ADR-0025 Use Terraform

Date2021-11-15
StatusAccepted
ReferencesADR-0007 Isolation of Use Cases
ReferencesADR-0016 Authentication and Authorization

Context

In ADR-0007 Isolation of Use Cases we note that the cloud infrastructure for each application will be deployed and managed independently. We note further in ADR-0016 Authentication and Authorization that each deployment will be single tenant. This means that we will have to deploy and configure a Google Cloud Platform (GCP) project per tenant per application. It is therefore important to encode and automate as much of this setup as possible.

Terraform is an infrastructure as code (IaC) tool that allows you to build, change, and version infrastructure safely and efficiently. It has good support for GCP, and has a module system that allows you to build reusable components.

GitLab CI/CD has built-in support for Terraform, including remote state storage and templates for defining pipelines.

Decision

We will use Terraform to manage GCP infrastructure and Firebase projects for each application.

We will implement Terraform modules for the common components.

We will use GitLab CI/CD to run the terraform validate, plan, and apply stages.

We will use GitLab’s managed Terraform state as the storage backend.

We will create a GCP project and service account for Terraform and grant the service account sufficient privileges to manage GCP resources.

We will create a service account key and save this as a Terraform CI/CD variable so it is available to the Terraform pipelines.

Consequences

We will have a set of Terraform manifests recording the desired state of GCP resources; modules for common components will make it easy to create new projects and resources for new tenancies.

Using GitLab CI/CD for deployment means developers do not need to install tooling themselves and do not need privileges for provisioning cloud resources.

There are a couple of shortcomings in Firebase that make it impossible to completely automate the provisioning:

  • Firebase Auth can only be enabled in the web console
  • Google Analytics must also be configured in the web console

Terraform does not yet have support for managing Firebase security rules, but this can be done by defining a null resource with a local provisioner that executes the firebase CLI.

See the sandbox project for an example of a manifest for a Firebase project that uses the url-minter and token-service modules to deploy cloud functions to the project. This has been tested from a ReactJS application to exercise the cloud functions, analytics, cloud storage, and cloud firestore (native mode) using the Firebase Javascript SDK.