-
rikinsk committed with hasura-bot 2 months ago1 parent a8630db2
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
1 + --- 2 + description: Step-by-step guide to deploy Hasura GraphQL Engine on Google Cloud Run with Cloud SQL for Postgres 3 + title: 'Deploy Hasura GraphQL Engine on Google Cloud Run' 4 + keywords: 5 + - hasura 6 + - google cloud run 7 + - cloud sql 8 + - deployment 9 + - graphql 10 + sidebar_position: 13 11 + sidebar_label: Using Google Cloud Run & Cloud SQL 12 + --- 13 + 14 + # Deploying Hasura GraphQL Engine on Cloud Run 15 + 16 + To deploy Hasura GraphQL Engine on Google Cloud Run with a Cloud SQL (Postgres) instance and ensure secure communication 17 + via private IP, follow this detailed guide. 18 + 19 + :::info Prerequisites 20 + 21 + This guide assumes you have a [Google Cloud](https://cloud.google.com/?hl=en) account and `gcloud` [installed](https://cloud.google.com/sdk/docs/install). Additionally, you should be working within a Google Cloud Project, whether it's one you've newly created or an existing project you have access to. 22 + ::: 23 + 24 + 25 + ## Step 1: Setup Your Environment 26 + 27 + 1. **Authenticate with Google Cloud:** 28 + 29 + ```bash 30 + gcloud auth login 31 + ``` 32 + 33 + 2. **Set your project ID:** 34 + 35 + Replace `<PROJECT_ID>` with your actual Google Cloud project ID. 36 + 37 + ```bash 38 + gcloud config set project <PROJECT_ID> 39 + ``` 40 + 41 + ## Step 2: Enable Required Google Cloud Services 42 + 43 + Enable Cloud Run, Cloud SQL, Cloud SQL Admin, Secret Manager, and the Service Networking APIs: 44 + 45 + 46 + ```bash 47 + gcloud services enable run.googleapis.com sqladmin.googleapis.com servicenetworking.googleapis.com secretmanager.googleapis.com 48 + ``` 49 + 50 + :::caution Requires IAM permissions 51 + 52 + To execute the above command, your Google Cloud account needs to have the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin) or an equivalent custom role with permissions to enable services. This role allows you to view, enable, and disable services in your GCP project. 53 + 54 + If you encounter permissions errors, contact your GCP administrator to ensure your account has the appropriate roles assigned, or to request the services be enabled on the project you are working with. 55 + 56 + ::: 57 + 58 + ## Step 3: Create a Cloud SQL (Postgres) Instance 59 + 60 + 1. **Create the database instance:** 61 + 62 + ```bash 63 + gcloud sql instances create hasura-postgres --database-version=POSTGRES_15 --cpu=2 --memory=7680MiB --region=us-central1 64 + ``` 65 + 66 + 2. **Set the password** for the default postgres user: 67 + 68 + Replace `<PASSWORD>` with your desired password. 69 + 70 + ```bash 71 + gcloud sql users set-password postgres --instance=hasura-postgres --password=<PASSWORD> 72 + ``` 73 + 74 + 3. **Create a database** 75 + 76 + Replace `<DATABASE_NAME>` with your database name: 77 + 78 + ```bash 79 + gcloud sql databases create <DATABASE_NAME> --instance=hasura-postgres 80 + ``` 81 + 82 + :::info Don't have a `default` network? 83 + 84 + The `default` network is normally created inside a Google Cloud Platform Project, however in some cases the `default` network might have been deleted or the project may have been set up with a specific network configuration without a default network. 85 + 86 + To see the networks you have available you can run: 87 + 88 + ```bash 89 + gcloud compute networks list 90 + ``` 91 + 92 + If you find you do not have an appropriate network for your deployment, you can create a new VPC network by running the following command to create a network named `default`: 93 + 94 + ```bash 95 + gcloud compute networks create default --subnet-mode=auto 96 + ``` 97 + 98 + ::: 99 + 100 + 101 + ## Step 4: Configure Service Networking for Private Connectivity 102 + 103 + 1. **Allocate an IP range** for Google services in your VPC: 104 + 105 + ```bash 106 + gcloud compute addresses create google-managed-services-default \ 107 + --global \ 108 + --purpose=VPC_PEERING \ 109 + --prefix-length=24 \ 110 + --network=default 111 + ``` 112 + 113 + 2. **Connect your VPC to the Service Networking API:** 114 + 115 + Replace `<PROJECT_ID>` with your actual Google