create-svc 0.1.0

package/templates/root/internal/httpapi/routes.go

@@ -0,0 +1,93 @@
+package httpapi
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+
+	"{{MODULE_PATH}}/internal/app"
+)
+
+func RegisterRoutes(router chi.Router, service *app.DNSService) {
+	router.Get("/healthz", func(w http.ResponseWriter, _ *http.Request) {
+		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+	})
+
+	router.Route("/v1/dns/records", func(r chi.Router) {
+		r.Get("/", func(w http.ResponseWriter, request *http.Request) {
+			records, err := service.ListRecords(request.Context())
+			if err != nil {
+				writeError(w, err)
+				return
+			}
+			writeJSON(w, http.StatusOK, map[string]any{"records": records})
+		})
+
+		r.Post("/", func(w http.ResponseWriter, request *http.Request) {
+			var input app.CreateRecordInput
+			if err := decodeJSON(request, &input); err != nil {
+				writeError(w, err)
+				return
+			}
+
+			record, err := service.CreateRecord(request.Context(), input)
+			if err != nil {
+				writeError(w, err)
+				return
+			}
+			writeJSON(w, http.StatusCreated, map[string]any{"record": record})
+		})
+
+		r.Route("/{recordID}", func(r chi.Router) {
+			r.Put("/", func(w http.ResponseWriter, request *http.Request) {
+				var input app.UpdateRecordInput
+				if err := decodeJSON(request, &input); err != nil {
+					writeError(w, err)
+					return
+				}
+
+				record, err := service.UpdateRecord(request.Context(), chi.URLParam(request, "recordID"), input)
+				if err != nil {
+					writeError(w, err)
+					return
+				}
+				writeJSON(w, http.StatusOK, map[string]any{"record": record})
+			})
+
+			r.Delete("/", func(w http.ResponseWriter, request *http.Request) {
+				if err := service.DeleteRecord(request.Context(), chi.URLParam(request, "recordID")); err != nil {
+					writeError(w, err)
+					return
+				}
+				w.WriteHeader(http.StatusNoContent)
+			})
+		})
+	})
+}
+
+func decodeJSON(request *http.Request, out any) error {
+	defer request.Body.Close()
+
+	if err := json.NewDecoder(request.Body).Decode(out); err != nil {
+		return err
+	}
+	return nil
+}
+
+func writeJSON(w http.ResponseWriter, status int, payload any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	_ = json.NewEncoder(w).Encode(payload)
+}
+
+func writeError(w http.ResponseWriter, err error) {
+	status := http.StatusInternalServerError
+	if errors.Is(err, strconv.ErrSyntax) || strings.Contains(strings.ToLower(err.Error()), "json") {
+		status = http.StatusBadRequest
+	}
+	writeJSON(w, status, map[string]string{"error": err.Error()})
+}

package/templates/root/internal/vault/client.go

@@ -0,0 +1,148 @@
+package vault
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+)
+
+type AppRoleClient struct {
+	addr         string
+	roleIDFile   string
+	secretIDFile string
+	client       *http.Client
+
+	mu    sync.Mutex
+	token string
+}
+
+func NewAppRoleClient(addr string, roleIDFile string, secretIDFile string, client *http.Client) *AppRoleClient {
+	return &AppRoleClient{
+		addr:         strings.TrimRight(addr, "/"),
+		roleIDFile:   roleIDFile,
+		secretIDFile: secretIDFile,
+		client:       client,
+	}
+}
+
+func (c *AppRoleClient) Get(ctx context.Context, path string, key string) (string, error) {
+	token, err := c.login(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	request, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("%s/v1/secret/data/%s", c.addr, strings.TrimLeft(path, "/")), nil)
+	if err != nil {
+		return "", err
+	}
+	request.Header.Set("X-Vault-Token", token)
+
+	response, err := c.client.Do(request)
+	if err != nil {
+		return "", err
+	}
+	defer response.Body.Close()
+
+	raw, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err
+	}
+	if response.StatusCode < 200 || response.StatusCode >= 300 {
+		return "", fmt.Errorf("vault read failed: status=%d body=%s", response.StatusCode, strings.TrimSpace(string(raw)))
+	}
+
+	var payload struct {
+		Data struct {
+			Data map[string]string `json:"data"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(raw, &payload); err != nil {
+		return "", err
+	}
+
+	value := strings.TrimSpace(payload.Data.Data[key])
+	if value == "" {
+		return "", fmt.Errorf("vault secret key %q is empty", key)
+	}
+	return value, nil
+}
+
+func (c *AppRoleClient) login(ctx context.Context) (string, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.token != "" {
+		return c.token, nil
+	}
+
+	roleID, err := readSecretFile(c.roleIDFile)
+	if err != nil {
+		return "", err
+	}
+	secretID, err := readSecretFile(c.secretIDFile)
+	if err != nil {
+		return "", err
+	}
+
+	body, err := json.Marshal(map[string]string{
+		"role_id":   roleID,
+		"secret_id": secretID,
+	})
+	if err != nil {
+		return "", err
+	}
+
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, c.addr+"/v1/auth/approle/login", bytes.NewReader(body))
+	if err != nil {
+		return "", err
+	}
+	request.Header.Set("Content-Type", "application/json")
+
+	response, err := c.client.Do(request)
+	if err != nil {
+		return "", err
+	}
+	defer response.Body.Close()
+
+	raw, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err
+	}
+	if response.StatusCode < 200 || response.StatusCode >= 300 {
+		return "", fmt.Errorf("vault login failed: status=%d body=%s", response.StatusCode, strings.TrimSpace(string(raw)))
+	}
+
+	var payload struct {
+		Auth struct {
+			ClientToken string `json:"client_token"`
+		} `json:"auth"`
+	}
+	if err := json.Unmarshal(raw, &payload); err != nil {
+		return "", err
+	}
+
+	c.token = strings.TrimSpace(payload.Auth.ClientToken)
+	if c.token == "" {
+		return "", fmt.Errorf("vault returned an empty client token")
+	}
+	return c.token, nil
+}
+
+func readSecretFile(path string) (string, error) {
+	bytes, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	value := strings.TrimSpace(string(bytes))
+	if value == "" {
+		return "", fmt.Errorf("secret file %q is empty", path)
+	}
+	return value, nil
+}

