Multi Region REST Service on GCP with OIDC-secured Image Publishing from GitHub Actions
I learn best by doing. And recently, most of the projects I’ve been building are either REST or gRPC-based services deployed as container images into Cloud Run on GCP. That means that I increasingly find myself recreating a lot of the same infra and app deployment flows.
Over time, the stack for these services also started getting more complex: multi-region deployment in Cloud Run, fronted by a Load Balancer with a custom domain and SSL cert, throttled by Cloud Armor policies, and pushing images to GCR from GitHub Actions without the need to provision service account keys.
So, over the holidays, I decided to automate the provisioning of the entire stack in a GitHub template project so I can quickly bootstrap new services, in a more reproducible fashion, and focus on actually writing the code, not tweaking the infra.
Here is what’s included:
- Cloud Run service provisioning
  - Configured in an n number of regions with
    - Custom identity (service account)
    - Sample Secret Manager-based variable
    - Configurable capacity and autoscaling strategy
    - Accessible only by Internal and Load Balancer traffic (no external access)
- HTTPS Load Balancer with external IP and
  - Custom domain with SSL certificate
  - Cloud Armor policies for throttling and Canary CVE
  - Serverless NEGs config for Cloud Run service in each region
- Dev and Ops Configuration for
  - Container registry (GCR)
  - Service uptime and SSL cert expiration alerts
  - OIDC-based Workload Identity Pool short-lived credentials provider for GitHub Actions
  - Service logging with GCS bucket sink
- Local test, lint, and validate actions using Makefile
- GitHub Actions to test each PR and container image build/publish to GCR on git tag
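To make the keyless publishing item above concrete, here is a sketch of a tag-triggered workflow that trades the GitHub OIDC token for short-lived Google credentials and pushes to GCR. It is an added example, not the workflow from the template repo; the project ID, pool and provider names, service account, and image name are placeholders.

```yaml
# Added example, not the template repo's workflow.
# Every value in the env block is a placeholder.
name: publish-image

on:
  push:
    tags: ["v*"]            # build and publish only on git tag

permissions:
  contents: read
  id-token: write           # required so the job can request a GitHub OIDC token

env:
  PROJECT_ID: my-project    # placeholder
  WIF_PROVIDER: projects/123456789/locations/global/workloadIdentityPools/github-pool/providers/github-provider  # placeholder
  PUBLISHER_SA: publisher@my-project.iam.gserviceaccount.com  # placeholder

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for short-lived Google credentials
      # through the Workload Identity Pool provider. No service account key
      # is stored in the repository or its secrets.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.PUBLISHER_SA }}

      - uses: google-github-actions/setup-gcloud@v2

      - name: Configure Docker for GCR
        run: gcloud auth configure-docker gcr.io --quiet

      - name: Build and push
        run: |
          IMAGE="gcr.io/${PROJECT_ID}/app:${GITHUB_REF_NAME}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

On the GCP side, the trust boundary is the provider's attribute condition and the `roles/iam.workloadIdentityUser` binding on the service account. Scope both to the specific repository (for example via the `attribute.repository` mapping) so that workflows in other repositories cannot impersonate the publisher account.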
The template project also includes Go source code for a very rudimentary REST service based on the gin framework to expedite bootstrapping new app development:
- [GET] Request info - client request, headers and environment variables
- [POST] Echo message - simple echo message
You can find the prerequisites and deployment instructions in the repo README. I hope you find it as helpful as I do.