huy-nguyen / terraform-google-miniflux

Terraform module for the Miniflux feed reader app on Google Cloud Platform
https://registry.terraform.io/modules/huy-nguyen/miniflux/google/latest
MIT License
cloud-sql google-cloud-platform miniflux terraform

Miniflux for Google Cloud Platform (GCP) App Engine

This Terraform module sets up the infrastructure (such as the VPC network and database) to run Miniflux, a free and open-source feed reader, in App Engine on Google Cloud Platform (GCP) in a secure manner.

Below is a diagram of how the infrastructure is set up based on this sample Terraform config:

Cloud infrastructure diagram

The infrastructure requirements to run Miniflux are fairly minimal: a Linux operating system and a PostgreSQL database. The end-user accesses Miniflux through a browser-based user interface served by an App Engine instance on a public IP address.

This setup uses private services access, which allows service providers (Google itself in this case) to provide services (a PostgreSQL database) on internal IP addresses (192.168.16.3). This is a win in terms of security (the database is never exposed to the public internet and its associated risks), performance (communication using private IP addresses has lower latency than that using public IP addresses) and costs (no network egress traffic is charged).

The database's privacy is guaranteed because it actually resides in a completely separate VPC network managed by Google. That VPC network is in turn created by a project also managed by Google. Communication between your project's network and the Google-managed VPC network containing the database is enabled by VPC network peering. To make this peering work, a private IP address range (192.168.16.0/20) is reserved in your VPC network so that Google can use that range to provision an IP address for the database (notice that 192.168.16.3 is within 192.168.16.0/20).

Because the App Engine instance is not part of the VPC network and the database is only reachable via an internal IP address, this module also creates a serverless VPC access connector to allow the App Engine to communicate with the database. You can think of this connector as a tiny network address translation (NAT) machine just for the App Engine instance. (In fact, this connector is priced by Google as "one e2-micro instance per 100 Mbps of throughput".)
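The private networking described above, sketched as Terraform. This is an added example, not the module's own code: resource names, the region, the database version and tier, and the connector's 10.8.0.0/28 range are assumptions, while 192.168.16.0/20 is the reserved range from the text.

```hcl
# Added illustration; resource names, region, version and tier are assumptions.
resource "google_compute_network" "miniflux" {
  name                    = "miniflux-network"
  auto_create_subnetworks = false
}

# Range reserved in your VPC for Google-managed services
# (192.168.16.0/20 in the text); the database IP is allocated from it.
resource "google_compute_global_address" "private_services" {
  name          = "miniflux-private-services"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  address       = "192.168.16.0"
  prefix_length = 20
  network       = google_compute_network.miniflux.id
}

# VPC network peering with the Google-managed network that hosts Cloud SQL.
resource "google_service_networking_connection" "private_services" {
  network                 = google_compute_network.miniflux.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_services.name]
}

# PostgreSQL instance reachable only on its internal IP address.
resource "google_sql_database_instance" "miniflux" {
  name             = "miniflux-db"
  region           = "us-central1"
  database_version = "POSTGRES_12"
  depends_on       = [google_service_networking_connection.private_services]

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = false # no public IP address is assigned
      private_network = google_compute_network.miniflux.id
    }
  }
}

# Serverless VPC access connector that lets App Engine reach the internal IP.
resource "google_vpc_access_connector" "miniflux" {
  name          = "miniflux-connector"
  region        = "us-central1"
  network       = google_compute_network.miniflux.name
  ip_cidr_range = "10.8.0.0/28" # assumed unused /28; must not overlap other ranges
}
```

Setting `ipv4_enabled = false` is what keeps the instance off the public internet, and the `depends_on` makes Terraform create the peering before it provisions the database.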

Note that this Terraform module does not set up App Engine itself, just all the infrastructure that App Engine will need to function properly. However, I've included instructions on how to use the outputs from the module to create the configuration for App Engine.

Prerequisites

Before starting, you will have to enable the following Google APIs in your project:

Ensure that the credentials (e.g. your own account or a service account) used by Terraform are granted the following IAM roles on the project:

Infrastructure provisioning

You can use the provided sample Terraform config as a starting point.

First, ensure that you're authenticated by following these instructions, then run the following commands:

Deployment to App Engine

After deploying this module, you'll need to perform the following steps to get a working version of Miniflux:

runtime: go111
vpc_access_connector:
  name: value of the vpc_access_connector_id output
env_variables:
  CLOUDSQL_CONNECTION_NAME: value of the sql_connection_name output
  CLOUDSQL_USER: value of the sql_instance_user output
  CLOUDSQL_PASSWORD: value of the db_user_password you pass into the module

  CREATE_ADMIN: 1
  ADMIN_USERNAME: pick any name you want for the initial login
  ADMIN_PASSWORD: pick any password you want for the initial login
  RUN_MIGRATIONS: 1
  DATABASE_URL: value of the database_url output. Remember to substitute the placeholder password with the real password i.e. the Terraform input variable "db_user_password"

Now you can navigate to your App Engine's URL and log in with the ADMIN_USERNAME and ADMIN_PASSWORD specified above.