package/templates/root/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "{{SERVICE_NAME}}",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "go run ./cmd/server",
+    "gen": "buf generate",
+    "lint": "go vet ./... && buf lint",
+    "bootstrap": "bun run ./scripts/cloudrun/bootstrap.ts",
+    "deploy": "bun run ./scripts/cloudrun/deploy.ts"
+  }
+}

package/templates/root/protos/dns/v1/dns.proto

@@ -0,0 +1,58 @@
+syntax = "proto3";
+
+package dns.v1;
+
+option go_package = "{{MODULE_PATH}}/gen/dns/v1;dnsv1";
+
+service DNSService {
+  rpc ListRecords(ListRecordsRequest) returns (ListRecordsResponse) {}
+  rpc CreateRecord(CreateRecordRequest) returns (CreateRecordResponse) {}
+  rpc UpdateRecord(UpdateRecordRequest) returns (UpdateRecordResponse) {}
+  rpc DeleteRecord(DeleteRecordRequest) returns (DeleteRecordResponse) {}
+}
+
+message Record {
+  string id = 1;
+  string type = 2;
+  string name = 3;
+  string content = 4;
+  int32 ttl = 5;
+  bool proxied = 6;
+}
+
+message ListRecordsRequest {}
+
+message ListRecordsResponse {
+  repeated Record records = 1;
+}
+
+message CreateRecordRequest {
+  string type = 1;
+  string name = 2;
+  string content = 3;
+  int32 ttl = 4;
+  bool proxied = 5;
+}
+
+message CreateRecordResponse {
+  Record record = 1;
+}
+
+message UpdateRecordRequest {
+  string id = 1;
+  string type = 2;
+  string name = 3;
+  string content = 4;
+  int32 ttl = 5;
+  bool proxied = 6;
+}
+
+message UpdateRecordResponse {
+  Record record = 1;
+}
+
+message DeleteRecordRequest {
+  string id = 1;
+}
+
+message DeleteRecordResponse {}

package/templates/root/scripts/cloudrun/bootstrap.ts

@@ -0,0 +1,65 @@
+import { bootstrapSecrets, config } from "./config";
+import {
+  ensureProjectRole,
+  ensureSecret,
+  ensureSecretAccessor,
+  ensureServiceAccount,
+  ensureServiceAccountRole,
+  ensureWorkloadIdentityPool,
+  ensureWorkloadIdentityProvider,
+  gcloud,
+  requireCommand,
+  setGithubSecret,
+  setGithubVariable,
+  workloadIdentityPoolResource,
+  workloadIdentityProviderResource,
+} from "./lib";
+
+export async function bootstrap() {
+  requireCommand("gcloud");
+  requireCommand("gh");
+
+  gcloud(["services", "enable", ...config.requiredApis, "--project", config.projectId]);
+
+  ensureServiceAccount(config.runtimeServiceAccount);
+  ensureServiceAccount(config.deployerServiceAccount);
+
+  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
+  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
+  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
+
+  ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
+
+  for (const secret of bootstrapSecrets) {
+    ensureSecret(secret.secretName, secret.bootstrapEnv);
+    ensureSecretAccessor(secret.secretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  }
+
+  ensureWorkloadIdentityPool();
+  ensureWorkloadIdentityProvider();
+
+  ensureServiceAccountRole(
+    config.deployerServiceAccount,
+    `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.githubRepo}`,
+    "roles/iam.workloadIdentityUser"
+  );
+
+  for (const [name, value] of Object.entries(config.githubVariables)) {
+    setGithubVariable(name, value);
+  }
+  setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
+  setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
+
+  if (config.bufModule) {
+    setGithubVariable("BUF_MODULE", config.bufModule);
+  }
+
+  const bufToken = process.env.BUF_TOKEN?.trim();
+  if (bufToken && config.bufModule) {
+    setGithubSecret("BUF_TOKEN", bufToken);
+  }
+}
+
+if (import.meta.main) {
+  await bootstrap();
+}

