Deploy to GCP using Terraform

.dockerignore

@@ -0,0 +1,43 @@
+# Git
+.git
+.gitignore
+
+# CI/CD and infrastructure
+terraform/
+.github/
+
+# Development and test files
+node_modules/
+e2e/
+test/
+playwright-report/
+playwright/
+test-results/
+
+# IDE and editor files
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Logs and temp
+log/*
+tmp/*
+
+# OS files
+.DS_Store
+
+# Documentation
+docs/
+*.md
+
+# Environment files
+.env
+.env.*
+
+# Storage (databases and uploads are created at runtime)
+storage/*
+
+# Playwright MCP
+.playwright-mcp/

.gitignore

@@ -41,3 +41,11 @@
 playwright-report/
 playwright/.auth/
 test-results/
+
+# Terraform
+terraform/.terraform/
+terraform/.terraform.lock.hcl
+terraform/*.tfstate
+terraform/*.tfstate.backup
+terraform/terraform.tfvars
+terraform/.terraform.tfstate.lock.info

Dockerfile

@@ -2,7 +2,7 @@
 
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
 ARG RUBY_VERSION=3.3.5
-FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim as base
+FROM docker.io/library/ruby:$RUBY_VERSION-slim as base
 
 # Rails app lives here
 WORKDIR /rails

terraform/deploy.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deploy Dill to GCP Cloud Run
+#
+# Prerequisites:
+#   - gcloud CLI installed and authenticated (gcloud auth login)
+#   - Docker installed
+#   - Terraform installed
+#   - A GCP project with billing enabled (free tier is sufficient)
+#
+# Usage:
+#   cd terraform
+#   ./deploy.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_DIR="$(dirname "$SCRIPT_DIR")"
+
+# Load terraform variables
+if [ ! -f "$SCRIPT_DIR/terraform.tfvars" ]; then
+  echo "Error: terraform/terraform.tfvars not found."
+  echo "Copy terraform.tfvars.example to terraform.tfvars and fill in your values."
+  exit 1
+fi
+
+# Initialize Terraform and read variables using terraform console to avoid brittle parsing
+(
+  cd "$SCRIPT_DIR"
+  terraform init -input=false >/dev/null
+)
+
+PROJECT_ID=$(cd "$SCRIPT_DIR" && terraform console -input=false -var-file="terraform.tfvars" -execute='var.project_id' | tr -d '\r')
+REGION=$(cd "$SCRIPT_DIR" && terraform console -input=false -var-file="terraform.tfvars" -execute='var.region' | tr -d '\r')
+APP_NAME=$(cd "$SCRIPT_DIR" && terraform console -input=false -var-file="terraform.tfvars" -execute='try(var.app_name, "dill")' | tr -d '\r' || echo "dill")
+if [ -z "$APP_NAME" ] || [ "$APP_NAME" = "dill" ]; then
+  APP_NAME="dill"
+fi
+
+DOCKER_TAG="${REGION}-docker.pkg.dev/${PROJECT_ID}/${APP_NAME}/${APP_NAME}:latest"
+
+echo "==> Deploying ${APP_NAME} to GCP Cloud Run"
+echo "    Project:  ${PROJECT_ID}"
+echo "    Region:   ${REGION}"
+echo "    Image:    ${DOCKER_TAG}"
+echo ""
+
+# Step 1: Provision infrastructure with Terraform
+echo "==> Step 1: Running Terraform to provision infrastructure..."
+cd "$SCRIPT_DIR"
+terraform init
+terraform apply -auto-approve
+cd "$APP_DIR"
+
+# Step 2: Configure Docker to push to Artifact Registry
+echo ""
+echo "==> Step 2: Configuring Docker authentication for Artifact Registry..."
+gcloud auth configure-docker "${REGION}-docker.pkg.dev" --quiet
+
+# Step 3: Build the Docker image
+echo ""
+echo "==> Step 3: Building Docker image..."
+docker build -t "$DOCKER_TAG" "$APP_DIR"
+
+# Step 4: Push the image to Artifact Registry
+echo ""
+echo "==> Step 4: Pushing image to Artifact Registry..."
+docker push "$DOCKER_TAG"
+
+# Step 5: Deploy to Cloud Run (update the service to use the new image)
+echo ""
+echo "==> Step 5: Deploying new image to Cloud Run..."
+gcloud run services update "$APP_NAME" \
+  --region "$REGION" \
+  --image "$DOCKER_TAG" \
+  --project "$PROJECT_ID" \
+  --quiet
+
+# Print the service URL
+echo ""
+echo "==> Deployment complete!"
+SERVICE_URL=$(gcloud run services describe "$APP_NAME" --region "$REGION" --project "$PROJECT_ID" --format='value(status.url)')
+echo "    Application URL: ${SERVICE_URL}"