Cloud project ID. 116 + 117 + ```bash 118 + gcloud services vpc-peerings connect \ 119 + --service=servicenetworking.googleapis.com \ 120 + --ranges=google-managed-services-default \ 121 + --network=default \ 122 + --project=<PROJECT_ID> 123 + ``` 124 + 125 + 3. **Enable a private IP** for your CloudSQL instance: 126 + 127 + ```bash 128 + gcloud sql instances patch hasura-postgres --network=default 129 + ``` 130 + 131 + ## Step 5: Create your connection string 132 + 133 + 1. **Find your Cloud SQL instance's connection name:** 134 + 135 + ```bash 136 + gcloud sql instances describe hasura-postgres 137 + ``` 138 + 139 + :::info Note 140 + 141 + Take note of the `connectionName` field in the output of the above `describe` command. You will use the `connectionName` to deploy the GraphQL Engine to Cloud Run. 142 + 143 + ::: 144 + 145 + 2. **Construct your connection string** 146 + 147 + You can create the connection string by filling in the following template string. Replace `<CONNECTION_NAME>`, `<PASSWORD>`, and `<DATABASE_NAME>` with your actual connectionName, database password, and 148 + database name. 149 + 150 + ``` 151 + postgres://postgres:<PASSWORD>@/<DATABASE_NAME>?host=/cloudsql/<CONNECTION_NAME> 152 + ``` 153 + 154 + ## Step 6: Store your connection string in the Secret Manager 155 + 156 + While you can put the connection string directly into the environment variables, it is recommended that you store it and any secrets or credentials inside of [Google's Secret Manager](https://cloud.google.com/security/products/secret-manager) for maximum security. This prevents secrets from being visible to administrators and from being accessible in other parts of the control/operations plane. 157 + 158 + 1. **Store the constructed connection string as a secret** replacing `<CONNECTION_STRING>` with your actual connection string. 159 + 160 + ```bash 161 + echo -n "<CONNECTION_STRING>" | gcloud secrets create hasura-db-connection-string --data-file=- 162 + ``` 163 + 164 + :::info Not using the `default` service account? 165 + 166 + The following steps assume that you are running the `gcloud deploy` command via the default service account used by compute engine. If you are not using the default service account, you will need to grant the service account you are using the `roles/secretmanager.secretAccessor` role. 167 + 168 + ::: 169 + 170 + 171 + 2. **To get the `<PROJECT_NUMBER>` associated with the default service account:** 172 + 173 + ```bash 174 + echo "$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')" 175 + ``` 176 + 177 + 3. **Run the following command to grant the default service acount access to the secrets**, replacing `<PROJECT_NUMBER>` with your project number from the previous command: 178 + 179 + ```bash 180 + gcloud projects add-iam-policy-binding <PROJECT_NUMBER> \ 181 + --member='serviceAccount:<PROJECT_NUMBER>[email protected]' \ 182 + --role='roles/secretmanager.secretAccessor' 183 + ``` 184 + 185 + ## Step 7: Deploy Hasura to Cloud Run: 186 + 187 + 1. **Run the following command** and replace `<CONNECTION_NAME>`, with your actual connectionName. 188 + 189 + For additional information on configuring the Hasura GraphQL engine, please see the [Server configuration reference](https://hasura.io/docs/latest/deployment/graphql-engine-flags/reference/). 190 + 191 + ```bash 192 + gcloud run deploy hasura-graphql-engine \ 193 + --image=hasura/graphql-engine:latest \ 194 + --add-cloudsql-instances=<CONNECTION_NAME> \ 195 + --update-env-vars='HASURA_GRAPHQL_ENABLE_CONSOLE=true' \ 196 + --update-secrets=HASURA_GRAPHQL_DATABASE_URL=hasura-db-connection-string:latest \ 197 + --region=us-central1 \ 198 + --cpu=1 \ 199 + --min-instances=1 \ 200 + --memory=2048Mi \ 201 + --port=8080 \ 202 + --allow-unauthenticated 203 + ``` 204 + 205 + 206 + ## Step 8: Adding a VPC-Connector (Optional) 207 + 208 + To further enhance the connectivity and security of your Hasura GraphQL Engine deployment on Google Cloud Run, 209 + especially when connecting to other services within your Virtual Private Cloud (VPC), you might consider adding a 210 + Serverless VPC Access connector. This optional step is particularly useful when your architecture requires direct access 211 + from your serverless Cloud Run service to resources within your VPC, such as VMs, other databases, or private services 212 + that are not exposed to the public internet. For more information, please see [Google's official documentation for Serverless VPC Access](https://cloud.google.com/vpc/docs/serverless-vpc-access). 