Adds instructions in cloud run core sub-module #59
Merged
67 changes: 33 additions & 34 deletions modules/secure-cloud-run-core/README.md
Expand Up @@ -6,47 +6,19 @@ The resources/services/activations/deletions that this module will create/trigge

* Creates a Cloud Run Service.
* Creates a Load Balancer Service using Google-managed SSL certificates.
* Creates Cloud Armor Service only including the preconfigured rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation.

## Requirements

### Software

The following dependencies must be available:

* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53

### APIs

A project with the following APIs enabled must be used to host the
resources of this module:

* Serverless Project
* Google Cloud Run Service: `run.googleapis.com`

**Note:** `Secret Manager API` needs to be enabled in case of using secrets.

### Service Account

A service account with the following roles must be used to provision
the resources of this module:

* Cloud Run Developer: `roles/run.developer`
* Compute Network User: `roles/compute.networkUser`
* Artifact Registry Reader: `roles/artifactregistry.reader`

**Note:** [Secret Manager Secret Accessor](https://cloud.google.com/run/docs/configuring/secrets#access-secret) role must be granted to the Cloud Run service account to allow read access on the secret.
* Creates Cloud Armor Service only including the pre-configured rules for SQLi, XSS, LFI, RCE, RFI, Scanner Detection, Protocol Attack and Session Fixation.

## Usage

```hcl
module "cloud_run_core" {
source = "GoogleCloudPlatform/cloud-run/google//modules/cloud_run"
version = "~> 0.2.0"
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run-core"
version = "~> 0.3.0"

service_name = <SERVICE NAME>
location = <SERVICE LOCATION>
region = <REGION>
domain = <YOUR-DOMAIN>
serverless_project_id = <SERVICE PROJECT ID>
image = <IMAGE URL>
cloud_run_sa = <CLOUD RUN SERVICE ACCOUNT EMAIL>
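Review bot: the two Secret Manager notes deleted in this hunk (the `Secret Manager API` must be enabled when secrets are used, and the Secret Manager Secret Accessor role must be granted to the Cloud Run service account) are not carried over to the relocated Requirements section later in this file, so the documented access requirement for secrets is silently lost; if the module still supports secrets, restore both notes under the new "### APIs" and "### Service Account" headings. The Usage snippet itself is fine: it now points at `modules/secure-cloud-run-core` with `~> 0.3.0`.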
Expand Down Expand Up @@ -81,7 +53,7 @@ module "cloud_run_core" {
| limits | Resource limits to the container. | `map(string)` | `null` | no |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| members | Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users.` | `list(string)` | `[]` | no |
| owasp\_rules | These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default\_rule). | <pre>map(object({<br> action = string<br> priority = string<br> expression = string<br> }))</pre> | <pre>{<br> "rule_lfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('lfi-v33-stable')",<br> "priority": "1002"<br> },<br> "rule_protocolattack": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('protocolattack-v33-stable')",<br> "priority": "1006"<br> },<br> "rule_rce": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rce-v33-stable')",<br> "priority": "1003"<br> },<br> "rule_rfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rfi-v33-stable')",<br> "priority": "1004"<br> },<br> "rule_scannerdetection": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('scannerdetection-v33-stable')",<br> "priority": "1005"<br> },<br> "rule_sessionfixation": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sessionfixation-v33-stable')",<br> "priority": "1007"<br> },<br> "rule_sqli": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sqli-v33-stable')",<br> "priority": "1000"<br> },<br> "rule_xss": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('xss-v33-stable')",<br> "priority": "1001"<br> }<br>}</pre> | no |
| owasp\_rules | These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default\_rule). | <pre>map(object({<br> action = string<br> priority = string<br> expression = string<br> }))</pre> | <pre>{<br> "rule_canary": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rce-v33-stable')",<br> "priority": "1003"<br> },<br> "rule_lfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('lfi-v33-stable')",<br> "priority": "1002"<br> },<br> "rule_protocolattack": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('protocolattack-v33-stable')",<br> "priority": "1006"<br> },<br> "rule_rfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rfi-v33-stable')",<br> "priority": "1004"<br> },<br> "rule_scannerdetection": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('scannerdetection-v33-stable')",<br> "priority": "1005"<br> },<br> "rule_sessionfixation": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sessionfixation-v33-stable')",<br> "priority": "1007"<br> },<br> "rule_sqli": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sqli-v33-stable')",<br> "priority": "1000"<br> },<br> "rule_xss": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('xss-v33-stable')",<br> "priority": "1001"<br> }<br>}</pre> | no |
| ports | Port which the container listens to (http1 or h2c). | <pre>object({<br> name = string<br> port = number<br> })</pre> | <pre>{<br> "name": "http1",<br> "port": 8080<br>}</pre> | no |
| project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
| region | Location for load balancer and Cloud Run resources. | `string` | n/a | yes |
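Review bot: in the `owasp_rules` default, `rule_rce` becomes `rule_canary` while its expression stays `evaluatePreconfiguredExpr('rce-v33-stable')` with priority `1003`, so the key no longer describes the rule it carries and reads like a leftover from local testing rather than an intended rename. This table is generated by the pre-commit terraform-docs hook, so the fix belongs in `variables.tf` followed by a regeneration. Smaller point: the description still reads "Scannerdetection, Protocolattack and Sessionfixation" while the bullet list in this PR now spells them "Scanner Detection, Protocol Attack and Session Fixation"; align the variable description as well.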
Expand Down Expand Up @@ -110,3 +82,30 @@ module "cloud_run_core" {
| service\_url | The URL on which the deployed service is available. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Requirements

### Software

The following dependencies must be available:

* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) plugin < 5.0

### APIs

A project with the following APIs enabled must be used to host the
resources of this module:

* Serverless Project
* Google Cloud Run Service: `run.googleapis.com`
* Google Compute Service: `compute.googleapis.com`

### Service Account

A service account with the following roles must be used to provision
the resources of this module:

* Cloud Run Developer: `roles/run.developer`
* Compute Network User: `roles/compute.networkUser`
* Artifact Registry Reader: `roles/artifactregistry.reader`
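Review bot: the Service Account section lists only `roles/run.developer`, `roles/compute.networkUser` and `roles/artifactregistry.reader`, yet this module also creates a load balancer and a Cloud Armor security policy; creating security policies, backend services, URL maps and forwarding rules needs Compute permissions that Network User does not carry (Compute Security Admin and Compute Load Balancer Admin, or an equivalent custom role), so either document those roles here or verify the list against the resources the module actually creates. Two smaller points: the provider requirement changed from `plugin v3.53` to `plugin < 5.0`, an upper bound with no lower bound, which should match the constraint in the module's `versions.tf`; and `Serverless Project` is listed under APIs but is not an API, so reword it as a sentence or drop it.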
96 changes: 49 additions & 47 deletions modules/secure-cloud-run-core/variables.tf
Expand Up @@ -14,6 +14,53 @@
* limitations under the License.
*/



variable "location" {
description = "The location where resources are going to be deployed."
type = string
}

variable "project_id" {
description = "The project where cloud run is going to be deployed."
type = string
}

variable "service_name" {
description = "The name of the Cloud Run service to create."
type = string
}

variable "image" {
description = "GAR hosted image URL to deploy."
type = string
}

variable "cloud_run_sa" {
description = "Service account to be used on Cloud Run."
type = string
}

variable "vpc_connector_id" {
description = "VPC Connector id in the format projects/PROJECT/locations/LOCATION/connectors/NAME."
type = string
}

variable "encryption_key" {
description = "CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY."
type = string
}

variable "region" {
description = "Location for load balancer and Cloud Run resources."
type = string
}

variable "domain" {
description = "Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name."
type = string
}

variable "default_rules" {
description = "Default rule for Cloud Armor."
default = {
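Review bot: `variable "domain"` still says "Modify the default value below for your `domain` name" but declares no `default`, so that sentence is stale; trim the description to "Domain name to run the load balancer on. Used if `ssl` is `true`." While these variables are being moved, `vpc_connector_id` and `encryption_key` both describe a required resource-name format without enforcing it; a `validation` block such as `condition = can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.encryption_key))` (and the matching `connectors/` shape for the connector id) turns a malformed CMEK key or connector path into a plan-time error instead of an apply failure, which matters for a module whose purpose is to guarantee encryption and private egress. Also, the move leaves three consecutive blank lines after the closing `*/` of the license header; one is enough.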
Expand Down Expand Up @@ -52,7 +99,7 @@ variable "owasp_rules" {
priority = "1002"
expression = "evaluatePreconfiguredExpr('lfi-v33-stable')"
}
rule_rce = {
rule_canary = {
action = "deny(403)"
priority = "1003"
expression = "evaluatePreconfiguredExpr('rce-v33-stable')"
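Review bot: renaming the map key `rule_rce` to `rule_canary` while keeping `rce-v33-stable` and priority `1003` makes the default misleading, and because `owasp_rules` is a user-overridable map, changing a default key is also a behavioural change for anyone who looks up or merges `rule_rce` by name; revert to `rule_rce` unless a separate canary rule with its own expression is actually intended, in which case it needs its own key, expression and priority rather than a copy of the RCE rule.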
Expand Down Expand Up @@ -85,62 +132,17 @@ variable "owasp_rules" {
}))
}

variable "region" {
description = "Location for load balancer and Cloud Run resources."
type = string
}

variable "ssl" {
description = "Run load balancer on HTTPS and provision managed certificate with provided `domain`."
type = bool
default = true
}

variable "domain" {
description = "Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name."
type = string
}

variable "lb_name" {
description = "Name for load balancer and associated resources."
default = "tf-cr-lb"
}

variable "location" {
description = "The location where resources are going to be deployed."
type = string
}

variable "project_id" {
description = "The project where cloud run is going to be deployed."
type = string
}

variable "service_name" {
description = "The name of the Cloud Run service to create."
type = string
}

variable "image" {
description = "GAR hosted image URL to deploy."
type = string
}

variable "cloud_run_sa" {
description = "Service account to be used on Cloud Run."
type = string
}

variable "vpc_connector_id" {
description = "VPC Connector id in the format projects/PROJECT/locations/LOCATION/connectors/NAME."
type = string
}

variable "encryption_key" {
description = "CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY."
type = string
}

variable "env_vars" {
type = list(object({
value = string
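Review bot: `variable "lb_name"` (unchanged context in this hunk) has a `default` but no `type`; add `type = string` so the module rejects a non-string value at plan time and the generated docs show `string` instead of `any`. The rest of the hunk only deletes the variables that were moved to the top of the file, which is consistent with the first hunk.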
Expand All @@ -151,8 +153,8 @@ variable "env_vars" {
}

variable "members" {
description = "Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users."
type = list(string)
description = "Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users."
default = []
}
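Review bot: the `members` description has a mismatched quote, `serviceAccount:'` closes with an apostrophe instead of a backtick; change it to `serviceAccount:` so it matches `user:`. The same typo surfaces in the README table row for `members`, which also ends with a stray backtick, and both come from this string via terraform-docs, so fixing it here and regenerating clears both. The hunk otherwise only swaps the order of `description` and `type`.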
