Adds initial version of security cloud run security module

modules/secure-cloud-run-security/README.md

@@ -0,0 +1,92 @@
+# Secure Cloud Run Security
+
+This module handles the basic deployment security configurations for Cloud Run usage.
+
+The resources/services/activations/deletions that this module will create/trigger are:
+
+* Creates KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project**.
+* Enables Organization Policies related to Cloud Run in the **Serverless Project**.
+  * Allow Ingress only from internal and Cloud Load Balancing.
+  * Allow VPC Egress to Private Ranges Only.
+
+## Requirements
+
+### Software
+
+The following dependencies must be available:
+
+* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
+* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53
+
+### APIs
+
+A project with the following APIs enabled must be used to host the
+resources of this module:
+
+* KMS Project
+  * Google Cloud Key Management Service: `cloudkms.googleapis.com`
+
+### Service Account
+
+A service account with the following roles must be used to provision
+the resources of this module:
+
+* KMS Project
+  * Cloud KMS Admin: `roles/cloudkms.admin`
+* Serverless Project
+  * Organization Policy Administrator: `roles/orgpolicy.policyAdmin`
+
+## Usage
+
+```hcl
+module "cloud_run_security" {
+  source = "../secure-cloud-run-security"
+
+  kms_project_id        = <KMS PROJECT ID>
+  location              = <KMS LOCATION>
+  serverless_project_id = <SERVERLESS PROJECT ID>
+  key_name              = <KEY NAME>
+  keyring_name          = <KEYRING NAME>
+  key_rotation_period   = <KEY ROTATION PERIOD>
+  key_protection_level  = <KEY PROTECTION LEVEL>
+
+  encrypters = [
+    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
+    "serviceAccount:<CLOUD RUN SERVICE ACCOUNT>"
+  ]
+
+  decrypters = [
+    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
+    "serviceAccount:<CLOUD RUN SERVICE ACCOUNT>"
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |
+| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |
+| key\_name | Key name. | `string` | n/a | yes |
+| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no |
+| key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no |
+| keyring\_name | Keyring name. | `string` | n/a | yes |
+| kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes |
+| location | The location where resources are going to be deployed. | `string` | n/a | yes |
+| owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no |
+| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys.. | `bool` | `true` | no |
+| serverless\_project\_id | The project where Cloud Run is going to be deployed. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| key | Key self link. |
+| keyring | Self link of the keyring. |
+| keyring\_name | Name of the keyring. |
+| keyring\_resource | Keyring resource. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+

modules/secure-cloud-run-security/kms.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloud_run_kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 2.1"
+
+  project_id           = var.kms_project_id
+  location             = var.location
+  keyring              = var.keyring_name
+  keys                 = [var.key_name]
+  set_decrypters_for   = length(var.decrypters) > 0 ? [var.key_name] : []
+  set_encrypters_for   = length(var.encrypters) > 0 ? [var.key_name] : []
+  decrypters           = var.decrypters
+  encrypters           = var.encrypters
+  set_owners_for       = length(var.owners) > 0 ? [var.key_name] : []
+  owners               = var.owners
+  prevent_destroy      = var.prevent_destroy
+  key_rotation_period  = var.key_rotation_period
+  key_protection_level = var.key_protection_level
+}

modules/secure-cloud-run-security/org_policies.tf

@@ -0,0 +1,39 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloudrun_allowed_ingress" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.1"
+
+  constraint        = "constraints/run.allowedIngress"
+  policy_for        = "project"
+  project_id        = var.serverless_project_id
+  policy_type       = "list"
+  allow             = ["is:internal-and-cloud-load-balancing"]
+  allow_list_length = 1
+}
+
+module "cloudrun_allowed_vpc_egress" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.1"
+
+  policy_for        = "project"
+  project_id        = var.serverless_project_id
+  constraint        = "constraints/run.allowedVPCEgress"
+  policy_type       = "list"
+  allow             = ["private-ranges-only"]
+  allow_list_length = 1
+}

modules/secure-cloud-run-security/outputs.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "key" {
+  description = "Key self link."
+  value       = module.cloud_run_kms.keys[var.key_name]
+}
+
+output "keyring" {
+  description = "Self link of the keyring."
+  value       = module.cloud_run_kms.keyring
+}
+
+output "keyring_name" {
+  description = "Name of the keyring."
+  value       = module.cloud_run_kms.keyring_name
+}
+
+output "keyring_resource" {
+  description = "Keyring resource."
+  value       = module.cloud_run_kms.keyring_resource
+}

modules/secure-cloud-run-security/variables.tf

@@ -0,0 +1,76 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "kms_project_id" {
+  description = "The project where KMS will be created."
+  type        = string
+}
+
+variable "serverless_project_id" {
+  description = "The project where Cloud Run is going to be deployed."
+  type        = string
+}
+
+variable "prevent_destroy" {
+  description = "Set the prevent_destroy lifecycle attribute on keys.."
+  type        = bool
+  default     = true
+}
+
+variable "keyring_name" {
+  description = "Keyring name."
+  type        = string
+}
+
+variable "key_rotation_period" {
+  description = "Period of key rotation in seconds."
+  type        = string
+  default     = "2592000s"
+}
+
+variable "key_name" {
+  description = "Key name."
+  type        = string
+}
+
+variable "key_protection_level" {
+  description = "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]"
+  type        = string
+  default     = "HSM"
+}
+
+variable "location" {
+  description = "The location where resources are going to be deployed."
+  type        = string
+}
+
+variable "owners" {
+  description = "List of comma-separated owners for each key declared in set_owners_for."
+  type        = list(string)
+  default     = []
+}
+
+variable "encrypters" {
+  description = "List of comma-separated owners for each key declared in set_encrypters_for."
+  type        = list(string)
+  default     = []
+}
+
+variable "decrypters" {
+  description = "List of comma-separated owners for each key declared in set_decrypters_for."
+  type        = list(string)
+  default     = []
+}

modules/secure-cloud-run-security/versions.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.53, < 5.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 3.53, < 5.0"
+    }
+  }
+}