Adds secure-cloud-run main submodule (#48)

* Adding secure-cloud-run submodule

* removing provider beta from google_artifact_registry_repository_iam_member

* adding defaults for resources which we do not need explicitly need from the user.

* Providing defaults for all of the resource which we do not need explicitly need from the user.

* chanign resource google_project_service for modules/project_services

* updating serverless_negs version

* adding create_subnet variable on secure-cloud-run module

* switching permission validation for artifact_registry

* adding domain variable on secure-cloud-run module

modules/secure-cloud-run-core/README.md

@@ -61,7 +61,7 @@ module "cloud_run_core" {
 |------|-------------|------|---------|:--------:|
 | cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
 | default\_rules | Default rule for Cloud Armor. | <pre>map(object({<br>    action         = string<br>    priority       = string<br>    versioned_expr = string<br>    src_ip_ranges  = list(string)<br>    description    = string<br>  }))</pre> | <pre>{<br>  "default_rule": {<br>    "action": "allow",<br>    "description": "Default allow all rule",<br>    "priority": "2147483647",<br>    "src_ip_ranges": [<br>      "*"<br>    ],<br>    "versioned_expr": "SRC_IPS_V1"<br>  }<br>}</pre> | no |
-| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name. | `string` | `"my-domain.com"` | no |
+| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name. | `string` | n/a | yes |
 | encryption\_key | CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. | `string` | n/a | yes |
 | env\_vars | Environment variables. | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |
 | image | GAR hosted image URL to deploy. | `string` | n/a | yes |

modules/secure-cloud-run-core/loadbalancer.tf

@@ -16,7 +16,7 @@
 
 module "lb-http" {
   source                          = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
-  version                         = "~> 5.1"
+  version                         = "~> 6.3"
   name                            = var.lb_name
   project                         = var.project_id
   ssl                             = var.ssl

modules/secure-cloud-run-core/variables.tf

@@ -99,7 +99,6 @@ variable "ssl" {
 variable "domain" {
   description = "Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name."
   type        = string
-  default     = "my-domain.com"
 }
 
 variable "lb_name" {

modules/secure-cloud-run/README.md

@@ -0,0 +1,44 @@
+# Secure Cloud Run
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| artifact\_registry\_repository\_location | Artifact Registry Repository location to grant serverless identity viewer role. | `string` | n/a | yes |
+| artifact\_registry\_repository\_name | Artifact Registry Repository name to grant serverless identity viewer role | `string` | n/a | yes |
+| artifact\_registry\_repository\_project\_id | Artifact Registry Repository Project ID to grant serverless identity viewer role. | `string` | n/a | yes |
+| cloud\_run\_sa | Service account to be used on Cloud Run. | `string` | n/a | yes |
+| connector\_name | The name for the connector to be created. | `string` | `"serverless-vpc-connector"` | no |
+| create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
+| domain | Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name. | `string` | n/a | yes |
+| env\_vars | Environment variables (cleartext) | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |
+| image | Image url to be deployed on Cloud Run. | `string` | n/a | yes |
+| ip\_cidr\_range | The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported | `string` | n/a | yes |
+| key\_name | The name of KMS Key to be created and used in Cloud Run. | `string` | `"cloud-run-kms-key"` | no |
+| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no |
+| key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no |
+| keyring\_name | Keyring name. | `string` | `"cloud-run-kms-keyring"` | no |
+| kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes |
+| location | The location where resources are going to be deployed. | `string` | n/a | yes |
+| members | Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users.` | `list(string)` | `[]` | no |
+| prevent\_destroy | Set the `prevent_destroy` lifecycle attribute on the Cloud KMS key. | `bool` | `true` | no |
+| region | Location for load balancer and Cloud Run resources. | `string` | n/a | yes |
+| serverless\_project\_id | The project to deploy the cloud run service. | `string` | n/a | yes |
+| service\_name | Shared VPC name. | `string` | n/a | yes |
+| shared\_vpc\_name | Shared VPC name which is going to be re-used to create Serverless Connector. | `string` | n/a | yes |
+| subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | `null` | no |
+| use\_artifact\_registry\_image | When true it will give permission to read an image from your artifact registry. | `bool` | `false` | no |
+| vpc\_project\_id | The host project for the shared vpc. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| connector\_id | VPC serverless connector ID. |
+| key\_self\_link | Name of the Cloud KMS crypto key. |
+| keyring\_self\_link | Name of the Cloud KMS keyring. |
+| service\_id | ID of the created service. |
+| service\_url | Url of the created service. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/secure-cloud-run/main.tf