213 + 214 + 1. **Enable the Serverless VPC Access API** 215 + 216 + First ensure that the Serverless VPC Access API is enabled: 217 + 218 + ```bash 219 + gcloud services enable vpcaccess.googleapis.com 220 + ``` 221 + 222 + 2. **Create a Serverless VPC Access Connector** 223 + 224 + Choose an IP range that does not overlap with existing ranges in your VPC. This range will be used by the connector to 225 + route traffic from your serverless application to your VPC. **It's important to ensure that the IP range does not overlap with other subnets to avoid routing conflicts.** 226 + 227 + ```bash 228 + gcloud compute networks vpc-access connectors create hasura-connector \ 229 + --region=us-central1 \ 230 + --network=default \ 231 + --range=10.8.0.0/28 232 + ``` 233 + 234 + 3. **Update the Cloud Run Deployment to use the VPC Connector** 235 + 236 + When deploying or updating your Hasura GraphQL Engine service, specify the VPC connector with the `--vpc-connector` 237 + flag: 238 + 239 + ```bash 240 + gcloud run deploy hasura-graphql-engine \ 241 + --image=hasura/graphql-engine:latest \ 242 + --add-cloudsql-instances=<CONNECTION_NAME> \ 243 + --update-env-vars='HASURA_GRAPHQL_ENABLE_CONSOLE=true' \ 244 + --update-secrets=HASURA_GRAPHQL_DATABASE_URL=hasura-db-connection-string:latest \ 245 + --vpc-connector=hasura-connector \ 246 + --region=us-central1 \ 247 + --cpu=1 \ 248 + --min-instances=1 \ 249 + --memory=2048Mi \ 250 + --port=8080 \ 251 + --allow-unauthenticated 252 + ``` 253 + 254 + ### When and Why to Use a VPC Connector 255 + 256 + * **Enhanced Security:** Utilize a VPC Connector when you need to ensure that traffic between your Cloud Run service and 257 + internal Google Cloud resources does not traverse the public internet, enhancing security. 258 + * **Access to Internal Resources:** Use it when your serverless application needs access to resources within your VPC, 259 + such 260 + as internal APIs, databases, or services that are not publicly accessible. 261 + * **Compliance Requirements:** If your application is subject to compliance requirements that mandate data and network 262 + traffic must remain within a private network, a VPC connector facilitates this by providing private access to your 263 + cloud resources. 264 + * **Network Peering:** It's beneficial when accessing services in a peered VPC, allowing your Cloud Run services to 265 + communicate with resources across VPC networks. 266 + 267 + Adding a VPC Connector to your Cloud Run deployment ensures that your Hasura GraphQL Engine can securely and privately 268 + access the necessary Google Cloud resources within your VPC, providing a robust and secure environment for your 269 + applications. 270 + 271 + ## Tearing Down 272 + 273 + To avoid incurring charges, delete the resources once you're done: 274 + 275 + ```bash 276 + gcloud sql instances delete hasura-postgres 277 + gcloud run services delete hasura-graphql-engine 278 + gcloud compute addresses delete google-managed-services-default --global 279 + gcloud secrets delete hasura-db-connection-string 280 + ``` 281 + 282 + If you performed the optional Step 8, you should also delete the VPC-connector resource: 283 + 284 + ```bash 285 + gcloud compute networks vpc-access connectors delete hasura-connector --region=us-central1 286 + ``` -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
docs/static/img/docs-bot-profile-pic.webp
-
docs/static/img/hasura-ai-profile-pic.png
-
-
-
frontend/yarn.lockUnable to diff as the file is too large.
-
-
-
-
skipped 18 lines 19 19 PGADMIN_DEFAULT_EMAIL: [email protected] 20 20 PGADMIN_DEFAULT_PASSWORD: admin 21 21 graphql-engine: 22 - image: hasura/graphql-engine:v2.37.0 22 + image: hasura/graphql-engine:v2.38.0 23 23 ports: 24 24 - "8080:8080" 25 25 depends_on: skipped 17 lines -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-