What is the process for utilizing ACME with Google Cloud Run in TypeScript

Question

Pulumi · Accepted Answer

To utilize ACME (Automated Certificate Management Environment) with Google Cloud Run in TypeScript, you will need to set up a Cloud Run service and configure it to automatically handle HTTPS certificates for your custom domain. Google Cloud Run can automatically provide and renew SSL certificates for your custom domains using Let's Encrypt, which is an ACME provider.

Before proceeding, ensure you have the following prerequisites covered:
1. A Google Cloud account with billing enabled.
2. A custom domain that you own.
3. The `gcloud` CLI installed and authenticated, and your project set up.
4. Pulumi CLI installed and set up.
5. Node.js and npm or yarn installed for TypeScript.

Below is a TypeScript program that uses Pulumi to define a simple Google Cloud Run service which can work with ACME through automated Google-managed SSL certificates. The example service will deploy a simple "Hello World" container.

First, you will need to install the `@pulumi/gcp` package if you don't already have it. Use your preferred package manager (`npm` or `yarn`) to add the package to your project:

```bash
npm install @pulumi/gcp
```

or

```bash
yarn add @pulumi/gcp
```

Here is a TypeScript program that sets up a basic Cloud Run service:

```typescript
import * as gcp from "@pulumi/gcp";
import { Service } from "@pulumi/gcp/cloudrun";

// Replace 'my-custom-domain' with your actual custom domain.
const domainName = "my-custom-domain.com";
// Replace with the appropriate Cloud Run location.
const cloudRunLocation = "us-central1";

// This is the Cloud Run service configuration.
const helloWorldService = new Service("hello-world-service", {
    location: cloudRunLocation,
    template: {
        spec: {
            containers: [
                {
                    image: "gcr.io/cloudrun/hello", // Replace this with your container image if needed.
                },
            ],
        },
    },
});

// Mapping your custom domain to the Cloud Run service.
const mappedDomain = new gcp.cloudrun.DomainMapping("domain-mapping", {
    location: cloudRunLocation,
    metadata: {
        namespace: helloWorldService.metadata.apply(m => m.namespace),
    },
    spec: {
        forceOverride: true,
        routeName: helloWorldService.name,
    },
});

// Export the URL of the Cloud Run service.
export const url = helloWorldService.statuses.apply(s => s.url);
// Export the URL that will be mapped to your custom domain.
export const customDomainUrl = mappedDomain.statuses.apply(s => s.resourceRecords[0].rrdata);
```

Here's a walkthrough of what's happening in the program:

1. We import the `@pulumi/gcp` package to use Google Cloud resources in Pulumi.
2. We define variables for our custom domain and Cloud Run location.
3. We create a new Cloud Run service using the `Service` class. The service uses the default "Hello World" container image provided by Google.
4. We map our custom domain to the Cloud Run service using the `DomainMapping` class. We pass the service and domain information to the `DomainMapping` resource, which will trigger the process of provisioning an SSL certificate for our custom domain using ACME via Let's Encrypt.
5. Finally, we export the URL of the Cloud Run service and the custom domain URL to access our service.

With the above setup, Google Cloud automatically handles the ACME protocol and manages the issuance and renewal of SSL certificates for your custom domain. There is no need for manual intervention to handle the SSL certificates as it is seamlessly integrated into the Cloud Run service and domain mapping.

Please replace the dummy values such as `my-custom-domain.com` with your actual domain and ensure you have rights to it, and adjust `cloudRunLocation` to your appropriate Google Cloud location.