From baef071319d101034b93d717437015063c3660ba Mon Sep 17 00:00:00 2001
From: James Wiesebron <jameswiesebron@khanacademy.org>
Date: Wed, 4 Feb 2026 13:55:50 -0800
Subject: [PATCH] Add multi-platform build support to cloud-build-docker module

Add support for building Docker images for multiple architectures
(e.g., linux/amd64 and linux/arm64) using docker buildx.

Changes:
- Add `platforms` variable (default: ["linux/amd64"])
- Add cloudbuild-buildx.yml for multi-platform builds
- Update build_image.py to select buildx config when multiple platforms
- Update README with multi-platform documentation

When multiple platforms are specified, the module uses docker buildx
which supports efficient cross-compilation. For Go services with
multi-stage Dockerfiles using TARGETARCH/TARGETOS build args, this
is much faster than QEMU emulation.

Example usage:
```hcl
module "my_image" {
  source = "..."
  platforms = ["linux/amd64", "linux/arm64"]
  # ...
}
```

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .../modules/cloud-build-docker/README.md      | 24 +++++++++++--
 .../modules/cloud-build-docker/build_image.py | 21 ++++++++++--
 .../cloud-build-docker/cloudbuild-buildx.yml  | 34 +++++++++++++++++++
 terraform/modules/cloud-build-docker/main.tf  |  2 ++
 .../modules/cloud-build-docker/variables.tf   | 11 ++++++
 5 files changed, 86 insertions(+), 6 deletions(-)
 create mode 100644 terraform/modules/cloud-build-docker/cloudbuild-buildx.yml

diff --git a/terraform/modules/cloud-build-docker/README.md b/terraform/modules/cloud-build-docker/README.md
index 5f3a6bd..8e299db 100644
--- a/terraform/modules/cloud-build-docker/README.md
+++ b/terraform/modules/cloud-build-docker/README.md
@@ -5,6 +5,7 @@ A reusable Terraform module for building Docker images using Google Cloud Build
 ## Features
 
