Terraform GCP with Kamal v2

Author: justin808

.gitignore

@@ -35,3 +35,45 @@
 
 /app/assets/builds/*
 !/app/assets/builds/.keep
+
+/config/credentials/production.key
+
+### Terraform template
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+./terraform-gcloud/terraform-state/
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.kamal/secrets

@@ -1,17 +1,28 @@
+# Use gcloud to read secrets from GCP Secret Manager
+# First, load the project_id from Terraform outputs
+PROJECT_ID=$(cd ./terraform-gcloud && terraform output -raw project_id)
+
+# Fetch secrets from Google Cloud Secrets Manager using the project ID
+# Edit secrets in GCP Secret Manager web UX:
+KAMAL_REGISTRY_PASSWORD=$(gcloud secrets versions access latest --secret=KAMAL_REGISTRY_PASSWORD --project="$PROJECT_ID")
+
+DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD --project="$PROJECT_ID")
+
+SECRET_KEY_BASE=$(gcloud secrets versions access latest --secret=SECRET_KEY_BASE --project="$PROJECT_ID")
+
+# Use this if you want to use Rails credentials
+# RAILS_MASTER_KEY=$(gcloud secrets versions access latest --secret=RAILS_MASTER_KEY --project="$PROJECT_ID")
+
+# Possibly useful comments that you can probably ignore are below.
 # Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
 # and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
 # password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 
-# Example of extracting secrets from 1password (or another compatible pw manager)
-# SECRETS=$(kamal secrets fetch --adapter 1password --account your-account --from Vault/Item KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
-# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
-# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
-
 # Use a GITHUB_TOKEN if private repositories are needed for the image
 # GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
-
 # Grab the registry password from ENV
-KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+# KAMAL_REGISTRY_PASSWORD=${KAMAL_REGISTRY_PASSWORD}
 
-# Improve security by using a password manager. Never check config/master.key into git!
-RAILS_MASTER_KEY=$(cat config/master.key)
+# Use op to read secrets from 1password directly because using kamal secret commands results in parse errors
+# KAMAL_REGISTRY_PASSWORD=$(op read op://kamal-demo/Items/KAMAL_REGISTRY_PASSWORD/password)
+# RAILS_MASTER_KEY=$(op read op://kamal-demo/Items/RAILS_MASTER_KEY/password)

Dockerfile

@@ -16,7 +16,7 @@ WORKDIR /rails
 
 # Install base packages
 RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libjemalloc2 libvips postgresql-client && \
+    apt-get install --no-install-recommends -y curl libjemalloc2 libvips postgresql-client iputils-ping && \
     rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
 # Set production environment

Procfile.dev

@@ -1,2 +1,3 @@
 web: bin/rails server
 css: bin/rails tailwindcss:watch
+db: docker-compose up db

bin/kamal

@@ -24,4 +24,10 @@ end
 require "rubygems"
 require "bundler/setup"
 
+require_relative '../lib/deployment_manager'
+
+unless DeploymentManager.new.deployed_ip_matches_configured_ip?
+  abort("Rerun './terraform-gcloud/bin/stand-up' to fix this or change the host IP directly in 'config/deploy.yml'")
+end
+
 load Gem.bin_path("kamal", "kamal")

config/database.yml

@@ -60,32 +60,15 @@ test:
   <<: *default
   database: rails_kamal_demo_test
 
-# As with config/credentials.yml, you never want to store sensitive information,
-# like your database password, in your source code. If your source code is
-# ever seen by anyone, they now have access to your database.
-#
-# Instead, provide the password or a full connection URL as an environment
-# variable when you boot the app. For example:
-#
-#   DATABASE_URL="postgres://myuser:mypass@localhost/somedatabase"
-#
-# If the connection URL is provided in the special DATABASE_URL environment
-# variable, Rails will automatically merge its configuration values on top of
-# the values provided in this file. Alternatively, you can specify a connection
-# URL environment variable explicitly:
-#
-#   production:
-#     url: <%= ENV["MY_APP_DATABASE_URL"] %>
-#
 # Read https://guides.rubyonrails.org/configuring.html#configuring-a-database
 # for a full overview on how database connection configuration can be specified.
-#
+# The values here need to correspond to the values in the `terraform-gcloud/main.tf` file.
+# The password comes from ENV variable DB_PASSWORD.
 production:
   primary: &primary_production
     <<: *default
     database: rails_kamal_demo_production
-    username: rails_kamal_demo
-    password: <%= ENV["RAILS_KAMAL_DEMO_DATABASE_PASSWORD"] %>
+    username: rails_user
   cache:
     <<: *primary_production
     database: rails_kamal_demo_production_cache

