Prerequisites

Before starting, ensure you have the following:

1. Google Cloud Setup

  • gcloud CLI installed: Install the gcloud CLI
  • Authenticated with Google Cloud: Run gcloud auth login to authenticate
  • Project ID configured: Set your project with gcloud config set project YOUR_PROJECT_ID
  • Billing enabled: Ensure billing is enabled for your GCP project

2. Docker

  • Docker daemon running: Ensure Docker is installed and running on your machine
  • Docker authenticated: You’ll need to authenticate with both Docker Hub and Google Artifact Registry

3. AWS Resources

  • S3 bucket created: Create an S3 bucket for storing Terraform state and artifacts
  • AWS credentials: Have your AWS Access Key ID and Secret Access Key ready
  • IAM permissions: Ensure your AWS credentials have permissions to read/write to the S3 bucket

4. Auth0 Setup

  • Auth0 application: Create an Auth0 application and note your domain, client ID, and client secret. Follow the guide in Configure SSO; you won’t have the server URL until the server is up, but you don’t need to set it right away.

Configuration

For GCP, you’ll need to set up environment variables and then deploy to Cloud Run. First, create a cloud-run.env.yaml file with your configuration (it holds your AWS credentials and Auth0 client secret, so keep it out of version control):

# S3 Storage Configuration
OPENTACO_S3_BUCKET: "your-s3-bucket-name"
OPENTACO_S3_REGION: "us-east-1"
OPENTACO_S3_PREFIX: "your-prefix"

# Auth0 Authentication Configuration
OPENTACO_AUTH_ISSUER: "https://your-auth0-domain.auth0.com/"
OPENTACO_AUTH_CLIENT_ID: "your_auth0_client_id"
OPENTACO_AUTH_CLIENT_SECRET: "your_auth0_client_secret"
OPENTACO_AUTH_AUTH_URL: "https://your-auth0-domain.auth0.com/authorize"
OPENTACO_AUTH_TOKEN_URL: "https://your-auth0-domain.auth0.com/oauth/token"

# AWS Credentials
AWS_ACCESS_KEY_ID: "your_aws_access_key_id"
AWS_SECRET_ACCESS_KEY: "your_aws_secret_access_key"
AWS_REGION: "us-east-1"

# Additional Statesman Configuration
OPENTACO_PORT: "8080"
OPENTACO_STORAGE: "s3"
OPENTACO_AUTH_DISABLE: "false"

Then, use the following script to set up Artifact Registry and deploy to Cloud Run. Run it from the same directory as your cloud-run.env.yaml:

#!/bin/bash
set -e

# Set your project ID; it must be the project selected with `gcloud config set project`
PROJECT_ID="YOUR_GCP_PROJECT_ID"
# Artifact Registry repository ID (use lowercase letters, digits and hyphens)
GCP_REPO_NAME="STATESMAN_ARTEFACT_NAME"
GCP_REGION="us-central1"

echo "Setting up Artifact Registry for Statesman..."

# Enable all required APIs
echo "Enabling required GCP APIs..."
gcloud services enable artifactregistry.googleapis.com
gcloud services enable run.googleapis.com
gcloud services enable cloudbuild.googleapis.com
gcloud services enable containerregistry.googleapis.com

# Check if repository exists, create if it doesn't
if ! gcloud artifacts repositories describe "$GCP_REPO_NAME" --location="$GCP_REGION" >/dev/null 2>&1; then
  echo "Creating repository..."
  gcloud artifacts repositories create "$GCP_REPO_NAME" \
    --repository-format=docker \
    --location="$GCP_REGION" \
    --description="Repository for OpenTaco Statesman images"
else
  echo "Repository $GCP_REPO_NAME already exists, skipping creation..."
fi

# Configure Docker auth for the regional Artifact Registry host
gcloud auth configure-docker "$GCP_REGION-docker.pkg.dev"

# Pull, tag, and push image
docker pull --platform linux/amd64 ghcr.io/diggerhq/digger/taco-statesman:latest
docker tag ghcr.io/diggerhq/digger/taco-statesman:latest \
  "$GCP_REGION-docker.pkg.dev/$PROJECT_ID/$GCP_REPO_NAME/taco-statesman:latest"
docker push "$GCP_REGION-docker.pkg.dev/$PROJECT_ID/$GCP_REPO_NAME/taco-statesman:latest"

echo "Deploying to Cloud Run..."
# --allow-unauthenticated opens the service at the Cloud Run IAM level. The Auth0 redirect back
# to /oauth/oidc-callback comes from the user's browser, which carries no Google identity token,
# so that endpoint has to be reachable without IAM. Statesman's own Auth0 login is the access
# control, which is why OPENTACO_AUTH_DISABLE must stay "false" in cloud-run.env.yaml.
gcloud run deploy statesman \
  --image "$GCP_REGION-docker.pkg.dev/$PROJECT_ID/$GCP_REPO_NAME/taco-statesman:latest" \
  --region "$GCP_REGION" \
  --platform managed \
  --allow-unauthenticated \
  --env-vars-file cloud-run.env.yaml

echo "Artifact Registry and Cloud Run setup complete!"
echo "Your image is now at: $GCP_REGION-docker.pkg.dev/$PROJECT_ID/$GCP_REPO_NAME/taco-statesman:latest"
SERVICE_URL=$(gcloud run services describe statesman --region "$GCP_REGION" --format="value(status.url)")
echo "Service URL: $SERVICE_URL"
echo "Health check: $SERVICE_URL/readyz"

Once the service is up, configure Auth0 with its Cloud Run URL. In your Auth0 application, add the GCP URL as an allowed callback like so: [GCP URL]/oauth/oidc-callback. Mine looks like this: https://statesman-1234567890.us-central1.run.app/oauth/oidc-callback

Allowed Callbacks

Then run taco login. If you have not set up taco before, it will prompt you for a server URL. If you have run taco login before, you can run taco setup to configure the server URL. In either case, set the Cloud Run URL as the server URL. When the CLI asked me to enter my OpenTaco server URL, I pasted in: https://statesman-1234567890.us-central1.run.app
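As an added example (not part of the original guide or of OpenTaco), the script below checks a cloud-run.env.yaml for the mistakes that most often break the steps above before the deploy script is run: template placeholders left in place, missing keys, an issuer without its trailing slash, authorize/token endpoints on a different host than the issuer, and authentication disabled on a service that is deployed with --allow-unauthenticated. It also prints the exact Allowed Callback URL to register in Auth0 for a given Cloud Run service URL. The flat `KEY: "value"` layout it parses, the constructed sample values and the file name check-env.sh are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example for this guide (not OpenTaco's own code): pre-deploy checks on
# cloud-run.env.yaml and the Auth0 callback URL for a Cloud Run service URL.
# Assumes the flat `KEY: "value"` layout shown in the guide, one key per line.

REQUIRED_KEYS="OPENTACO_S3_BUCKET OPENTACO_S3_REGION OPENTACO_AUTH_ISSUER
OPENTACO_AUTH_CLIENT_ID OPENTACO_AUTH_CLIENT_SECRET OPENTACO_AUTH_AUTH_URL
OPENTACO_AUTH_TOKEN_URL AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY OPENTACO_STORAGE"

# env_value FILE KEY: print KEY's value with surrounding quotes stripped (empty if absent)
env_value() {
  grep "^$2:" "$1" 2>/dev/null | head -n 1 |
    sed 's/^[^:]*:[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# host_of URL: host part of an https URL, used to compare the Auth0 endpoints
host_of() {
  h=${1#https://}
  echo "${h%%/*}"
}

# callback_url SERVICE_URL: the Allowed Callback URL to register in Auth0
callback_url() {
  echo "${1%/}/oauth/oidc-callback"
}

# validate_env_file FILE: print one finding per line; succeed only when there are none
validate_env_file() {
  file=$1
  problems=0
  for key in $REQUIRED_KEYS; do
    value=$(env_value "$file" "$key")
    if [ -z "$value" ]; then
      echo "missing: $key"; problems=$((problems + 1))
    else
      case $value in
        *your-*|*your_*|*YOUR_*)   # template placeholder from the guide left in place
          echo "placeholder still set: $key"; problems=$((problems + 1)) ;;
      esac
    fi
  done
  # Auth0 tokens carry iss = https://<tenant-domain>/ with a trailing slash, as in the template
  issuer=$(env_value "$file" OPENTACO_AUTH_ISSUER)
  case $issuer in
    ""|https://*/) ;;
    *) echo "issuer must be https and end with a slash: $issuer"; problems=$((problems + 1)) ;;
  esac
  # The authorize and token endpoints must belong to the same tenant as the issuer
  for key in OPENTACO_AUTH_AUTH_URL OPENTACO_AUTH_TOKEN_URL; do
    url=$(env_value "$file" "$key")
    if [ -n "$url" ] && [ -n "$issuer" ] && [ "$(host_of "$url")" != "$(host_of "$issuer")" ]; then
      echo "$key host does not match the issuer: $url"; problems=$((problems + 1))
    fi
  done
  # The deploy script uses --allow-unauthenticated, so Statesman's own login is the only gate
  if [ "$(env_value "$file" OPENTACO_AUTH_DISABLE)" = "true" ]; then
    echo "OPENTACO_AUTH_DISABLE is true on a publicly reachable service"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# sample_env_file good|bad: write a constructed sample (all values made up) and print its path
sample_env_file() {
  f=$(mktemp)
  if [ "$1" = good ]; then
    bucket=acme-tfstate; issuer=https://acme.us.auth0.com/; disable=false
    token_url='OPENTACO_AUTH_TOKEN_URL: "https://acme.us.auth0.com/oauth/token"'
  else   # placeholder kept, issuer without trailing slash, token URL missing, auth disabled
    bucket=your-s3-bucket-name; issuer=https://acme.us.auth0.com; disable=true
    token_url='# OPENTACO_AUTH_TOKEN_URL forgotten'
  fi
  cat >"$f" <<EOF
OPENTACO_S3_BUCKET: "$bucket"
OPENTACO_S3_REGION: "us-east-1"
OPENTACO_S3_PREFIX: "statesman"
OPENTACO_AUTH_ISSUER: "$issuer"
OPENTACO_AUTH_CLIENT_ID: "constructed-client-id"
OPENTACO_AUTH_CLIENT_SECRET: "constructed-client-secret"
OPENTACO_AUTH_AUTH_URL: "https://acme.us.auth0.com/authorize"
$token_url
AWS_ACCESS_KEY_ID: "constructed-key-id"
AWS_SECRET_ACCESS_KEY: "constructed-secret"
AWS_REGION: "us-east-1"
OPENTACO_PORT: "8080"
OPENTACO_STORAGE: "s3"
OPENTACO_AUTH_DISABLE: "$disable"
EOF
  echo "$f"
}

# Usage: ./check-env.sh cloud-run.env.yaml   (no argument: run against the constructed bad sample)
if [ $# -gt 0 ]; then
  validate_env_file "$1"
else
  demo=$(sample_env_file bad)
  if validate_env_file "$demo"; then echo "no findings"; else echo "fix the findings above before deploying"; fi
  rm -f "$demo"
fi
```

Run it against your real file before the deploy script; once the service exists, `callback_url "$SERVICE_URL"` gives the string to paste into Auth0's Allowed Callback URLs.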