From 1b91f0d11ea9c8d538143388eba90323ce57bd8a Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Fri, 30 Sep 2022 15:26:50 -0300
Subject: [PATCH] Adds requirements on secure-cloud-run-net module (#60)

---
 modules/secure-cloud-run-net/README.md | 75 +++++++++++++----------
 modules/secure-cloud-run-net/variables.tf | 2 +-
 2 files changed, 43 insertions(+), 34 deletions(-)

diff --git a/modules/secure-cloud-run-net/README.md b/modules/secure-cloud-run-net/README.md
index c9e8a73f..35ec0f1a 100644
--- a/modules/secure-cloud-run-net/README.md
+++ b/modules/secure-cloud-run-net/README.md
@@ -1,46 +1,24 @@
 # Secure Cloud Run Network
 This module handles the basic deployment network configurations for Cloud Run usage.
+When using a Shared VPC, you can chose where to create the VPC Connector.
+
+_Note:_ When using a single VPC you should provides VPC and Serverless project id with the same value and the value for `connector_on_host_project` variable must be `false`.
 The resources/services/activations/deletions that this module will create/trigger are:
 * Creates Firewall rules on your **VPC Project**.
+ * Serverless to VPC Connector
+ * VPC Connector to Serverless
+ * VPC Connector to LB
+ * VPC Connector Health Checks
 * Creates a sub network to VPC Connector usage purpose.
 * Creates Serverless Connector on your **VPC Project** or **Serverless Project**. Refer the comparison below:
 * Advantages of creating connectors in the [VPC Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#host-project)
 * Advantages of creating connectors in the [Serverless Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#service-projects)
-* Grant the necessary roles for Cloud Run are able to use VPC Connector on your VPC.
-
-## Requirements
-
-### Software
-
-The following dependencies must be available:
-
-* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
-* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53
-
-### APIs
-
-The Serverless and Network project with the following APIs enabled must be used to host the
-resources of this module:
-
-* Google VPC Access API: `vpcaccess.googleapis.com`
-* Compute API: `compute.googleapis.com`
-
-### Service Account
-
-A service account with one of the following roles must be used to provision
-the resources of this module:
-
-* Network Project
- * Compute Shared VPC Admin: `roles/compute.xpnAdmin`
- * Network Admin: `roles/compute.networkAdmin`
- * Security Admin: `roles/compute.securityAdmin`
- * Serverless VPC Access Admin: `roles/vpcaccess.admin`
-* Serverless Project
- * Security Admin: `roles/compute.securityAdmin`
- * Serverless VPC Access Admin: `roles/vpcaccess.admin`
+* Grant the necessary roles for Cloud Run are able to use VPC Connector on your Shared VPC when creating VPC Connector in host project.
+ * Grant Network User role to Cloud Services service account.
+ * Grant VPC Access User to Cloud Run Service Identity when deploying VPC Access.
 ## Usage
@@ -67,7 +45,7 @@ module "cloud_run_network" {
 | connector\_on\_host\_project | Connector is going to be created on the host project if true. When false, connector is going to be created on service project. For more information, access [documentation](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc). | `bool` | `false` | no |
 | create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
 | flow\_sampling | Sampling rate of VPC flow logs. The value must be in [0,1]. Where 1.0 means all logs, 0.5 mean half of the logs and 0.0 means no logs are reported. | `number` | `1` | no |
-| ip\_cidr\_range | The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported | `string` | n/a | yes |
+| ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
 | location | The location where resources are going to be deployed. | `string` | n/a | yes |
 | resource\_names\_suffix | A suffix to concat in the end of the resources names. | `string` | `null` | no |
 | serverless\_project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
@@ -86,3 +64,34 @@ module "cloud_run_network" {
 | subnet\_name | The name of the sub-network used to create VPC Connector. |
+
+## Requirements
+
+### Software
+
+The following dependencies must be available:
+
+* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
+* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) plugin < 5.0
+
+### APIs
+
+The Serverless and Network project with the following APIs enabled must be used to host the
+resources of this module:
+
+* Google VPC Access API: `vpcaccess.googleapis.com`
+* Compute API: `compute.googleapis.com`
+
+### Service Account
+
+A service account with one of the following roles must be used to provision
+the resources of this module:
+
+* Network Project
+ * Compute Shared VPC Admin: `roles/compute.xpnAdmin`
+ * Network Admin: `roles/compute.networkAdmin`
+ * Security Admin: `roles/compute.securityAdmin`
+ * Serverless VPC Access Admin: `roles/vpcaccess.admin`
+* Serverless Project
+ * Security Admin: `roles/compute.securityAdmin`
+ * Serverless VPC Access Admin: `roles/vpcaccess.admin`
diff --git a/modules/secure-cloud-run-net/variables.tf b/modules/secure-cloud-run-net/variables.tf
index 13cbaff7..e456bdd0 100644
--- a/modules/secure-cloud-run-net/variables.tf
+++ b/modules/secure-cloud-run-net/variables.tf
@@ -51,7 +51,7 @@ variable "connector_on_host_project" {
 }
 variable "ip_cidr_range" {
- description = "The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported"
+ description = "The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported."
 type = string
 }
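Review bot: The `ip_cidr_range` variable in the variables.tf hunk still carries no `validation` block, so the constraints the new description states (IPv4 only, a CIDR block such as 10.0.0.0/28) are enforced only by the provider at apply time, after the firewall rules and subnet may already have been partially created. The README in this same commit requires Terraform >= 0.13.0, which supports variable validation, so a plan-time check can reject malformed or IPv6 input before anything is provisioned. If the connector really does require a /28 range, as the new examples suggest, the condition could also compare the prefix length, but I cannot confirm that requirement from this change alone.

```hcl
variable "ip_cidr_range" {
  # … unchanged: description …
  type = string

  validation {
    condition     = can(cidrhost(var.ip_cidr_range, 0)) && !can(regex(":", var.ip_cidr_range))
    error_message = "ip_cidr_range must be a valid IPv4 CIDR block, for example 10.0.0.0/28."
  }
}
```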