Deploying GenMedia Creative Studio

Deployment of GenMedia Creative Studio is accomplished using a combination of Terraform and Cloud Build. Terraform is used to deploy the infrastructure and Cloud Build is used to create the container image and update the Cloud Run service to use it.

You have two deployment options for this application:

Deploy using a custom domain. Use this if:
- You need to support external identities. Included Terraform script does not support this; however, you can customize the script.
- You prefer more control over the domain used
Deploy using the autogenerated Cloud Run Domain. Use this if:
- You can not create a DNS entry
- IAP for Cloud Run Known Limitations are non-blockers (e.g., no external identities, no Cloud CDN support)

Prerequisites

You’ll need the following

An existing Google Cloud Project
If you want to use a custom domain, you need the ability to create a DNS A record for your target domain that resolves to the provisioned load balancer

1. Download the source code for this project

Download the source

git clone https://github.com/GoogleCloudPlatform/vertex-ai-creative-studio.git

2. Export Environment Variables

The following environment variables are the minimum required to deploy the application.

REGION - Should be set to us-central1. Prior to selecting a different region, validate the GenAI models needed are available here.
PROJECT_ID - Set to the desired Google Cloud project’s ID, obtained via gcloud below or you can enter it manually.
DOMAIN_NAME - Update with the DNS name to be used to reach the web application (e.g., creativestudio.example.com). A Google Cloud Managed certificate will be created for this domain.
INITIAL_USER - Email address of initial user given access to the web application (e.g., admin@example.com)

Replace the example values and execute the script below:

export REGION=us-central1 PROJECT_ID=$(gcloud config get project)
export INITIAL_USER=admin@example.com

Deploying with Custom Domain

Follow these steps if you are going to deploy GenMedia Creative Studio using your own custom domain. You will need the ability to create a DNS A record if you choose this deployment option.

1. Initialize Terraform

Because you are using a custom domain, you will need to export one more variable with the DNS name for the domain that will be used to navigate to GenMedia Creative Studio.

export DOMAIN_NAME=creativestudio.example.com

Make sure your command line is in the folder containing this README (i.e., in the root of the main repository, /). Then create the terraform.tfvars using the following command:

cat > terraform.tfvars << EOF
project_id = "$PROJECT_ID"
initial_user = "$INITIAL_USER"
domain = "$DOMAIN_NAME"
EOF

terraform init
terraform apply

2. Create a DNS A record for the domain name

A load balancer and a Google Cloud managed certificate are provisioned by the Terraform configuration file. You must create a DNS A record that resolves to the IP address of the provisioned load balancer. Below is a sample output from running the terraform apply command, showing where the provisioned application balancer’s IP is displayed.

Load Balancer IP Address

If you use Google Cloud DNS, follow the steps here. Provisioning a Google-managed certificate might take up to 60 minutes from the moment your DNS and load balancer configuration changes have propagated across the internet.

If you take too long to create the A record, usually >15 minutes or the DNS entry resolves to any other IP address than the load balancer’s, provisioning of the Google Cloud Managed certificate may fail with a status of FAILED_NOT_VISIBLE. If this is the case, make sure the DNS A record is updated correctly and follow the steps here.

3. Build and Deploy Container Image

A shell script, build.sh, is included in this repo that submits a build to Cloud Build which builds and deploys the application’s container image. Use the following command:

./build.sh

4. Wait for certificate to go to provisioned state

With both the infrastructure and application deployed, you are just waiting for the certificate to complete provisioning. Once you see the status as “ACTIVE” and the “In use by” section populated (see sample below), your application is ready for use. You can navigate to the Certificate Manager GCP Console page, and select the certificate to keep an eye on the status.

Provisioned Certificate

Deploying using Cloud Run Domain

If you are unable to create a DNS record in your corporate domain, you can also use the autogenerated Cloud Run domain along with it’s preview support for IAP to secure the endpoint.

Currently, Cloud Run’s integration with IAP is a preview feature and is subject to the “Pre-GA Offerings Terms” in the General Service Terms section of the Service Specific Terms. Pre-GA features are available “as is” and might have limited support. For more information, see the launch stage descriptions.

1. Initialize Terraform

Make sure your command line is in the folder containing this README (i.e., in the root of the main repository, /). Then create the terraform.tfvars using the following command:

cat > terraform.tfvars << EOF
project_id = "$PROJECT_ID"
initial_user = "$INITIAL_USER"
use_lb = false
EOF

terraform init
terraform apply

Make sure to take note of the Cloud Run URL that is output. This is what you will navigate to in your browser to access the application. Before doing that though, you need to build and deploy the container image.

Cloud Run URL output

2. Build and Deploy Container Image

A shell script, build.sh, is included in this repo that submits a build to Cloud Build which builds and deploys the application’s container image. Use the following command:

./build.sh

3. Edit Cloud Run’s IAP Policy to provide initial user’s access

The last step is to change the IAP policy of the Cloud Run service to provide access to a user. You can also use a group but for the purposes of this example, a single user is given access.

gcloud beta iap web add-iam-policy-binding \
--project=$PROJECT_ID \
--region=$REGION \
--member=user:$INITIAL_USER \
--role=roles/iap.httpsResourceAccessor \
--resource-type=cloud-run \
--service=creative-studio

Congratulations, you can now navigate to the address provided in the cloud-run-app-url Terraform output.

Deploying to Cloud Shell for Testing

Use this option if you want to quickly run the UI without having to setup a local development environment. To get started, use Cloud Shell and follow the tutorial instructions.

Updating GenMedia Creative Studio

As new features and fixes are added to GenMedia Creative Studio, you will want to update your deployment. You do not need to destroy your existing infrastructure.

Updating Application Code

If you only need to update the application code (Python files, UI changes):

Pull the latest changes from the repository:
Terminal window
```
git pull
```
Run the build script:
Terminal window
```
./build.sh
```

This script submits a new build to Cloud Build, creates a new container image, and updates the existing Cloud Run service.

Updating Infrastructure

If the updates include changes to the Terraform configuration (e.g., new environment variables, new Google Cloud services):

Pull the latest changes:
Terminal window
```
git pull
```
Initialize Terraform to download any new provider requirements:
Terminal window
```
terraform init -upgrade
```
Apply the changes. Terraform will only update what has changed:
Terminal window
```
terraform apply
```

Adding Additional Users

With any of the deployment options above that use IAP, if you need to add additional users, there are two steps to take to make sure those users can both access the application and the images generated:

Application Access - Add the user to IAP. Follow these steps if you deployed using a load balancer, granting the user the IAP-Secured Web App User role. If you deployed using only the Cloud Run provided URL, follow these steps.
Image Access - The images are served using the authenticated GCS URL of each storage object so users need to be granted the Storage Object Viewer role. The name of the bucket is available as the assets-bucket Terraform output.

Note: For the application to function correctly, the Cloud Run service account must have the Storage Object Viewer (roles/storage.objectViewer) role on the GCS bucket. This allows the application to read media assets and serve them to users through the proxy.