Adds flag to disable cloud armor creation and add variable to re-use …

…one (GoogleCloudPlatform#73) * Adds flag to disable cloud armor creation and add variable to re-use an existing cloud armor
datadrivers · Oct 31, 2022 · e8fd98f · e8fd98f
1 parent 59614bb
commit e8fd98f
Show file tree

Hide file tree

Showing 9 changed files with 90 additions and 38 deletions.
diff --git a/examples/secure_cloud_run/README.md b/examples/secure_cloud_run/README.md
@@ -58,7 +58,9 @@ This example assumes that below mentioned pre-requisites are in place before con
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| cloud\_armor\_policies\_name | Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. | `string` | `null` | no |
 | cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
+| create\_cloud\_armor\_policies | When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
 | domain | Domain name to run the load balancer on. Used if `ssl` is `true`. | `string` | n/a | yes |
 | folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
 | ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |

diff --git a/examples/secure_cloud_run/main.tf b/examples/secure_cloud_run/main.tf
@@ -22,26 +22,28 @@ locals {
 module "secure_cloud_run" {
   source = "../../modules/secure-cloud-run"
 
-  connector_name        = "con-run"
-  subnet_name           = "vpc-subnet"
-  vpc_project_id        = var.vpc_project_id
-  serverless_project_id = var.serverless_project_id
-  domain                = var.domain
-  kms_project_id        = var.kms_project_id
-  shared_vpc_name       = var.shared_vpc_name
-  ip_cidr_range         = var.ip_cidr_range
-  key_name              = local.cloudrun_key_name
-  keyring_name          = local.cloudrun_keyring_name
-  prevent_destroy       = false
-  key_rotation_period   = "2592000s"
-  service_name          = "hello-world"
-  location              = "us-central1"
-  region                = "us-central1"
-  image                 = "us-docker.pkg.dev/cloudrun/container/hello"
-  cloud_run_sa          = var.cloud_run_sa
-  policy_for            = var.policy_for
-  folder_id             = var.folder_id
-  organization_id       = var.organization_id
-  resource_names_suffix = var.resource_names_suffix
-  create_subnet         = true
+  connector_name              = "con-run"
+  subnet_name                 = "vpc-subnet"
+  vpc_project_id              = var.vpc_project_id
+  serverless_project_id       = var.serverless_project_id
+  domain                      = var.domain
+  kms_project_id              = var.kms_project_id
+  shared_vpc_name             = var.shared_vpc_name
+  ip_cidr_range               = var.ip_cidr_range
+  key_name                    = local.cloudrun_key_name
+  keyring_name                = local.cloudrun_keyring_name
+  prevent_destroy             = false
+  key_rotation_period         = "2592000s"
+  service_name                = "hello-world"
+  location                    = "us-central1"
+  region                      = "us-central1"
+  image                       = "us-docker.pkg.dev/cloudrun/container/hello"
+  cloud_run_sa                = var.cloud_run_sa
+  policy_for                  = var.policy_for
+  folder_id                   = var.folder_id
+  organization_id             = var.organization_id
+  resource_names_suffix       = var.resource_names_suffix
+  create_subnet               = true
+  create_cloud_armor_policies = var.create_cloud_armor_policies
+  cloud_armor_policies_name   = var.cloud_armor_policies_name
 }
diff --git a/examples/secure_cloud_run/variables.tf b/examples/secure_cloud_run/variables.tf
@@ -78,3 +78,15 @@ variable "ip_cidr_range" {
   description = "The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported."
   type        = string
 }
+
+variable "create_cloud_armor_policies" {
+  type        = bool
+  description = "When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`."
+  default     = true
+}
+
+variable "cloud_armor_policies_name" {
+  type        = string
+  description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
+  default     = null
+}
diff --git a/modules/secure-cloud-run-core/README.md b/modules/secure-cloud-run-core/README.md
@@ -37,9 +37,11 @@ module "cloud_run_core" {
 |------|-------------|------|---------|:--------:|
 | argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments. | `list(string)` | `[]` | no |
 | certificate\_mode | The mode of the certificate (NONE or AUTOMATIC). | `string` | `"NONE"` | no |
+| cloud\_armor\_policies\_name | Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. | `string` | `null` | no |
 | cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
 | container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten. | `list(string)` | `[]` | no |
 | container\_concurrency | Concurrent request limits to the service. | `number` | `null` | no |
+| create\_cloud\_armor\_policies | When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
 | default\_rules | Default rule for Cloud Armor. | <pre>map(object({<br>    action         = string<br>    priority       = string<br>    versioned_expr = string<br>    src_ip_ranges  = list(string)<br>    description    = string<br>  }))</pre> | <pre>{<br>  "default_rule": {<br>    "action": "allow",<br>    "description": "Default allow all rule",<br>    "priority": "2147483647",<br>    "src_ip_ranges": [<br>      "*"<br>    ],<br>    "versioned_expr": "SRC_IPS_V1"<br>  }<br>}</pre> | no |
 | domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name. | `string` | n/a | yes |
 | domain\_map\_annotations | Annotations to the domain map. | `map(string)` | `{}` | no |

diff --git a/modules/secure-cloud-run-core/loadbalancer.tf b/modules/secure-cloud-run-core/loadbalancer.tf
@@ -14,6 +14,10 @@
  * limitations under the License.
  */
 
