Skip to content

EQS 81 - Create Proxy Service Infrastructure #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
farres1 wants to merge 41 commits into from
Closed

EQS 81 - Create Proxy Service Infrastructure #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
8a2307c
Add Cloud Build scripts
farres1 Jul 15, 2025
30ad92a
Add Dockerfile
farres1 Jul 15, 2025
6da8c70
Add Uvicorn to pyproject toml
farres1 Jul 15, 2025
556c71d
Add Makefile commands
farres1 Jul 16, 2025
1de423c
Add FastAPI entrypoint and test
farres1 Jul 16, 2025
dd76461
Add sample endpoint
farres1 Jul 16, 2025
06dd218
Add FastAPI to pyproject toml
farres1 Jul 16, 2025
1ca91e5
Merge branch 'main' of https://github.com/ONSdigital/eq-cir-proxy-ser…
farres1 Jul 16, 2025
bd9e7dd
Add extra line
farres1 Jul 16, 2025
5f986a7
Add extra line to Makefile
farres1 Jul 16, 2025
b9ce469
Update cloudbuild scripts
farres1 Jul 22, 2025
413f805
Update waitFor syntax
farres1 Jul 22, 2025
98f10ff
Add logging to build and deploy script
farres1 Jul 22, 2025
496e471
Add lint check
farres1 Jul 24, 2025
d2dcb7a
Update formatting
farres1 Jul 24, 2025
6df9e31
Add logging
farres1 Jul 24, 2025
c2c78a5
Update commands
farres1 Jul 24, 2025
bd1af15
Update install commands
farres1 Jul 24, 2025
9980c3a
Add poetry install command
farres1 Jul 24, 2025
bb2c254
Update poetry install to make install
farres1 Jul 24, 2025
94c683b
Update to install dev
farres1 Jul 24, 2025
61cc860
Separate Megalint
farres1 Jul 24, 2025
1017d2d
Update Megalinter check
farres1 Jul 24, 2025
a52485b
Update Megalinter check
farres1 Jul 24, 2025
5c05dfc
Add test checks
farres1 Jul 24, 2025
73480f0
Add temp test step
farres1 Jul 24, 2025
fa476ae
Move test checks
farres1 Jul 24, 2025
01aa4a0
Remove unused command
farres1 Jul 24, 2025
a1e6043
Add install commands
farres1 Jul 24, 2025
6873830
Run steps in parallel
farres1 Jul 24, 2025
52de81d
Remove running checks in parallel
farres1 Jul 24, 2025
a8a8b4f
Remove lint step from lint and test script
farres1 Jul 24, 2025
8ffc1dd
Add .trivyignore
petechd Jul 31, 2025
18ac0c5
Check poetry version
petechd Aug 4, 2025
381dfae
Add env use
petechd Aug 4, 2025
6472edf
Check env list
petechd Aug 4, 2025
45b6d30
Check poetry lock
petechd Aug 4, 2025
6170148
Adjust order
petechd Aug 4, 2025
6954ae7
Add verbose
petechd Aug 4, 2025
72c9b91
Downgrade to poetry 1.8.3
petechd Aug 4, 2025
f2dc9d8
Add ci config changes
petechd Aug 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,14 @@ jobs:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install Poetry
run: pipx install poetry==2.1.2

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version-file: .python-version
cache: poetry

- name: Install Poetry
run: python -m pip install poetry==2.1.2

- name: Install dependencies
run: make install-dev
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ COPY pyproject.toml poetry.lock /eq_cir_proxy_service/

RUN pip install --no-cache-dir poetry==1.8.4 && \
poetry config virtualenvs.create false && \
poetry install --no-root --with dev
poetry install --no-root --no-dev

COPY eq_cir_proxy_service eq_cir_proxy_service

Expand Down
22 changes: 17 additions & 5 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,6 @@ format: ## Format the code.
poetry run black .
poetry run isort .

.PHONY: run
run: ## Start the local application
export LOG_LEVEL=${LOG_LEVEL} && \
poetry run uvicorn eq_cir_proxy_service.main:app --reload --port 5050

.PHONY: lint
lint: ## Run all linters (black/ruff/pylint/mypy).
poetry run black --check .
Expand Down Expand Up @@ -55,3 +50,20 @@ megalint: ## Run the MegaLinter.
-v /var/run/docker.sock:/var/run/docker.sock:rw \
-v $(shell pwd):/tmp/lint:rw \
oxsecurity/megalinter-python:v8.8.0

.PHONY: run
run: ## Start the local application.
export LOG_LEVEL=${LOG_LEVEL} && \
poetry run uvicorn eq_cir_proxy_service.main:app --reload --port 5050

.PHONY: docker-build
docker-build: ## Build the docker image.
docker build -t cir-proxy-service .

