libops/cloud-compose


cloud-compose

Deploy a docker compose project to a Google Cloud Compute Instance.

Optional VM APIs:

  • Rollout API exposes authenticated deployment rollout triggers for the compose project.
  • Managed Runtime keeps sitectl, sitectl plugins, and LibOps-side support services up to date on the VM.
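A minimal invocation, added here as a usage example (this block is not from the module repository): it wires up a production site with SSH limited to one bastion address, daily snapshots and the optional rollout API, plus a staging site seeded from the production data-disk snapshot. The module `source` ref, project identifiers, repository URL, CIDRs, JWKS issuer, audience, custom claim, release URL and checksum are placeholders, not values from this page.

```hcl
# Added usage example; placeholders marked "assumed" are not real identifiers.

module "ojs_production" {
  # Module address and ref are assumed; pin to a tagged release in practice.
  source = "git::https://github.com/libops/cloud-compose?ref=main"

  name           = "ojs-production"
  project_id     = "example-project" # assumed
  project_number = "123456789012"    # assumed
  region         = "us-east5"
  zone           = "us-east5-b"

  docker_compose_repo   = "https://github.com/example-org/ojs-compose.git" # assumed
  docker_compose_branch = "main"

  # Host tooling kept current by the managed runtime updater.
  sitectl_packages = ["sitectl"]
  sitectl_version  = "latest" # prefer a tested release tag for production

  # SSH only from a bastion; docker-group users are root-equivalent on the host.
  allowed_ssh_ipv4 = ["203.0.113.10/32"] # assumed bastion address
  users = {
    "alice" = ["ssh-ed25519 AAAA... alice@example"] # placeholder key
  }

  # Daily and weekly snapshots of the data disk.
  run_snapshots = true

  # Optional rollout API: bearer JWTs checked against a JWKS and audience,
  # reachable only from the listed VPC ranges. All values below are assumed.
  rollout_enabled        = true
  rollout_jwks_uri       = "https://token.actions.githubusercontent.com/.well-known/jwks"
  rollout_jwt_audience   = "cloud-compose-rollout"
  rollout_custom_claims  = jsonencode({ repository = "example-org/ojs-compose" })
  rollout_allowed_ipv4   = ["10.0.0.0/8"]
  rollout_release_url    = "https://example.com/releases/rollout-linux-amd64"
  rollout_release_sha256 = "REPLACE_WITH_LOWERCASE_SHA256" # placeholder
}

module "ojs_staging" {
  source = "git::https://github.com/libops/cloud-compose?ref=main" # assumed

  name           = "ojs-staging"
  project_id     = "example-project" # assumed
  project_number = "123456789012"    # assumed

  docker_compose_repo   = "https://github.com/example-org/ojs-compose.git" # assumed
  docker_compose_branch = "develop"                                        # assumed

  # Non-production: the default lifecycle commands also run `sitectl verify`.
  sitectl_environment = "staging"

  # Overlay the newest production data-disk snapshot: production data is the
  # read-only lower layer, staging writes land in the upper layer.
  overlay_source_instance = "ojs-production"
  volume_names            = ["compose_ojs-public"]
}
```

Leaving `allowed_ssh_ipv4` and `allowed_ssh_ipv6` at their empty defaults keeps SSH closed; the rollout port stays reachable only from `rollout_allowed_ipv4`, so the JWT check is the second layer rather than the only one.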

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2.4 |
| cloudinit | ~> 2.3 |
| google | ~> 7.0 |
| time | ~> 0.14 |

Providers

| Name | Version |
|------|---------|
| cloudinit | 2.4.0 |
| google | 7.34.0 |
| time | 0.14.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| ppb | git::https://github.com/libops/terraform-cloudrun-v2 | 0.5.3 |

Resources

| Name | Type |
|------|------|
| google_artifact_registry_repository_iam_member.private-policy-cloud-compose | resource |
| google_compute_disk.boot | resource |
| google_compute_disk.data | resource |
| google_compute_disk.docker-volumes | resource |
| google_compute_disk.overlay_disk | resource |
| google_compute_disk_resource_policy_attachment.daily_snapshot | resource |
| google_compute_disk_resource_policy_attachment.weekly_snapshot | resource |
| google_compute_firewall.allow_rollout_ipv4 | resource |
| google_compute_firewall.allow_ssh_ipv4 | resource |
| google_compute_firewall.allow_ssh_ipv6 | resource |
| google_compute_instance.cloud-compose | resource |
| google_compute_resource_policy.daily_snapshot | resource |
| google_compute_resource_policy.weekly_snapshot | resource |
| google_project_iam_member.gce-start | resource |
| google_project_iam_member.gce-suspend | resource |
| google_project_iam_member.log | resource |
| google_project_iam_member.stackdriver | resource |
| google_service_account.app | resource |
| google_service_account.cloud-compose | resource |
| google_service_account.internal-services | resource |
| google_service_account.ppb | resource |
| google_service_account_iam_member.app-keys | resource |
| google_service_account_iam_member.gsa-user | resource |
| google_service_account_iam_member.internal-services-keys | resource |
| google_service_account_iam_member.self_jwt_signer_policy | resource |
| google_service_account_iam_member.token-creator | resource |
| time_static.snapshot_time_static | resource |
| cloudinit_config.ci | data source |
| google_compute_snapshot.latest_prod | data source |
| google_project_iam_custom_role.gce-start | data source |
| google_project_iam_custom_role.gce-suspend | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| docker_compose_repo | git repo to check out that contains a docker compose project | `string` | n/a | yes |
| name | The site name (will be the name of the GCP instance) | `string` | n/a | yes |
| project_id | The GCP project ID | `string` | n/a | yes |
| project_number | The GCP project number | `string` | n/a | yes |
| allowed_ips | CIDR IP addresses allowed to turn on this site's GCP instance | `list(string)` | `[]` | no |
| allowed_ssh_ipv4 | CIDR IPv4 addresses allowed to SSH into this site's GCP instance | `list(string)` | `[]` | no |
| allowed_ssh_ipv6 | CIDR IPv6 addresses allowed to SSH into this site's GCP instance | `list(string)` | `[]` | no |
| artifact_registry_location | Artifact Registry location for var.artifact_registry_repository. | `string` | `"us"` | no |
| artifact_registry_repository | Optional Artifact Registry repository name to grant the VM service account reader access to. Leave empty to skip creating the IAM binding. | `string` | `""` | no |
| disk_size_gb | Data disk size in GB | `number` | `50` | no |
| disk_type | The disk type for disks attached to the machine | `string` | `"hyperdisk-balanced"` | no |
| docker_compose_branch | git branch to check out for var.docker_compose_repo | `string` | `"main"` | no |
| docker_compose_down | Command to stop the docker compose project | `list(string)` | <pre>[<br>  "sitectl compose --context \"${SITECTL_CONTEXT_NAME}\" down"<br>]</pre> | no |
| docker_compose_init | After cloning the docker compose git repo, any initialization that needs to happen before the docker compose project can start. One command per list value | `list(string)` | <pre>[<br>  "sitectl config set-context \"${SITECTL_CONTEXT_NAME}\" --type local --project-dir \"${DOCKER_COMPOSE_DIR}\" --site \"${GCP_INSTANCE_NAME}\" --plugin \"${SITECTL_PLUGIN}\" --environment \"${SITECTL_ENVIRONMENT}\" --project-name \"${GCP_INSTANCE_NAME}\" --compose-project-name \"${COMPOSE_PROJECT_NAME}\" --docker-socket /var/run/docker.sock --env-file .env --default"<br>]</pre> | no |
| docker_compose_rollout | Command to roll out a new git ref for the docker compose project. The optional rollout service sets GIT_REF/GIT_BRANCH from the trigger request; the default falls back to var.docker_compose_branch, then `main`. | `list(string)` | <pre>[<br>  "TARGET_REF=\"${GIT_REF:-${GIT_BRANCH:-${DOCKER_COMPOSE_BRANCH:-main}}}\"",<br>  "if [ -x ./scripts/rollout.sh ]; then ./scripts/rollout.sh; else sitectl deploy --context \"${SITECTL_CONTEXT_NAME}\" --branch \"$TARGET_REF\"; fi",<br>  "sitectl healthcheck --context \"${SITECTL_CONTEXT_NAME}\" --persist --timeout \"${SITECTL_HEALTHCHECK_TIMEOUT}\" --interval \"${SITECTL_HEALTHCHECK_INTERVAL}\"",<br>  "if [ \"${SITECTL_ENVIRONMENT}\" != \"production\" ]; then sitectl verify --context \"${SITECTL_CONTEXT_NAME}\" ${SITECTL_VERIFY_ARGS:-}; fi"<br>]</pre> | no |
| docker_compose_up | Command to start the docker compose project | `list(string)` | <pre>[<br>  "sitectl deploy --context \"${SITECTL_CONTEXT_NAME}\" --skip-git",<br>  "sitectl healthcheck --context \"${SITECTL_CONTEXT_NAME}\" --persist --timeout \"${SITECTL_HEALTHCHECK_TIMEOUT}\" --interval \"${SITECTL_HEALTHCHECK_INTERVAL}\"",<br>  "if [ \"${SITECTL_ENVIRONMENT}\" != \"production\" ]; then sitectl verify --context \"${SITECTL_CONTEXT_NAME}\" ${SITECTL_VERIFY_ARGS:-}; fi",<br>  "sitectl compose --context \"${SITECTL_CONTEXT_NAME}\" logs -f"<br>]</pre> | no |
| frontend | Optional frontend container to deploy as a sidecar next to ppb. When set, ppb continues to power on and ping the VM referenced by machineMetadata, but proxies incoming requests to this container on localhost instead of to the VM. Use this to serve a frontend from Cloud Run while keeping backend services on the VM. | <pre>object({<br>  image  = string<br>  port   = optional(number, 8080)<br>  cpu    = optional(string, "1000m")<br>  memory = optional(string, "1Gi")<br>})</pre> | `null` | no |
| ingress_port | TCP port on the VM that the Cloud Run ingress should connect to. | `number` | `80` | no |
| initcmd | Commands to run before /home/cloud-compose/run.sh | `list(string)` | `[]` | no |
| libops_cadvisor_image | Container image used for the internal cAdvisor service. | `string` | `"ghcr.io/google/cadvisor:v0.57.0@sha256:e75bdb03b74b0b6995f208f166fead2e6e555dde73e44200113bb26f41b1981d"` | no |
| libops_cap_image | Container image used for the internal CAP metrics service. | `string` | `"ghcr.io/libops/cap:main"` | no |
| libops_internal_services_auto_update | Whether the managed runtime updater should pull and restart the internal LibOps compose project. | `bool` | `true` | no |
| libops_lightsout_image | Container image used for the internal lightsout service. | `string` | `"ghcr.io/libops/lightsout:main"` | no |
| libops_managed_artifacts | Additional LibOps-managed files or binaries to download, verify against `sha256`, install, and optionally restart with the managed runtime updater. | <pre>list(object({<br>  name    = string<br>  url     = string<br>  sha256  = string<br>  path    = string<br>  mode    = optional(string, "0755")<br>  owner   = optional(string, "root")<br>  group   = optional(string, "root")<br>  restart = optional(string, "")<br>}))</pre> | `[]` | no |
| libops_managed_runtime_enabled | Install and periodically update LibOps-managed host tools and internal VM services. | `bool` | `true` | no |
| machine_type | VM machine type (general-purpose series that support Hyperdisk Balanced) | `string` | `"n4-standard-2"` | no |
| os | The host OS to install on the GCP instance | `string` | `"cos-125-19216-220-185"` | no |
| overlay_source_instance | Name of the production instance to get the latest snapshot from (e.g., 'ojs-production'). Terraform will automatically use the most recent snapshot from this instance's data disk. Leave empty for production environments. | `string` | `""` | no |
| region | GCP region for resources | `string` | `"us-east5"` | no |
| rollout_allowed_ipv4 | CIDR IPv4 ranges allowed to reach the rollout service port. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
| rollout_custom_claims | Optional JSON object of additional JWT claims required by the rollout service. | `string` | `""` | no |
| rollout_enabled | Install and run the optional generic rollout HTTP service on the VM. | `bool` | `false` | no |
| rollout_jwks_uri | JWKS URI used by the rollout service to validate bearer JWTs. | `string` | `""` | no |
| rollout_jwt_audience | JWT audience required by the rollout service. | `string` | `""` | no |
| rollout_port | TCP port exposed by the optional rollout service. | `number` | `8081` | no |
| rollout_release_sha256 | Lowercase SHA256 checksum for var.rollout_release_url. | `string` | `""` | no |
| rollout_release_url | HTTPS URL for the pinned rollout Linux binary. | `string` | `""` | no |
| rootfs | Path to additional rootfs files to copy into the VM. Files will be merged with the base rootfs. Example: '/path/to/custom/rootfs' | `string` | `""` | no |
| run_snapshots | Enable daily snapshots of the data disk (recommended for production). The last seven days of daily snapshots are kept, plus weekly snapshots for the past year. | `bool` | `false` | no |
| runcmd | Additional commands to run during cloud-init. Commands are executed after the main initialization. | `list(string)` | `[]` | no |
| service_account_email | Existing service account email for the VM. When empty, this module creates one. | `string` | `""` | no |
| sitectl_context_name | Sitectl context name to create on the VM. Defaults to var.name. | `string` | `""` | no |
| sitectl_environment | Sitectl environment label. Production runs healthcheck only by default; non-production also runs sitectl verify. | `string` | `"production"` | no |
| sitectl_healthcheck_interval | Interval passed to sitectl healthcheck --interval in default lifecycle commands. | `string` | `"15s"` | no |
| sitectl_healthcheck_timeout | Timeout passed to sitectl healthcheck --timeout in default lifecycle commands. | `string` | `"10m"` | no |
| sitectl_packages | LibOps GitHub release package names to install and keep updated on the VM. Include plugin packages such as sitectl-isle or sitectl-wp as needed. | `list(string)` | <pre>[<br>  "sitectl"<br>]</pre> | no |
| sitectl_plugin | Sitectl plugin id to associate with the VM context. | `string` | `"core"` | no |
| sitectl_verify_args | Additional arguments appended to sitectl verify by the default non-production lifecycle commands. | `list(string)` | `[]` | no |
| sitectl_version | Sitectl release tag to install for sitectl packages, or `latest` to follow https://github.com/libops/sitectl/releases/latest. | `string` | `"latest"` | no |
| users | Map of usernames to lists of SSH public keys. Users will be created with docker group membership; docker group members can drive the Docker daemon, which is root-equivalent on the host, so treat these keys as administrator credentials. Example: `{ "alice" = ["ssh-rsa AAAA..."], "bob" = ["ssh-ed25519 AAAA...", "ssh-rsa BBBB..."] }` | `map(list(string))` | `{}` | no |
| volume_names | List of docker volumes to overlay from the production snapshot (e.g., ['compose_ojs-public']). Production data is mounted read-only as the lower layer; staging writes go to the upper layer. | `list(string)` | `[]` | no |
| zone | GCP zone for resources | `string` | `"us-east5-b"` | no |
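The `libops_managed_artifacts` entries and the `rollout_release_url`/`rollout_release_sha256` pair pin each binary to an HTTPS URL plus a lowercase SHA-256. The script below is an added example of the verify-before-install step those inputs imply; it is not the module's own managed runtime updater, whose exact behaviour (including what `restart` does) this page does not document. It assumes `curl`, `sha256sum`, `install` and `systemctl` are available and treats `restart` as a systemd unit name; absolute local paths are accepted only so the example can run offline.

```sh
#!/bin/sh
# Added example of the verify-before-install step implied by
# libops_managed_artifacts and rollout_release_sha256. This is NOT the
# module's own updater. Assumed: curl, sha256sum, install and systemctl
# exist, and "restart" names a systemd unit (the page does not define it).
set -eu

# fetch_artifact URL DEST
# HTTPS only, matching the module's "HTTPS URL" inputs; an absolute local
# path is also accepted so the example runs without network access.
fetch_artifact() {
  case "$1" in
    https://*) curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1" ;;
    /*)        cp "$1" "$2" ;;
    *)         echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# verify_sha256 FILE EXPECTED
# Succeeds only if EXPECTED is a 64-character lowercase hex digest that
# matches FILE (the module documents the checksum as lowercase).
verify_sha256() {
  case "$2" in *[!0-9a-f]*|'') return 1 ;; esac
  [ "${#2}" -eq 64 ] || return 1
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# install_artifact URL EXPECTED_SHA256 PATH [MODE] [OWNER] [GROUP] [RESTART_UNIT]
# Downloads to a temp file, verifies, then installs atomically: install(1)
# writes under a temp name and renames, so a partial or tampered file is
# never visible at PATH.
install_artifact() {
  url=$1; expected=$2; dest=$3
  mode=${4:-0755}; owner=${5:-root}; group=${6:-root}; restart=${7:-}

  tmp=$(mktemp "${TMPDIR:-/tmp}/artifact.XXXXXX")
  if ! fetch_artifact "$url" "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url; not installing" >&2
    rm -f "$tmp"; return 1
  fi

  if [ "$(id -u)" -eq 0 ]; then
    install -m "$mode" -o "$owner" -g "$group" "$tmp" "$dest"
  else
    install -m "$mode" "$tmp" "$dest"   # unprivileged run: chown skipped
  fi
  rm -f "$tmp"

  [ -z "$restart" ] || systemctl restart "$restart"
}
```

The digest check rejects uppercase hex and anything that is not exactly 64 hex characters, so a mis-pasted value fails closed instead of silently comparing unequal; a mismatch removes the download and leaves any previously installed binary at `PATH` untouched.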

Outputs

| Name | Description |
|------|-------------|
| appGsa | The Google Service Account the app can use to authenticate to other Google services |
| backend | Backend service ID for attaching the Cloud Run ingress to an external HTTPS load balancer. |
| external_ip | The Google Compute instance external IPv4 address. |
| instance | The Google Compute instance ID, name, zone, data disk, and GSA for the instance. |
| instance_id | The Google Compute instance ID. |
| internal_ip | The Google Compute instance internal IPv4 address. |
| rollout | Optional rollout API endpoint details. The URL is the VPC-internal endpoint. |
| serviceGsa | The Google Service Account that the internal services managing the VM run as |
| urls | Cloud Run ingress URLs by region. |
