Improves Harness and Standalone READMEs #58

Merged
32 changes: 17 additions & 15 deletions examples/secure_cloud_run_standalone/README.md
@@ -1,35 +1,37 @@
# Secure Cloud Run Standalone Example

This example showcases the full deployment Secure Cloud Run with harness infrastructure.
This example showcases the full deployment Secure Cloud Run with harness infrastructure included.

The resources/services/activations/deletions that this example will create/trigger are:

* A folder to store Serverless infrastructure.
* A project to deploy Cloud run.
* A project to store KMS and Artifact Register.
* Keyring and Key created for Artifact Register.
* Artifact Register created with Encryption Key.
* Hello World example image copied to Artifact Register.
* The service project where Cloud Run is going to be deployed.
* The security project where KMS and Artifact Registry are going to be created.
* Keyring and Key created for Artifact Registry.
* Artifact Registry created with Encryption Key.
* Hello World example image copied to Artifact Registry.
* A network and one subnetwork.
* Firewall rules:
* Deny all egress traffic.
* Allow Restricted and Private Google APIs.
* Configure a Private Service Connect.
* Creates an Access Level and a Service Perimeter with both projects and with the services restricted:
* Creates an Access Level and a Service Perimeter with both projects and restricting the services bellow:
* Cloud KMS.
* Cloud Run.
* Artifact Register.
* Container Register.
* Artifact Registry.
* Container Registry.
* Container Analysis.
* Binary Authorization.
* A Service Account to be used by Cloud Run.
* Creates Load Balancer
* Creates Cloud Armor
* Creates Organization Policies in Serverless Project level.
* Creates Serverless VPC Connector.
* Creates Load Balancer at service project.
* Creates Google Cloud Armor with pre-configured WAF rules at service project.
* Creates Organization Policies at service project level.
* Allowed Ingress: Internal and Cloud Load Balancing Only.
* Allowed VPC Egress: Private Range Only.
* Creates Serverless VPC Connector at service project.
* Creates Firewall rules for Serverless VPC Access.
* Creates KMS Keyring and Key for Cloud Run usage.
* Creates a Cloud Run service.
* Creates KMS Keyring and Key for Cloud Run usage at security project.
* Creates a Cloud Run service at service project.

## Assumptions and Prerequisites

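Review bot: "bellow" in "restricting the services bellow" should be "below", and the rewritten first sentence still reads "the full deployment Secure Cloud Run"; suggest "This example showcases the full deployment of Secure Cloud Run with harness infrastructure included." Also make sure the two constraint lines "Allowed Ingress: Internal and Cloud Load Balancing Only." and "Allowed VPC Egress: Private Range Only." are indented as sub-bullets of "Creates Organization Policies at service project level." so they read as the policies being set rather than as separately created resources.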
83 changes: 53 additions & 30 deletions modules/secure-cloud-run-harness/README.md
@@ -4,25 +4,48 @@ This module creates the infrastructure required by Secure Cloud Run module.

This module deploys:

- A folder to store Serverless infrastructure.
- A project to deploy Cloud run.
- A project to store KMS and Artifact Register.
- Keyring and Key created for Artifact Register.
- Artifact Register created with Encryption Key.
- Hello World example image copied to Artifact Register.
- A network and one subnetwork.
- Firewall rules:
- Deny all egress traffic.
- Allow Restricted and Private Google APIs.
- Configure a Private Service Connect.
- Creates an Access Level and a Service Perimeter with both projects and with the services restricted:
- Cloud KMS.
- Cloud Run.
- Artifact Register.
- Container Register.
- Container Analysis.
- Binary Authorization.
- A Service Account to be used by Cloud Run.
* A folder to store Serverless infrastructure.
* The service project where Cloud Run is going to be deployed.
* The security project where KMS and Artifact Registry are going to be created.
* Keyring and Key created for Artifact Registry.
* Artifact Registry created with Encryption Key.
* Hello World example image copied to Artifact Registry.
* A network and one subnetwork.
* Firewall rules:
* Deny all egress traffic.
* Allow Restricted and Private Google APIs.
* Configure a Private Service Connect.
* Creates an Access Level and a Service Perimeter with both projects and restricting the services bellow:
* Cloud KMS.
* Cloud Run.
* Artifact Registry.
* Container Registry.
* Container Analysis.
* Binary Authorization.

## Usage

Basic usage of this module is as follows:

```hcl
module "secure_cloud_run_harness" {
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run-harness"
version = "~> 0.3.0"

# Required variables
billing_account = "<BILLING ACCOUNT>"
security_project_name = "<SECURITY PROJECT NAME>"
serverless_project_name = "<SERVERLESS PROJECT NAME>"
org_id = "<ORGANIZATION ID>"
region = "<REGION>"
location = "<LOCATION>"
vpc_name = "<VPC NAME>"
subnet_ip = "<SUBNET IP RANGE>"
artifact_registry_repository_name = "<ARTIFACT REGISTRY NAME>"
keyring_name = "<KEYRING NAME>"
key_name = "<KEY NAME>"
}
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
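Review bot: the old bullet "A Service Account to be used by Cloud Run." is dropped and the new list has no counterpart; if the harness module still creates that service account, keep the bullet, and if its creation moved to another module, say so here so readers know where the Cloud Run runtime identity comes from. Same "bellow" to "below" typo as in the standalone README. In the usage block, confirm that `version = "~> 0.3.0"` matches the release this change ships in.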
@@ -85,22 +108,22 @@ These sections describe requirements for using this module.

### Software

- [Terraform](https://www.terraform.io/downloads.html) ~> v0.13+
- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 3.53, < 5.0
- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 3.53, < 5.0
* [Terraform](https://www.terraform.io/downloads.html) ~> v0.13+
* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) < 5.0
* [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 3.53, < 5.0

### Service Account

A service account can be used with required roles to execute this module:

- Organization Level:
- Access Context Manager Editor: `roles/accesscontextmanager.policyEditor`
- Parent level - Organization or Folder level:
- Folder Admin - `roles/resourcemanager.folderAdmin`
- Project Creator - `roles/resourcemanager.projectCreator`
- Project Deleter - `roles/resourcemanager.projectDeleter`
- Billing
- Billing User - `roles/billing.user`
* Organization Level:
* Access Context Manager Editor: `roles/accesscontextmanager.policyEditor`
* Parent level - Organization or Folder level:
* Folder Admin - `roles/resourcemanager.folderAdmin`
* Project Creator - `roles/resourcemanager.projectCreator`
* Project Deleter - `roles/resourcemanager.projectDeleter`
* Billing
* Billing User - `roles/billing.user`

Know more about [Cloud Run Deployment Permissions](https://cloud.google.com/run/docs/reference/iam/roles#additional-configuration).

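Review bot: the GCP provider constraint changes from `>= 3.53, < 5.0` to `< 5.0`, dropping the lower bound, while the beta provider keeps `>= 3.53, < 5.0`; unless the lower bound was removed on purpose, restore it so the two providers stay consistent and users on an older provider get a clear constraint error instead of a failure at apply time. Minor, in the unchanged context: `~> v0.13+` mixes two range operators, and `>= 0.13` would say the same thing unambiguously.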