GoogleCloudPlatform · mitchelljamie · Aug 10, 2022 · Jun 14, 2022 · Jun 15, 2022 · Jun 15, 2022
@@ -0,0 +1,83 @@
+# Secure Cloud Run Network
+
+This module handles the basic deployment network configurations for Cloud Run usage.
+
+The resources/services/activations/deletions that this module will create/trigger are:
+
+* Creates Firewall rules on your **VPC Project**.
+* Creates a sub network to VPC Connector usage purpose.
+* Creates Serverless Connector on your **VPC Project** or **Serverless Project**. Refer the comparison below:
+  * Advantages of creating connectors in the [VPC Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#host-project)
+  * Advantages of creating connectors in the [Serverless Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#service-projects)
+* Grant the necessary roles for Cloud Run are able to use VPC Connector on your VPC.
+
+## Requirements
+
+### Software
+
+The following dependencies must be available:
+
+* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
+* [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53
+
+### APIs
+
+The Serverless and Network project with the following APIs enabled must be used to host the
+resources of this module:
+
+* Google VPC Access API: `vpcaccess.googleapis.com`
+* Compute API: `compute.googleapis.com`
+
+### Service Account
+
+A service account with one of the following roles must be used to provision
+the resources of this module:
+
+* Network Project
+  * Compute Shared VPC Admin: `roles/compute.xpnAdmin`
+  * Network Admin: `roles/compute.networkAdmin`
+  * Security Admin: `roles/compute.securityAdmin`
+  * Serverless VPC Access Admin: `roles/vpcaccess.admin`
+* Serverless Project
+  * Security Admin: `roles/compute.securityAdmin`
+  * Serverless VPC Access Admin: `roles/vpcaccess.admin`
+
+## Usage
+
+```hcl
+module "cloud_run_network" {
+  source = "../secure-cloud-run-net"
+
+  connector_name            = <CONNECTOR NAME>
+  subnet_name               = <SUBNETWORK NAME>
+  location                  = <SUBNETWORK LOCATION>
+  vpc_project_id            = <VPC PROJECT ID>
+  serverless_project_id     = <SERVERLESS PROJECT ID>
+  shared_vpc_name           = <SHARED VPC NAME>
+  ip_cidr_range             = <IP CIDR RANGE>
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| connector\_name | The name of the serverless connector which is going to be created. | `string` | n/a | yes |
+| connector\_on\_host\_project | Connector is going to be created on the host project if true. When false, connector is going to be created on service project. For more information, access [documentation](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc). | `bool` | `true` | no |
+| create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
+| flow\_sampling | Sampling rate of VPC flow logs. The value must be in [0,1]. Where 1.0 means all logs, 0.5 mean half of the logs and 0.0 means no logs are reported. | `number` | `1` | no |
+| ip\_cidr\_range | The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported | `string` | n/a | yes |
+| location | The location where resources are going to be deployed. | `string` | n/a | yes |
+| serverless\_project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
+| shared\_vpc\_name | Shared VPC name which is going to be used to create Serverless Connector. | `string` | n/a | yes |
+| subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | n/a | yes |
+| vpc\_project\_id | The project where shared vpc is. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| connector\_id | VPC serverless connector ID. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -0,0 +1,147 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  tags = ["vpc-connector"]
+}
+
+module "firewall_rules" {
+  count = var.connector_on_host_project ? 0 : 1
+
+  source       = "terraform-google-modules/network/google//modules/firewall-rules"
+  project_id   = var.vpc_project_id
+  network_name = var.shared_vpc_name
+
+  rules = [{
+    name                    = "serverless-to-vpc-connector"
+    description             = null
+    priority                = null
+    direction               = "INGRESS"
+    ranges                  = ["107.178.230.64/26", "35.199.224.0/19"]
+    source_tags             = null
+    source_service_accounts = null
+    target_tags             = local.tags
+    target_service_accounts = null
+    allow = [{
+      protocol = "icmp"
+      ports    = []
+      },
+      {
+        protocol = "tcp"
+        ports    = ["667"]
+      },
+      {
+        protocol = "udp"
+        ports    = ["665", "666"]
+    }]
+    deny = []
+    log_config = {
+      metadata = "INCLUDE_ALL_METADATA"
+    }
+    },
+    {
+      name                    = "vpc-connector-to-serverless"
+      description             = null
+      priority                = null
+      direction               = "EGRESS"
+      ranges                  = ["107.178.230.64/26", "35.199.224.0/19"]
+      source_tags             = null
+      source_service_accounts = null
+      target_tags             = local.tags
+      target_service_accounts = null