.PHONY: docker-run
docker-run: ## Run the docker container using the built image.
docker run -d -p 5050:5050 --name eq-cir-proxy-service cir-proxy-service

.PHONY: docker-stop-remove
docker-stop-remove: ## Stop and remove the docker container.
docker stop eq-cir-proxy-service && docker rm eq-cir-proxy-service
44 changes: 44 additions & 0 deletions cloudbuild-build-and-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
steps:
Copy link
Contributor

@liamtoozer liamtoozer Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is quite different to the one we have in the converter service: https://github.com/ONSdigital/eq-cir-converter-service/blob/main/cloud-build-on-merge-dev.yaml, and it seems to be named differently? I think the Converter Cloud Build file might have the advantage of being more concise, not relying on shell script for the steps (so might be less error prone), and matches Cloud Build best practices? We should aim for consistency across repos I think?

Copy link

@martyncolmer martyncolmer Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are based of the authors cloudbuild scripts, which have been about for a while and used to be how it was done. We can update this to replace "docker" with "gcr.io/cloud-builders/docker", using the shell entry point does allow us to add log message, but i'm happy to drop those and use the default entry point.

Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if using SHORT_SHA would work as expected for our staging env. In the Terraform, we're setting the latest tag in our staging environment tfvars to allow for continuous delivery/deployment. If we deploy with this particular file, then we would also need to keep updating our tfvars with the SHORT_SHA var each time we want to make a deployment. Using latest tag for this would prevent this I think?

# Builds the Docker image
- name: docker
id: build_proxy_service_image
entrypoint: "sh"
args:
- "-c"
- |
echo "*************************************************************"
echo "* Building Docker image for environment... *"
echo "*************************************************************"
docker build -t "$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:${SHORT_SHA}" .

# Pushes the Docker image to Artifact Registry
- name: docker
id: push_proxy_service_image
entrypoint: "sh"
waitFor:
Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These steps are all run in sequence, so don't think we'd need waitFor at the moment?

Copy link

@martyncolmer martyncolmer Sep 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not needed

- build_proxy_service_image
args:
- "-c"
- |
echo "*************************************************************"
echo "* Pushing Docker image to Artifact Registry... *"
echo "*************************************************************"
docker push "$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:${SHORT_SHA}"

# Deploys the Docker image to Cloud Run
- name: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
id: deploy_proxy_service
entrypoint: "sh"
args:
- "-c"
- |
echo "*************************************************************"
echo "* Deploying Docker image to Cloud Run... *"
echo "*************************************************************"
gcloud run deploy cir-proxy-service \
Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might lose all of the vars we're passing in for our Terraform deployment? E.g. LOG_LEVEL isn't being passed in here

--image "$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:$SHORT_SHA" \
--region europe-west2 \
--platform managed
timeout: 1800s
options:
logging: CLOUD_LOGGING_ONLY
12 changes: 12 additions & 0 deletions cloudbuild-deploy-manual.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
steps:
Copy link
Contributor

@liamtoozer liamtoozer Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be misunderstanding, but I'm not certain what this file is to be used for, as it's not used in the PR linked to this? I'm guessing that this file might be for our formal deployments, as I can see that it's using TAG_NAME? If so, might be worth suffixing the file with -formal.yaml or something to make it clear? We don't have tagging or version control set up yet so bit unsure? Manual Cloud Build triggers can be overridden in our infrastructure with the cloud_build_manual_trigger_for_app_enabled var I think?

Also, I'm not sure if this will preserve the same flags that we use for the Cloud Run deployment config in the infrastructure?

Copy link

@martyncolmer martyncolmer Aug 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this would be for the deployment to prod or anywhere deploy only is required. We are looking to name the scripts after the function they carry out. So maybe cloudbuld-deploy-only.yaml would be an better name.

Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there is currently no reference to this file in our infrastructure repo, does that mean we will be manually creating a deployment trigger in our formal environments which uses this file, outside of the Terraform altogether? If that's the case, we might want to document this somewhere as part of our run books, release strategy documentation, or maybe as a comment in the file?

