fix: fix vpc connector creation in Shared VPCs (#137)

GoogleCloudPlatform · Jul 26, 2023 · 5979144 · 5979144
1 parent c6f0db9
commit 5979144
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 32 deletions.
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -45,7 +45,6 @@ steps:
   - 'TF_VAR_create_access_context_manager_access_policy=false'
   waitFor:
   - prepare
-  allowFailure: true
 - id: create
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']

diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md
@@ -95,12 +95,14 @@ module "secure_cloud_run_harness" {
 
 | Name | Description |
 |------|-------------|
+| access\_context\_manager\_policy\_id | Access Context Manager ID. |
 | artifact\_registry\_key | Artifact Registry KMS Key. |
 | artifact\_registry\_repository\_id | The Artifact Registry Repository full identifier where the images should be stored. |
 | artifact\_registry\_repository\_name | The Artifact Registry Repository last part of the repository name where the images should be stored. |
 | cloud\_serverless\_service\_identity\_email | The Cloud Run Service Identity email. |
 | network\_project\_id | Project ID of the project created to host the Cloud Run Network. |
 | restricted\_access\_level\_name | Access level name. |
+| restricted\_access\_level\_name\_id | Access level name id. |
 | restricted\_service\_perimeter\_name | Service Perimeter name. |
 | security\_project\_id | Project ID of the project created for KMS and Artifact Register. |
 | security\_project\_number | Project number of the project created for KMS and Artifact Register. |

diff --git a/modules/secure-serverless-harness/outputs.tf b/modules/secure-serverless-harness/outputs.tf
@@ -122,6 +122,15 @@ output "cloud_serverless_service_identity_email" {
   ]
 }
 
+output "access_context_manager_policy_id" {
+  value       = local.access_context_manager_policy_id
+  description = "Access Context Manager ID."
+
+  depends_on = [
+    time_sleep.wait_vpc_sc_propagation
+  ]
+}
+
 output "restricted_service_perimeter_name" {
   value       = module.regular_service_perimeter.perimeter_name
   description = "Service Perimeter name."
@@ -140,6 +149,15 @@ output "restricted_access_level_name" {
   ]
 }
 
+output "restricted_access_level_name_id" {
+  value       = module.access_level_members.name_id
+  description = "Access level name id."
+
+  depends_on = [
+    time_sleep.wait_vpc_sc_propagation
+  ]
+}
+
 output "artifact_registry_key" {
   value       = module.artifact_registry_kms.keys[var.key_name]
   description = "Artifact Registry KMS Key."

diff --git a/modules/secure-serverless-harness/service_perimeter.tf b/modules/secure-serverless-harness/service_perimeter.tf
@@ -21,7 +21,8 @@ locals {
   access_context_manager_policy_id = var.create_access_context_manager_access_policy ? google_access_context_manager_access_policy.access_policy[0].id : var.access_context_manager_policy_id
   access_level_members = concat(var.access_level_members,
     [for project in module.serverless_project : "serviceAccount:${project.services_identities["cloudbuild"]}"],
-    [for project in module.serverless_project : "serviceAccount:${project.services_identities["gcs"]}"]
+    [for project in module.serverless_project : "serviceAccount:${project.services_identities["gcs"]}"],
+    [for project in module.serverless_project : "serviceAccount:${project.services_identities["cloudservices"]}"]
   )
 }
 

diff --git a/modules/secure-serverless-net/network.tf b/modules/secure-serverless-net/network.tf
@@ -34,22 +34,20 @@ resource "google_compute_subnetwork" "vpc_subnetwork" {
   }
 }
 
-module "serverless_connector" {
-  source  = "terraform-google-modules/network/google//modules/vpc-serverless-connector-beta"
-  version = "~> 5.0"
+resource "google_vpc_access_connector" "serverless_connector" {
+  name           = "${var.connector_name}${local.suffix}"
+  region         = var.location
+  project        = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id
+  machine_type   = "e2-micro"
+  min_instances  = 2
+  max_instances  = 10
+  min_throughput = 200
+  max_throughput = 1000
+  subnet {
+    name       = local.subnet_name
+    project_id = var.vpc_project_id
+  }
 