+      allow = [{
+        protocol = "icmp"
+        ports    = []
+        },
+        {
+          protocol = "tcp"
+          ports    = ["667"]
+        },
+        {
+          protocol = "udp"
+          ports    = ["665", "666"]
+      }]
+      deny = []
+      log_config = {
+        metadata = "INCLUDE_ALL_METADATA"
+      }
+    },
+    {
+      name                    = "vpc-connector-to-lb"
+      description             = null
+      priority                = null
+      direction               = "EGRESS"
+      ranges                  = []
+      source_tags             = null
+      source_service_accounts = null
+      target_tags             = local.tags
+      target_service_accounts = null
+      allow = [{
+        protocol = "tcp"
+        ports    = ["80"]
+      }]
+      deny = []
+      log_config = {
+        metadata = "INCLUDE_ALL_METADATA"
+      }
+    },
+    {
+      name                    = "vpc-connector-health-checks"
+      description             = null
+      priority                = null
+      direction               = "INGRESS"
+      ranges                  = ["130.211.0.0/22", "35.191.0.0/16", "108.170.220.0/23"]
+      source_tags             = null
+      source_service_accounts = null
+      target_tags             = local.tags
+      target_service_accounts = null
+      allow = [{
+        protocol = "tcp"
+        ports    = ["667"]
+      }]
+      deny = []
+      log_config = {
+        metadata = "INCLUDE_ALL_METADATA"
+      }
+    },
+    {
+      name                    = "vpc-connector-requests"
+      description             = null
+      priority                = null
+      direction               = "INGRESS"
+      ranges                  = []
+      source_tags             = local.tags
+      source_service_accounts = null
+      target_tags             = null
+      target_service_accounts = null
+      allow = [{
+        protocol = "icmp"
+        ports    = []
+        },
+        {
+          protocol = "tcp"
+          ports    = []
+        },
+        {
+          protocol = "udp"
+          ports    = []
+      }]
+      deny = []
+      log_config = {
+        metadata = "INCLUDE_ALL_METADATA"
+      }
+  }]
+}
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_project" "serverless_project_id" {
+  project_id = var.serverless_project_id
+}
+
+resource "google_project_service_identity" "vpcaccess_identity_sa" {
+  provider = google-beta
+
+  project = var.serverless_project_id
+  service = "vpcaccess.googleapis.com"
+}
+resource "google_project_service_identity" "run_identity_sa" {
+  provider = google-beta
+
+  project = var.serverless_project_id
+  service = "run.googleapis.com"
+}
+resource "google_project_iam_member" "gca_sa_vpcaccess" {
+  count = var.connector_on_host_project ? 0 : 1
+
+  project = var.vpc_project_id
+  role    = "roles/compute.networkAdmin"
+  member  = "serviceAccount:${google_project_service_identity.vpcaccess_identity_sa.email}"
+}
+
+resource "google_project_iam_member" "cloud_services" {
+  count = var.connector_on_host_project ? 0 : 1
+
+  project = var.vpc_project_id
+  role    = "roles/compute.networkUser"
+  member  = "serviceAccount:${data.google_project.serverless_project_id.number}@cloudservices.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "run_identity_services" {
+  count = var.connector_on_host_project ? 1 : 0
+
+  project = var.vpc_project_id
+  role    = "roles/vpcaccess.user"
+  member  = "serviceAccount:${google_project_service_identity.run_identity_sa.email}"
+}
@@ -0,0 +1,57 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_subnetwork" "vpc_subnetwork" {
+  count = var.create_subnet ? 1 : 0
+
+  name                     = var.subnet_name
+  project                  = var.vpc_project_id
+  network                  = var.shared_vpc_name
+  ip_cidr_range            = var.ip_cidr_range
+  region                   = var.location
+  private_ip_google_access = true
+
+  log_config {
+    aggregation_interval = "INTERVAL_10_MIN"
+    flow_sampling        = var.flow_sampling
+    metadata             = "INCLUDE_ALL_METADATA"
+  }
+}
+
+module "serverless_connector" {
+  source  = "terraform-google-modules/network/google//modules/vpc-serverless-connector-beta"
+  version = "~> 5.0"
+
+  project_id = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id
+  vpc_connectors = [{
+    name            = var.connector_name
+    region          = var.location
+    subnet_name     = var.subnet_name
+    host_project_id = var.vpc_project_id
+    machine_type    = "e2-micro"
+    min_instances   = 2
+    max_instances   = 7
+    max_throughput  = 700
+    }
+  ]
+  depends_on = [
+    google_project_iam_member.gca_sa_vpcaccess,
+    google_project_iam_member.cloud_services,
+    google_project_iam_member.run_identity_services,
+    google_compute_subnetwork.vpc_subnetwork
+  ]
+}
+
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "connector_id" {
+  value       = tolist(module.serverless_connector.connector_ids)[0]
+  description = "VPC serverless connector ID."
+}