Re_Backend/docs/GCP_STORAGE_SETUP.md

# GCP Cloud Storage Setup Guide for RE Workflow
## Project Information
| Item | Value |
|------|-------|
| **Application** | RE Workflow System |
| **Environment** | UAT |
| **Domain** | https://reflow-uat.royalenfield.com |
| **Purpose** | Store workflow documents and attachments |
---
## 1. Requirements Overview
The RE Workflow application needs Google Cloud Storage to store:
- Request documents (uploaded during workflow creation)
- Attachments (added during approval process)
- Supporting documents
### Folder Structure in Bucket
```
reflow-documents-uat/
├── requests/
│   ├── REQ-2025-12-0001/
│   │   ├── documents/
│   │   │   ├── proposal.pdf
│   │   │   └── specification.docx
│   │   └── attachments/
│   │       ├── approval_note.pdf
│   │       └── signature.png
│   │
│   ├── REQ-2025-12-0002/
│   │   ├── documents/
│   │   │   └── budget_report.xlsx
│   │   └── attachments/
│   │       └── manager_approval.pdf
│   │
│   └── REQ-2025-12-0003/
│       ├── documents/
│       └── attachments/
└── temp/
    └── (temporary uploads before processing)
```
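The layout above is only safe if the application never lets a caller-supplied file name or request id steer an object into another request's folder. The following added example (not part of this guide or the RE Workflow code base) shows one way to build object names for this layout: the request id is validated against the `REQ-YYYY-MM-NNNN` pattern, the category is restricted to `documents`/`attachments`, and the file name is reduced to a single sanitised path component so inputs such as `../../REQ-2025-12-0002/documents/x.pdf` cannot escape the request's own prefix. The allowed extension list, the upload-id format for `temp/` and the length limit are assumptions chosen for the example.

```python
import posixpath
import re
import unicodedata

# Constructed constants that mirror the bucket layout described in this guide.
BUCKET_NAME = "reflow-documents-uat"
REQUEST_ID_RE = re.compile(r"REQ-\d{4}-\d{2}-\d{4}")
CATEGORIES = ("documents", "attachments")
# Assumed allow-list of file types the workflow accepts (not taken from the guide).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".jpeg"}
MAX_FILENAME_LEN = 128  # assumed limit for the example


class InvalidObjectPath(ValueError):
    """Raised when a caller-supplied value cannot be mapped onto the bucket layout."""


def sanitize_filename(name: str) -> str:
    """Reduce an uploaded file name to a single safe path component.

    Directory components (including "../" and absolute or Windows-style prefixes)
    are discarded, Unicode is normalised, and anything outside a conservative
    character set is replaced, so the result can never leave the folder it is placed in.
    """
    # Normalise first so that no compatibility character can turn into a separator afterwards.
    normalised = unicodedata.normalize("NFKC", name).replace("\\", "/")
    base = posixpath.basename(normalised).strip()
    if base in ("", ".", ".."):
        raise InvalidObjectPath("file name is empty or dot-only")
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if len(safe) > MAX_FILENAME_LEN:
        raise InvalidObjectPath("file name too long")
    ext = posixpath.splitext(safe)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise InvalidObjectPath(f"file type {ext or '(none)'} is not allowed")
    return safe


def build_object_name(request_id: str, category: str, filename: str) -> str:
    """Return the object name for a request file, e.g. requests/REQ-2025-12-0001/documents/proposal.pdf."""
    if not REQUEST_ID_RE.fullmatch(request_id):
        raise InvalidObjectPath(f"malformed request id {request_id!r}")
    if category not in CATEGORIES:
        raise InvalidObjectPath(f"unknown category {category!r}")
    name = f"requests/{request_id}/{category}/{sanitize_filename(filename)}"
    # Defence in depth: the final name must still sit under this request's own prefix.
    if not name.startswith(f"requests/{request_id}/") or "/../" in name:
        raise InvalidObjectPath("object name escaped its request folder")
    return name


def build_temp_object_name(upload_id: str, filename: str) -> str:
    """Name for a not-yet-processed upload under temp/ (cleaned up by the lifecycle rule in section 5)."""
    # Assumed upload-id format: an opaque alphanumeric token generated server-side.
    if not re.fullmatch(r"[A-Za-z0-9-]{8,64}", upload_id):
        raise InvalidObjectPath(f"malformed upload id {upload_id!r}")
    return f"temp/{upload_id}/{sanitize_filename(filename)}"


def gs_uri(object_name: str) -> str:
    """Full gs:// URI for an object name in the UAT bucket."""
    return f"gs://{BUCKET_NAME}/{object_name}"


if __name__ == "__main__":
    print(gs_uri(build_object_name("REQ-2025-12-0001", "documents", "proposal.pdf")))
    # A traversal attempt collapses to a plain file name inside the caller's own request folder.
    print(gs_uri(build_object_name("REQ-2025-12-0001", "attachments",
                                   "../../REQ-2025-12-0002/documents/x.pdf")))
```

The id and category checks run before any path is assembled, and the final `startswith` check is deliberately redundant: if a later refactor weakens `sanitize_filename`, the object name still cannot land outside `requests/<request id>/`.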
---
## 2. GCP Bucket Configuration
### 2.1 Create Bucket
| Setting | Value |
|---------|-------|
| **Bucket Name** | `reflow-documents-uat` (UAT) / `reflow-documents-prod` (Production) |
| **Location Type** | Region |
| **Region** | `asia-south1` (Mumbai) |
| **Storage Class** | Standard |
| **Access Control** | Uniform |
| **Public Access Prevention** | Enforced (Block all public access) |
### 2.2 Console Commands (gcloud CLI)
```bash
# Create bucket
gcloud storage buckets create gs://reflow-documents-uat \
    --project=YOUR_PROJECT_ID \
    --location=asia-south1 \
    --uniform-bucket-level-access

# Block public access
gcloud storage buckets update gs://reflow-documents-uat \
    --public-access-prevention
```
---
## 3. Service Account Setup
### 3.1 Create Service Account
| Setting | Value |
|---------|-------|
| **Name** | `reflow-storage-sa` |
| **Description** | Service account for RE Workflow file storage |
```bash
# Create service account
gcloud iam service-accounts create reflow-storage-sa \
    --display-name="RE Workflow Storage Service Account" \
    --project=YOUR_PROJECT_ID
```
### 3.2 Assign Permissions
The service account needs the following object-level permissions:
| Role | Purpose |
|------|---------|
| `roles/storage.objectCreator` | Upload files |
| `roles/storage.objectViewer` | Download/preview files |
| `roles/storage.objectAdmin` | Delete files (also includes the create and view permissions above) |
Because `roles/storage.objectAdmin` already includes the creator and viewer permissions, a single binding is enough. Note that the project-level binding below grants the role on every bucket in the project; if the project hosts other buckets, bind the role on the bucket itself instead (`gcloud storage buckets add-iam-policy-binding gs://reflow-documents-uat ...`) so that the "minimal required permissions" item in the security checklist holds.
```bash
# Grant permissions (project-wide: applies to all buckets in the project)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:reflow-storage-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/storage.objectAdmin"
```
### 3.3 Generate JSON Key
```bash
# Generate key file
gcloud iam service-accounts keys create gcp-key.json \
    --iam-account=reflow-storage-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com
```
⚠️ **Security:** This key grants full object access to the bucket. Share it only through a secure file transfer method (never by email or chat), and never commit it to source control.
---
## 4. CORS Configuration
Apply this CORS policy so that the application front-end can upload to and read from the bucket directly from the browser. Keep the `origin` list limited to the application's own domains; a wildcard origin would allow any website to make requests against the bucket from a user's browser:
### 4.1 Create `cors-config.json`
```json
[
  {
    "origin": [
      "https://reflow-uat.royalenfield.com",
      "https://reflow.royalenfield.com"
    ],
    "method": ["GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"],
    "responseHeader": [
      "Content-Type",
      "Content-Disposition",
      "Content-Length",
      "Cache-Control",
      "x-goog-meta-*"
    ],
    "maxAgeSeconds": 3600
  }
]
```
### 4.2 Apply CORS Policy
```bash
gcloud storage buckets update gs://reflow-documents-uat \
    --cors-file=cors-config.json
```
---
## 5. Lifecycle Rules (Optional but Recommended)
### 5.1 Auto-delete Temporary Files
Delete objects under the `temp/` prefix once they are older than one day (the `age` condition is measured in days, so `1` means roughly 24 hours). Save the rule as `lifecycle-config.json`:
```json
{
  "lifecycle": {
    "rule": [
      {
        "action": { "type": "Delete" },
        "condition": {
          "age": 1,
          "matchesPrefix": ["temp/"]
        }
      }
    ]
  }
}
```
```bash
gcloud storage buckets update gs://reflow-documents-uat \
    --lifecycle-file=lifecycle-config.json
```
---
## 6. Bucket Versioning (Recommended)
Enable versioning so that an accidentally deleted or overwritten object can be recovered from its noncurrent version:
```bash
gcloud storage buckets update gs://reflow-documents-uat \
    --versioning
```
---
## 7. Deliverables to Application Team
Please provide the following to the development team:
### 7.1 Environment Variables
| Variable | Value |
|----------|-------|
| `GCP_PROJECT_ID` | `your-gcp-project-id` |
| `GCP_BUCKET_NAME` | `reflow-documents-uat` |
| `GCP_KEY_FILE` | `./config/gcp-key.json` |
### 7.2 Files to Share
| File | Description | How to Share |
|------|-------------|--------------|
| `gcp-key.json` | Service account key | Secure transfer (not email) |
---
## 8. Verification Steps
After setup, verify with:
```bash
# List bucket contents
gcloud storage ls gs://reflow-documents-uat/
# Test upload
echo "test" > test.txt
gcloud storage cp test.txt gs://reflow-documents-uat/temp/
# Test download
gcloud storage cp gs://reflow-documents-uat/temp/test.txt ./downloaded.txt
# Test delete
gcloud storage rm gs://reflow-documents-uat/temp/test.txt
```
---
## 9. Environment-Specific Buckets
| Environment | Bucket Name | Region |
|-------------|-------------|--------|
| Development | `reflow-documents-dev` | asia-south1 |
| UAT | `reflow-documents-uat` | asia-south1 |
| Production | `reflow-documents-prod` | asia-south1 |
---
## 10. Monitoring & Alerts (Optional)
### 10.1 Enable Logging
```bash
gcloud storage buckets update gs://reflow-documents-uat \
    --log-bucket=gs://your-logging-bucket \
    --log-object-prefix=reflow-storage-logs/
```
### 10.2 Storage Alerts
Set up alerts for:
- Storage exceeds 80% of quota
- Unusual download patterns
- Failed access attempts
---
## 11. Cost Estimation
| Item | Estimate (monthly) |
|------|--------------------|
| Storage (100 GB) | ~$2.00 |
| Operations (10K requests) | ~$0.05 |
| Network egress | Varies by usage |
---
## 12. Security Checklist
- [ ] Public access prevention enabled
- [ ] Service account has minimal required permissions
- [ ] JSON key stored securely (not in Git)
- [ ] CORS configured for specific domains only
- [ ] Bucket versioning enabled
- [ ] Lifecycle rules for temp files
- [ ] Access logging enabled
---
## 13. Contact
| Role | Contact |
|------|---------|
| Application Team | [Your Email] |
| DevOps Team | [DevOps Email] |
---
## Appendix: Quick Reference
### GCP Console URLs
- **Buckets:** https://console.cloud.google.com/storage/browser
- **Service Accounts:** https://console.cloud.google.com/iam-admin/serviceaccounts
- **IAM:** https://console.cloud.google.com/iam-admin/iam
### gcloud Commands Summary
```bash
# Create bucket
gcloud storage buckets create gs://BUCKET_NAME --location=asia-south1
# Create service account
gcloud iam service-accounts create SA_NAME
# Generate key
gcloud iam service-accounts keys create key.json --iam-account=SA@PROJECT.iam.gserviceaccount.com
# Set CORS
gcloud storage buckets update gs://BUCKET_NAME --cors-file=cors.json
# Enable versioning
gcloud storage buckets update gs://BUCKET_NAME --versioning
```