ChingEnLin
diff --git a/‎.github/workflows/google-cloudrun-docker.yml‎
Lines changed: 43 additions & 24 deletions b/‎.github/workflows/google-cloudrun-docker.yml‎
Lines changed: 43 additions & 24 deletions
diff --git a/‎frontend/Dockerfile‎
Lines changed: 2 additions & 8 deletions b/‎frontend/Dockerfile‎
Lines changed: 2 additions & 8 deletions
diff --git a/‎frontend/docker-entrypoint.sh‎
Lines changed: 15 additions & 0 deletions b/‎frontend/docker-entrypoint.sh‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎frontend/nginx.conf‎
Lines changed: 16 additions & 8 deletions b/‎frontend/nginx.conf‎
Lines changed: 16 additions & 8 deletions
diff --git a/‎scripts/migrate_db.sh‎
Lines changed: 130 additions & 0 deletions b/‎scripts/migrate_db.sh‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎terraform/.gitignore‎
Lines changed: 8 additions & 0 deletions b/‎terraform/.gitignore‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎terraform/database.tf‎
Lines changed: 38 additions & 0 deletions b/‎terraform/database.tf‎
Lines changed: 38 additions & 0 deletions
@@ -1,6 +1,8 @@
-# This workflow builds and pushes Docker containers to Google Artifact Registry
-# and deploys both backend and frontend on Cloud Run when a commit is pushed to the "production"
-# branch.
+# Build and deploy QueryPal to Cloud Run.
+# Runs on pushes to the production branch.
+#
+# Infrastructure changes (VPC connector, Secret Manager, IAM) are managed by
+# Terraform in the terraform/ directory and must be applied before first deploy.
 
 name: 'Build and Deploy QueryPal to Cloud Run'
 
@@ -16,6 +18,10 @@ env:
   BACKEND_SERVICE: 'querypal-backend'
   FRONTEND_SERVICE: 'querypal-frontend'
   WORKLOAD_IDENTITY_PROVIDER: 'projects/874216619692/locations/global/workloadIdentityPools/github/providers/querypal'
+  # Cloud Run service account created by Terraform (terraform/iam.tf).
+  CLOUD_RUN_SA: 'querypal-cloudrun-sa@gen-lang-client-0698668474.iam.gserviceaccount.com'
+  # VPC connector created by Terraform (terraform/network.tf).
+  VPC_CONNECTOR: 'querypal-vpc-connector'
 
 jobs:
   deploy:
@@ -29,80 +35,93 @@ jobs:
       - name: 'Checkout'
         uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
 
-      # Configure Workload Identity Federation and generate an access token.
       - id: 'auth'
         name: 'Authenticate to Google Cloud'
         uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
         with:
           workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
-          service_account: 'github-actions@gen-lang-client-0698668474.iam.gserviceaccount.com'
+          service_account: 'github-actions@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'
 
-      # Set up Cloud SDK
       - name: 'Set up Cloud SDK'
         uses: 'google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200' # google-github-actions/setup-gcloud@v2
 
-      # Configure Docker to use gcloud as a credential helper
       - name: 'Configure Docker for GCR'
-        run: |-
-          gcloud auth configure-docker --quiet
+        run: gcloud auth configure-docker --quiet
+
+      # ── Backend ──────────────────────────────────────────────────────────────
 
-      # Build and Push Backend Container
       - name: 'Build and Push Backend Container'
         run: |-
           cd backend
           DOCKER_TAG="gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}"
           docker build --tag "${DOCKER_TAG}" --platform linux/amd64 .
           docker push "${DOCKER_TAG}"
 
