Updating code and READMEs
renato-rudnicki committed Sep 29, 2022
1 parent 2a04a25 commit ee6d59d
Showing 9 changed files with 180 additions and 65 deletions.
9 changes: 5 additions & 4 deletions examples/secure_cloud_run/README.md
Expand Up @@ -58,15 +58,14 @@ This example assumes that below mentioned pre-requisites are in place before con

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| artifact\_registry\_repository\_location | Artifact Registry Repository location to grant serverless identity viewer role. | `string` | n/a | yes |
| artifact\_registry\_repository\_name | Artifact Registry Repository name to grant serverless identity viewer role | `string` | n/a | yes |
| artifact\_registry\_repository\_project\_id | Artifact Registry Repository Project ID to grant serverless identity viewer role. | `string` | n/a | yes |
| cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name | `string` | n/a | yes |
| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. | `string` | n/a | yes |
| folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
| ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
| kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes |
| organization\_id | The organization ID to apply the policy to. | `string` | `""` | no |
| policy\_for | Policy Root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"]. | `string` | `"project"` | no |
| resource\_names\_suffix | A suffix to concat in the end of the network resources names. | `string` | `null` | no |
| serverless\_project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
| shared\_vpc\_name | Shared VPC name which is going to be re-used to create Serverless Connector. | `string` | n/a | yes |
| ssl | Run load balancer on HTTPS and provision managed certificate with provided `domain`. | `bool` | `true` | no |
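Review bot: The Inputs table in this hunk still lists `artifact_registry_repository_location`, `artifact_registry_repository_name` and `artifact_registry_repository_project_id` as required (`n/a` / yes) even though the same commit deletes those three variables from examples/secure_cloud_run/variables.tf and stops passing them in main.tf. The table sits between the PRE-COMMIT-TERRAFORM DOCS HOOK markers, so re-run the terraform-docs hook so the documented inputs match the variables that actually exist; as written, readers are told to supply values the example no longer accepts.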
Expand All @@ -78,6 +77,7 @@ This example assumes that below mentioned pre-requisites are in place before con
|------|-------------|
| cloud\_services\_sa | Service Account for Cloud Run Service. |
| connector\_id | VPC serverless connector ID. |
| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. |
| domain\_map\_id | Unique Identifier for the created domain map. |
| domain\_map\_status | Status of Domain mapping. |
| folder\_id | The folder ID to apply the policy to. |
Expand All @@ -94,6 +94,7 @@ This example assumes that below mentioned pre-requisites are in place before con
| service\_id | Unique Identifier for the created service. |
| service\_status | Status of the created service. |
| service\_url | The URL on which the deployed service is available. |
| shared\_vpc\_name | Shared VPC name which is going to be re-used to create Serverless Connector. |
| vpc\_project\_id | The project where VPC Connector is going to be deployed. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
52 changes: 24 additions & 28 deletions examples/secure_cloud_run/main.tf
Expand Up @@ -15,37 +15,33 @@
*/

locals {
cloudrun_key_name = "cloud-run-${random_id.suffix.hex}"
cloudrun_keyring_name = "cloud-run-keyring-${random_id.suffix.hex}"
}
resource "random_id" "suffix" {
byte_length = 4
cloudrun_key_name = "cloud-run-${var.resource_names_suffix}"
cloudrun_keyring_name = "cloud-run-keyring-${var.resource_names_suffix}"
}

module "secure_cloud_run" {
source = "../../modules/secure-cloud-run"

connector_name = "serverless-connector"
subnet_name = "vpc-subnet"
vpc_project_id = var.vpc_project_id
serverless_project_id = var.serverless_project_id
domain = var.domain
kms_project_id = var.kms_project_id
shared_vpc_name = var.shared_vpc_name
ip_cidr_range = "10.35.0.0/28"
key_name = local.cloudrun_key_name
keyring_name = local.cloudrun_keyring_name
prevent_destroy = false
key_rotation_period = "2592000s"
service_name = "hello-world"
location = "us-central1"
region = "us-central1"
image = "us-docker.pkg.dev/cloudrun/container/hello"
cloud_run_sa = var.cloud_run_sa
artifact_registry_repository_location = var.artifact_registry_repository_location
artifact_registry_repository_name = var.artifact_registry_repository_name
artifact_registry_repository_project_id = var.artifact_registry_repository_project_id
policy_for = var.policy_for
folder_id = var.folder_id
organization_id = var.organization_id
connector_name = "con-run"
subnet_name = "vpc-subnet"
vpc_project_id = var.vpc_project_id
serverless_project_id = var.serverless_project_id
domain = var.domain
kms_project_id = var.kms_project_id
shared_vpc_name = var.shared_vpc_name
ip_cidr_range = var.ip_cidr_range
key_name = local.cloudrun_key_name
keyring_name = local.cloudrun_keyring_name
prevent_destroy = false
key_rotation_period = "2592000s"
service_name = "hello-world"
location = "us-central1"
region = "us-central1"
image = "us-docker.pkg.dev/cloudrun/container/hello"
cloud_run_sa = var.cloud_run_sa
policy_for = var.policy_for
folder_id = var.folder_id
organization_id = var.organization_id
resource_names_suffix = var.resource_names_suffix
create_subnet = true
}
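Review bot: Dropping `random_id.suffix` and deriving `cloudrun_key_name` and `cloudrun_keyring_name` from `var.resource_names_suffix` breaks the example as shipped: the variable defaults to `null` in variables.tf, and Terraform refuses to interpolate a null into a string template (`Invalid template interpolation value`). Either make the variable required or give it a non-null default. The random suffix was also doing real work for KMS: key rings cannot be deleted and a crypto key with the same name cannot be recreated once it has existed, so with `prevent_destroy = false` a destroy-and-reapply of this example using the same suffix fails on the already-existing key ring. Keep a random component in the key and key ring names, or document that every deployment needs a fresh suffix.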
10 changes: 10 additions & 0 deletions examples/secure_cloud_run/outputs.tf
Expand Up @@ -108,3 +108,13 @@ output "organization_id" {
description = "The organization ID to apply the policy to."
value = var.organization_id
}

output "domain" {
description = "Domain name to run the load balancer on. Used if `ssl` is `true`."
value = var.domain
}

output "shared_vpc_name" {
description = "Shared VPC name which is going to be re-used to create Serverless Connector."
value = var.shared_vpc_name
}
28 changes: 12 additions & 16 deletions examples/secure_cloud_run/variables.tf
Expand Up @@ -46,22 +46,7 @@ variable "kms_project_id" {
}

variable "domain" {
description = "Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name"
type = string
}

variable "artifact_registry_repository_project_id" {
description = "Artifact Registry Repository Project ID to grant serverless identity viewer role."
type = string
}

variable "artifact_registry_repository_location" {
description = "Artifact Registry Repository location to grant serverless identity viewer role."
type = string
}

variable "artifact_registry_repository_name" {
description = "Artifact Registry Repository name to grant serverless identity viewer role"
description = "Domain name to run the load balancer on. Used if `ssl` is `true`."
type = string
}

Expand All @@ -82,3 +67,14 @@ variable "organization_id" {
type = string
default = ""
}

variable "resource_names_suffix" {
description = "A suffix to concat in the end of the network resources names."
type = string
default = null
}

variable "ip_cidr_range" {
description = "The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported."
type = string
}
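Review bot: `resource_names_suffix` is declared with `default = null` here while main.tf in the same commit interpolates it directly into the KMS key and key ring names, which is a hard plan-time error on null; drop the default or add a `validation` block that rejects null. `ip_cidr_range` describes a connector range and gives /28 examples, but nothing enforces the shape: a `validation` block using `can(cidrnetmask(var.ip_cidr_range))` plus a check that the prefix length is 28 would turn a late connector-creation failure into an immediate, readable error on the variable.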
4 changes: 2 additions & 2 deletions examples/secure_cloud_run/versions.tf
Expand Up @@ -20,11 +20,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 3.53, < 5.0"
version = "< 5.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 3.53, < 5.0"
version = "< 5.0"
}
}
}
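Review bot: Replacing `>= 3.53, < 5.0` with `< 5.0` on both providers removes the lower bound, so the constraint now admits any google/google-beta release, including ones that predate resources this module depends on (`google_project_service_identity` and `google_artifact_registry_repository_iam_member` in modules/secure-cloud-run/main.tf). Keep a minimum version next to the upper bound: a constraint should pin what is known to work, not merely exclude the next major.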
115 changes: 109 additions & 6 deletions modules/secure-cloud-run/README.md
@@ -1,21 +1,79 @@
# Secure Cloud Run

This module handles the deployment required for Cloud Run usage. Secure-cloud-run module will call the secure-cloud-run-core, secure-cloud-run-net and secure-cloud-run-net modules.

When using a Shared VPC, you can chose where to create the VPC Connector.

_Note:_ When using a single VPC you should provides VPC and Serverless project id with the same value and the value for `connector_on_host_project` variable must be `false`.

The resources/services/activations/deletions that this module will create/trigger are:

* Creates Firewall rules on your **VPC Project**.
* Serverless to VPC Connector
* VPC Connector to Serverless
* VPC Connector to LB
* VPC Connector Health Checks
* Creates a sub network to VPC Connector usage purpose.
* Creates Serverless Connector on your **VPC Project** or **Serverless Project**. Refer the comparison below:
* Advantages of creating connectors in the [VPC Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#host-project)
* Advantages of creating connectors in the [Serverless Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#service-projects)
* Grant the necessary roles for Cloud Run are able to use VPC Connector on your Shared VPC when creating VPC Connector in host project.
* Grant Network User role to Cloud Services service account.
* Grant VPC Access User to Cloud Run Service Identity when deploying VPC Access.

* Secure-cloud-run-security module will apply:
* Creates KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project** to be used by Cloud Run.
* Enables Organization Policies related to Cloud Run in the **Serverless Project**.
* Allow Ingress only from internal and Cloud Load Balancing.
* Allow VPC Egress to Private Ranges Only.

* Secure-cloud-run-core module will apply:
* Creates a Cloud Run Service.
* Creates a Load Balancer Service using Google-managed SSL certificates.
* Creates Cloud Armor Service only including the preconfigured rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation.

## Usage

Basic usage of this module is as follows:

```hcl
module "secure_cloud_run" {
source = "../modules/secure-cloud-run"
vpc_project_id = <VPC Project ID>
kms_project_id = <KMS Project ID>
serverless_project_id = <Serverless Project ID>
domain = <Domain>
shared_vpc_name = <Shared VPC Name
ip_cidr_range = <IP CIDR Range>
service_name = <Service Name>
location = <Location>
region = <Region>
image = <Image>
cloud_run_sa = <Cloud Run Service Account>
artifact_registry_repository_location = <Artifact Registry Repository Location>
artifact_registry_repository_name = <Artifact Registry Repository Name>
artifact_registry_repository_project_id = <Artifact Registry Repository Project ID>
}
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| artifact\_registry\_repository\_location | Artifact Registry Repository location to grant serverless identity viewer role. | `string` | n/a | yes |
| artifact\_registry\_repository\_name | Artifact Registry Repository name to grant serverless identity viewer role | `string` | n/a | yes |
| artifact\_registry\_repository\_project\_id | Artifact Registry Repository Project ID to grant serverless identity viewer role. | `string` | n/a | yes |
| artifact\_registry\_repository\_location | Artifact Registry Repository location to grant serverless identity viewer role. | `string` | `null` | no |
| artifact\_registry\_repository\_name | Artifact Registry Repository name to grant serverless identity viewer role | `string` | `null` | no |
| artifact\_registry\_repository\_project\_id | Artifact Registry Repository Project ID to grant serverless identity viewer role. | `string` | `null` | no |
| cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
| connector\_name | The name for the connector to be created. | `string` | `"serverless-vpc-connector"` | no |
| create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name. | `string` | n/a | yes |
| domain | Domain name to run the load balancer on. | `string` | n/a | yes |
| env\_vars | Environment variables (cleartext) | <pre>list(object({<br> value = string<br> name = string<br> }))</pre> | `[]` | no |
| folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
| grant\_artifact\_register\_reader | When true it will grant permission to read an image from your artifact registry. When true, you must provide `artifact_registry_repository_project_id`, `artifact_registry_repository_location` and `artifact_registry_repository_name`. | `bool` | `false` | no |
| image | Image url to be deployed on Cloud Run. | `string` | n/a | yes |
| ip\_cidr\_range | The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported | `string` | n/a | yes |
| ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
| key\_name | The name of KMS Key to be created and used in Cloud Run. | `string` | `"cloud-run-kms-key"` | no |
| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no |
| key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no |
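Review bot: The `_Note:_` paragraph tells users that the `connector_on_host_project` variable must be `false` for a single VPC, but no such input appears in the Inputs table of this module, and modules/secure-cloud-run/main.tf in this same commit hard-codes it; either expose the variable or reword the note, and the sentence "you can chose where to create the VPC Connector" should then say what actually happens. In the usage block, `shared_vpc_name = <Shared VPC Name` is missing its closing `>`, and the three `artifact_registry_repository_*` lines are shown as if required although the table now makes them optional with `null` defaults that only matter when `grant_artifact_register_reader = true`, which the snippet never sets. Also in this hunk: "secure-cloud-run-net and secure-cloud-run-net" repeats one module and omits secure-cloud-run-security, "chose" should be "choose", "you should provides" should be "you should provide", and "Refer the comparison" should be "Refer to the comparison".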
Expand All @@ -27,11 +85,11 @@
| policy\_for | Policy Root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"]. | `string` | `"project"` | no |
| prevent\_destroy | Set the `prevent_destroy` lifecycle attribute on the Cloud KMS key. | `bool` | `true` | no |
| region | Location for load balancer and Cloud Run resources. | `string` | n/a | yes |
| resource\_names\_suffix | A suffix to concat in the end of the network resources names being created. | `string` | `null` | no |
| serverless\_project\_id | The project to deploy the cloud run service. | `string` | n/a | yes |
| service\_name | Shared VPC name. | `string` | n/a | yes |
| shared\_vpc\_name | Shared VPC name which is going to be re-used to create Serverless Connector. | `string` | n/a | yes |
| subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | `null` | no |
| use\_artifact\_registry\_image | When true it will give permission to read an image from your artifact registry. | `bool` | `false` | no |
| vpc\_project\_id | The host project for the shared vpc. | `string` | n/a | yes |

## Outputs
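Review bot: `service_name` is still described as "Shared VPC name." (the context line just above `shared_vpc_name`), a copy-paste error worth fixing while the table is being regenerated. Separately, the `use_artifact_registry_image` input removed here is replaced by `grant_artifact_register_reader` in the hunk above: that is a breaking rename for existing module consumers and should be called out, and the new name uses "register" where every other identifier in the module says "registry"; `grant_artifact_registry_reader` would be consistent.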
Expand All @@ -53,3 +111,48 @@
| service\_url | Url of the created service. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Requirements

### Software

The following dependencies must be available:

* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) < 5.0

### APIs

The Secure-cloud-run project will enable the following APIs to the Serverlesss Project:

* Google VPC Access API: `vpcaccess.googleapis.com`
* Compute API: `compute.googleapis.com`
* Container Registry API: `container.googleapis.com`
* Cloud Run API: `run.googleapis.com`
* Cloud KMS API: `cloudkms.googleapis.com`

The Secure-cloud-run project will enable the following APIs to the VPC Project:

* Google VPC Access API: `vpcaccess.googleapis.com`
* Compute API: `compute.googleapis.com`

### Service Account

A service account with the following roles must be used to provision
the resources of this module:

* VPC Project
* Compute Shared VPC Admin: `roles/compute.xpnAdmin`
* Network Admin: `roles/compute.networkAdmin`
* Security Admin: `roles/compute.securityAdmin`
* Serverless VPC Access Admin: `roles/vpcaccess.admin`
* KMS Project
* Cloud KMS Admin: `roles/cloudkms.admin`
* Serverless Project
* Security Admin: `roles/compute.securityAdmin`
* Serverless VPC Access Admin: `roles/vpcaccess.admin`
* Cloud Run Developer: `roles/run.developer`
* Compute Network User: `roles/compute.networkUser`
* Artifact Registry Reader: `roles/artifactregistry.reader`

**Note:** [Secret Manager Secret Accessor](https://cloud.google.com/run/docs/configuring/secrets#access-secret) role must be granted to the Cloud Run service account to allow read access on the secret.
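Review bot: `container.googleapis.com` in the Serverless Project API list is the Kubernetes Engine API, not Container Registry (that one is `containerregistry.googleapis.com`); check which service the module actually enables, because enabling GKE on a Cloud Run project adds an API surface a registry read never needs. "Serverlesss" has an extra s. The closing note about Secret Manager Secret Accessor refers to "the secret" although no secret is introduced anywhere in this README; state which secret(s) the Cloud Run service account is expected to read, or drop the note.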
5 changes: 3 additions & 2 deletions modules/secure-cloud-run/main.tf
Expand Up @@ -52,9 +52,10 @@ module "cloud_run_network" {
vpc_project_id = var.vpc_project_id
serverless_project_id = var.serverless_project_id
shared_vpc_name = var.shared_vpc_name
connector_on_host_project = true
connector_on_host_project = false
ip_cidr_range = var.ip_cidr_range
create_subnet = var.create_subnet
resource_names_suffix = var.resource_names_suffix

depends_on = [
module.vpc_project_apis
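Review bot: Flipping `connector_on_host_project` from `true` to `false` silently moves the Serverless VPC Access connector from the Shared VPC host project into the serverless project, which changes which project's firewall rules, quotas and IAM bindings govern the connector and alters the network topology of existing deployments on the next apply. The module README in this same commit still says the connector can be created in either project and even instructs users to set a `connector_on_host_project` variable, while this file keeps it hard-coded. Expose it as a module input (defaulting to `false` if that is the intended new behaviour) and mention the change in the commit message.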
Expand All @@ -69,7 +70,7 @@ resource "google_project_service_identity" "serverless_sa" {
}

resource "google_artifact_registry_repository_iam_member" "artifact_registry_iam" {
count = var.use_artifact_registry_image ? 1 : 0
count = var.grant_artifact_register_reader ? 1 : 0

project = var.artifact_registry_repository_project_id
location = var.artifact_registry_repository_location
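Review bot: `count = var.grant_artifact_register_reader ? 1 : 0` now guards a resource whose `project`, `location` and repository come from variables that default to `null`, so a caller who sets the flag but forgets one of the three gets an opaque provider error during plan or apply instead of a clear message. Add a `lifecycle { precondition { ... } }` requiring all three to be non-null when the flag is true (Terraform >= 1.2, which the README's "Terraform >= 0.13.0" requirement would need to be updated to reflect), or document the check. The rename from `use_artifact_registry_image` is also breaking for existing consumers and deserves a note in the commit message.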
0 comments on commit ee6d59d