Registry, and deploys it
# to Cloud Run — all in one command.
#
# Usage:
# ./GCR/scripts/04-deploy.sh # deploy with tag = git short SHA
# ./GCR/scripts/04-deploy.sh my-tag # deploy with a custom tag
#
# Prerequisites:
# 1. GCR/.env exists and is filled in (copy from GCR/.env.example)
# 2. 01-login.sh has been run (gcloud auth + Docker configured)
# 3. 02-setup-project.sh has been run (APIs enabled, repo created)
# 4. 03-create-secrets.sh has been run (MongoDB secret created)
# 5. Docker daemon is running locally
#
# Windows users: run GCR/scripts/04-deploy.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail
if [[ "$(uname -s)" != "Linux" ]]; then
echo "ERROR: This script is for Linux only."
echo "Windows users: run GCR/scripts/04-deploy.ps1"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# ── Load .env ─────────────────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/../.env"
if [[ ! -f "$ENV_FILE" ]]; then
echo "ERROR: $ENV_FILE not found."
echo "Copy GCR/.env.example to GCR/.env and fill in your values first."
exit 1
fi
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"
: "${GCP_REGION:?GCP_REGION is not set in .env}"
: "${GCP_REPOSITORY:?GCP_REPOSITORY is not set in .env}"
: "${SERVICE_NAME:?SERVICE_NAME is not set in .env}"
: "${MONGODB_DATABASE_NAME:?MONGODB_DATABASE_NAME is not set in .env}"
# Note: MONGODB_CONNECTION_STRING is stored in Secret Manager (mongodb-connection-string)
# See GCR/README.md for Secret Manager setup
secret_setup_ready() {
local service_account
service_account="serviceAccount:${GCP_PROJECT_ID}@appspot.gserviceaccount.com"
gcloud secrets describe "mongodb-connection-string" --project="$GCP_PROJECT_ID" >/dev/null 2>&1 || return 1
gcloud secrets get-iam-policy "mongodb-connection-string" \
--project="$GCP_PROJECT_ID" \
--flatten="bindings[].members" \
--filter="bindings.role=roles/secretmanager.secretAccessor AND bindings.members=${service_account}" \
--format="value(bindings.members)" 2>/dev/null \
| grep -Fxq "$service_account"
}
if ! secret_setup_ready; then
echo ""
echo ">>> Required secrets are not fully configured yet."
read -rp " Run GCR/scripts/03-create-secrets.sh now? [y/N]: " RUN_SECRET_SETUP
if [[ "$RUN_SECRET_SETUP" =~ ^[Yy]$ ]]; then
bash "$SCRIPT_DIR/03-create-secrets.sh"
else
echo ""
echo "ERROR: Deployment requires secret setup first."
echo "Run: bash GCR/scripts/03-create-secrets.sh"
exit 1
fi
if ! secret_setup_ready; then
echo ""
echo "ERROR: Secret setup check still failing after running 03-create-secrets.sh."
exit 1
fi
fi
# ── Determine image tag ────────────────────────────────────────────────────────
TAG="${1:-}"
if [[ -z "$TAG" ]]; then
# Default to git short SHA if inside a git repo; otherwise use timestamp
if git -C "$REPO_ROOT" rev-parse --short HEAD &>/dev/null; then
TAG="$(git -C "$REPO_ROOT" rev-parse --short HEAD)"
else
TAG="$(date +%Y%m%d%H%M%S)"
fi
fi
REGISTRY="${GCP_REGION}-docker.pkg.dev"
IMAGE_URI="${REGISTRY}/${GCP_PROJECT_ID}/${GCP_REPOSITORY}/${SERVICE_NAME}:${TAG}"
echo "================================================================"
echo " Htmx → Cloud Run deployment"
echo "================================================================"
echo " Project: $GCP_PROJECT_ID"
echo " Region: $GCP_REGION"
echo " Service: $SERVICE_NAME"
echo " Image: $IMAGE_URI"
echo "================================================================"
echo ""
# ── Step 1: Ensure package-lock.json exists (required for `npm ci`) ───────────
LOCKFILE="$REPO_ROOT/Htmx.ApiDemo/package-lock.json"
if [[ ! -f "$LOCKFILE" ]]; then
echo ">>> package-lock.json not found. Generating it now..."
echo " (This requires node + npm to be installed locally)"
(cd "$REPO_ROOT/Htmx.ApiDemo" && npm install --package-lock-only)
echo " package-lock.json generated. Commit it to the repository."
echo ""
fi
# ── Step 2: Build the Docker image ────────────────────────────────────────────
echo ">>> Building Docker image..."
echo " Context: $REPO_ROOT"
echo " Dockerfile: GCR/Dockerfile"
echo ""
# Build from repo root so the COPY instructions can reach both
# Htmx.ApiDemo/ and Htmx.SourceGenerator/ directories.
docker build \
--file "$REPO_ROOT/GCR/Dockerfile" \
--tag "$IMAGE_URI" \
"$REPO_ROOT"
echo ""
echo ">>> Image built: $IMAGE_URI"
# ── Step 3: Push image to Artifact Registry ───────────────────────────────────
echo ""
echo ">>> Pushing image to Artifact Registry..."
docker push "$IMAGE_URI"
echo ">>> Push complete."
# ── Step 4: Deploy to Cloud Run via docker-compose.yml ───────────────────────
echo ""
echo ">>> Deploying to Cloud Run..."
# Export variables consumed by docker-compose.yml substitution
export IMAGE_URI
export MONGODB_DATABASE_NAME
gcloud run services replace "$REPO_ROOT/GCR/docker-compose.yml" \
--region="$GCP_REGION" \
--project="$GCP_PROJECT_ID"
# ── Step 4b: Inject MongoDB connection string from Secret Manager ────────────
echo ""
echo ">>> Injecting MongoDB connection string from Secret Manager..."
gcloud run services update "$SERVICE_NAME" \
--region="$GCP_REGION" \
--project="$GCP_PROJECT_ID" \
--set-secrets="ConnectionStrings__DefaultConnection=mongodb-connection-string:latest"
# ── Step 5: Make the service publicly accessible ──────────────────────────────
# Remove this block if you want the service to require authentication.
echo ""
echo ">>> Allowing public (unauthenticated) access to the service..."
gcloud run services add-iam-policy-binding "$SERVICE_NAME" \
--region="$GCP_REGION" \
--project="$GCP_PROJECT_ID" \
--member="allUsers" \
--role="roles/run.invoker"
# ── Print service URL ─────────────────────────────────────────────────────────
echo ""
SERVICE_URL=$(gcloud run services describe "$SERVICE_NAME" \
--region="$GCP_REGION" \
--project="$GCP_PROJECT_ID" \
--format="value(status.url)")
echo "================================================================"
echo " Deployment complete!"
echo " Service URL: $SERVICE_URL"
echo "================================================================"