+locals {
+  cloud_armor_id = var.create_cloud_armor_policies ? google_compute_security_policy.cloud-armor-security-policy[0].id : "projects/${var.project_id}/global/securityPolicies/${var.cloud_armor_policies_name}"
+}
+
 module "lb-http" {
   source                          = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
   version                         = "~> 6.3"
@@ -32,7 +36,7 @@ module "lb-http" {
         }
       ]
       enable_cdn              = false
-      security_policy         = google_compute_security_policy.cloud-armor-security-policy.id
+      security_policy         = local.cloud_armor_id
       custom_request_headers  = null
       custom_response_headers = null
 
@@ -61,6 +65,7 @@ resource "google_compute_region_network_endpoint_group" "serverless_neg" {
 }
 
 resource "google_compute_security_policy" "cloud-armor-security-policy" {
+  count   = var.create_cloud_armor_policies ? 1 : 0
   project = var.project_id
   name    = "cloud-armor-waf-policy"
   dynamic "rule" {

diff --git a/modules/secure-cloud-run-core/variables.tf b/modules/secure-cloud-run-core/variables.tf
@@ -294,6 +294,18 @@ variable "domain_map_annotations" {
   default     = {}
 }
 
+variable "create_cloud_armor_policies" {
+  type        = bool
+  description = "When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`."
+  default     = true
+}
+
+variable "cloud_armor_policies_name" {
+  type        = string
+  description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
+  default     = null
+}
+
 variable "max_scale_instances" {
   description = "Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling)."
   type        = number

diff --git a/modules/secure-cloud-run/README.md b/modules/secure-cloud-run/README.md
@@ -65,8 +65,10 @@ module "secure_cloud_run" {
 | artifact\_registry\_repository\_location | Artifact Registry Repository location to grant serverless identity viewer role. | `string` | `null` | no |
 | artifact\_registry\_repository\_name | Artifact Registry Repository name to grant serverless identity viewer role | `string` | `null` | no |
 | artifact\_registry\_repository\_project\_id | Artifact Registry Repository Project ID to grant serverless identity viewer role. | `string` | `null` | no |
+| cloud\_armor\_policies\_name | Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. | `string` | `null` | no |
 | cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
 | connector\_name | The name for the connector to be created. | `string` | `"serverless-vpc-connector"` | no |
+| create\_cloud\_armor\_policies | When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
 | create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
 | domain | Domain name to run the load balancer on. | `string` | n/a | yes |
 | env\_vars | Environment variables (cleartext) | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |

diff --git a/modules/secure-cloud-run/main.tf b/modules/secure-cloud-run/main.tf
@@ -119,21 +119,23 @@ module "cloud_run_security" {
 module "cloud_run_core" {
   source = "../secure-cloud-run-core"
 
-  service_name         = var.service_name
-  location             = var.location
-  project_id           = var.serverless_project_id
-  image                = var.image
-  cloud_run_sa         = var.cloud_run_sa
-  vpc_connector_id     = module.cloud_run_network.connector_id
-  encryption_key       = module.cloud_run_security.key_self_link
-  domain               = var.domain
-  env_vars             = var.env_vars
-  members              = var.members
-  region               = var.region
-  verified_domain_name = var.verified_domain_name
-  vpc_egress_value     = var.vpc_egress_value
-  min_scale_instances  = var.min_scale_instances
-  max_scale_instances  = var.max_scale_instances
+  service_name                = var.service_name
+  location                    = var.location
+  project_id                  = var.serverless_project_id
+  image                       = var.image
+  cloud_run_sa                = var.cloud_run_sa
+  vpc_connector_id            = module.cloud_run_network.connector_id
+  encryption_key              = module.cloud_run_security.key_self_link
+  domain                      = var.domain
+  env_vars                    = var.env_vars
+  members                     = var.members
+  region                      = var.region
+  create_cloud_armor_policies = var.create_cloud_armor_policies
+  cloud_armor_policies_name   = var.cloud_armor_policies_name
+  verified_domain_name        = var.verified_domain_name
+  vpc_egress_value            = var.vpc_egress_value
+  min_scale_instances         = var.min_scale_instances
+  max_scale_instances         = var.max_scale_instances
 
   depends_on = [
     module.serverless_project_apis,

diff --git a/modules/secure-cloud-run/variables.tf b/modules/secure-cloud-run/variables.tf
@@ -198,8 +198,21 @@ variable "vpc_egress_value" {
   default     = "private-ranges-only"
 }
 
+variable "create_cloud_armor_policies" {
+  type        = bool
+  description = "When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`."
+  default     = true
+}
+
+variable "cloud_armor_policies_name" {
+  type        = string
+  description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
+  default     = null
+}
+
 variable "verified_domain_name" {
   type        = list(string)
   description = "List of Custom Domain Name"
   default     = []
 }
+