config/deploy.yml

@@ -1,31 +1,38 @@
+# This deploy.yml file is configured to work with the kamal_tf script.
+# Please use the kamal_tf script to run kamal commands with dynamic IP addresses from Terraform.
+# Example usage: bin/kamal_tf deploy
+
 # Name of your application. Used to uniquely configure containers.
 service: rails_kamal_demo
 
 # Name of the container image.
-image: your-user/rails_kamal_demo
+image: shakacodedemo/rails_kamal_demo
 
 # Deploy to these servers.
 servers:
-  web:
-    - 192.168.0.1
-  # job:
-  #   hosts:
-  #     - 192.168.0.1
-  #   cmd: bin/jobs
+  web: # Next value is set by Terraform script "stand-up" in sibling repo
+    - 34.59.165.111
+#  job:
+#     hosts:
+#       - 34.59.165.111
+#     cmd: bin/jobs
 
 # Enable SSL auto certification via Let's Encrypt and allow for multiple apps on a single web server.
 # Remove this section when using multiple web servers and ensure you terminate SSL at your load balancer.
 #
 # Note: If using Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption.
+#  uncomment next line for a real host name
 proxy:
   ssl: true
-  host: app.example.com
+  # IMPT: Edit for your real host name
+  host: gcp.kamaltutorial.com
 
 # Credentials for your image host.
 registry:
   # Specify the registry server, if you're not using Docker Hub
   # server: registry.digitalocean.com / ghcr.io / ...
-  username: your-user
+  # IMPT: Edit for your real Docker Hub username
+  username: shakacodedemo
 
   # Always use an access token rather than real password when possible.
   password:
@@ -34,12 +41,16 @@ registry:
 # Inject ENV variables into containers (secrets come from .kamal/secrets).
 env:
   secret:
-    - RAILS_MASTER_KEY
+    - DB_PASSWORD
+    - SECRET_KEY_BASE
   clear:
     # Run the Solid Queue Supervisor inside the web server's Puma process to do jobs.
     # When you start using multiple servers, you should split out job processing to a dedicated machine.
     SOLID_QUEUE_IN_PUMA: true
 
+    # This is the networking to get to host machine from within the Rails docker container
+    DB_HOST: 172.18.0.1
+
     # Set number of processes dedicated to Solid Queue (default: 1)
     # JOB_CONCURRENCY: 3
 
@@ -61,13 +72,11 @@ aliases:
   logs: app logs -f
   dbc: app exec --interactive --reuse "bin/rails dbconsole"
 
-
 # Use a persistent storage volume for sqlite database files and local Active Storage files.
 # Recommended to change this to a mounted volume path that is backed up off server.
 volumes:
   - "rails_kamal_demo_storage:/rails/storage"
 
-
 # Bridge fingerprinted assets, like JS and CSS, between versions to avoid
 # hitting 404 on in-flight requests. Combines all files from new and old
 # version inside the asset_path.
@@ -88,8 +97,8 @@ builder:
   #   - RAILS_MASTER_KEY
 
 # Use a different ssh user than root
-# ssh:
-#   user: app
+ssh:
+   user: justin
 
 # Use accessory services (secrets come from .kamal/secrets).
 # accessories:
@@ -114,3 +123,7 @@ builder:
 #     port: 6379
 #     directories:
 #       - data:/data
+
+# Configure rolling deploys by setting a wait time between batches of restarts.
+# 30 is the default. First deploy will need a longer time to create the database.
+deploy_timeout: 30

config/puma.rb

@@ -39,3 +39,6 @@
 # Specify the PID file. Defaults to tmp/pids/server.pid in development.
 # In other environments, only set the PID file if requested.
 pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
+
+# test change to see if this gets server to connect to kamal-proxy
+# bind "tcp://0.0.0.0:3000"