 - **Cloud Build Integration**: Uses Google Cloud Build for reliable, scalable Docker image building
+- **Multi-Platform Builds**: Supports building for multiple architectures (amd64, arm64) via docker buildx
 - **Branch-based Caching**: Optimizes build times by caching layers based on branch names
 - **Cache Fallback**: Automatically falls back to "latest" tag if the specified cache tag doesn't exist, ensuring we always have some level of caching
 - **Digest Tracking**: Returns full image digests for precise versioning in Terraform
@@ -109,6 +110,24 @@ module "secure_app" {
 }
 ```
 
+### Multi-Platform Build (amd64 + arm64)
+
+```hcl
+module "cross_platform_app" {
+  source = "git::https://github.com/Khan/terraform-cloud-build-docker-module.git?ref=v1.0.0"
+
+  image_name       = "cross-platform-app"
+  context_path     = "./app"
+  project_id       = var.project_id
+  image_tag_suffix = "latest"
+
+  # Build for both amd64 and arm64 platforms
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+> **Note**: Multi-platform builds use docker buildx. For Go services with multi-stage Dockerfiles, cross-compilation is used (Go compiler runs on amd64 but produces binaries for each target platform via `TARGETARCH`/`TARGETOS` build args), which is much faster than QEMU emulation.
+
 ## Requirements & Inputs
 
 ### Required
@@ -122,9 +141,8 @@ module "secure_app" {
 
 - `dockerfile_path` - Path to the Dockerfile relative to context_path ("Dockerfile")
 - `base_digest` - Base image digest for build args ("latest")
-- `cloud_build_config` - Custom Cloud Build config file (null)
-- `build_args` - Additional build arguments ({})
-- `cache_enabled` - Enable branch-based caching (true)
+- `region` - GCP region for Cloud Build ("us-central1")
+- `platforms` - Target platforms for multi-arch builds (["linux/amd64"]). Use ["linux/amd64", "linux/arm64"] for cross-platform builds.
 
 ## Outputs
 
diff --git a/terraform/modules/cloud-build-docker/build_image.py b/terraform/modules/cloud-build-docker/build_image.py
index ba829a3..fa96ead 100755
--- a/terraform/modules/cloud-build-docker/build_image.py
+++ b/terraform/modules/cloud-build-docker/build_image.py
@@ -108,8 +108,13 @@ def build_image(
     image_tag_suffix,
     base_digest="latest",
     region="us-central1",
+    platforms="linux/amd64",
 ):
-    """Build a Docker image via Cloud Build and return its digest."""
+    """Build a Docker image via Cloud Build and return its digest.
+
+    For multi-platform builds (when platforms contains multiple architectures),
+    docker buildx is used for efficient cross-compilation.
+    """
 
     # Construct image URIs
     image_uri = f"gcr.io/{project_id}/{image_name}"
@@ -168,13 +173,21 @@ def build_image(
             "_IMAGE_TAG": image_tag,
             "_BASE_DIGEST": base_digest,
             "_CACHE_TAG": effective_cache_tag,  # Use effective cache tag (with fallback to latest)
+            "_PLATFORMS": platforms,
         }
         subs_str = ",".join(f"{k}={v}" for k, v in substitutions.items())
 
         # Submit to Cloud Build
-        # Get the directory where this script is located to find cloudbuild.yml
+        # Get the directory where this script is located to find cloudbuild config
         script_dir = os.path.dirname(os.path.abspath(__file__))
-        cloudbuild_config = os.path.join(script_dir, "cloudbuild.yml")
+
+        # Use buildx config for multi-platform builds
+        is_multiplatform = "," in platforms
+        if is_multiplatform:
+            cloudbuild_config = os.path.join(script_dir, "cloudbuild-buildx.yml")
+            print(f"Using buildx for multi-platform build: {platforms}", file=sys.stderr)
+        else:
+            cloudbuild_config = os.path.join(script_dir, "cloudbuild.yml")
         
         # TODO(jwbron): Consider adding automatic GCS bucket creation with import support for existing buckets in terraform
         # Use --polling-interval to reduce API calls and avoid rate limits when running many parallel builds
@@ -226,6 +239,7 @@ def main():
         image_tag_suffix = input_data["image_tag_suffix"]
         base_digest = input_data.get("base_digest", "latest")
         region = input_data.get("region", "us-central1")
+        platforms = input_data.get("platforms", "linux/amd64")
 
         # Validate that image_tag_suffix is not empty
         if not image_tag_suffix or image_tag_suffix.strip() == "":
@@ -240,6 +254,7 @@ def main():
             image_tag_suffix=image_tag_suffix,
             base_digest=base_digest,
             region=region,
+            platforms=platforms,
         )
 
         # Return JSON output for Terraform
diff --git a/terraform/modules/cloud-build-docker/cloudbuild-buildx.yml b/terraform/modules/cloud-build-docker/cloudbuild-buildx.yml
new file mode 100644
index 0000000..5f11e09
--- /dev/null
+++ b/terraform/modules/cloud-build-docker/cloudbuild-buildx.yml
@@ -0,0 +1,34 @@
+# Cloud Build configuration for multi-platform builds using docker buildx.
+# This config is used when multiple platforms are specified (e.g., linux/amd64,linux/arm64).
+# Uses efficient Go cross-compilation via TARGETARCH/TARGETOS build args.
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+  id: Setup buildx
+  entrypoint: bash
+  args:
+  - -c
+  - |
+    echo "Setting up docker buildx..."
+    docker buildx create --name multiarch-builder --use
+    docker buildx inspect --bootstrap
+
+- name: 'gcr.io/cloud-builders/docker'
+  id: Build and push multi-arch image
+  entrypoint: bash
+  args:
+  - -c
+  - |
+    echo "Building multi-platform image for: $_PLATFORMS"
+
+    # buildx builds must push directly (can't load multi-arch images locally)
+    # --cache-from and --cache-to use registry-based caching
+    docker buildx build \
+      --platform="$_PLATFORMS" \
+      --tag="$_IMAGE_TAG" \
+      --tag="$_IMAGE_NAME:$_CACHE_TAG" \
+      --build-arg BASE_IMAGE="$_BASE_DIGEST" \
+      --push \
+      .
+  waitFor: ['Setup buildx']
+
+# No 'images' section needed - buildx pushes directly during build
diff --git a/terraform/modules/cloud-build-docker/main.tf b/terraform/modules/cloud-build-docker/main.tf
index 09f610c..b85a22e 100644
--- a/terraform/modules/cloud-build-docker/main.tf
+++ b/terraform/modules/cloud-build-docker/main.tf
@@ -29,6 +29,8 @@ data "external" "image_build" {
     image_tag_suffix = var.image_tag_suffix
     base_digest      = var.base_digest
     region           = var.region
+    # Pass platforms as comma-separated string for the external script
+    platforms        = join(",", var.platforms)
   }
 
   # Trigger rebuild when any of these change
diff --git a/terraform/modules/cloud-build-docker/variables.tf b/terraform/modules/cloud-build-docker/variables.tf
index 0cd2d1b..909d3c1 100644
--- a/terraform/modules/cloud-build-docker/variables.tf
+++ b/terraform/modules/cloud-build-docker/variables.tf
@@ -45,3 +45,14 @@ variable "region" {
   type        = string
   default     = "us-central1"
 }
+
+variable "platforms" {
+  description = "Target platforms for multi-arch builds (e.g., ['linux/amd64', 'linux/arm64']). When multiple platforms are specified, docker buildx is used for cross-platform builds."
+  type        = list(string)
+  default     = ["linux/amd64"]
+
+  validation {
+    condition     = length(var.platforms) > 0
+    error_message = "At least one platform must be specified."
+  }
+}