GCP Cloud Storage Setup Guide for RE Workflow
Project Information
| Item | Value |
|---|---|
| Application | RE Workflow System |
| Environment | UAT |
| Domain | https://reflow-uat.royalenfield.com |
| Purpose | Store workflow documents and attachments |
1. Requirements Overview
The RE Workflow application needs Google Cloud Storage to store:
- Request documents (uploaded during workflow creation)
- Attachments (added during approval process)
- Supporting documents
Folder Structure in Bucket
reflow-documents-uat/
├── requests/
│   ├── REQ-2025-12-0001/
│   │   ├── documents/
│   │   │   ├── proposal.pdf
│   │   │   └── specification.docx
│   │   └── attachments/
│   │       ├── approval_note.pdf
│   │       └── signature.png
│   │
│   ├── REQ-2025-12-0002/
│   │   ├── documents/
│   │   │   └── budget_report.xlsx
│   │   └── attachments/
│   │       └── manager_approval.pdf
│   │
│   └── REQ-2025-12-0003/
│       ├── documents/
│       └── attachments/
│
└── temp/
    └── (temporary uploads before processing)
2. GCP Bucket Configuration
2.1 Create Bucket
| Setting | Value |
|---|---|
| Bucket Name | reflow-documents-uat (UAT) / reflow-documents-prod (Production) |
| Location Type | Region |
| Region | asia-south1 (Mumbai) |
| Storage Class | Standard |
| Access Control | Uniform |
| Public Access Prevention | Enforced (Block all public access) |
2.2 Console Commands (gcloud CLI)
# Create bucket
gcloud storage buckets create gs://reflow-documents-uat \
--project=YOUR_PROJECT_ID \
--location=asia-south1 \
--uniform-bucket-level-access
# Block public access
gcloud storage buckets update gs://reflow-documents-uat \
--public-access-prevention
3. Service Account Setup
3.1 Create Service Account
| Setting | Value |
|---|---|
| Name | reflow-storage-sa |
| Description | Service account for RE Workflow file storage |
# Create service account
gcloud iam service-accounts create reflow-storage-sa \
--display-name="RE Workflow Storage Service Account" \
--project=YOUR_PROJECT_ID
3.2 Assign Permissions
The service account needs these roles:
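| Role | Purpose |
|---|---|
| roles/storage.objectCreator | Upload files |
| roles/storage.objectViewer | Download/preview files |
| roles/storage.objectAdmin | Delete files |

roles/storage.objectAdmin already includes the permissions of the other two roles, so the command below grants only that role. The binding is made at project level, so it applies to every bucket in the project.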
# Grant permissions
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:reflow-storage-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/storage.objectAdmin"
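Added example (not part of the original guide): a Python check that reports where the service account's storage roles are bound and whether the bucket policy has public members. It assumes both policies were exported in the standard IAM policy JSON shape; the policy contents are constructed and YOUR_PROJECT_ID is the guide's placeholder.

```python
# Added example: locate where a service account's Cloud Storage roles are bound.
# A project-level binding applies to every bucket in the project; a
# bucket-level binding applies to that bucket only.

SA = "serviceAccount:reflow-storage-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies in the standard IAM policy JSON shape.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SA]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]},
]}
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SA]},
]}


def storage_roles(policy, member):
    """Return the sorted roles/storage.* roles that `member` holds in `policy`."""
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", []) and b["role"].startswith("roles/storage.")
    )


def audit_bindings(project_policy, bucket_policy, member):
    """Return a list of findings about binding scope and public exposure."""
    findings = []
    for role in storage_roles(project_policy, member):
        findings.append(f"project-wide: {role} covers every bucket in the project")
    if not storage_roles(bucket_policy, member):
        findings.append("bucket: service account has no role on the bucket itself")
    for b in bucket_policy.get("bindings", []):
        for m in sorted(PUBLIC_MEMBERS.intersection(b.get("members", []))):
            findings.append(f"public: {m} holds {b['role']} on the bucket")
    return findings


if __name__ == "__main__":
    for line in audit_bindings(PROJECT_POLICY, BUCKET_POLICY, SA):
        print(line)
```

An empty result means the account's storage roles are bound on the bucket only and no public member appears in the bucket policy.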
3.3 Generate JSON Key
# Generate key file
gcloud iam service-accounts keys create gcp-key.json \
--iam-account=reflow-storage-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com
⚠️ Security: Share this key file securely (not via email). Use a secure file transfer method.
4. CORS Configuration
Apply this CORS policy to allow browser uploads:
4.1 Create cors-config.json
[
{
"origin": [
"https://reflow-uat.royalenfield.com",
"https://reflow.royalenfield.com"
],
"method": ["GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"],
"responseHeader": [
"Content-Type",
"Content-Disposition",
"Content-Length",
"Cache-Control",
"x-goog-meta-*"
],
"maxAgeSeconds": 3600
}
]
4.2 Apply CORS Policy
gcloud storage buckets update gs://reflow-documents-uat \
--cors-file=cors-config.json
5. Lifecycle Rules (Optional but Recommended)
5.1 Auto-delete Temporary Files
Delete files in the temp/ folder after 24 hours (the age condition is counted in days). Save this rule as lifecycle-config.json:
{
"lifecycle": {
"rule": [
{
"action": { "type": "Delete" },
"condition": {
"age": 1,
"matchesPrefix": ["temp/"]
}
}
]
}
}
gcloud storage buckets update gs://reflow-documents-uat \
--lifecycle-file=lifecycle-config.json
6. Bucket Versioning (Recommended)
Enable versioning for accidental delete recovery:
gcloud storage buckets update gs://reflow-documents-uat \
--versioning
7. Deliverables to Application Team
Please provide the following to the development team:
7.1 Environment Variables
| Variable | Value |
|---|---|
| GCP_PROJECT_ID | your-gcp-project-id |
| GCP_BUCKET_NAME | reflow-documents-uat |
| GCP_KEY_FILE | ./config/gcp-key.json |
7.2 Files to Share
| File | Description | How to Share |
|---|---|---|
| gcp-key.json | Service account key | Secure transfer (not email) |
8. Verification Steps
After setup, verify with:
# List bucket contents
gcloud storage ls gs://reflow-documents-uat/
# Test upload
echo "test" > test.txt
gcloud storage cp test.txt gs://reflow-documents-uat/temp/
# Test download
gcloud storage cp gs://reflow-documents-uat/temp/test.txt ./downloaded.txt
# Test delete
gcloud storage rm gs://reflow-documents-uat/temp/test.txt
9. Environment-Specific Buckets
| Environment | Bucket Name | Region |
|---|---|---|
| Development | reflow-documents-dev | asia-south1 |
| UAT | reflow-documents-uat | asia-south1 |
| Production | reflow-documents-prod | asia-south1 |
10. Monitoring & Alerts (Optional)
10.1 Enable Logging
gcloud storage buckets update gs://reflow-documents-uat \
--log-bucket=gs://your-logging-bucket \
--log-object-prefix=reflow-storage-logs/
10.2 Storage Alerts
Set up alerts for:
- Storage exceeds 80% of quota
- Unusual download patterns
- Failed access attempts
11. Cost Estimation
| Item | Estimate (Monthly) |
|---|---|
| Storage (100GB) | ~$2.00 |
| Operations (10K) | ~$0.05 |
| Network Egress | Varies by usage |
12. Security Checklist
- Public access prevention enabled
- Service account has minimal required permissions
- JSON key stored securely (not in Git)
- CORS configured for specific domains only
- Bucket versioning enabled
- Lifecycle rules for temp files
- Access logging enabled
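Added example (not part of the original guide): a Python audit of the checklist items that are visible in bucket metadata, plus the uniform access setting from section 2.1. It assumes the input is the Cloud Storage JSON API bucket resource; the BUCKET value is constructed from the settings in this guide.

```python
# Added example: check bucket metadata against the Security Checklist.
# Input is the Cloud Storage JSON API bucket resource; BUCKET is constructed.

BUCKET = {
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
    "versioning": {"enabled": True},
    "cors": [{"origin": ["https://reflow-uat.royalenfield.com",
                         "https://reflow.royalenfield.com"]}],
    "lifecycle": {"rule": [{"action": {"type": "Delete"},
                            "condition": {"age": 1, "matchesPrefix": ["temp/"]}}]},
    "logging": {"logBucket": "your-logging-bucket",
                "logObjectPrefix": "reflow-storage-logs/"},
}


def cors_origins_specific(bucket):
    """True when CORS is set and every origin is an explicit https:// host."""
    origins = [o for entry in bucket.get("cors", []) for o in entry.get("origin", [])]
    return bool(origins) and all(
        o.startswith("https://") and "*" not in o for o in origins)


def temp_cleanup_rule(bucket):
    """True when a Delete rule with an age condition targets the temp/ prefix."""
    return any(
        r.get("action", {}).get("type") == "Delete"
        and "age" in r.get("condition", {})
        and "temp/" in r["condition"].get("matchesPrefix", [])
        for r in bucket.get("lifecycle", {}).get("rule", []))


def audit_bucket(bucket):
    """Return {checklist item: passed} for the items visible in bucket metadata."""
    iam = bucket.get("iamConfiguration", {})
    ubla = iam.get("uniformBucketLevelAccess", {}).get("enabled") is True
    return {
        "public access prevention": iam.get("publicAccessPrevention") == "enforced",
        "uniform bucket-level access": ubla,
        "cors specific domains": cors_origins_specific(bucket),
        "versioning": bucket.get("versioning", {}).get("enabled") is True,
        "temp lifecycle rule": temp_cleanup_rule(bucket),
        "access logging": bool(bucket.get("logging", {}).get("logBucket")),
    }


def failed_items(bucket):
    """Return the sorted names of checklist items that did not pass."""
    return sorted(name for name, ok in audit_bucket(bucket).items() if not ok)
```

The service account permission and key storage items are not part of bucket metadata and are not covered by this check.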
13. Contact
| Role | Contact |
|---|---|
| Application Team | [Your Email] |
| DevOps Team | [DevOps Email] |
Appendix: Quick Reference
GCP Console URLs
- Buckets: https://console.cloud.google.com/storage/browser
- Service Accounts: https://console.cloud.google.com/iam-admin/serviceaccounts
- IAM: https://console.cloud.google.com/iam-admin/iam
gcloud Commands Summary
# Create bucket
gcloud storage buckets create gs://BUCKET_NAME --location=asia-south1
# Create service account
gcloud iam service-accounts create SA_NAME
# Generate key
gcloud iam service-accounts keys create key.json --iam-account=SA@PROJECT.iam.gserviceaccount.com
# Set CORS
gcloud storage buckets update gs://BUCKET_NAME --cors-file=cors.json
# Enable versioning
gcloud storage buckets update gs://BUCKET_NAME --versioning