-      # Deploy Backend to Cloud Run
       - id: 'deploy-backend'
         name: 'Deploy Backend to Cloud Run'
         uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
         with:
           service: '${{ env.BACKEND_SERVICE }}'
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}'
+          # Non-secret runtime configuration only.
           env_vars: |
             ENVIRONMENT=production
-            AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-            AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-            AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
             ARM_SCOPE=https://management.azure.com/.default
-            GEMINI_API_KEY=${{ secrets.GEMINI_API_KEY }}
-            DB_USER=${{ secrets.DB_USER }}
-            DB_PASS=${{ secrets.DB_PASS }}
             DB_NAME=querypal
-            DB_UNIX_SOCKET=/cloudsql/gen-lang-client-0698668474:europe-west1:querypal-db
+            DB_UNIX_SOCKET=/cloudsql/${{ env.PROJECT_ID }}:${{ env.REGION }}:querypal-db
+          # Sensitive values are read directly from Secret Manager at runtime.
+          # Secret must exist before first deploy (created by terraform/secrets.tf).
+          secrets: |
+            AZURE_TENANT_ID=querypal-azure-tenant-id:latest
+            AZURE_CLIENT_ID=querypal-azure-client-id:latest
+            AZURE_CLIENT_SECRET=querypal-azure-client-secret:latest
+            GEMINI_API_KEY=querypal-gemini-api-key:latest
+            DB_USER=querypal-db-user:latest
+            DB_PASS=querypal-db-pass:latest
           flags: |
             --port=8000
-            --add-cloudsql-instances=gen-lang-client-0698668474:europe-west1:querypal-db
+            --service-account=${{ env.CLOUD_RUN_SA }}
+            --add-cloudsql-instances=${{ env.PROJECT_ID }}:${{ env.REGION }}:querypal-db
+            --vpc-connector=${{ env.VPC_CONNECTOR }}
+            --vpc-egress=private-ranges-only
+            --ingress=internal
             --allow-unauthenticated
 
-      # Build and Push Frontend Container
+      # ── Frontend ─────────────────────────────────────────────────────────────
+
       - name: 'Build and Push Frontend Container'
         run: |-
           cd frontend
           DOCKER_TAG="gcr.io/${{ env.PROJECT_ID }}/${{ env.FRONTEND_SERVICE }}:${{ github.sha }}"
           docker build --tag "${DOCKER_TAG}" --platform linux/amd64 \
-            --build-arg VITE_API_BASE_URL=${{ steps.deploy-backend.outputs.url }} \
+            --build-arg VITE_API_BASE_URL=/api \
             --build-arg VITE_AZURE_REDIRECT_URI=https://querypal.virtonomy.io \
             .
           docker push "${DOCKER_TAG}"
 
-      # Deploy Frontend to Cloud Run
       - id: 'deploy-frontend'
         name: 'Deploy Frontend to Cloud Run'
         uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
         with:
           service: '${{ env.FRONTEND_SERVICE }}'
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.FRONTEND_SERVICE }}:${{ github.sha }}'
+          # BACKEND_URL is the internal Cloud Run URL; nginx uses it at runtime to
+          # proxy /api/* requests to the backend (which is not publicly reachable).
+          env_vars: |
+            BACKEND_URL=${{ steps.deploy-backend.outputs.url }}
           flags: |
             --port=4000
+            --service-account=${{ env.CLOUD_RUN_SA }}
+            --vpc-connector=${{ env.VPC_CONNECTOR }}
+            --vpc-egress=all-traffic
+            --ingress=all
             --allow-unauthenticated
 
-      # Show output URLs
+      # ── Summary ───────────────────────────────────────────────────────────────
+
       - name: 'Show deployment URLs'
         run: |-
-          echo "Backend URL: ${{ steps.deploy-backend.outputs.url }}"
           echo "Frontend URL: ${{ steps.deploy-frontend.outputs.url }}"
+          echo "Backend URL:  ${{ steps.deploy-backend.outputs.url }} (internal only)"
@@ -21,13 +21,7 @@ COPY --from=build /app/dist .
 EXPOSE 4000
 RUN rm -rf /etc/nginx/conf.d/default.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf.template
-
-# Create script to substitute environment variables in nginx config
-RUN echo '#!/bin/sh' > /docker-entrypoint.sh && \
-    echo '# Set PORT default if not provided' >> /docker-entrypoint.sh && \
-    echo 'export PORT=${PORT:-4000}' >> /docker-entrypoint.sh && \
-    echo 'envsubst "\$PORT" < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf' >> /docker-entrypoint.sh && \
-    echo 'exec nginx -g "daemon off;"' >> /docker-entrypoint.sh && \
-    chmod +x /docker-entrypoint.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
 
