
Commit 493eab0

committed
Analysts can access Metabase hosted by Cloud Run
1 parent d53c05e commit 493eab0


14 files changed

+401
-0
lines changed

Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
name: Metabase Docker image
2+
3+
on: [push]
4+
5+
concurrency:
6+
group: ${{ github.workflow }}-${{ github.ref }}-metabase
7+
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
8+
9+
jobs:
10+
build:
11+
name: Build image
12+
13+
runs-on: ubuntu-latest
14+
15+
permissions:
16+
contents: read
17+
packages: write
18+
attestations: write
19+
id-token: write
20+
21+
steps:
22+
- name: Checkout
23+
uses: actions/checkout@v4
24+
25+
- name: Login to GitHub Repository
26+
uses: docker/login-action@v3
27+
with:
28+
registry: ghcr.io
29+
username: ${{ github.actor }}
30+
password: ${{ secrets.GITHUB_TOKEN }}
31+
32+
- name: Build and Push
33+
uses: docker/build-push-action@v6
34+
with:
35+
context: services/metabase
36+
push: true
37+
tags: ghcr.io/${{ github.repository }}/metabase:latest
38+
cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/metabase:latest
39+
cache-to: type=inline
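Review bot: `on: [push]` at the top of the workflow builds and pushes `ghcr.io/${{ github.repository }}/metabase:latest` for every push on every branch, while the Cloud Run service added elsewhere in this commit pulls that same `latest` tag, so a push to any feature branch replaces the image staging will run at its next revision rollout; the `cancel-in-progress` expression already treats `main` specially, so restrict the trigger to match, `on:` / `  push:` / `    branches: [main]`, or tag the image with `${{ github.sha }}` and have the deployment pin that tag. The `attestations: write` and `id-token: write` permissions are not used by the three steps shown — either add an `actions/attest-build-provenance` step so the pushed image carries provenance, or remove them to keep the job's token minimal. The actions are referenced by floating version tags (`@v4`, `@v3`, `@v6`) rather than commit SHAs, which is worth tightening for a job that holds `packages: write`.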

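--- a/iac/cal-itp-data-infra-staging/iam/us/outputs.tf
+++ b/iac/cal-itp-data-infra-staging/iam/us/outputs.tf
@@ -178,6 +178,18 @@ output "google_service_account_cal-bc-service-account_name" {
 value = google_service_account.cal-bc-service-account.name
 }
 
+output "google_service_account_metabase-service-account_id" {
+value = google_service_account.metabase-service-account.id
+}
+
+output "google_service_account_metabase-service-account_email" {
+value = google_service_account.metabase-service-account.email
+}
+
+output "google_service_account_metabase-service-account_name" {
+value = google_service_account.metabase-service-account.name
+}
+
 output "google_service_account_composer-service-account_id" {
 value = google_service_account.composer-service-account.id
 }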

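--- a/iac/cal-itp-data-infra-staging/iam/us/project_iam_member.tf
+++ b/iac/cal-itp-data-infra-staging/iam/us/project_iam_member.tf
@@ -278,6 +278,16 @@ resource "google_project_iam_member" "cal-bc-service-account" {
 project = "cal-itp-data-infra-staging"
 }
 
+resource "google_project_iam_member" "metabase-service-account" {
+for_each = toset([
+"roles/cloudsql.client",
+"roles/secretmanager.secretAccessor",
+])
+role = each.key
+member = "serviceAccount:${google_service_account.metabase-service-account.email}"
+project = "cal-itp-data-infra-staging"
+}
+
 resource "google_project_iam_member" "composer-service-account" {
 for_each = toset([
 "roles/bigquery.dataOwner",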
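Review bot: `roles/secretmanager.secretAccessor` in the new `for_each` list is bound at project level, which lets the Metabase service account read every secret in `cal-itp-data-infra-staging`, not only the `metabase-staging-password` secret this commit creates for it. Bind it on that one secret instead — a `google_secret_manager_secret_iam_member` in the metabase module with `secret_id = google_secret_manager_secret.metabase-staging-password.id`, `role = "roles/secretmanager.secretAccessor"` and the same `member` — and drop it from this list. `roles/cloudsql.client` is already the narrowest role the Cloud SQL connector needs and can stay at project scope. The `composer-service-account` resource that follows starts inside the hunk but continues beyond it.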

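--- a/iac/cal-itp-data-infra-staging/iam/us/service_account.tf
+++ b/iac/cal-itp-data-infra-staging/iam/us/service_account.tf
@@ -50,6 +50,14 @@ resource "google_service_account" "cal-bc-service-account" {
 project = "cal-itp-data-infra-staging"
 }
 
+resource "google_service_account" "metabase-service-account" {
+account_id = "metabase-service-account"
+description = "Service account for Metabase"
+disabled = "false"
+display_name = "metabase"
+project = "cal-itp-data-infra-staging"
+}
+
 resource "google_service_account" "composer-service-account" {
 account_id = "composer-service-account"
 description = "Service account for Composer"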

iac/cal-itp-data-infra-staging/metabase/us/.terraform.lock.hcl

Lines changed: 62 additions & 0 deletions
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
resource "google_compute_global_address" "metabase-staging" {
2+
name = "metabase-staging-address"
3+
}
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
provider "google" {
2+
project = "cal-itp-data-infra-staging"
3+
}
4+
5+
terraform {
6+
required_providers {
7+
google = {
8+
version = "~> 7.10.0"
9+
}
10+
}
11+
12+
backend "gcs" {
13+
bucket = "calitp-staging-gcp-components-tfstate"
14+
prefix = "cal-itp-data-infra-staging/metabase"
15+
}
16+
}
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
resource "google_artifact_registry_repository" "ghcr" {
2+
location = "us-west2"
3+
repository_id = "ghcr"
4+
format = "DOCKER"
5+
mode = "REMOTE_REPOSITORY"
6+
cleanup_policy_dry_run = true
7+
8+
remote_repository_config {
9+
description = "GitHub Container Repository"
10+
docker_repository {
11+
custom_repository {
12+
uri = "https://ghcr.io"
13+
}
14+
}
15+
}
16+
}
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
resource "google_secret_manager_secret" "metabase-staging-password" {
2+
secret_id = "metabase-staging-password"
3+
replication {
4+
user_managed {
5+
replicas {
6+
location = "us-west2"
7+
}
8+
}
9+
}
10+
}
11+
12+
resource "google_secret_manager_secret_version" "metabase-staging-password" {
13+
secret = google_secret_manager_secret.metabase-staging-password.name
14+
secret_data_wo = random_password.metabase-staging-database.result
15+
}
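Review bot: `secret_data_wo` on `google_secret_manager_secret_version.metabase-staging-password` is a write-only argument, so Terraform keeps the password out of state but also stops tracking its value; without a `secret_data_wo_version` trigger, a later rotation of `random_password.metabase-staging-database` (defined outside this file) would not create a new secret version, and the Cloud Run service reading version `latest` would keep the old password while the SQL user, if it uses the same `random_password`, moves on. Add `secret_data_wo_version = 1` next to `secret_data_wo` and bump it whenever the password is rotated, and add a comment saying so, e.g. `# bump secret_data_wo_version after rotating random_password.metabase-staging-database`. Keeping the value out of state via the write-only argument is the right choice and should stay.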
Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,161 @@
1+
resource "google_cloud_run_v2_service" "metabase-staging" {
2+
name = "metabase-staging"
3+
location = "us-west2"
4+
deletion_protection = false
5+
ingress = "INGRESS_TRAFFIC_ALL"
6+
7+
traffic {
8+
type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
9+
percent = 100
10+
}
11+
12+
scaling {
13+
min_instance_count = 1
14+
}
15+
16+
template {
17+
service_account = data.terraform_remote_state.iam.outputs.google_service_account_metabase-service-account_email
18+
19+
volumes {
20+
name = "cloudsql"
21+
cloud_sql_instance {
22+
instances = [google_sql_database_instance.metabase-staging.connection_name]
23+
}
24+
}
25+
26+
containers {
27+
image = "us-west2-docker.pkg.dev/cal-itp-data-infra-staging/ghcr/cal-itp/data-infra/metabase:latest"
28+
29+
resources {
30+
limits = {
31+
cpu = "1"
32+
memory = "2048Mi"
33+
}
34+
}
35+
36+
ports {
37+
container_port = 3000
38+
}
39+
40+
startup_probe {
41+
timeout_seconds = 2
42+
period_seconds = 5
43+
failure_threshold = 10
44+
45+
http_get {
46+
path = "/"
47+
port = 3000
48+
}
49+
}
50+
51+
liveness_probe {
52+
http_get {
53+
path = "/"
54+
port = 3000
55+
}
56+
}
57+
58+
volume_mounts {
59+
name = "cloudsql"
60+
mount_path = "/cloudsql"
61+
}
62+
63+
env {
64+
name = "MB_DB_TYPE"
65+
value = "postgres"
66+
}
67+
68+
env {
69+
name = "MB_DB_DBNAME"
70+
value = google_sql_database.metabase-staging.name
71+
}
72+
73+
env {
74+
name = "MB_DB_HOST"
75+
value = "127.0.0.1"
76+
}
77+
78+
env {
79+
name = "MB_DB_USER"
80+
value = google_sql_user.metabase-staging.name
81+
}
82+
83+
env {
84+
name = "MB_DB_PASS"
85+
value_source {
86+
secret_key_ref {
87+
secret = google_secret_manager_secret.metabase-staging-password.secret_id
88+
version = "latest"
89+
}
90+
}
91+
}
92+
93+
env {
94+
name = "JAVA_OPTS"
95+
value = "-Xmx2048m"
96+
}
97+
}
98+
}
99+
}
100+
101+
resource "google_cloud_run_service_iam_binding" "metabase-staging" {
102+
location = google_cloud_run_v2_service.metabase-staging.location
103+
service = google_cloud_run_v2_service.metabase-staging.name
104+
role = "roles/run.invoker"
105+
members = ["allUsers"]
106+
}
107+
108+
resource "google_compute_region_network_endpoint_group" "metabase-staging" {
109+
name = "metabase-staging"
110+
network_endpoint_type = "SERVERLESS"
111+
region = google_cloud_run_v2_service.metabase-staging.location
112+
cloud_run {
113+
service = google_cloud_run_v2_service.metabase-staging.name
114+
}
115+
}
116+
117+
module "lb-http" {
118+
source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
119+
version = "~> 14.0"
120+
121+
name = "metabase-staging"
122+
project = "cal-itp-data-infra-staging"
123+
124+
ssl = true
125+
managed_ssl_certificate_domains = [local.domain]
126+
https_redirect = true
127+
128+
address = google_compute_global_address.metabase-staging.address
129+
create_address = false
130+
131+
backends = {
132+
metabase = {
133+
groups = []
134+
serverless_neg_backends = [
135+
{
136+
"region" : "us-west2",
137+
"type" : "cloud-run",
138+
"service" : {
139+
"name" : google_cloud_run_v2_service.metabase-staging.name
140+
}
141+
}
142+
]
143+
144+
health_check = {
145+
request_path = "/"
146+
protocol = "HTTP"
147+
port = 80
148+
}
149+
150+
enable_cdn = false
151+
152+
iap_config = {
153+
enable = false
154+
}
155+
156+
log_config = {
157+
enable = false
158+
}
159+
}
160+
}
161+
}
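Review bot: `ingress = "INGRESS_TRAFFIC_ALL"` on the service together with the `allUsers` `roles/run.invoker` binding leaves Metabase reachable on its default `*.run.app` URL as well as through the load balancer, so the HTTPS redirect and any IAP or Cloud Armor policy later enabled on the LB (`iap_config.enable = false` for now) can be bypassed, and Metabase's own login is the only control on that path. Set `ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"` so only the serverless NEG can reach the service; the `allUsers` binding is still needed for the LB path and can stay. The container `image` is the mutable `metabase:latest` tag pulled through the remote Artifact Registry repository, so whatever is on ghcr.io at the next revision rollout is what runs; pin to the digest the build produces (`...ghcr/cal-itp/data-infra/metabase@sha256:...`) or a per-commit tag. `MB_DB_PASS` resolves secret version `latest` at deploy time, which is acceptable for staging but means a rotation only takes effect on the next revision — worth a comment on that `secret_key_ref`.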