# Deploys the Docker image with the specified tag to Cloud Run
- name: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
id: deploy_proxy_service
entrypoint: "sh"
args:
- "-c"
- |
gcloud run deploy cir-proxy-service \
Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might lose all of the vars we're passing in for our Terraform deployment? E.g. LOG_LEVEL isn't being passed in here

--image "$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:$TAG_NAME" \
--region europe-west2 \
--platform managed
34 changes: 34 additions & 0 deletions cloudbuild-lint-and-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
steps:
Copy link
Contributor

@liamtoozer liamtoozer Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're going to lint and test in Cloud Build (instead of GitHub Actions), I think we might want to also update this for the Converter Service too?

Also, we're still using GitHub Actions for linting and testing as it stands too?

Copy link

@martyncolmer martyncolmer Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we can do that for convertor too. We did discuss getting this through and review the best approach in a later ticket. At that discussion we can decide if we want to get rid of github actions.

Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay no worries. Just a quick follow up - if we're running linting and testing both in GitHub Actions and in GCP, then it might be worth a temporary comment just to call this out? Otherwise it may be a bit confusing for others if we're intentionally doing both in the interim?

Copy link

@berroar berroar Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had a couple of thoughts about this since it came up during the session, and the pros and cons of running lint/test in cloud build vs actions. From a developer QoL perspective, is it not easier to investigate failing tests within the Pull Request within GitHub rather than having to context switch to GCP and navigating the cloudbuild logs? Could just be me but would be curious to see the opinions of the other devs.

On top of this as commented below, it opens up some issues such as needing to run docker within docker for things like Megalinter, which I believe can potentially be a security vulnerability, and is certainly not best practice. I think we also need to ensure when running megalinter in cloudbuild that it is making use of the same config as when it is running locally.

Copy link

@martyncolmer martyncolmer Sep 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RE the first point, we've had tests in cloud build for a long time now and noone has had issue with switching into GCP to see the test results. For me having all the CI scripts in one place and format, rather than mix of both is preferable.

Copy link

@martyncolmer martyncolmer Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy for the script to be rejigged to remove the SH entry point and to use the default entry point

# Runs Megalinter on the codebase
- name: docker
id: megalint_proxy_service
entrypoint: "sh"
args:
- "-c"
- |
echo "*************************************************************"
echo "* Running Megalinter on the codebase... *"
echo "*************************************************************"
docker run --platform linux/amd64 --rm \
Copy link
Contributor

@liamtoozer liamtoozer Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this build step in Cloud Run is run inside a docker a container already, so this will run a docker container inside another docker container so not sure if this looks quite right?

Copy link

@martyncolmer martyncolmer Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I does look odd, will need to break down what this is doing exactly

Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this be done as a separate piece of work?

Copy link

@martyncolmer martyncolmer Sep 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy for it to be changed to argument based approach with the default entry point, rather than the sh entry point

-v /var/run/docker.sock:/var/run/docker.sock:rw \
-v $(pwd):/tmp/lint:rw \
oxsecurity/megalinter-python:v8.8.0

# Tests the codebase
- name: python:3.12.6
id: test_proxy_service
entrypoint: "sh"
args:
- "-c"
- |
pip install --upgrade pip
pip install poetry==2.1.2
make install-dev
echo "*************************************************************"
echo "* Testing the codebase... *"
echo "*************************************************************"
make test

timeout: 1800s
options:
logging: CLOUD_LOGGING_ONLY
23 changes: 23 additions & 0 deletions cloudbuild-tag-and-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
steps:
# Tags the Docker image with the release tag
- name: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
id: tag_proxy_service_release
entrypoint: /bin/bash
args:
- "-c"
- |
gcloud container images add-tag \
$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:$SHORT_SHA \
Copy link
Contributor

@liamtoozer liamtoozer Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be misunderstanding, but for continuous delivery for our staging env, I would have thought we'd want to tag with latest?

Copy link

@martyncolmer martyncolmer Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This script is tag and deploy. it would be used for release to preprod after a release tag has been set in github

Copy link
Contributor

@liamtoozer liamtoozer Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there is currently no reference to this file in our infrastructure repo, does that mean we will be manually creating a deployment trigger in our formal environments which uses this file, outside of the Terraform altogether? If that's the case, we might want to document this somewhere as part of our run books, release strategy documentation, or maybe as a comment in the file?

$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:$TAG_NAME

# Deploys the Docker image to Cloud Run
- name: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
id: deploy_proxy_service
entrypoint: "sh"
args:
- "-c"
- |
gcloud run deploy cir-proxy-service \
--image "$_EQ_CIR_PROXY_SERVICE_IMAGE_REPO:$TAG_NAME" \
--region europe-west2 \
--platform managed
Loading
Loading