 CMD ["/docker-entrypoint.sh"]
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+export PORT=${PORT:-4000}
+# BACKEND_URL is the internal Cloud Run URL of the backend service.
+# In production this is set as a Cloud Run environment variable.
+# Locally, point directly at the backend container.
+export BACKEND_URL=${BACKEND_URL:-http://localhost:8000}
+
+# Substitute only $PORT and $BACKEND_URL; leave nginx's own $variables untouched.
+envsubst '$PORT $BACKEND_URL' \
+  < /etc/nginx/conf.d/default.conf.template \
+  > /etc/nginx/conf.d/default.conf
+
+exec nginx -g "daemon off;"
@@ -2,18 +2,26 @@ server {
     listen       $PORT;
     server_name  localhost;
 
+    # Serve the React SPA static files.
     location / {
         root   /usr/share/nginx/html;
         index  index.html index.htm;
         try_files $uri $uri/ /index.html;
     }
 
-    # Optionally, proxy API requests to backend if needed
-    # location /api/ {
-    #     proxy_pass http://backend:8000;
-    #     proxy_set_header Host $host;
-    #     proxy_set_header X-Real-IP $remote_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    # }
+    # Proxy all /api/ requests to the internal backend Cloud Run service.
+    # The trailing slash on proxy_pass strips the /api prefix before forwarding,
+    # so /api/query/execute becomes /query/execute on the backend.
+    # BACKEND_URL is injected at container startup via docker-entrypoint.sh.
+    location /api/ {
+        proxy_pass            $BACKEND_URL/;
+        proxy_http_version    1.1;
+        proxy_set_header      Host              $proxy_host;
+        proxy_set_header      X-Real-IP         $remote_addr;
+        proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header      X-Forwarded-Proto $http_x_forwarded_proto;
+        proxy_read_timeout    300s;
+        proxy_connect_timeout 10s;
+        proxy_send_timeout    300s;
+    }
 }
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# Migrate PostgreSQL data between Cloud SQL instances using Cloud SQL Auth Proxy.
+#
+# Use this when you need to move data to a new Cloud SQL instance
+# (e.g., after recreating the instance via Terraform).
+#
+# Prerequisites:
+#   - gcloud CLI authenticated with Cloud SQL Admin permissions
+#   - cloud-sql-proxy binary in PATH (https://cloud.google.com/sql/docs/postgres/sql-proxy)
+#   - pg_dump / psql installed locally
+#
+# Usage:
+#   ./scripts/migrate_db.sh \
+#     --source-instance gen-lang-client-0698668474:europe-west1:querypal-db \
+#     --target-instance gen-lang-client-0698668474:europe-west1:querypal-db-new \
+#     --db-name querypal \
+#     --db-user postgres
+#
+# The script will prompt for the database password interactively.
+
+set -euo pipefail
+
+# ── Argument parsing ─────────────────────────────────────────────────────────
+
+SOURCE_INSTANCE=""
+TARGET_INSTANCE=""
+DB_NAME="querypal"
+DB_USER="postgres"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --source-instance) SOURCE_INSTANCE="$2"; shift 2 ;;
+    --target-instance) TARGET_INSTANCE="$2"; shift 2 ;;
+    --db-name)         DB_NAME="$2";         shift 2 ;;
+    --db-user)         DB_USER="$2";         shift 2 ;;
+    *) echo "Unknown argument: $1" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -z "$SOURCE_INSTANCE" || -z "$TARGET_INSTANCE" ]]; then
+  echo "Usage: $0 --source-instance CONN_NAME --target-instance CONN_NAME [--db-name NAME] [--db-user USER]" >&2
+  exit 1
+fi
+
+# ── Setup ────────────────────────────────────────────────────────────────────
+
+SOURCE_PORT=5432
