forked from GoogleCloudPlatform/terraform-google-cloud-run
Commit
Adds initial version of security cloud run security module
1 parent 49c7bc1, commit d796202. Showing 6 changed files with 306 additions and 0 deletions.
@@ -0,0 +1,92 @@ | ||
# Secure Cloud Run Security | ||
|
||
This module handles the basic deployment security configurations for Cloud Run usage. | ||
|
||
The resources/services/activations/deletions that this module will create/trigger are: | ||
|
||
* Creates KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project**. | ||
* Enables Organization Policies related to Cloud Run in the **Serverless Project**. | ||
* Allow Ingress only from internal and Cloud Load Balancing. | ||
* Allow VPC Egress to Private Ranges Only. | ||
|
||
## Requirements | ||
|
||
### Software | ||
|
||
The following dependencies must be available: | ||
|
||
* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0 | ||
* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53 | ||
|
||
### APIs | ||
|
||
A project with the following APIs enabled must be used to host the | ||
resources of this module: | ||
|
||
* KMS Project | ||
* Google Cloud Key Management Service: `cloudkms.googleapis.com` | ||
|
||
### Service Account | ||
|
||
A service account with the following roles must be used to provision | ||
the resources of this module: | ||
|
||
* KMS Project | ||
* Cloud KMS Admin: `roles/cloudkms.admin` | ||
* Serverless Project | ||
* Organization Policy Administrator: `roles/orgpolicy.policyAdmin` | ||
|
||
## Usage | ||
|
||
```hcl | ||
module "cloud_run_security" { | ||
source = "../secure-cloud-run-security" | ||
kms_project_id = <KMS PROJECT ID> | ||
location = <KMS LOCATION> | ||
serverless_project_id = <SERVERLESS PROJECT ID> | ||
key_name = <KEY NAME> | ||
keyring_name = <KEYRING NAME> | ||
key_rotation_period = <KEY ROTATION PERIOD> | ||
key_protection_level = <KEY PROTECTION LEVEL> | ||
encrypters = [ | ||
"serviceAccount:<SERVERLESS IDENTITY EMAIL>", | ||
"serviceAccount:<CLOUD RUN SERVICE ACCOUNT>" | ||
] | ||
decrypters = [ | ||
"serviceAccount:<SERVERLESS IDENTITY EMAIL>", | ||
"serviceAccount:<CLOUD RUN SERVICE ACCOUNT>" | ||
] | ||
} | ||
``` | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no | | ||
| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no | | ||
| key\_name | Key name. | `string` | n/a | yes | | ||
| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no | | ||
| key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no | | ||
| keyring\_name | Keyring name. | `string` | n/a | yes | | ||
| kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes | | ||
| location | The location where resources are going to be deployed. | `string` | n/a | yes | | ||
| owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no | | ||
| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys.. | `bool` | `true` | no | | ||
| serverless\_project\_id | The project where Cloud Run is going to be deployed. | `string` | n/a | yes | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| key | Key self link. | | ||
| keyring | Self link of the keyring. | | ||
| keyring\_name | Name of the keyring. | | ||
| keyring\_resource | Keyring resource. | | ||
|
||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
|
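Review bot: the `encrypters`, `decrypters` and `owners` rows of the Inputs table describe each input as "owners for each key declared in set_…_for", but this module does not expose `set_encrypters_for`, `set_decrypters_for` or `set_owners_for`; they are derived internally from whether the corresponding list is non-empty. Reword the descriptions to say what the binding grants on the key (for example "IAM members granted encrypt permission on the key"), and fix the double period in "keys.." on the `prevent_destroy` row. The Software section links `[Terraform Provider for GCP][terraform-provider-gcp]` as a reference-style link but no `[terraform-provider-gcp]:` definition appears anywhere in the file, so it will render as literal brackets; it also states "plugin v3.53" while the constraint in this commit is `>= 3.53, < 5.0`, so the README should state the same range. Finally, the Usage block omits `owners` even though the module accepts it and it grants the broadest access to the key; either show it in the example or document that it defaults to empty.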
@@ -0,0 +1,34 @@ | ||
/** | ||
* Copyright 2022 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
module "cloud_run_kms" { | ||
source = "terraform-google-modules/kms/google" | ||
version = "~> 2.1" | ||
|
||
project_id = var.kms_project_id | ||
location = var.location | ||
keyring = var.keyring_name | ||
keys = [var.key_name] | ||
set_decrypters_for = length(var.decrypters) > 0 ? [var.key_name] : [] | ||
set_encrypters_for = length(var.encrypters) > 0 ? [var.key_name] : [] | ||
decrypters = var.decrypters | ||
encrypters = var.encrypters | ||
set_owners_for = length(var.owners) > 0 ? [var.key_name] : [] | ||
owners = var.owners | ||
prevent_destroy = var.prevent_destroy | ||
key_rotation_period = var.key_rotation_period | ||
key_protection_level = var.key_protection_level | ||
} |
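Review bot: `version = "~> 2.1"` on `module "cloud_run_kms"` accepts any 2.x release of the upstream KMS module, so a future minor release could change the IAM behaviour of this security module without a change here; for a module whose purpose is to lock down key access, pin an exact version (for example `version = "2.1.0"`) and bump it deliberately. Also, `decrypters` and `encrypters` are passed through unconditionally while `set_decrypters_for`/`set_encrypters_for` are gated on list length, which is correct but worth a one-line comment, since a reader may otherwise assume an empty list clears an existing binding.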
@@ -0,0 +1,39 @@ | ||
/** | ||
* Copyright 2022 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
module "cloudrun_allowed_ingress" { | ||
source = "terraform-google-modules/org-policy/google" | ||
version = "~> 5.1" | ||
|
||
constraint = "constraints/run.allowedIngress" | ||
policy_for = "project" | ||
project_id = var.serverless_project_id | ||
policy_type = "list" | ||
allow = ["is:internal-and-cloud-load-balancing"] | ||
allow_list_length = 1 | ||
} | ||
|
||
module "cloudrun_allowed_vpc_egress" { | ||
source = "terraform-google-modules/org-policy/google" | ||
version = "~> 5.1" | ||
|
||
policy_for = "project" | ||
project_id = var.serverless_project_id | ||
constraint = "constraints/run.allowedVPCEgress" | ||
policy_type = "list" | ||
allow = ["private-ranges-only"] | ||
allow_list_length = 1 | ||
} |
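Review bot: both `module "cloudrun_allowed_ingress"` and `module "cloudrun_allowed_vpc_egress"` set `policy_for = "project"`, and the README promises "Allow Ingress only from internal and Cloud Load Balancing"; the caveat that belongs in the README is that a list constraint applied at project level is evaluated when a Cloud Run service is created or updated and does not retroactively change services that already exist in `var.serverless_project_id`, so adopters with existing services need to redeploy them for the restriction to take effect. `allow_list_length = 1` must stay equal to `length(allow)`; a short comment saying so would prevent the two drifting apart when someone adds a second allowed value.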
@@ -0,0 +1,35 @@ | ||
/** | ||
* Copyright 2022 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
output "key" { | ||
description = "Key self link." | ||
value = module.cloud_run_kms.keys[var.key_name] | ||
} | ||
|
||
output "keyring" { | ||
description = "Self link of the keyring." | ||
value = module.cloud_run_kms.keyring | ||
} | ||
|
||
output "keyring_name" { | ||
description = "Name of the keyring." | ||
value = module.cloud_run_kms.keyring_name | ||
} | ||
|
||
output "keyring_resource" { | ||
description = "Keyring resource." | ||
value = module.cloud_run_kms.keyring_resource | ||
} |
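Review bot: the output descriptions are inconsistent in style ("Key self link." versus "Self link of the keyring."); pick one phrasing for the `key` and `keyring` outputs so the generated README table reads uniformly.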
@@ -0,0 +1,76 @@ | ||
/** | ||
* Copyright 2022 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
variable "kms_project_id" { | ||
description = "The project where KMS will be created." | ||
type = string | ||
} | ||
|
||
variable "serverless_project_id" { | ||
description = "The project where Cloud Run is going to be deployed." | ||
type = string | ||
} | ||
|
||
variable "prevent_destroy" { | ||
description = "Set the prevent_destroy lifecycle attribute on keys.." | ||
type = bool | ||
default = true | ||
} | ||
|
||
variable "keyring_name" { | ||
description = "Keyring name." | ||
type = string | ||
} | ||
|
||
variable "key_rotation_period" { | ||
description = "Period of key rotation in seconds." | ||
type = string | ||
default = "2592000s" | ||
} | ||
|
||
variable "key_name" { | ||
description = "Key name." | ||
type = string | ||
} | ||
|
||
variable "key_protection_level" { | ||
description = "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]" | ||
type = string | ||
default = "HSM" | ||
} | ||
|
||
variable "location" { | ||
description = "The location where resources are going to be deployed." | ||
type = string | ||
} | ||
|
||
variable "owners" { | ||
description = "List of comma-separated owners for each key declared in set_owners_for." | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "encrypters" { | ||
description = "List of comma-separated owners for each key declared in set_encrypters_for." | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "decrypters" { | ||
description = "List of comma-separated owners for each key declared in set_decrypters_for." | ||
type = list(string) | ||
default = [] | ||
} |
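Review bot: `variable "key_protection_level"` documents the only valid values as "SOFTWARE" and "HSM" but has no `validation` block, so a typo is only caught at apply time inside the KMS module; add `validation { condition = contains(["SOFTWARE", "HSM"], var.key_protection_level) ... }` with a matching `error_message`. The `prevent_destroy` description has a stray double period ("keys.."), and the `owners`, `encrypters` and `decrypters` descriptions all refer to `set_owners_for`/`set_encrypters_for`/`set_decrypters_for`, which are not inputs of this module; describe each list by the permission it grants on the key instead. `key_rotation_period` says "in seconds" while the default `"2592000s"` and the provider expect a duration string with an `s` suffix; say "as a duration string, e.g. 2592000s" so callers do not pass a bare integer.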
@@ -0,0 +1,30 @@ | ||
/** | ||
* Copyright 2022 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
terraform { | ||
required_version = ">= 0.13" | ||
|
||
required_providers { | ||
google = { | ||
source = "hashicorp/google" | ||
version = ">= 3.53, < 5.0" | ||
} | ||
google-beta = { | ||
source = "hashicorp/google-beta" | ||
version = ">= 3.53, < 5.0" | ||
} | ||
} | ||
} |
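Review bot: `google-beta` is declared in `required_providers` with `>= 3.53, < 5.0`, but none of the files in this commit reference a `google-beta` resource directly; if it is only there because a child module needs it, add a one-line comment saying which module, otherwise drop it so the module does not require a provider it never uses. `required_version = ">= 0.13"` is consistent with the README's ">= 0.13.0".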