-  project_id = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id
-  vpc_connectors = [{
-    name            = "${var.connector_name}${local.suffix}"
-    region          = var.location
-    subnet_name     = local.subnet_name
-    host_project_id = var.vpc_project_id
-    machine_type    = "e2-micro"
-    min_instances   = 2
-    max_instances   = 7
-    max_throughput  = 700
-    }
-  ]
   depends_on = [
     google_project_iam_member.gca_sa_vpcaccess,
     google_project_iam_member.cloud_services,

diff --git a/modules/secure-serverless-net/outputs.tf b/modules/secure-serverless-net/outputs.tf
@@ -15,7 +15,7 @@
  */
 
 output "connector_id" {
-  value       = tolist(module.serverless_connector.connector_ids)[0]
+  value       = google_vpc_access_connector.serverless_connector.id
   description = "VPC serverless connector ID."
 }
 

diff --git a/modules/service-project-factory/outputs.tf b/modules/service-project-factory/outputs.tf
@@ -36,10 +36,11 @@ output "cloud_serverless_service_identity_email" {
 
 output "services_identities" {
   value = {
-    "eventarc"   = google_project_service_identity.eventarc_sa.email,
-    "cloudbuild" = google_project_service_identity.cloudbuild_sa.email,
-    "gcs"        = data.google_storage_project_service_account.gcs_account.email_address,
-    "serverless" = google_project_service_identity.serverless_sa.email
+    "eventarc"      = google_project_service_identity.eventarc_sa.email,
+    "cloudbuild"    = google_project_service_identity.cloudbuild_sa.email,
+    "gcs"           = data.google_storage_project_service_account.gcs_account.email_address,
+    "serverless"    = google_project_service_identity.serverless_sa.email,
+    "cloudservices" = "${module.serverless_project.project_number}@cloudservices.gserviceaccount.com"
   }
   description = "Services Identities for the serverless project."
 }
diff --git a/test/integration/secure_cloud_run/secure_cloud_run_test.go b/test/integration/secure_cloud_run/secure_cloud_run_test.go
@@ -95,9 +95,9 @@ func TestSecureCloudRun(t *testing.T) {
 		assert.Equal(connectorId, opVPCConnector.Get("name").String(), fmt.Sprintf("Should have same id: %s", connectorId))
 		assert.Equal(expectedSubnet, opVPCConnector.Get("subnet.name").String(), fmt.Sprintf("Should have same subnetwork: %s", expectedSubnet))
 		assert.Equal(expectedMachineType, opVPCConnector.Get("machineType").String(), fmt.Sprintf("Should have same machineType: %s", expectedMachineType))
-		assert.Equal("7", opVPCConnector.Get("maxInstances").String(), "Should have maxInstances equals to 7")
+		assert.Equal("10", opVPCConnector.Get("maxInstances").String(), "Should have maxInstances equals to 10")
 		assert.Equal("2", opVPCConnector.Get("minInstances").String(), "Should have minInstances equals to 2")
-		assert.Equal("700", opVPCConnector.Get("maxThroughput").String(), "Should have maxThroughput equals to 700")
+		assert.Equal("1000", opVPCConnector.Get("maxThroughput").String(), "Should have maxThroughput equals to 1000")
 		assert.Equal("200", opVPCConnector.Get("minThroughput").String(), "Should have minThroughput equals to 200")
 
