# SAD

## Overview

Inno notification is a serverless notification service in the data platform.

## SAD - System architecture design

### Tech stack
[+] Programming Language: Python, Bash
[+] Notification Channels:
    - Email: Gmail by SendGrid
    - Slack: Slack application
    - GitHub
[+] Deployment of the notification service:
    - Serverless: Cloud Run
    - CI/CD: Cloud Build, GitHub Actions
    - Secret: Secret Manager
    - Development: docker, docker-compose
    - Rate limit: Cloud Tasks Queue
    - Client: Workflows, Cloud Scheduler, GitHub
### Logical View

The logical view of the notification service:

```mermaid
flowchart LR
    %% Components
    client[Client]
    subgraph gcp[Google Cloud Platform]
        subgraph rate-limit[Rate Limit Service]
            workflow[Queue]
        end
        subgraph crun[Google Cloud Run]
            app[Notification Service]
        end
        event_hub
        workflow --> app
    end
    subgraph notification_channel[Notification Channel]
        gh[GitHub]
        slack[Slack server]
        email[SMTP server]
        sms[SMS service]
        discord[Discord Channel]
    end
    %% Flow
    client -- request --> workflow
    client -- publish event --> event_hub[Event Hub] -- dispatch --> app
    client -- direct API call --> app
    app --> slack & email & sms & gh & discord
```
### Physical View

The following are the deployed services that make up the notification service:

```mermaid
flowchart LR
    %% Services in the cloud platform
    subgraph gcp[Google Cloud Platform]
        cbuild[Cloud Build]
        lb[Load Balancing]
        iap[Cloud IAP]
        secret[Cloud Secret Manager]
        logging[Cloud Logging]
        iam[Cloud IAM]
        artifact[Cloud Artifact]
        subgraph notification[Notification Service]
            run[Cloud Run]
        end
    end
    subgraph gh[GitHub]
        repository[Repository]
    end
    %% Flow
    lb -- navigate --> iap -- handle authentication --> run
    gh <-- sync/trigger --> cbuild -- deploy --> run
    secret <-. mount .-> run
    iam -- control access --> cbuild
    cbuild -- store images --> artifact
    run -- yield logs --> logging
    %% Targeted
    run -- notification --> notification
```
## Deployment

There are 3 deployment environments: development, staging, production.
## Security

### Service Accounts Permission

Deployment of the builds related to inno-notification is carried out by the following service accounts:

#### sa-natures-prophet: Project builder

- Service account: sa-natures-prophet@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-natures-prophet

| Permissions | Identifiers | Purpose |
|---|---|---|
| roles/cloudbuild.builds.builder | Cloud Build | Cloud Build builder |
| roles/iam.serviceAccountUser | IAM | Impersonate a service account on a targeted service |
| roles/iam.serviceAccountTokenCreator | IAM | Impersonate a service account |
| roles/secretmanager.secretAccessor | Secret | Access secrets |
| roles/storage.admin | GCS::inno-internal-cloudbuild | Write build logs into the bucket |
| roles/run.developer | Cloud Run | Deploy Run service |
| PROJECT::roles/run.services.setIamPolicy | Cloud Run | Set IAM for run service |
| roles/cloudscheduler.admin | Cloud Scheduler | Create and update Scheduler jobs |
| roles/monitoring.metricWriter | Cloud Monitoring | Write monitoring data to a metrics scope |
| roles/logging.logWriter | Cloud Logging | Write log entries |
#### sa-techies: Deploys the service into Cloud Run

- Service account: sa-techies@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-techies

| Permissions | Identifiers | Purpose |
|---|---|---|
| roles/secretmanager.secretAccessor | Secret Manager | Allows accessing the payload of secrets. |
| roles/serviceusage.serviceUsageConsumer | Service Usage | Inspect service states and operations. |
| roles/serviceusage.serviceUsageViewer | Service Usage | Inspect service states and operations. |
| roles/run.developer | Cloud Run | Read and write access to all Cloud Run resources. |
| roles/workflows.viewer | Workflows | Read-only access to workflows. |
| roles/errorreporting.writer | Error Reporting | Send error events to Error Reporting. |
| roles/logging.logWriter | Logging | Write log entries. |
| roles/monitoring.metricWriter | Monitoring | Write metrics. |
#### sa-terrorblade: Deploys the notification workflow

- Service account: sa-terrorblade@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-terrorblade

| Permissions | Identifiers | Purpose |
|---|---|---|
| roles/bigquery.dataEditor | Dataset: workflows_terminal | Insert a job, load data, create and run a job in the project. |
| roles/bigquery.jobUser | Dataset: workflows_terminal | Insert a job, load data, create and run a job in the project. |
| roles/run.developer | Cloud Run | Read and write access to all Cloud Run resources. |
| roles/run.invoker | Cloud Run | Invoke a Cloud Run service. |
| roles/errorreporting.writer | Error Reporting | Send error events to Error Reporting. |
| roles/logging.logWriter | Logging | Write log entries. |
| roles/monitoring.metricWriter | Monitoring | Write metrics. |
| roles/secretmanager.secretAccessor | Secret Manager | Allows accessing the payload of secrets. |
| roles/serviceusage.serviceUsageConsumer | Service Usage | Inspect service states and operations. |
| roles/workflows.invoker | Workflows | Execute workflows and manage the executions using the API. |
| roles/workflows.viewer | Workflows | Read-only access to workflows. |
#### sa-slardar: Declares notification tasks

- Service account: sa-slardar@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-slardar

| Permissions | Identifiers | Purpose |
|---|---|---|
| roles/cloudtasks.enqueuer | Cloud Tasks | Access to create tasks. |
| roles/iam.serviceAccountUser | Service Accounts | Run operations as the service account. |
| roles/workflows.invoker | Workflows | Execute workflows and manage the executions using the API. |
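The four tables above are only useful as a least-privilege baseline if the live IAM policy actually matches them. The following Python script is an added example, not code from the inno-notification project: it transcribes the tables into a role matrix and compares it with a policy document shaped like the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, reporting roles the matrix expects but the policy lacks, roles granted beyond the matrix, and service accounts that are bound but not documented. The project id `example-project`, the `sa-rogue` account and the whole sample policy are constructed for illustration. The `PROJECT::roles/run.services.setIamPolicy` row is omitted because the table gives it as a project-scoped custom notation rather than a predefined role name, and rows the tables scope to a resource (the BigQuery dataset, the Cloud Build bucket, individual secrets) would in reality appear on that resource's own policy rather than in a project export; the sample treats every row as project-level for simplicity.

```python
"""IAM drift check for the inno-notification service accounts.

Added example, not project code.  It compares the role matrix transcribed
from the tables above with a policy document shaped like the output of
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

PROJECT_ID = "example-project"  # placeholder standing in for $PROJECT_ID

# Role matrix transcribed from the four service-account tables.
# PROJECT::roles/run.services.setIamPolicy is left out: the table gives a
# project-scoped custom notation rather than a predefined role name.
EXPECTED_ROLES = {
    "sa-natures-prophet": {
        "roles/cloudbuild.builds.builder", "roles/iam.serviceAccountUser",
        "roles/iam.serviceAccountTokenCreator", "roles/secretmanager.secretAccessor",
        "roles/storage.admin", "roles/run.developer", "roles/cloudscheduler.admin",
        "roles/monitoring.metricWriter", "roles/logging.logWriter",
    },
    "sa-techies": {
        "roles/secretmanager.secretAccessor", "roles/serviceusage.serviceUsageConsumer",
        "roles/serviceusage.serviceUsageViewer", "roles/run.developer",
        "roles/workflows.viewer", "roles/errorreporting.writer",
        "roles/logging.logWriter", "roles/monitoring.metricWriter",
    },
    "sa-terrorblade": {
        "roles/bigquery.dataEditor", "roles/bigquery.jobUser", "roles/run.developer",
        "roles/run.invoker", "roles/errorreporting.writer", "roles/logging.logWriter",
        "roles/monitoring.metricWriter", "roles/secretmanager.secretAccessor",
        "roles/serviceusage.serviceUsageConsumer", "roles/workflows.invoker",
        "roles/workflows.viewer",
    },
    "sa-slardar": {
        "roles/cloudtasks.enqueuer", "roles/iam.serviceAccountUser",
        "roles/workflows.invoker",
    },
}


def sa_member(alias, project_id=PROJECT_ID):
    """IAM member string for a service-account alias from the tables."""
    return f"serviceAccount:{alias}@{project_id}.iam.gserviceaccount.com"


def roles_by_member(policy):
    """Invert a policy's bindings into {member: set(roles)}.  Binding
    conditions are not evaluated, so a conditional grant counts as a grant."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy, expected=EXPECTED_ROLES, project_id=PROJECT_ID):
    """Per documented alias: roles the matrix expects but the policy lacks
    ("missing") and roles the policy grants beyond the matrix ("unexpected").
    Also lists project service accounts bound in the policy but absent from
    the matrix, since an undocumented SA is drift as well."""
    actual = roles_by_member(policy)
    report = {}
    for alias, want in expected.items():
        have = actual.get(sa_member(alias, project_id), set())
        report[alias] = {"missing": sorted(want - have),
                         "unexpected": sorted(have - want)}
    documented = {sa_member(a, project_id) for a in expected}
    suffix = f"@{project_id}.iam.gserviceaccount.com"
    report["undocumented_service_accounts"] = sorted(
        m for m in actual if m.endswith(suffix) and m not in documented)
    return report


def build_sample_policy():
    """Constructed sample policy, not an export from a real project.  It is
    seeded from the matrix and then tampered with in three ways so the audit
    has something to find."""
    members = {}
    for alias, roles in EXPECTED_ROLES.items():
        for role in roles:
            members.setdefault(role, []).append(sa_member(alias))
    members["roles/workflows.invoker"].remove(sa_member("sa-slardar"))  # dropped grant
    members.setdefault("roles/owner", []).append(sa_member("sa-techies"))  # escalation
    members["roles/run.invoker"].append(sa_member("sa-rogue"))  # hypothetical undocumented SA
    bindings = [{"role": r, "members": sorted(m)} for r, m in sorted(members.items())]
    return {"version": 1, "etag": "constructed", "bindings": bindings}


if __name__ == "__main__":
    # Real use: replace build_sample_policy() with json.load() of the gcloud export.
    print(json.dumps(audit(build_sample_policy()), indent=2))
```

Run it in a Cloud Build step after each deployment and fail the build when any `missing`, `unexpected` or `undocumented_service_accounts` entry is non-empty; that turns the tables from documentation into an enforced control.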
## Appendix

### Appendix A: Record of Changes

Table: Record of changes

| Version | Date | Author | Description of Change |
|---|---|---|---|
| 0.1.0 | 06/04/2024 | Bao Truong | Initial documentation |
| 0.2.0 | 06/04/2024 | Bao Truong | Updated service accounts |