feat: Update secret manager configuration and add IAM role for Secret… #29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Terraform CI/CD with ADK Infrastructure' | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| terraform: | |
| name: 'Terraform' | |
| runs-on: ubuntu-latest | |
| env: | |
| TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| TF_VAR_region: ${{ secrets.GCP_REGION }} | |
| TF_VAR_environment: ${{ secrets.GCP_ENVIRONMENT }} | |
| TF_VAR_gemini_api_key: ${{ secrets.GEMINI_API_KEY }} | |
| TF_VAR_github_owner: ${{ github.repository_owner }} | |
| TF_VAR_github_repo_name: ${{ github.event.repository.name }} | |
| TF_VAR_deployment_branch: ${{ github.ref_name }} | |
| steps: | |
| - name: 'Checkout' | |
| uses: actions/checkout@v4 | |
| - name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' | |
| - name: 'Set up Google Cloud SDK' | |
| uses: 'google-github-actions/setup-gcloud@v2' | |
| - name: 'Set up Terraform' | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: latest | |
| - name: 'Terraform Init' | |
| id: init | |
| run: | | |
| terraform init \ | |
| -backend-config="bucket=${{ secrets.GCP_PROJECT_ID }}-terraform-state" | |
| working-directory: ./terraform | |
| - name: 'Terraform Validate' | |
| id: validate | |
| run: terraform validate -no-color | |
| working-directory: ./terraform | |
| - name: 'Terraform Plan' | |
| id: plan | |
| run: terraform plan -no-color -input=false -out=tfplan | |
| working-directory: ./terraform | |
| if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') | |
| - name: 'Terraform Apply' | |
| id: apply | |
| run: terraform apply -auto-approve -input=false tfplan | |
| working-directory: ./terraform | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| - name: 'Output Service Account Information' | |
| id: output_sa | |
| run: | | |
| echo "=== Core Service Accounts ===" | |
| echo "GitHub Actions Service Account: $(terraform output -raw github_actions_service_account_email)" | |
| echo "Cloud Function Service Account: $(terraform output -raw cloud_function_service_account_email)" | |
| echo "" | |
| echo "=== ADK Service Accounts ===" | |
| echo "ADK Agent Service Account: $(terraform output -raw adk_agent_service_account_email)" | |
| echo "BigQuery ML Agent Service Account: $(terraform output -raw bqml_agent_service_account_email)" | |
| echo "Vertex AI Agent Service Account: $(terraform output -raw vertex_agent_service_account_email)" | |
| echo "" | |
| echo "=== ADK Infrastructure ===" | |
| echo "Titanic Dataset: $(terraform output -raw titanic_dataset_id)" | |
| echo "ADK Artifacts Bucket: $(terraform output -raw adk_artifacts_bucket)" | |
| echo "Gemini API Secret: $(terraform output -raw gemini_api_key_secret_name)" | |
| working-directory: ./terraform | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| - name: 'Check BigQuery Dataset and Load Titanic Data' | |
| id: bigquery_check | |
| run: | | |
| chmod +x ../scripts/check_and_load_titanic_data.sh | |
| ../scripts/check_and_load_titanic_data.sh ${{ secrets.GCP_PROJECT_ID }} | |
| working-directory: ./terraform | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' |