Sync with public repo (GoogleCloudPlatform#46)
* Initial commit

* Updated README

* [Fix] Review Comments addressed

* Updated README and variables

* Removed iam_binding from CHANGELOG

* Review comments addressed

* Test case and README updated

* Updated IAM Role and README

* chore: release 0.1.0

Release-As: 0.1.0

* chore: switch to release-please action (GoogleCloudPlatform#14)

* Revert "chore: switch to release-please action (GoogleCloudPlatform#14)" (GoogleCloudPlatform#17)

This reverts commit d06513c.

* chore: fix release-please config

* chore: fix readme to match release version (GoogleCloudPlatform#16)

* chore: release 0.1.0 (GoogleCloudPlatform#18)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* fix: Updates to README and descriptions (GoogleCloudPlatform#19)

* fix: Updates to README and descriptions

* fix: domain map resource

* Update README.md

Co-authored-by: Bharath KKB <bbaiju@google.com>

Co-authored-by: Bharath KKB <bbaiju@google.com>

* chore: Added CODEOWNERS

* chore: release 0.1.1 (GoogleCloudPlatform#20)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* feat: update TPG version constraints to allow 4.0 (GoogleCloudPlatform#25)

* feat: update TPG version constraints to allow 4.0

* skip verify version

* chore(main): release 0.2.0 (GoogleCloudPlatform#26)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* chore: update readme to reflect TPG version constraints (GoogleCloudPlatform#27)

* feat: add cmek support (GoogleCloudPlatform#33)

* Add CMEK variable, add configuration to template_annotations to support CMEK configuration

* Add description to variable

* Add example and test fixture

* Adds integration test for cloud run + cmek example

* Adds integration test

* Fixes linting issues

* Fix typo

* Fix code review issues

* Change mode to get annotations

* Fix software requirements for cmek example

* Fix code review issues: remove commented code, remove swap step in integration build, fix readme title for new example

* fix: Set default container limits and concurrency value (GoogleCloudPlatform#31)

* Set default container limits and concurrency value

* Update README.md

Update defaults to match new variables file

* Fixed limits variable block

* variables.tf formatting

* terraform fmt

* generated docs

* updates variables to null

* generated_docs

Co-authored-by: Jonathan Greger <jmgreger@google.com>

* chore(main): release 0.3.0 (GoogleCloudPlatform#34)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* Adds initial version of security cloud run security module

* Adds meta info

* Test enabling compute engine api

* Keeps default service account enabled

* Removes compute sa keep test

* Fixed code review issues, add vscode files on gitignore

* chore: Add service account creation in each example (GoogleCloudPlatform#38)

* Adds service account creation in each example

* Updates README

* Fixes linting

* Adds initial version of security cloud run core module

* Updating Cloud Armor rules to version 3.3

* chore: add anamer to CODEOWNERS (GoogleCloudPlatform#44)

Requesting approval and merge permissions to this repo.

* Apply suggestions from code review

Co-authored-by: Daniel Andrade <dandrade@ciandt.com>
Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* renaming serverless_project_id variable to project_id

* removing unnecessary outputs

* update source to point to registry paths

* updating source to point to local module

* update source to point to registry paths

* update source to point to local module

* update owasp_rules variable description

* updating value signal

* fix lint

* chore: add mitchelljamie to CODEOWNERS (GoogleCloudPlatform#47)

* Add 'secure-cloud-run-net' sub-module (GoogleCloudPlatform#40)

* Module cloud-run-net

* Remove null default variable for subnet_name

* Update readme

* Moving source and target tags to locals.

* Using module to create firewall rules.

* Lint fixes.

* Add comparison for the connectors on readme

* BYO subnet

* Log config for subnetwork.

* User customization for flow_sampling.

* Fixes for connector and subnetwork.

* Fix lint.

* secure-cloud-run-net fixes. (GoogleCloudPlatform#49)

* Change connector_on_host_project variable default to false.

* Change SA role to networkUser.

* Update readme.

* Adds secure-cloud-run main submodule (GoogleCloudPlatform#48)

* Adding secure-cloud-run submodule

* removing provider beta from google_artifact_registry_repository_iam_member

* adding defaults for resources which we do not explicitly need from the user.

* Providing defaults for all of the resources which we do not explicitly need from the user.

* changing resource google_project_service for modules/project_services

* updating serverless_negs version

* adding create_subnet variable on secure-cloud-run module

* switching permission validation for artifact_registry

* adding domain variable on secure-cloud-run module

* Adding option to setup where org-policies will be applied (GoogleCloudPlatform#50)

adding option to setup where org-policies will be applied

* DRAFT - Adds secure-cloud-run example (GoogleCloudPlatform#51)

* Adds secure-cloud-run example

* fixing lint

* fixing lint and outputs

* adding integration tests for org-policies location

* Including support to Secrets Manager (GoogleCloudPlatform#52)

* including support to Secrets Manager

* Updating README.md and removing annotations variables

* adding missing variables on main.tf

* Removing env_secret_vars

* removing empty service_account_email variable

* Update README.md (GoogleCloudPlatform#45)

* Update README.md

Environment variables (Secret Manager) is now GA

* chore: updated variable

* chore: updated beta variables

Co-authored-by: prabhu34 <18209477+prabhu34@users.noreply.github.com>

* Adds submodule for secure harness creation (GoogleCloudPlatform#54)

* Adds submodule for secure harness creation

* Fixes output

* fix issue: rule_canary should likely be called rule_rce (GoogleCloudPlatform#57)

* Add secure standalone example (GoogleCloudPlatform#55)

* Adds submodule for secure harness creation

* Adds standalone example

* Fixes output

* Adds discover test

* Fixes test command line

* Fixes discover location

* Updates go.mod

* Adds accesscontextmanager.googleapis.com

* Adds access context manager on setup project

* Comment previous steps in build

* uncomment build steps

* Comment steps

* Adds organization policy admin role

* Fixes org_iam_member

* Uncomment steps

* Fix domain variable

* Removes init credential

* Fixes access policy

* Adds folder creator

* Enables billing API

* Undo changes on setup for standalone

* Removes dependency of prepare step

* Removes env var

* Adds folder admin, policy admin and billing user for setup SA

* Adds cloud billing to be enabled

* Adds init_credentials

* Adds project creator and deleter

* Adds service account on perimeter

* Fixes variable

* Grant Org Policy admin

* Uncomment build steps

* Fixes indentation

* Adds sleep when destroying

* Adds time_sleep in service perimeter

* Improves Harness and Standalone READMEs (GoogleCloudPlatform#58)

Improves Harness and Standalone readmes

* Feat/integration tests for secure cloud run (GoogleCloudPlatform#56)

* Adds integration tests for secure_cloud_run example

* fix lint

* fix impersonate

* fix impersonate position

* changing terraformSA call

* split terraformSA

* setting access-context-manager on int.cloudbuild

* fixing cloudbuild syntax

* fixes concurrency errors in build

* fixes SA for terraform

* increasing time_sleep

* test: removing kms integration tests

* adding impersonate to KMS test

* reset and update ip_cidr_range variable

* fix missing fields

* Adds instructions in cloud run core sub-module (GoogleCloudPlatform#59)

* Adds instructions in cloud run core sub-module

* Fixes missing variables

* Adds requirements on secure-cloud-run-net module (GoogleCloudPlatform#60)

* fixes requirements section place (GoogleCloudPlatform#61)

Adds Requirements in secure-cloud-run-security sub-module

* Standalone updates - Readmes and variables (GoogleCloudPlatform#62)

* Readme and variables update to standalone and harness

* Secure-cloud-run readme update (GoogleCloudPlatform#63)

* Adds usage steps at README

* update README for secure-cloud-run module

* fix readme lint

* fix lint

* update variable description

* retry build

* Fix some minor issues

* Fix lint

Co-authored-by: Samir-Cit <samir@ciandt.com>

* Changes service accounts/identities description (GoogleCloudPlatform#64)

* Adds provider to standalone example. (GoogleCloudPlatform#65)

* Adds provider to secure_cloud_run_standalone example

* fixing providers for standalone example

* Adds improvements to access_context_manager (GoogleCloudPlatform#70)

* Fix roles - example/secure-cloud-run (GoogleCloudPlatform#68)

Fix roles for secure-cloud-run example - README.md

* Readme to customize Foundation v2.3.1 for Secure Cloud Run (GoogleCloudPlatform#66)

* chore: update .github/renovate.json

* feat/Allow to map multiple subdomains on CloudRun main module (GoogleCloudPlatform#72)

Allow to add a list of subdomains on CloudRun main module

Co-authored-by: Jamie Mitchell <95890357+mitchelljamie@users.noreply.github.com>

* chore: update .github/workflows/stale.yml

* Remove hardcoded values for scaling on Cloud Run (GoogleCloudPlatform#74)

* feat: added variables for min/max container instances
* feat: added variable to specify egress rules

* Adds flag to disable cloud armor creation and add variable to re-use one (GoogleCloudPlatform#73)

* Adds flag to disable cloud armor creation and add variable to re-use an existing cloud armor

Co-authored-by: prabhu34 <18209477+prabhu34@users.noreply.github.com>
Co-authored-by: bharathkkb <bharathkrishnakb@gmail.com>
Co-authored-by: Bharath KKB <bbaiju@google.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Wybren Kortstra <Langstra@users.noreply.github.com>
Co-authored-by: Jonathan Greger <43762185+jmgreger@users.noreply.github.com>
Co-authored-by: Jonathan Greger <jmgreger@google.com>
Co-authored-by: Renato Rudnicki <renatojr@ciandt.com>
Co-authored-by: Assaf Namer <assaf.namer@gmail.com>
Co-authored-by: Renato Rudnicki <77694243+renato-rudnicki@users.noreply.github.com>
Co-authored-by: Daniel Andrade <dandrade@ciandt.com>
Co-authored-by: Jamie Mitchell <95890357+mitchelljamie@users.noreply.github.com>
Co-authored-by: Samir Ribeiro <42391123+Samir-Cit@users.noreply.github.com>
Co-authored-by: Samir-Cit <samir@ciandt.com>
Co-authored-by: CFT Bot <cloud-foundation-bot@google.com>
16 people authored Nov 8, 2022
1 parent 2bac9c0 commit 3214aaf
Showing 11 changed files with 247 additions and 29 deletions.
41 changes: 41 additions & 0 deletions .gitignore
@@ -4,6 +4,31 @@
# Local tfvars terraform.tfvars
**/terraform.tfvars
*.tfvars.json
# OSX leaves these everywhere on SMB shares
._*

# OSX trash
.DS_Store

# Python
*.pyc

# Emacs save files
*~
\#*\#
.\#*

# Vim-related files
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist

### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore

# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
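Review bot: the new Terraform section overlaps with patterns elsewhere in this file: `**/.terraform/*` added here and `.terraform*` added at the end of the file cover the same directories, so keep one of them. The `*.tfstate` entry is the one that matters for security (state files can embed secrets such as generated passwords and key material); if `*.tfstate.*` is not already present in the unchanged lines, add it beside `*.tfstate` so `terraform.tfstate.backup` is excluded as well. Pinning the upstream gitignore URL to a specific commit rather than a branch is good practice.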
@@ -34,3 +59,19 @@ override.tf.json
# example: *tfplan*
*.vscode
*.vsls.json
# Kitchen files
**/inspec.lock
**/.kitchen
**/kitchen.local.yml
**/Gemfile.lock

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
**/*.tfvars

credentials.json

.terraform*

**/*.vscode
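Review bot: the comment above `**/*.tfvars` says most .tfvars files "should be included in version control", but the pattern below it ignores every .tfvars file in the tree and makes the existing `**/terraform.tfvars` and `*.tfvars.json` lines partly redundant; either narrow the pattern or reword the comment so contributors know that all tfvars (which typically carry project ids and sometimes secrets) are deliberately excluded. `**/*.vscode` also duplicates `*.vscode` a few lines above. Ignoring `credentials.json` is a welcome addition, since it keeps downloaded service-account key files out of commits.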
1 change: 0 additions & 1 deletion examples/secure_cloud_run_standalone/providers.tf.example
@@ -23,4 +23,3 @@ provider "google-beta" {
impersonate_service_account = "YOUR-TERRAFORM-SA"
request_timeout = "60s"
}

2 changes: 0 additions & 2 deletions kitchen.yml
@@ -1,5 +1,3 @@


# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
23 changes: 20 additions & 3 deletions modules/secure-cloud-run-core/README.md
@@ -35,24 +35,41 @@ module "cloud_run_core" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments. | `list(string)` | `[]` | no |
| certificate\_mode | The mode of the certificate (NONE or AUTOMATIC). | `string` | `"NONE"` | no |
| cloud\_armor\_policies\_name | Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. | `string` | `null` | no |
| cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
| create\_cloud\_armor\_policies | When `true` the terraform will create the Cloud Armor policies. When `false`, the user must provide his own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
| container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten. | `list(string)` | `[]` | no |
| container\_concurrency | Concurrent request limits to the service. | `number` | `null` | no |
| create\_cloud\_armor\_policies | When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
| default\_rules | Default rule for Cloud Armor. | <pre>map(object({<br> action = string<br> priority = string<br> versioned_expr = string<br> src_ip_ranges = list(string)<br> description = string<br> }))</pre> | <pre>{<br> "default_rule": {<br> "action": "allow",<br> "description": "Default allow all rule",<br> "priority": "2147483647",<br> "src_ip_ranges": [<br> "*"<br> ],<br> "versioned_expr": "SRC_IPS_V1"<br> }<br>}</pre> | no |
| domain\_map\_annotations | Annotations to the domain map. | `map(string)` | `{}` | no |
| domain\_map\_labels | A set of key/value label pairs to assign to the Domain mapping. | `map(string)` | `{}` | no |
| encryption\_key | CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. | `string` | n/a | yes |
| env\_vars | Environment variables. | <pre>list(object({<br> value = string<br> name = string<br> }))</pre> | `[]` | no |
| force\_override | Option to force override existing mapping. | `bool` | `false` | no |
| generate\_revision\_name | Option to enable revision name generation. | `bool` | `true` | no |
| image | GAR hosted image URL to deploy. | `string` | n/a | yes |
| lb\_name | Name for load balancer and associated resources. | `string` | `"tf-cr-lb"` | no |
| limits | Resource limits to the container. | `map(string)` | `null` | no |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| max\_scale\_instances | Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). | `number` | `2` | no |
| members | Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users.` | `list(string)` | `[]` | no |
| min\_scale\_instances | Sets the minimum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). | `number` | `1` | no |
| owasp\_rules | These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default\_rule). | <pre>map(object({<br> action = string<br> priority = string<br> expression = string<br> }))</pre> | <pre>{<br> "rule_lfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('lfi-v33-stable')",<br> "priority": "1002"<br> },<br> "rule_protocolattack": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('protocolattack-v33-stable')",<br> "priority": "1006"<br> },<br> "rule_rce": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rce-v33-stable')",<br> "priority": "1003"<br> },<br> "rule_rfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rfi-v33-stable')",<br> "priority": "1004"<br> },<br> "rule_scannerdetection": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('scannerdetection-v33-stable')",<br> "priority": "1005"<br> },<br> "rule_sessionfixation": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sessionfixation-v33-stable')",<br> "priority": "1007"<br> },<br> "rule_sqli": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sqli-v33-stable')",<br> "priority": "1000"<br> },<br> "rule_xss": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('xss-v33-stable')",<br> "priority": "1001"<br> }<br>}</pre> | no |
| owasp\_rules | These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default\_rule). | <pre>map(object({<br> action = string<br> priority = string<br> expression = string<br> }))</pre> | <pre>{<br> "rule_canary": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rce-v33-stable')",<br> "priority": "1003"<br> },<br> "rule_lfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('lfi-v33-stable')",<br> "priority": "1002"<br> },<br> "rule_protocolattack": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('protocolattack-v33-stable')",<br> "priority": "1006"<br> },<br> "rule_rfi": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('rfi-v33-stable')",<br> "priority": "1004"<br> },<br> "rule_scannerdetection": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('scannerdetection-v33-stable')",<br> "priority": "1005"<br> },<br> "rule_sessionfixation": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sessionfixation-v33-stable')",<br> "priority": "1007"<br> },<br> "rule_sqli": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('sqli-v33-stable')",<br> "priority": "1000"<br> },<br> "rule_xss": {<br> "action": "deny(403)",<br> "expression": "evaluatePreconfiguredExpr('xss-v33-stable')",<br> "priority": "1001"<br> }<br>}</pre> | no |
| ports | Port which the container listens to (http1 or h2c). | <pre>object({<br> name = string<br> port = number<br> })</pre> | <pre>{<br> "name": "http1",<br> "port": 8080<br>}</pre> | no |
| project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
| region | Location for load balancer and Cloud Run resources. | `string` | n/a | yes |
| requests | Resource requests to the container. | `map(string)` | `{}` | no |
| service\_labels | A set of key/value label pairs to assign to the service. | `map(string)` | `{}` | no |
| service\_name | The name of the Cloud Run service to create. | `string` | n/a | yes |
| ssl\_certificates | A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME>` to be used by Load Balancer. | <pre>object({<br> ssl_certificates_self_links = list(string)<br> generate_certificates_for_domains = list(string)<br> })</pre> | n/a | yes |
| verified\_domain\_name | Custom Domain Name | `list(string)` | n/a | yes |
| template\_labels | A set of key/value label pairs to assign to the container metadata. | `map(string)` | `{}` | no |
| timeout\_seconds | Timeout for each request. | `number` | `120` | no |
| traffic\_split | Managing traffic routing to the service. | <pre>list(object({<br> latest_revision = bool<br> percent = number<br> revision_name = string<br> }))</pre> | <pre>[<br> {<br> "latest_revision": true,<br> "percent": 100,<br> "revision_name": "v1-0-0"<br> }<br>]</pre> | no |
| verified\_domain\_name | List of custom Domain Name. | `list(string)` | n/a | yes |
| volume\_mounts | [Beta] Volume Mounts to be attached to the container (when using secret). | <pre>list(object({<br> mount_path = string<br> name = string<br> }))</pre> | `[]` | no |
| volumes | [Beta] Volumes needed for environment variables (when using secret). | <pre>list(object({<br> name = string<br> secret = set(object({<br> secret_name = string<br> items = map(string)<br> }))<br> }))</pre> | `[]` | no |
| vpc\_connector\_id | VPC Connector id in the format projects/PROJECT/locations/LOCATION/connectors/NAME. | `string` | n/a | yes |
| vpc\_egress\_value | Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. | `string` | `"private-ranges-only"` | no |

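Review bot: this table is generated from the variable descriptions (the commit message lists "generated docs"), so the wording problems should be fixed in variables.tf rather than here: the `members` description has an unbalanced quote (`serviceAccount:'` and a stray trailing backtick after `users.`), `max_scale_instances` and `min_scale_instances` both spell "revison", and `vpc_egress_value` is described as a "VPC Egress firewall rule" although it is the Cloud Run VPC egress setting (which outbound traffic is routed through the connector), not a VPC firewall rule. Renaming `rule_canary` to `rule_rce` in `owasp_rules` is correct, as the key now matches the `rce-v33-stable` preconfigured expression it carries.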
35 changes: 26 additions & 9 deletions modules/secure-cloud-run-core/main.tf
@@ -17,15 +17,32 @@
module "cloud_run" {
source = "../.."

service_name = var.service_name
project_id = var.project_id
location = var.location
image = var.image
service_account_email = var.cloud_run_sa
encryption_key = var.encryption_key
members = var.members
env_vars = var.env_vars
verified_domain_name = var.verified_domain_name
service_name = var.service_name
project_id = var.project_id
location = var.location
image = var.image
service_account_email = var.cloud_run_sa
encryption_key = var.encryption_key
members = var.members
env_vars = var.env_vars
generate_revision_name = var.generate_revision_name
traffic_split = var.traffic_split
service_labels = var.service_labels
template_labels = var.template_labels
container_concurrency = var.container_concurrency
timeout_seconds = var.timeout_seconds
volumes = var.volumes
limits = var.limits
requests = var.requests
ports = var.ports
argument = var.argument
container_command = var.container_command
volume_mounts = var.volume_mounts
force_override = var.force_override
certificate_mode = var.certificate_mode
domain_map_labels = var.domain_map_labels
domain_map_annotations = var.domain_map_annotations
verified_domain_name = var.verified_domain_name

service_annotations = {
"run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
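Review bot: `volumes` and `volume_mounts` are documented as `[Beta]` in variables.tf, yet the `cloud_run` module call shows no `providers` argument, so confirm that `../..` resolves these through `google-beta` or that the underlying resource no longer requires it. Keeping the ingress annotation `internal-and-cloud-load-balancing` hardcoded in `service_annotations` rather than exposing it as one more pass-through variable is the right call: it is the setting that forces traffic through the Cloud Armor-protected load balancer, and this hunk leaves it non-overridable.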
147 changes: 139 additions & 8 deletions modules/secure-cloud-run-core/variables.tf
@@ -94,7 +94,7 @@ variable "owasp_rules" {
priority = "1002"
expression = "evaluatePreconfiguredExpr('lfi-v33-stable')"
}
rule_rce = {
rule_canary = {
action = "deny(403)"
priority = "1003"
expression = "evaluatePreconfiguredExpr('rce-v33-stable')"
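Review bot: renaming the default map key from `rule_canary` to `rule_rce` is a breaking change for anyone who customises `owasp_rules` by merging on the old key (their override of the RCE rule will silently stop applying, and depending on how the rules are iterated Terraform may plan a delete of `rule_canary` and a create of `rule_rce`), so it deserves a CHANGELOG/release-note entry. The rename itself is right, since the key now matches the `rce-v33-stable` expression.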
@@ -126,6 +126,7 @@ variable "owasp_rules" {
expression = string
}))
}

variable "lb_name" {
description = "Name for load balancer and associated resources."
default = "tf-cr-lb"
@@ -146,21 +147,152 @@ variable "members" {
default = []
}

variable "create_cloud_armor_policies" {
variable "generate_revision_name" {
description = "Option to enable revision name generation."
type = bool
description = "When `true` the terraform will create the Cloud Armor policies. When `false`, the user must provide his own Cloud Armor name in `cloud_armor_policies_name`."
default = true
}

variable "cloud_armor_policies_name" {
type = string
description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
variable "traffic_split" {
description = "Managing traffic routing to the service."
type = list(object({
latest_revision = bool
percent = number
revision_name = string
}))
default = [{
latest_revision = true
percent = 100
revision_name = "v1-0-0"
}]
}

variable "service_labels" {
description = "A set of key/value label pairs to assign to the service."
type = map(string)
default = {}
}

// Metadata
variable "template_labels" {
description = "A set of key/value label pairs to assign to the container metadata."
type = map(string)
default = {}
}

// template spec
variable "container_concurrency" {
description = "Concurrent request limits to the service."
type = number
default = null
}

variable "timeout_seconds" {
description = "Timeout for each request."
type = number
default = 120
}

variable "volumes" {
description = "[Beta] Volumes needed for environment variables (when using secret)."
type = list(object({
name = string
secret = set(object({
secret_name = string
items = map(string)
}))
}))
default = []
}

# template spec container
# resources
# cpu = (core count * 1000)m
# memory = (size) in Mi/Gi
variable "limits" {
description = "Resource limits to the container."
type = map(string)
default = null
}
variable "requests" {
description = "Resource requests to the container."
type = map(string)
default = {}
}

variable "ports" {
description = "Port which the container listens to (http1 or h2c)."
type = object({
name = string
port = number
})
default = {
name = "http1"
port = 8080
}
}

variable "argument" {
description = "Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments."
type = list(string)
default = []
}

variable "container_command" {
description = "Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten."
type = list(string)
default = []
}

variable "volume_mounts" {
type = list(object({
mount_path = string
name = string
}))
description = "[Beta] Volume Mounts to be attached to the container (when using secret)."
default = []
}

// Domain Mapping
variable "verified_domain_name" {
description = "List of custom Domain Name."
type = list(string)
description = "Custom Domain Name"
}

variable "force_override" {
description = "Option to force override existing mapping."
type = bool
default = false
}

variable "certificate_mode" {
description = "The mode of the certificate (NONE or AUTOMATIC)."
type = string
default = "NONE"
}

variable "domain_map_labels" {
description = "A set of key/value label pairs to assign to the Domain mapping."
type = map(string)
default = {}
}

variable "domain_map_annotations" {
description = "Annotations to the domain map."
type = map(string)
default = {}
}

variable "create_cloud_armor_policies" {
type = bool
description = "When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`."
default = true
}

variable "cloud_armor_policies_name" {
type = string
description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
default = null
}

variable "max_scale_instances" {
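Review bot: `certificate_mode` and `ports.name` accept any string even though their descriptions restrict them to `NONE`/`AUTOMATIC` and `http1`/`h2c`; add `validation` blocks so a typo fails at plan time rather than at apply, e.g. `condition = contains(["NONE", "AUTOMATIC"], var.certificate_mode)` with a matching `error_message`. `traffic_split` likewise has no check that the `percent` values sum to 100. Two smaller points: `limits` defaults to `null` while `requests` defaults to `{}`, so confirm the downstream module handles both shapes, and the `[Beta]` tag on `volumes`/`volume_mounts` contradicts the commit note that Secret Manager environment variables are now GA.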
@@ -180,7 +312,6 @@ variable "vpc_egress_value" {
type = string
default = "private-ranges-only"
}

variable "ssl_certificates" {
type = object({
ssl_certificates_self_links = list(string)
1 change: 1 addition & 0 deletions modules/secure-cloud-run-net/variables.tf
@@ -66,6 +66,7 @@ variable "flow_sampling" {
type = number
default = 1.0
}

variable "resource_names_suffix" {
description = "A suffix to concat in the end of the resources names."
type = string
4 changes: 2 additions & 2 deletions modules/secure-cloud-run/README.md
@@ -129,15 +129,15 @@ The following dependencies must be available:

### APIs

The Secure-cloud-run project will enable the following APIs to the Serverlesss Project:
The Secure-cloud-run module will enable the following APIs to the Serverlesss Project:

* Google VPC Access API: `vpcaccess.googleapis.com`
* Compute API: `compute.googleapis.com`
* Container Registry API: `container.googleapis.com`
* Cloud Run API: `run.googleapis.com`
* Cloud KMS API: `cloudkms.googleapis.com`

The Secure-cloud-run project will enable the following APIs to the VPC Project:
The Secure-cloud-run module will enable the following APIs to the VPC Project:

* Google VPC Access API: `vpcaccess.googleapis.com`
* Compute API: `compute.googleapis.com`
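Review bot: the "project" to "module" fix is right, but both rewritten lines still say "Serverlesss" (three s) and "enable the following APIs to the ... Project" reads better as "in the ... Project". Separately, the list labels `container.googleapis.com` as the Container Registry API; that service name is the Kubernetes Engine API (Container Registry is `containerregistry.googleapis.com`), so confirm which one the module actually needs, since enabling GKE in the serverless project widens its surface for no benefit if it is not used.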
15 changes: 14 additions & 1 deletion modules/secure-cloud-run/main.tf
@@ -26,7 +26,8 @@ module "serverless_project_apis" {
"compute.googleapis.com",
"container.googleapis.com",
"run.googleapis.com",
"cloudkms.googleapis.com"
"cloudkms.googleapis.com",
"run.googleapis.com"
]
}

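Review bot: `"run.googleapis.com"` now appears twice in `activate_apis` (the existing entry three lines up and the one added after `"cloudkms.googleapis.com",`); drop the new one so the list stays a set, and if a different API was meant to be added here, name it instead.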
@@ -43,6 +44,18 @@ module "vpc_project_apis" {
]
}

module "kms_project_apis" {
source = "terraform-google-modules/project-factory/google//modules/project_services"
version = "~> 13.0"

project_id = var.kms_project_id
disable_services_on_destroy = false

activate_apis = [
"cloudkms.googleapis.com"
]
}

module "cloud_run_network" {
source = "../secure-cloud-run-net"

1 change: 1 addition & 0 deletions modules/secure-cloud-run/variables.tf
@@ -150,6 +150,7 @@ variable "create_subnet" {
type = bool
default = true
}

variable "policy_for" {
description = "Policy Root: set one of the following values to determine where the policy is applied. Possible values: [\"project\", \"folder\", \"organization\"]."
type = string