Add terragrunt cfg for OmniGCP

deployment/live/cloudbuild/dev/terragrunt.hcl

@@ -6,8 +6,9 @@ include "root" {
 inputs = merge(
   include.root.locals,
   {
-    cloud_run_service   = "distributor-service-dev"
-    slack_template_json = file("slack.json")
+    distributor_cloud_run_service = "distributor-service-dev"
+    witness_cloud_run_service     = "witness-service-dev"
+    slack_template_json           = file("slack.json")
   }
 )
 

deployment/live/cloudbuild/terragrunt.hcl

@@ -3,9 +3,9 @@ terraform {
 }
 
 locals {
-  project_id  = "checkpoint-distributor"
-  region      = "us-central1"
-  env         = path_relative_to_include()
+  project_id = "checkpoint-distributor"
+  region     = "us-central1"
+  env        = path_relative_to_include()
 }
 
 remote_state {
@@ -18,7 +18,7 @@ remote_state {
     prefix   = "${path_relative_to_include()}-terraform.tfstate"
 
     gcs_bucket_labels = {
-      name  = "terraform_state_storage"
+      name = "terraform_state_storage"
     }
   }
 }

deployment/live/monitoring/ci/terragrunt.hcl

@@ -7,7 +7,7 @@ inputs = merge(
   include.root.locals,
   {
     alert_lt_num_witness_threshold = 0
-    num_expected_devices = 5
+    num_expected_devices           = 5
   }
 )
 

deployment/live/monitoring/dev/terragrunt.hcl

@@ -7,7 +7,7 @@ inputs = merge(
   include.root.locals,
   {
     alert_lt_num_witness_threshold = 0
-    num_expected_devices = 2
+    num_expected_devices           = 2
   }
 )
 

deployment/live/monitoring/prod/terragrunt.hcl

@@ -7,8 +7,8 @@ inputs = merge(
   include.root.locals,
   {
     alert_lt_num_witness_threshold = 10
-    alert_enable_num_witness = false
-    num_expected_devices = 15
+    alert_enable_num_witness       = false
+    num_expected_devices           = 15
   }
 )
 

deployment/live/monitoring/terragrunt.hcl

@@ -19,7 +19,7 @@ remote_state {
     prefix   = "${path_relative_to_include()}/terraform.tfstate"
 
     gcs_bucket_labels = {
-      name  = "terraform_state_storage"
+      name = "terraform_state_storage"
     }
   }
 }

deployment/live/serving/terragrunt.hcl

@@ -3,9 +3,9 @@ terraform {
 }
 
 locals {
-  project_id  = "checkpoint-distributor"
-  region      = "us-central1"
-  env         = path_relative_to_include()
+  project_id    = "checkpoint-distributor"
+  region        = "us-central1"
+  env           = path_relative_to_include()
   witnesses_raw = yamldecode(file("${get_repo_root()}/config/witnesses-${local.env}.yaml"))
   witnessArgs   = [for w in local.witnesses_raw.Witnesses : "--witkey=${w}"]
 }
@@ -20,7 +20,7 @@ remote_state {
     prefix   = "${path_relative_to_include()}/terraform.tfstate"
 
     gcs_bucket_labels = {
-      name  = "terraform_state_storage"
+      name = "terraform_state_storage"
     }
   }
 }

deployment/live/witness/README.md

@@ -0,0 +1,27 @@
+# Witness deployment
+
+The directories under here contain the top-level terragrunt files for the deployment environments.
+
+In all cases, before deploying for the first time, you MUST have created the witness `private` key
+and stored it in Secret Manager, or the `terragrunt apply` will fail.
+
+> [!Note]
+> While the witness binary itself doesn't need the `public` key, *you will* in order to share it
+> with others.
+
+Below is a `bash` snippet which will generate and store both the public and private key in Secret
+Manager under secrets called `witness_public_XXX` and `witness_secret_XXX` respectively, where
+```XXX``` is the name of the target deployment environment.
+
+```bash
+$ export TARGET="dev" # This MUST match the name of the directory you're deploying
+$ export WITNESS_NAME="..." # This is the witness name we're generating keys for. It should follow the schemaless-url recommendation from `tlog-witness`.
+$ go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD \
+    --key_name="${WITNESS_NAME}" \
+    --print | 
+    tee >(grep -v PRIVATE | gcloud secrets create witness_public_${TARGET} --data-file=-) | 
+    grep PRIVATE | 
+    gcloud secrets create witness_secret_${TARGET} --data-file=- 
+Created version [1] of the secret [witness_public_dev].
+Created version [1] of the secret [witness_secret_dev].
+```

deployment/live/witness/dev/terragrunt.hcl

@@ -0,0 +1,13 @@
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+}
+
+inputs = merge(
+  include.root.locals,
+  {
+    witness_docker_image = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest"
+    ephemeral = true
+  }
+)
+

deployment/live/witness/root.hcl

@@ -0,0 +1,24 @@
+terraform {
+  source = "${get_repo_root()}/deployment/modules/witness"
+}
+
+locals {
+  project_id = "checkpoint-distributor"
+  region     = "us-central1"
+  env        = path_relative_to_include()
+}
+
+remote_state {
+  backend = "gcs"
+
+  config = {
+    project  = local.project_id
+    location = local.region
+    bucket   = "${local.project_id}-witness-${local.env}-terraform-state"
+    prefix   = "${path_relative_to_include()}/terraform.tfstate"
+
+    gcs_bucket_labels = {
+      name = "terraform_state_storage"
+    }
+  }
+}

deployment/modules/cloudbuild/main.tf

@@ -30,7 +30,8 @@ resource "google_artifact_registry_repository" "distributor_docker" {
 