 		expectedCloudArmorName := "cloud-armor-waf-policy"
@@ -155,7 +155,7 @@ func TestSecureCloudRun(t *testing.T) {
 			allow      []Protocols
 		}{
 			{
-				name:       "fw-serverless-to-vpc-connector",
+				name:       fmt.Sprintf("fw-serverless-to-vpc-connector-%s", resourcesSuffix),
 				direction:  "INGRESS",
 				ranges:     []string{"107.178.230.64/26", "35.199.224.0/19"},
 				targetTags: []string{"vpc-connector"},
@@ -174,7 +174,7 @@ func TestSecureCloudRun(t *testing.T) {
 					}},
 			},
 			{
-				name:       "fw-vpc-connector-to-serverless",
+				name:       fmt.Sprintf("fw-vpc-connector-to-serverless-%s", resourcesSuffix),
 				direction:  "EGRESS",
 				ranges:     []string{"107.178.230.64/26", "35.199.224.0/19"},
 				targetTags: []string{"vpc-connector"},
@@ -193,7 +193,7 @@ func TestSecureCloudRun(t *testing.T) {
 					}},
 			},
 			{
-				name:       "fw-vpc-connector-health-checks",
+				name:       fmt.Sprintf("fw-vpc-connector-health-checks-%s", resourcesSuffix),
 				direction:  "INGRESS",
 				ranges:     []string{"130.211.0.0/22", "35.191.0.0/16", "108.170.220.0/23"},
 				targetTags: []string{"vpc-connector"},
@@ -206,7 +206,7 @@ func TestSecureCloudRun(t *testing.T) {
 				},
 			},
 			{
-				name:       "fw-vpc-connector-requests",
+				name:       fmt.Sprintf("fw-vpc-connector-requests-%s", resourcesSuffix),
 				direction:  "INGRESS",
 				ranges:     []string{},
 				sourceTags: []string{"vpc-connector"},
@@ -226,7 +226,7 @@ func TestSecureCloudRun(t *testing.T) {
 				},
 			},
 			{
-				name:       "fw-vpc-connector-to-lb",
+				name:       fmt.Sprintf("fw-vpc-connector-to-lb-%s", resourcesSuffix),
 				direction:  "EGRESS",
 				ranges:     []string{"0.0.0.0/0"},
 				targetTags: []string{"vpc-connector"},
@@ -238,7 +238,7 @@ func TestSecureCloudRun(t *testing.T) {
 				},
 			},
 		} {
-			fwRule := gcloud.Runf(t, "compute firewall-rules describe %s --project %s", firewall_rules.name, vpcProjectId)
+			fwRule := gcloud.Runf(t, "compute firewall-rules describe %s --project %s --impersonate-service-account=%s", firewall_rules.name, vpcProjectId, serviceaccount)
 			assert.Equal(firewall_rules.name, fwRule.Get("name").String(), fmt.Sprintf("firewall rule %s should exist", firewall_rules.name))
 			assert.Equal(firewall_rules.direction, fwRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be %s", firewall_rules.name, firewall_rules.direction))
 			assert.False(fwRule.Get("disabled").Bool(), fmt.Sprintf("firewall rule %s should be ENABLED", firewall_rules.name))

diff --git a/test/integration/secure_cloud_run_standalone/secure_cloud_run_standalone_test.go b/test/integration/secure_cloud_run_standalone/secure_cloud_run_standalone_test.go
@@ -304,9 +304,9 @@ func TestSecureCloudRunStandalone(t *testing.T) {
 			assert.Equal(connectorId, opVPCConnector.Get("name").String(), fmt.Sprintf("Should have same id: %s", connectorId))
 			assert.Equal(expectedSubnet, opVPCConnector.Get("subnet.name").String(), fmt.Sprintf("Should have same subnetwork: %s", expectedSubnet))
 			assert.Equal(expectedMachineType, opVPCConnector.Get("machineType").String(), fmt.Sprintf("Should have same machineType: %s", expectedMachineType))
-			assert.Equal("7", opVPCConnector.Get("maxInstances").String(), "Should have maxInstances equals to 7")
+			assert.Equal("10", opVPCConnector.Get("maxInstances").String(), "Should have maxInstances equals to 10")
 			assert.Equal("2", opVPCConnector.Get("minInstances").String(), "Should have minInstances equals to 2")
-			assert.Equal("700", opVPCConnector.Get("maxThroughput").String(), "Should have maxThroughput equals to 700")
+			assert.Equal("1000", opVPCConnector.Get("maxThroughput").String(), "Should have maxThroughput equals to 1000")
 			assert.Equal("200", opVPCConnector.Get("minThroughput").String(), "Should have minThroughput equals to 200")
 
 			// Cloud Armor tests