@@ -0,0 +1,123 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "serverless_project_apis" {
+  source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  version = "~> 13.0"
+
+  project_id                  = var.serverless_project_id
+  disable_services_on_destroy = false
+
+  activate_apis = [
+    "vpcaccess.googleapis.com",
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "run.googleapis.com",
+    "cloudkms.googleapis.com"
+  ]
+}
+
+module "vpc_project_apis" {
+  source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  version = "~> 13.0"
+
+  project_id                  = var.vpc_project_id
+  disable_services_on_destroy = false
+
+  activate_apis = [
+    "vpcaccess.googleapis.com",
+    "compute.googleapis.com"
+  ]
+}
+
+module "cloud_run_network" {
+  source = "../secure-cloud-run-net"
+
+  connector_name            = var.connector_name
+  subnet_name               = var.subnet_name
+  location                  = var.location
+  vpc_project_id            = var.vpc_project_id
+  serverless_project_id     = var.serverless_project_id
+  shared_vpc_name           = var.shared_vpc_name
+  connector_on_host_project = true
+  ip_cidr_range             = var.ip_cidr_range
+  create_subnet             = var.create_subnet
+
+  depends_on = [
+    module.vpc_project_apis
+  ]
+}
+
+resource "google_project_service_identity" "serverless_sa" {
+  provider = google-beta
+
+  project = var.serverless_project_id
+  service = "run.googleapis.com"
+}
+
+resource "google_artifact_registry_repository_iam_member" "artifact_registry_iam" {
+  count = var.use_artifact_registry_image ? 1 : 0
+
+  project    = var.artifact_registry_repository_project_id
+  location   = var.artifact_registry_repository_location
+  repository = var.artifact_registry_repository_name
+  role       = "roles/artifactregistry.reader"
+  member     = "serviceAccount:${google_project_service_identity.serverless_sa.email}"
+}
+
+module "cloud_run_security" {
+  source = "../secure-cloud-run-security"
+
+  kms_project_id        = var.kms_project_id
+  location              = var.location
+  serverless_project_id = var.serverless_project_id
+  prevent_destroy       = var.prevent_destroy
+  key_name              = var.key_name
+  keyring_name          = var.keyring_name
+  key_rotation_period   = var.key_rotation_period
+  key_protection_level  = var.key_protection_level
+
+  encrypters = [
+    "serviceAccount:${google_project_service_identity.serverless_sa.email}",
+    "serviceAccount:${var.cloud_run_sa}"
+  ]
+
+  decrypters = [
+    "serviceAccount:${google_project_service_identity.serverless_sa.email}",
+    "serviceAccount:${var.cloud_run_sa}"
+  ]
+}
+
+module "cloud_run_core" {
+  source = "../secure-cloud-run-core"
+
+  service_name     = var.service_name
+  location         = var.location
+  project_id       = var.serverless_project_id
+  image            = var.image
+  cloud_run_sa     = var.cloud_run_sa
+  vpc_connector_id = module.cloud_run_network.connector_id
+  encryption_key   = module.cloud_run_security.key_self_link
+  domain           = var.domain
+  env_vars         = var.env_vars
+  members          = var.members
+  region           = var.region
+
+  depends_on = [
+    module.serverless_project_apis,
+    google_artifact_registry_repository_iam_member.artifact_registry_iam
+  ]
+}