terraform/main.tf

@@ -0,0 +1,176 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+# Enable required GCP APIs
+resource "google_project_service" "apis" {
+  for_each = toset([
+    "run.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "secretmanager.googleapis.com",
+  ])
+
+  project            = var.project_id
+  service            = each.value
+  disable_on_destroy = false
+}
+
+# Artifact Registry repository for Docker images
+resource "google_artifact_registry_repository" "app" {
+  location      = var.region
+  repository_id = var.app_name
+  format        = "DOCKER"
+  description   = "Docker repository for ${var.app_name}"
+
+  depends_on = [google_project_service.apis]
+}
+
+# Store the Rails master key in Secret Manager
+resource "google_secret_manager_secret" "rails_master_key" {
+  secret_id = "${var.app_name}-rails-master-key"
+
+  replication {
+    auto {}
+  }
+
+  depends_on = [google_project_service.apis]
+}
+
+resource "google_secret_manager_secret_version" "rails_master_key" {
+  secret      = google_secret_manager_secret.rails_master_key.id
+  secret_data = var.rails_master_key
+}
+
+# Service account for Cloud Run
+resource "google_service_account" "cloud_run" {
+  account_id   = "${var.app_name}-run-sa"
+  display_name = "${var.app_name} Cloud Run Service Account"
+}
+
+# Grant the service account access to read the secret
+resource "google_secret_manager_secret_iam_member" "secret_access" {
+  secret_id = google_secret_manager_secret.rails_master_key.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.cloud_run.email}"
+}
+
+# Cloud Run service
+resource "google_cloud_run_v2_service" "app" {
+  name     = var.app_name
+  location = var.region
+
+  deletion_protection = false
+
+  template {
+    service_account = google_service_account.cloud_run.email
+
+    # Scale to zero when idle (free tier friendly)
+    scaling {
+      min_instance_count = 0
+      max_instance_count = 1
+    }
+
+    # Keep costs at zero — use smallest resource allocation
+    containers {
+      image = "${var.region}-docker.pkg.dev/${var.project_id}/${var.app_name}/${var.app_name}:latest"
+
+      ports {
+        container_port = 80
+      }
+
+      resources {
+        limits = {
+          cpu    = "1"
+          memory = "512Mi"
+        }
+        cpu_idle = true # CPU is only allocated during request processing
+      }
+
+      env {
+        name  = "RAILS_ENV"
+        value = "production"
+      }
+
+      env {
+        name  = "DISABLE_SSL"
+        value = "true" # Cloud Run handles SSL termination
+      }
+
+      env {
+        name  = "RAILS_LOG_TO_STDOUT"
+        value = "1"
+      }
+
+      env {
+        name = "RAILS_MASTER_KEY"
+        value_source {
+          secret_key_ref {
+            secret  = google_secret_manager_secret.rails_master_key.secret_id
+            version = "latest"
+          }
+        }
+      }
+
+      # Startup probe — Rails may need time to boot
+      startup_probe {
+        initial_delay_seconds = 5
+        timeout_seconds       = 3
+        period_seconds        = 5
+        failure_threshold     = 10
+        http_get {
+          path = "/up"
+        }
+      }
+
+      # Liveness probe
+      liveness_probe {
+        http_get {
+          path = "/up"
+        }
+      }
+    }
+  }
+
+  depends_on = [
+    google_project_service.apis,
+    google_artifact_registry_repository.app,
+    google_secret_manager_secret_version.rails_master_key,
+  ]
+}
+
+# Make the Cloud Run service publicly accessible
+resource "google_cloud_run_v2_service_iam_member" "public" {
+  project  = google_cloud_run_v2_service.app.project
+  location = google_cloud_run_v2_service.app.location
+  name     = google_cloud_run_v2_service.app.name
+  role     = "roles/run.invoker"
+  member   = "allUsers"
+}
+
+# Optional: Custom domain mapping
+resource "google_cloud_run_domain_mapping" "custom_domain" {
+  count    = var.domain != "" ? 1 : 0
+  location = var.region
+  name     = var.domain
+
+  metadata {
+    namespace = var.project_id
+  }
+
+  spec {
+    route_name = google_cloud_run_v2_service.app.name
+  }
+}

terraform/outputs.tf

@@ -0,0 +1,14 @@
+output "service_url" {
+  description = "The URL of the deployed Cloud Run service"
+  value       = google_cloud_run_v2_service.app.uri
+}
+
+output "artifact_registry_repository" {
+  description = "The Artifact Registry repository URL for pushing Docker images"
+  value       = "${var.region}-docker.pkg.dev/${var.project_id}/${var.app_name}"
+}
+
+output "docker_image_tag" {
+  description = "The full Docker image tag to use when pushing"
+  value       = "${var.region}-docker.pkg.dev/${var.project_id}/${var.app_name}/${var.app_name}:latest"
+}

terraform/terraform.tfvars.example

@@ -0,0 +1,7 @@
+# Copy this file to terraform.tfvars and fill in your values
+project_id       = "your-gcp-project-id"
+region           = "us-central1"
+rails_master_key = "your-rails-master-key-from-config/master.key"
+
+# Optional: set a custom domain
+# domain = "dill.example.com"

terraform/variables.tf

@@ -0,0 +1,28 @@
+variable "project_id" {
+  description = "The GCP project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region for deployment"
+  type        = string
+  default     = "us-central1"
+}
+
+variable "app_name" {
+  description = "Application name used for resource naming"
+  type        = string
+  default     = "dill"
+}
+
+variable "rails_master_key" {
+  description = "Rails master key for decrypting credentials (from config/master.key)"
+  type        = string
+  sensitive   = true
+}
+
+variable "domain" {
+  description = "Custom domain for the application (optional, leave empty to use Cloud Run default URL)"
+  type        = string
+  default     = ""
+}