package/templates/root/scripts/cloudrun/config.ts

@@ -0,0 +1,50 @@
+export const config = {
+  serviceName: "{{SERVICE_NAME}}",
+  projectId: "{{PROJECT_ID}}",
+  region: "{{REGION}}",
+  githubRepo: "{{GITHUB_REPO}}",
+  bufModule: "{{BUF_MODULE}}",
+  artifactRepository: "cloud-run",
+  runtimeServiceAccount: "{{RUNTIME_SERVICE_ACCOUNT}}",
+  deployerServiceAccount: "{{DEPLOYER_SERVICE_ACCOUNT}}",
+  vaultRoleIdSecret: "{{VAULT_ROLE_ID_SECRET}}",
+  vaultSecretIdSecret: "{{VAULT_SECRET_ID_SECRET}}",
+  workloadIdentityPoolId: "{{WIF_POOL_ID}}",
+  workloadIdentityProviderId: "{{WIF_PROVIDER_ID}}",
+  requiredApis: [
+    "run.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "sts.googleapis.com",
+    "secretmanager.googleapis.com",
+    "serviceusage.googleapis.com",
+  ],
+  githubVariables: {
+    GCP_PROJECT_ID: "{{PROJECT_ID}}",
+    GCP_REGION: "{{REGION}}",
+    CLOUD_RUN_SERVICE: "{{SERVICE_NAME}}",
+  },
+} as const;
+
+export const manifestEnv = {
+  SERVICE_NAME: "{{SERVICE_NAME}}",
+  RUNTIME_SERVICE_ACCOUNT: "{{RUNTIME_SERVICE_ACCOUNT}}",
+  VAULT_ADDR: "{{VAULT_ADDR}}",
+  VAULT_SECRET_PATH: "{{VAULT_SECRET_PATH}}",
+  VAULT_SECRET_KEY: "{{VAULT_SECRET_KEY}}",
+  CLOUDFLARE_ZONE_ID: "{{CLOUDFLARE_ZONE_ID}}",
+  VAULT_ROLE_ID_SECRET: "{{VAULT_ROLE_ID_SECRET}}",
+  VAULT_SECRET_ID_SECRET: "{{VAULT_SECRET_ID_SECRET}}",
+} as const;
+
+export const bootstrapSecrets = [
+  {
+    secretName: "{{VAULT_ROLE_ID_SECRET}}",
+    bootstrapEnv: "BOOTSTRAP_VAULT_ROLE_ID",
+  },
+  {
+    secretName: "{{VAULT_SECRET_ID_SECRET}}",
+    bootstrapEnv: "BOOTSTRAP_VAULT_SECRET_ID",
+  },
+] as const;

package/templates/root/scripts/cloudrun/deploy.ts

@@ -0,0 +1,41 @@
+import { bootstrap } from "./bootstrap";
+import { config } from "./config";
+import { ensureArtifactRepository, gcloud, imageUrl, requireCommand, serviceUrl, writeRenderedManifest } from "./lib";
+
+export async function deploy(args = Bun.argv.slice(2)) {
+  requireCommand("gcloud");
+  requireCommand("bun");
+
+  const ci = args.includes("--ci");
+  if (!ci) {
+    await bootstrap();
+  }
+
+  ensureArtifactRepository();
+
+  const image = imageUrl();
+  gcloud(["builds", "submit", "--project", config.projectId, "--region", config.region, "--tag", image]);
+
+  const renderedManifestPath = await writeRenderedManifest(image);
+  gcloud(["run", "services", "replace", renderedManifestPath.pathname, "--project", config.projectId, "--region", config.region]);
+  gcloud([
+    "run",
+    "services",
+    "add-iam-policy-binding",
+    config.serviceName,
+    "--project",
+    config.projectId,
+    "--region",
+    config.region,
+    "--member",
+    "allUsers",
+    "--role",
+    "roles/run.invoker",
+  ]);
+
+  console.log(serviceUrl());
+}
+
+if (import.meta.main) {
+  await deploy();
+}