From d7962025818e2359feec47085ab99745feb016f0 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 9 Jun 2022 14:28:15 -0300 Subject: [PATCH] Adds initial version of security cloud run security module --- modules/secure-cloud-run-security/README.md | 92 +++++++++++++++++++ modules/secure-cloud-run-security/kms.tf | 34 +++++++ .../secure-cloud-run-security/org_policies.tf | 39 ++++++++ modules/secure-cloud-run-security/outputs.tf | 35 +++++++ .../secure-cloud-run-security/variables.tf | 76 +++++++++++++++ modules/secure-cloud-run-security/versions.tf | 30 ++++++ 6 files changed, 306 insertions(+) create mode 100644 modules/secure-cloud-run-security/README.md create mode 100644 modules/secure-cloud-run-security/kms.tf create mode 100644 modules/secure-cloud-run-security/org_policies.tf create mode 100644 modules/secure-cloud-run-security/outputs.tf create mode 100644 modules/secure-cloud-run-security/variables.tf create mode 100644 modules/secure-cloud-run-security/versions.tf diff --git a/modules/secure-cloud-run-security/README.md b/modules/secure-cloud-run-security/README.md new file mode 100644 index 00000000..d7ff401b --- /dev/null +++ b/modules/secure-cloud-run-security/README.md 
@@ -0,0 +1,92 @@ +# Secure Cloud Run Security + +This module handles the basic deployment security configurations for Cloud Run usage. + +The resources/services/activations/deletions that this module will create/trigger are: + +* Creates KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project**. +* Enables Organization Policies related to Cloud Run in the **Serverless Project**. + * Allow Ingress only from internal and Cloud Load Balancing. + * Allow VPC Egress to Private Ranges Only. + +## Requirements + +### Software + +The following dependencies must be available: + +* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0 +* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53 + +### APIs + +A project with the following APIs enabled must be used to host the +resources of this module: + +* KMS Project + * Google Cloud Key Management Service: `cloudkms.googleapis.com` + +### Service Account + +A service account with the following roles must be used to provision +the resources of this module: + +* KMS Project + * Cloud KMS Admin: `roles/cloudkms.admin` +* Serverless Project + * Organization Policy Administrator: `roles/orgpolicy.policyAdmin` + +## Usage + +```hcl +module "cloud_run_security" { + source = "../secure-cloud-run-security" + + kms_project_id = + location = + serverless_project_id = + key_name = + keyring_name = + key_rotation_period = + key_protection_level = + + encrypters = [ + "serviceAccount:", + "serviceAccount:" + ] + + decrypters = [ + "serviceAccount:", + "serviceAccount:" + ] +} +``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no | +| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. 
| `list(string)` | `[]` | no | +| key\_name | Key name. | `string` | n/a | yes | +| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no | +| key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no | +| keyring\_name | Keyring name. | `string` | n/a | yes | +| kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes | +| location | The location where resources are going to be deployed. | `string` | n/a | yes | +| owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no | +| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys.. | `bool` | `true` | no | +| serverless\_project\_id | The project where Cloud Run is going to be deployed. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| key | Key self link. | +| keyring | Self link of the keyring. | +| keyring\_name | Name of the keyring. | +| keyring\_resource | Keyring resource. | + + + diff --git a/modules/secure-cloud-run-security/kms.tf b/modules/secure-cloud-run-security/kms.tf new file mode 100644 index 00000000..482c2c8e --- /dev/null +++ b/modules/secure-cloud-run-security/kms.tf 
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloud_run_kms" {
+ source = "terraform-google-modules/kms/google"
+ version = "~> 2.1"
+
+ project_id = var.kms_project_id
+ location = var.location
+ keyring = var.keyring_name
+ keys = [var.key_name]
+ set_decrypters_for = length(var.decrypters) > 0 ? [var.key_name] : []
+ set_encrypters_for = length(var.encrypters) > 0 ? [var.key_name] : []
+ decrypters = var.decrypters
+ encrypters = var.encrypters
+ set_owners_for = length(var.owners) > 0 ? [var.key_name] : []
+ owners = var.owners
+ prevent_destroy = var.prevent_destroy
+ key_rotation_period = var.key_rotation_period
+ key_protection_level = var.key_protection_level
+}
diff --git a/modules/secure-cloud-run-security/org_policies.tf b/modules/secure-cloud-run-security/org_policies.tf
new file mode 100644
index 00000000..2bb8093c
--- /dev/null
+++ b/modules/secure-cloud-run-security/org_policies.tf
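Review bot: `decrypters = var.decrypters` and the two sibling pass-throughs hand the upstream module a list whose entries, per the variable descriptions in this change, are one comma-separated member string per key named in `set_decrypters_for`; since only `var.key_name` is ever listed there, a caller who passes two separate `serviceAccount:` entries (as the README usage shows) would get only the first bound and the second silently ignored, if the kms module reads the list that way. I would join the members here so callers can pass a plain list: `decrypters = length(var.decrypters) > 0 ? [join(",", var.decrypters)] : []`, `encrypters = length(var.encrypters) > 0 ? [join(",", var.encrypters)] : []`, `owners = length(var.owners) > 0 ? [join(",", var.owners)] : []`. A comment above the module should also state which principals must be in `decrypters`/`encrypters` for Cloud Run CMEK to work (the Cloud Run service agent at least — confirm against the CMEK docs linked in the README), since an empty list creates a key nothing can use. `owners` grants whatever owner-level role the upstream module binds on the key, which is broader than encrypt/decrypt and is rarely needed for CMEK; worth a `# NOTE: owners is a broad grant; prefer encrypters/decrypters` line so it is not filled in by default.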
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloudrun_allowed_ingress" {
+ source = "terraform-google-modules/org-policy/google"
+ version = "~> 5.1"
+
+ constraint = "constraints/run.allowedIngress"
+ policy_for = "project"
+ project_id = var.serverless_project_id
+ policy_type = "list"
+ allow = ["is:internal-and-cloud-load-balancing"]
+ allow_list_length = 1
+}
+
+module "cloudrun_allowed_vpc_egress" {
+ source = "terraform-google-modules/org-policy/google"
+ version = "~> 5.1"
+
+ policy_for = "project"
+ project_id = var.serverless_project_id
+ constraint = "constraints/run.allowedVPCEgress"
+ policy_type = "list"
+ allow = ["private-ranges-only"]
+ allow_list_length = 1
+}
diff --git a/modules/secure-cloud-run-security/outputs.tf b/modules/secure-cloud-run-security/outputs.tf
new file mode 100644
index 00000000..01832bcd
--- /dev/null
+++ b/modules/secure-cloud-run-security/outputs.tf
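Review bot: `cloudrun_allowed_vpc_egress` constrains only which VPC egress setting a service may select; as far as I can tell from the constraint name, it does not require a service to attach a VPC connector at all, so a service deployed without one still has direct internet egress and this policy never applies to it. That limit should be written down next to the module, e.g. `# NOTE: restricts the vpc-egress setting only; it does not force services onto a VPC connector — verify`, so nobody reads "Private Ranges Only" in the README as an egress guarantee. Both policies are also applied with `policy_for = "project"`, and the README requires the deployer to hold `roles/orgpolicy.policyAdmin` on that same project, so the principal that deploys workloads can relax them; if these are meant as guardrails the deployer cannot undo, the module or README should say they belong at folder level or under a separate administrator. The `is:` prefix on the ingress value but not on the egress value looks inconsistent and deserves a one-line comment on why the constraints differ.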
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "key" {
+ description = "Key self link."
+ value = module.cloud_run_kms.keys[var.key_name]
+}
+
+output "keyring" {
+ description = "Self link of the keyring."
+ value = module.cloud_run_kms.keyring
+}
+
+output "keyring_name" {
+ description = "Name of the keyring."
+ value = module.cloud_run_kms.keyring_name
+}
+
+output "keyring_resource" {
+ description = "Keyring resource."
+ value = module.cloud_run_kms.keyring_resource
+}
diff --git a/modules/secure-cloud-run-security/variables.tf b/modules/secure-cloud-run-security/variables.tf
new file mode 100644
index 00000000..e29ed764
--- /dev/null
+++ b/modules/secure-cloud-run-security/variables.tf
@@ -0,0 +1,76 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "kms_project_id" {
+ description = "The project where KMS will be created."
+ type = string
+}
+
+variable "serverless_project_id" {
+ description = "The project where Cloud Run is going to be deployed."
+ type = string
+}
+
+variable "prevent_destroy" {
+ description = "Set the prevent_destroy lifecycle attribute on keys.."
+ type = bool
+ default = true
+}
+
+variable "keyring_name" {
+ description = "Keyring name."
+ type = string
+}
+
+variable "key_rotation_period" {
+ description = "Period of key rotation in seconds."
+ type = string
+ default = "2592000s"
+}
+
+variable "key_name" {
+ description = "Key name."
+ type = string
+}
+
+variable "key_protection_level" {
+ description = "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]"
+ type = string
+ default = "HSM"
+}
+
+variable "location" {
+ description = "The location where resources are going to be deployed."
+ type = string
+}
+
+variable "owners" {
+ description = "List of comma-separated owners for each key declared in set_owners_for."
+ type = list(string)
+ default = []
+}
+
+variable "encrypters" {
+ description = "List of comma-separated owners for each key declared in set_encrypters_for."
+ type = list(string)
+ default = []
+}
+
+variable "decrypters" {
+ description = "List of comma-separated owners for each key declared in set_decrypters_for."
+ type = list(string)
+ default = []
+}
diff --git a/modules/secure-cloud-run-security/versions.tf b/modules/secure-cloud-run-security/versions.tf
new file mode 100644
index 00000000..5ab5669d
--- /dev/null
+++ b/modules/secure-cloud-run-security/versions.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.13"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 3.53, < 5.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 3.53, < 5.0"
+ }
+ }
+}
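Review bot: In variables.tf, `key_protection_level` lists its two legal values in the description but nothing enforces them, so a value such as `"hsm"` or `"EXTERNAL"` is only rejected by the KMS API at apply time, after the keyring may already have been created; a `validation` block on the variable fails at plan instead. `key_rotation_period` is described as "in seconds" while its default `"2592000s"` is a duration string with a unit suffix, so `"Period of key rotation as a duration string with an \"s\" suffix, e.g. \"2592000s\" (30 days)."` is the accurate wording. The `encrypters` and `decrypters` descriptions are copies of the `owners` text ("List of comma-separated owners …") and should name their own role and state that, for the single key this module creates, one comma-separated member string is expected. `prevent_destroy`'s description also ends with a doubled period.
```hcl
variable "key_protection_level" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["SOFTWARE", "HSM"], var.key_protection_level)
    error_message = "key_protection_level must be \"SOFTWARE\" or \"HSM\"."
  }
}
```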