 locals {
   artifact_repo = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.distributor_docker.name}"
-  docker_image  = "${local.artifact_repo}/distributor"
+  distributor_docker_image  = "${local.artifact_repo}/distributor"
+  witness_docker_image  = "${local.artifact_repo}/witness"
 }
 
 resource "google_cloudbuild_trigger" "distributor_docker" {
@@ -51,8 +52,8 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "build",
-        "-t", "${local.docker_image}:$SHORT_SHA",
-        "-t", "${local.docker_image}:latest",
+        "-t", "${local.distributor_docker_image}:$SHORT_SHA",
+        "-t", "${local.distributor_docker_image}:latest",
         "-f", "./cmd/Dockerfile",
         "."
       ]
@@ -62,7 +63,7 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
       args = [
         "push",
         "--all-tags",
-        local.docker_image
+        local.distributor_docker_image
       ]
     }
     # Deploy container image to Cloud Run
@@ -72,9 +73,9 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
       args = [
         "run",
         "deploy",
-        var.cloud_run_service,
+        var.distributor_cloud_run_service,
         "--image",
-        "${local.docker_image}:$SHORT_SHA",
+        "${local.distributor_docker_image}:$SHORT_SHA",
         "--region",
         var.region
       ]
@@ -109,22 +110,22 @@ resource "google_cloudbuild_trigger" "distributor_docker_tag" {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "pull",
-        "${local.docker_image}:$SHORT_SHA",
+        "${local.distributor_docker_image}:$SHORT_SHA",
       ]
     }
     step {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "tag",
-        "${local.docker_image}:$SHORT_SHA",
-        "${local.docker_image}:$TAG_NAME",
+        "${local.distributor_docker_image}:$SHORT_SHA",
+        "${local.distributor_docker_image}:$TAG_NAME",
       ]
     }
     step {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "push",
-        "${local.docker_image}:$TAG_NAME",
+        "${local.distributor_docker_image}:$TAG_NAME",
       ]
     }
     options {
@@ -133,6 +134,107 @@ resource "google_cloudbuild_trigger" "distributor_docker_tag" {
   }
 }
 
+resource "google_cloudbuild_trigger" "witness_docker" {
+  name            = "build-witness-docker-${var.env}"
+  service_account = google_service_account.cloudbuild_service_account.id
+  location        = var.region
+
+  github {
+    owner = "transparency-dev"
+    name  = "witness"
+    push {
+      branch = "^main$"
+    }
+  }
+
+  build {
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "build",
+        "-t", "${local.witness_docker_image}:$SHORT_SHA",
+        "-t", "${local.witness_docker_image}:latest",
+        "-f", "./cmd/gcp/omniwitness/Dockerfile",
+        "."
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "push",
+        "--all-tags",
+        local.witness_docker_image
+      ]
+    }
+    # Deploy container image to Cloud Run
+    step {
+      name       = "gcr.io/google.com/cloudsdktool/cloud-sdk"
+      entrypoint = "gcloud"
+      args = [
+        "run",
+        "deploy",
+        var.witness_cloud_run_service,
+        "--image",
+        "${local.witness_docker_image}:$SHORT_SHA",
+        "--region",
+        var.region
+      ]
+    }
+    options {
+      logging = "CLOUD_LOGGING_ONLY"
+    }
+  }
+}
+
+# When a new tag is pushed to GitHub, add that tag to the docker
+# image that was already pushed to the repo for the corresponding
+# commit hash.
+# This requires that the above step has already completed, but that
+# seems like a fair assumption given that we'd have deployed it in ci
+# before tagging it.
+resource "google_cloudbuild_trigger" "witness_docker_tag" {
+  name            = "tag-witness-docker-${var.env}"
+  service_account = google_service_account.cloudbuild_service_account.id
+  location        = var.region
+
+  github {
+    owner = "transparency-dev"
+    name  = "witness"
+    push {
+      tag = ".*"
+    }
+  }
+
+  build {
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "pull",
+        "${local.witness_docker_image}:$SHORT_SHA",
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "tag",
+        "${local.witness_docker_image}:$SHORT_SHA",
+        "${local.witness_docker_image}:$TAG_NAME",
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "push",
+        "${local.witness_docker_image}:$TAG_NAME",
+      ]
+    }
+    options {
+      logging = "CLOUD_LOGGING_ONLY"
+    }
+  }
+}
+
+
 resource "google_service_account" "cloudbuild_service_account" {
   account_id   = "cloudbuild-${var.env}-sa"
   display_name = "Service Account for CloudBuild (${var.env})"

deployment/modules/cloudbuild/outputs.tf

@@ -29,7 +29,12 @@ output "cloudbuild_trigger_id" {
   value       = google_cloudbuild_trigger.distributor_docker.id
 }
 
-output "docker_image" {
-  description = "The address of the docker image that will be built"
-  value       = local.docker_image
+output "distributor_docker_image" {
+  description = "The address of the distributor docker image that will be built"
+  value       = local.distributor_docker_image
+}
+
+output "witness_docker_image" {
+  description = "The address of the witness docker image that will be built"
+  value       = local.witness_docker_image
 }

deployment/modules/cloudbuild/variables.tf

@@ -29,8 +29,13 @@ variable "env" {
   type        = string
 }
 
-variable "cloud_run_service" {
-  description = "The name of the cloud run service that new images should be pushed to"
+variable "distributor_cloud_run_service" {
+  description = "The name of the cloud run service running the distributor that new distributor images should be pushed to"
+  type        = string
+}
+
+variable "witness_cloud_run_service" {
+  description = "The name of the cloud run service running the witness that new witness images should be pushed to"
   type        = string
 }