modules/secure-cloud-run/outputs.tf

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "connector_id" {
+  description = "VPC serverless connector ID."
+  value       = module.cloud_run_network.connector_id
+}
+
+output "keyring_self_link" {
+  description = "Name of the Cloud KMS keyring."
+  value       = module.cloud_run_security.keyring_self_link
+}
+
+output "key_self_link" {
+  description = "Name of the Cloud KMS crypto key."
+  value       = module.cloud_run_security.key_self_link
+}
+
+output "service_id" {
+  value       = module.cloud_run_core.service_id
+  description = "ID of the created service."
+}
+
+output "service_url" {
+  value       = module.cloud_run_core.service_url
+  description = "Url of the created service."
+}

modules/secure-cloud-run/variables.tf

@@ -0,0 +1,155 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+variable "location" {
+  description = "The location where resources are going to be deployed."
+  type        = string
+}
+
+variable "region" {
+  description = "Location for load balancer and Cloud Run resources."
+  type        = string
+}
+
+variable "serverless_project_id" {
+  description = "The project to deploy the cloud run service."
+  type        = string
+}
+
+variable "vpc_project_id" {
+  description = "The host project for the shared vpc."
+  type        = string
+}
+
+variable "key_name" {
+  description = "The name of KMS Key to be created and used in Cloud Run."
+  type        = string
+  default     = "cloud-run-kms-key"
+}
+
+variable "kms_project_id" {
+  description = "The project where KMS will be created."
+  type        = string
+}
+
+variable "service_name" {
+  description = "Shared VPC name."
+  type        = string
+}
+
+variable "image" {
+  description = "Image url to be deployed on Cloud Run."
+  type        = string
+}
+
+variable "cloud_run_sa" {
+  description = "Service account to be used on Cloud Run."
+  type        = string
+}
+
+variable "connector_name" {
+  description = "The name for the connector to be created."
+  type        = string
+  default     = "serverless-vpc-connector"
+}
+
+variable "subnet_name" {
+  description = "Subnet name to be re-used to create Serverless Connector."
+  type        = string
+  default     = null
+}
+
+variable "shared_vpc_name" {
+  description = "Shared VPC name which is going to be re-used to create Serverless Connector."
+  type        = string
+}
+
+variable "env_vars" {
+  type = list(object({
+    value = string
+    name  = string
+  }))
+  description = "Environment variables (cleartext)"
+  default     = []
+}
+
+variable "members" {
+  type        = list(string)
+  description = "Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users."
+  default     = []
+}
+
+variable "prevent_destroy" {
+  description = "Set the `prevent_destroy` lifecycle attribute on the Cloud KMS key."
+  type        = bool
+  default     = true
+}
+
+variable "keyring_name" {
+  description = "Keyring name."
+  type        = string
+  default     = "cloud-run-kms-keyring"
+}
+
+variable "key_rotation_period" {
+  description = "Period of key rotation in seconds."
+  type        = string
+  default     = "2592000s"
+}
+
+variable "key_protection_level" {
+  description = "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]"
+  type        = string
+  default     = "HSM"
+}
+
+variable "ip_cidr_range" {
+  description = "The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported"
+  type        = string
+}
+
+variable "artifact_registry_repository_project_id" {
+  description = "Artifact Registry Repository Project ID to grant serverless identity viewer role."
+  type        = string
+}
+
+variable "artifact_registry_repository_location" {
+  description = "Artifact Registry Repository location to grant serverless identity viewer role."
+  type        = string
+}
+
+variable "artifact_registry_repository_name" {
+  description = "Artifact Registry Repository name to grant serverless identity viewer role"
+  type        = string
+}
+
+variable "use_artifact_registry_image" {
+  description = "When true it will give permission to read an image from your artifact registry."
+  type        = bool
+  default     = false
+}
+
+variable "create_subnet" {
+  description = "The subnet will be created with the subnet_name variable if true. When false, it will use the subnet_name for the subnet."
+  type        = bool
+  default     = true
+}
+
+variable "domain" {
+  description = "Domain name to run the load balancer on. Used if `ssl` is `true`. Modify the default value below for your `domain` name."
+  type        = string
+}