+TARGET_PORT=5433
+DUMP_FILE="$(mktemp /tmp/querypal_dump_XXXXXX.sql)"
+SOURCE_PROXY_PID=""
+TARGET_PROXY_PID=""
+
+cleanup() {
+  echo "==> Cleaning up..."
+  [[ -n "$SOURCE_PROXY_PID" ]] && kill "$SOURCE_PROXY_PID" 2>/dev/null || true
+  [[ -n "$TARGET_PROXY_PID" ]] && kill "$TARGET_PROXY_PID" 2>/dev/null || true
+  rm -f "$DUMP_FILE"
+}
+trap cleanup EXIT
+
+echo "==> Migration plan:"
+echo "    Source:   ${SOURCE_INSTANCE} (port ${SOURCE_PORT})"
+echo "    Target:   ${TARGET_INSTANCE} (port ${TARGET_PORT})"
+echo "    Database: ${DB_NAME}"
+echo ""
+read -rsp "Enter database password for '${DB_USER}': " DB_PASS
+echo ""
+export PGPASSWORD="$DB_PASS"
+
+# ── Start Cloud SQL Auth Proxy ───────────────────────────────────────────────
+
+echo "==> Starting Cloud SQL Auth Proxy for source instance..."
+cloud-sql-proxy \
+  "${SOURCE_INSTANCE}?port=${SOURCE_PORT}" \
+  --quiet &
+SOURCE_PROXY_PID=$!
+
+echo "==> Starting Cloud SQL Auth Proxy for target instance..."
+cloud-sql-proxy \
+  "${TARGET_INSTANCE}?port=${TARGET_PORT}" \
+  --quiet &
+TARGET_PROXY_PID=$!
+
+# Wait for proxies to be ready.
+sleep 3
+
+# ── Dump source ──────────────────────────────────────────────────────────────
+
+echo "==> Dumping source database to ${DUMP_FILE}..."
+pg_dump \
+  --host=127.0.0.1 \
+  --port="${SOURCE_PORT}" \
+  --username="${DB_USER}" \
+  --dbname="${DB_NAME}" \
+  --format=plain \
+  --no-owner \
+  --no-acl \
+  --file="${DUMP_FILE}"
+
+DUMP_SIZE=$(du -sh "$DUMP_FILE" | cut -f1)
+echo "    Dump complete: ${DUMP_SIZE}"
+
+# ── Restore to target ────────────────────────────────────────────────────────
+
+echo "==> Restoring to target database..."
+# Drop and recreate schema to ensure a clean slate.
+psql \
+  --host=127.0.0.1 \
+  --port="${TARGET_PORT}" \
+  --username="${DB_USER}" \
+  --dbname=postgres \
+  --command="DROP DATABASE IF EXISTS ${DB_NAME};"
+
+psql \
+  --host=127.0.0.1 \
+  --port="${TARGET_PORT}" \
+  --username="${DB_USER}" \
+  --dbname=postgres \
+  --command="CREATE DATABASE ${DB_NAME};"
+
+psql \
+  --host=127.0.0.1 \
+  --port="${TARGET_PORT}" \
+  --username="${DB_USER}" \
+  --dbname="${DB_NAME}" \
+  --file="${DUMP_FILE}"
+
+echo ""
+echo "==> Migration complete."
+echo "    Verify the target database before updating DB_UNIX_SOCKET in Cloud Run."
@@ -0,0 +1,8 @@
+.terraform/
+.terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.backup
+*.tfplan
+tfplan
+terraform.tfvars
+*.auto.tfvars
@@ -0,0 +1,38 @@
+# Existing Cloud SQL instance brought under Terraform management.
+# Run ./import.sh once to import the existing instance into Terraform state
+# before applying this configuration.
+resource "google_sql_database_instance" "querypal_db" {
+  name             = var.cloud_sql_instance_name
+  database_version = "POSTGRES_15"
+  region           = var.region
+
+  settings {
+    tier = "db-f1-micro"
+
+    backup_configuration {
+      enabled                        = true
+      start_time                     = "02:00"
+      point_in_time_recovery_enabled = true
+      transaction_log_retention_days = 7
+    }
+
+    ip_configuration {
+      ipv4_enabled = true
+      # Require SSL for all connections.
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+
+    database_flags {
+      name  = "log_connections"
+      value = "on"
+    }
+  }
+
+  # Prevent accidental destruction of the production database.
+  deletion_protection = true
+}
+
+resource "google_sql_database" "querypal" {
+  name     = var.db_name
+  instance = google_sql_database_instance.querypal_db.name
+}