
Deploy Management API to GCP

Introduction

To deploy and run the Site Management API on Google Cloud Platform, three services are needed:

1. PostgreSQL database
2. Policy Decision Point (from Permit.io)
3. Site Management API

Every service needs specific configurations as described below.

Assumptions

  • A GCP account that is set up
  • A configured VPC that contains at least one subnet to be used by the services
  • A container for the Site Management API is created and uploaded to the GCP registry

PostgreSQL database

For the database, we can make use of the management SQL service from GCP. Choose PostgreSQL 15.

We want the database to be reachable only from within the GCP network, plus a small set of authorized networks (for local database access). When creating the database, open "Show Configuration Options" and expand the "Connections" accordion item. To configure VPC access, check "Private IP" and select the VPC to use. "Public IP" is checked by default, but public access to the database must be restricted: add authorized networks, for example the office's IP address, so that only those addresses can reach the public IP.

Application secrets

We can make use of the GCP Secret Manager to store and manage the secrets needed to run the applications. Make sure to add all the secrets as defined here.

Policy Decision Point (PDP)

Permit provides documentation on how to deploy and run the PDP in GCP here. The following settings differ from that documentation:

  • The environment variable needed for this is PDP_API_KEY, which should be referenced from the GCP Secret Manager rather than "hardcoded" as a literal value.
  • Name: permit-pdp
  • Ingress control: Internal

Once configured and once the service is created, Cloud Run will assign a URL to the service. However, this URL cannot be used by the Site Management API, as it is not seen as an internal IP. Therefore, we also do not assign the VPC network to the PDP service directly. The way to make the PDP accessible to the VPC is through an internal load balancer.

Internal load balancer

To configure an internal load balancer, go to the Load Balancing section in GCP. Create a new load balancer with the following settings:

  • Type: Application Load Balancer (HTTP/S)
  • Internet facing or internal only: Only between my VMs or serverless services
  • Cross-region or Regional: Regional internal Application Load Balancer
  • Load balancer name: pdp-load-balancer
  • Region: europe-west4
  • Network: The VPC network you created

In the backend configuration section, create a new backend service:

  • Name: pdp-backend-service
  • Backend type: Serverless network endpoint group

In the Serverless network endpoint groups dropdown, create a new serverless network endpoint group:

  • Name: pdp-endpoint-group
  • Service: permit-pdp

After creating the endpoint group and backend service, continue with the routing rules by selecting pdp-backend-service in the Backend 1 dropdown.

In the Frontend configuration section, configure a new Frontend IP and port:

  • Name: pdp-load-balancer-forwarding-rule
  • Subnetwork: Select the subnet used in previous steps

Once the load balancer is created, it is assigned an internal IP address, which can be found in the load balancer details under the Frontend section as IP:Port. This IP address (for example 10.99.0.5) is the value to store in the Secret Manager as the PDP_URL variable. Make sure to add https:// in front of the URL.

Site Management API

  • Make sure to reference all secrets in the Variables & Secrets section.
  • Select the Postgres database instance in the Cloud SQL connections section.
  • In the Networking tab, check Connect to a VPC for outbound traffic. There, select Send traffic directly to a VPC and select the VPC network and subnet you created. In the Traffic routing section, select Route only requests to private IPs to the VPC.

Once a new version is deployed, go to the service details and in the Security tab, select Allow unauthenticated invocations, so that Cloud Run does not require an IAM identity token on incoming requests to the API.
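The console steps above, from the PDP through the internal load balancer to the API, as an added gcloud script that is not part of this page or the project. Values in angle brackets (VPC network, subnet, container images, Cloud SQL connection name) are placeholders, and the script assumes the VPC already has the proxy-only subnet that a regional internal Application Load Balancer requires. It creates a plain-HTTP frontend on port 80; an https:// PDP_URL as used on this page needs a target-https-proxy with a certificate in place of the target-http-proxy.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of the console steps on this page.
# Assumed values (not from the page): NETWORK, SUBNET, PDP_IMAGE, API_IMAGE, SQL_INSTANCE.
set -eu

REGION="${REGION:-europe-west4}"
NETWORK="${NETWORK:-<vpc-network>}"          # the VPC from the Assumptions section
SUBNET="${SUBNET:-<vpc-subnet>}"             # subnet inside that VPC
PDP_IMAGE="${PDP_IMAGE:-<pdp-image>}"        # Permit PDP container image
API_IMAGE="${API_IMAGE:-<api-image>}"        # Site Management API image in the registry
SQL_INSTANCE="${SQL_INSTANCE:-<project:region:instance>}"  # Cloud SQL connection name

# DRY_RUN=1 prints each gcloud command instead of executing it.
cmd() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# PDP: internal ingress only, API key read from Secret Manager (never a literal env var).
deploy_pdp() {
  cmd gcloud run deploy permit-pdp --image="$PDP_IMAGE" --region="$REGION" \
    --ingress=internal --set-secrets=PDP_API_KEY=PDP_API_KEY:latest
}

# Regional internal Application Load Balancer in front of the PDP (HTTP frontend, port 80).
create_internal_lb() {
  cmd gcloud compute network-endpoint-groups create pdp-endpoint-group --region="$REGION" \
    --network-endpoint-type=serverless --cloud-run-service=permit-pdp
  cmd gcloud compute backend-services create pdp-backend-service --region="$REGION" \
    --load-balancing-scheme=INTERNAL_MANAGED --protocol=HTTP
  cmd gcloud compute backend-services add-backend pdp-backend-service --region="$REGION" \
    --network-endpoint-group=pdp-endpoint-group --network-endpoint-group-region="$REGION"
  cmd gcloud compute url-maps create pdp-url-map --region="$REGION" \
    --default-service=pdp-backend-service
  cmd gcloud compute target-http-proxies create pdp-http-proxy --region="$REGION" \
    --url-map=pdp-url-map --url-map-region="$REGION"
  cmd gcloud compute forwarding-rules create pdp-load-balancer-forwarding-rule --region="$REGION" \
    --load-balancing-scheme=INTERNAL_MANAGED --network="$NETWORK" --subnet="$SUBNET" \
    --target-http-proxy=pdp-http-proxy --target-http-proxy-region="$REGION" --ports=80
}

# Site Management API: Cloud SQL attached, direct VPC egress for private ranges only,
# PDP_URL (and the rest of the secrets list) from Secret Manager, public invocations allowed.
deploy_api() {
  cmd gcloud run deploy site-management-api --image="$API_IMAGE" --region="$REGION" \
    --add-cloudsql-instances="$SQL_INSTANCE" \
    --network="$NETWORK" --subnet="$SUBNET" --vpc-egress=private-ranges-only \
    --set-secrets=PDP_URL=PDP_URL:latest --allow-unauthenticated
}

# Executes for real only when invoked with --apply; otherwise the functions just load.
if [ "${1:-}" = "--apply" ]; then deploy_pdp; create_internal_lb; deploy_api; fi
```

Run with `DRY_RUN=1 ./deploy.sh --apply` first to review the exact commands before creating any resources.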