This module handles the basic deployment security configurations for Cloud Function (2nd Gen) usage.

The resources/services/activations/deletions that this module will create/trigger are:

- Creates a KMS Keyring and Key for customer-managed encryption keys (CMEK) in the KMS Project, to be used by Cloud Function (2nd Gen).
- Enables Organization Policies related to Cloud Function (2nd Gen) in the Serverless Project:
  - Allow Ingress only from internal sources and Cloud Load Balancing.
  - Allow VPC Egress to Private Ranges Only.
- When group emails are provided, this module will grant the roles for each persona:
  - Serverless administrator - Service Project
    - `roles/run.admin`
    - `roles/cloudfunctions.admin`
    - `roles/compute.networkViewer`
    - `roles/compute.networkUser`
  - Serverless Security Administrator - Security project
    - `roles/cloudfunctions.viewer`
    - `roles/run.viewer`
    - `roles/cloudkms.viewer`
    - `roles/artifactregistry.reader`
  - Cloud Function (2nd Gen) developer - Security project
    - `roles/cloudfunctions.developer`
    - `roles/artifactregistry.writer`
    - `roles/cloudkms.cryptoKeyEncrypter`
  - Cloud Function (2nd Gen) user - Service project
    - `roles/cloudfunctions.invoker`
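As an added example (not code from the module or this README), the following Python script audits a project's IAM policy against the persona role matrix above, reporting roles a persona group is missing and any roles it holds beyond the matrix (primitive roles such as `roles/editor` are always reported, for every principal). It assumes the policy JSON was obtained with `gcloud projects get-iam-policy PROJECT --format=json`; the group emails and the embedded sample policy are constructed placeholders, not values the module defines.

```python
"""Audit a project IAM policy against the persona/role matrix in the README.

Input is the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`
(assumed; obtain it out of band). A constructed sample is embedded so the
script runs offline.
"""
import json

# Service-project side of the role matrix. Group emails are placeholders
# (assumption), not names defined by the module.
EXPECTED_ROLES = {
    "group:serverless-admins@example.com": {
        "roles/run.admin",
        "roles/cloudfunctions.admin",
        "roles/compute.networkViewer",
        "roles/compute.networkUser",
    },
    "group:cloud-function-users@example.com": {
        "roles/cloudfunctions.invoker",
    },
}

# Roles that no persona (or anyone else) should hold on these projects.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed sample policy: the admin group carries an extra roles/editor
# binding, a human user also has roles/editor, and the user group has no
# invoker binding at all.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyZ=",
    "bindings": [
        {"role": "roles/run.admin", "members": ["group:serverless-admins@example.com"]},
        {"role": "roles/cloudfunctions.admin", "members": ["group:serverless-admins@example.com"]},
        {"role": "roles/compute.networkViewer", "members": ["group:serverless-admins@example.com"]},
        {"role": "roles/compute.networkUser", "members": ["group:serverless-admins@example.com"]},
        {"role": "roles/editor", "members": ["group:serverless-admins@example.com", "user:alice@example.com"]},
    ],
})


def roles_by_member(policy: dict) -> dict:
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy_json: str, expected: dict = EXPECTED_ROLES):
    """Return (missing, unexpected), each a dict member -> sorted role list.

    missing:    expected roles a persona group does not hold.
    unexpected: roles a persona group holds beyond the matrix, plus any
                over-broad role held by a principal outside the matrix.
    """
    held = roles_by_member(json.loads(policy_json))
    missing, unexpected = {}, {}
    for member, want in expected.items():
        have = held.get(member, set())
        if want - have:
            missing[member] = sorted(want - have)
        if have - want:
            unexpected[member] = sorted(have - want)
    for member, have in held.items():
        bad = have & OVERBROAD_ROLES
        if bad and member not in expected:
            unexpected[member] = sorted(bad)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_POLICY)
    for member, roles in missing.items():
        print(f"MISSING    {member}: {roles}")
    for member, roles in unexpected.items():
        print(f"UNEXPECTED {member}: {roles}")
```

Run it against each project in turn (service project and security project) with the matching half of the matrix; a non-empty `unexpected` result on a persona group is the thing to chase first, since it means the group has more than the module intended to grant.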
Basic usage of this module is as follows:

```hcl
module "secure_cloud_function_security" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-serverless-security"
  version = "~> 0.5"

  kms_project_id        = <KMS PROJECT ID>
  location              = <KMS LOCATION>
  serverless_project_id = <SERVERLESS PROJECT ID>
  key_name              = <KEY NAME>
  keyring_name          = <KEYRING NAME>
  key_rotation_period   = <KEY ROTATION PERIOD>
  key_protection_level  = <KEY PROTECTION LEVEL>

  encrypters = [
    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
    "serviceAccount:<Cloud Function (2nd Gen) SERVICE ACCOUNT>"
  ]
  decrypters = [
    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
    "serviceAccount:<Cloud Function (2nd Gen) SERVICE ACCOUNT>"
  ]
}
```
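After `terraform apply`, it is worth confirming that the controls the module is meant to create are actually enforced rather than trusting the plan output. The following Python script is an added example (not code from the module or this README): it checks the two Cloud Functions org-policy constraints and the CMEK key against the intent described above. It assumes the three JSON documents were obtained with `gcloud org-policies describe cloudfunctions.allowedIngressSettings --project=<SERVERLESS PROJECT ID> --format=json`, the same for `cloudfunctions.allowedVpcConnectorEgressSettings`, and `gcloud kms keys describe <KEY NAME> --keyring=<KEYRING NAME> --location=<KMS LOCATION> --project=<KMS PROJECT ID> --format=json`; the embedded samples are constructed and deliberately contain two misconfigurations.

```python
"""Verify the org policies and CMEK key this module is meant to create.

Inputs are the JSON documents printed by `gcloud org-policies describe ...
--format=json` and `gcloud kms keys describe ... --format=json` (assumed
commands; fetch the documents out of band). Constructed samples are embedded
so the script runs offline.
"""
import json

MAX_ROTATION_SECONDS = 30 * 24 * 3600  # matches the README default of 2592000s

# Constructed samples: ingress is correct, egress still permits ALL_TRAFFIC,
# and the key is SOFTWARE-protected with a 90-day rotation period.
SAMPLE_INGRESS = json.dumps({
    "name": "projects/123/policies/cloudfunctions.allowedIngressSettings",
    "spec": {"rules": [{"values": {"allowedValues": ["ALLOW_INTERNAL_AND_GCLB"]}}]},
})
SAMPLE_EGRESS = json.dumps({
    "name": "projects/123/policies/cloudfunctions.allowedVpcConnectorEgressSettings",
    "spec": {"rules": [{"values": {"allowedValues": ["PRIVATE_RANGES_ONLY", "ALL_TRAFFIC"]}}]},
})
SAMPLE_KEY = json.dumps({
    "name": "projects/kms-prj/locations/us-east4/keyRings/ring/cryptoKeys/key",
    "purpose": "ENCRYPT_DECRYPT",
    "rotationPeriod": "7776000s",
    "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
})


def allowed_values(policy_json: str) -> set:
    """Collect allowedValues across every rule of an org-policy spec.
    A rule with allowAll=true means the constraint is effectively unenforced."""
    spec = json.loads(policy_json).get("spec", {})
    values = set()
    for rule in spec.get("rules", []):
        if rule.get("allowAll"):
            return {"*"}
        values |= set(rule.get("values", {}).get("allowedValues", []))
    return values


def check_list_policy(policy_json: str, permitted: set) -> list:
    """Findings (empty list == pass) for a list constraint that must allow
    only the given values."""
    values = allowed_values(policy_json)
    if not values:
        return ["policy missing or has no allowedValues (constraint unenforced)"]
    extra = values - permitted
    return [f"allows {sorted(extra)}"] if extra else []


def check_key(key_json: str, max_rotation_s: int = MAX_ROTATION_SECONDS) -> list:
    """Findings for the CMEK key: must be HSM-backed and rotate at least
    every max_rotation_s seconds."""
    key = json.loads(key_json)
    findings = []
    level = key.get("versionTemplate", {}).get("protectionLevel")
    if level != "HSM":
        findings.append(f"protectionLevel is {level}, expected HSM")
    period = key.get("rotationPeriod")
    if not period:
        findings.append("no rotationPeriod set (automatic rotation disabled)")
    elif int(period.rstrip("s")) > max_rotation_s:
        findings.append(f"rotationPeriod {period} exceeds {max_rotation_s}s")
    return findings


def run_checks(ingress_json: str, egress_json: str, key_json: str) -> dict:
    """Run all checks; a stricter ingress setting (internal only) also passes."""
    return {
        "ingress": check_list_policy(ingress_json, {"ALLOW_INTERNAL_AND_GCLB", "ALLOW_INTERNAL_ONLY"}),
        "egress": check_list_policy(egress_json, {"PRIVATE_RANGES_ONLY"}),
        "key": check_key(key_json),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_INGRESS, SAMPLE_EGRESS, SAMPLE_KEY).items():
        print(f"{name:8s} {'OK' if not findings else '; '.join(findings)}")
```

The egress check flags any allowed value other than `PRIVATE_RANGES_ONLY`, because an `ALL_TRAFFIC` entry re-opens a data-exfiltration path through the VPC connector even if the function's own setting happens to be the private one today.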
Name | Description | Type | Default | Required |
---|---|---|---|---|
decrypters | List of IAM members (for example `serviceAccount:...`) granted decrypt access (`roles/cloudkms.cryptoKeyDecrypter`) on the created key. | `list(string)` | `[]` | no |
encrypters | List of IAM members (for example `serviceAccount:...`) granted encrypt access (`roles/cloudkms.cryptoKeyEncrypter`) on the created key. | `list(string)` | `[]` | no |
folder_id | The folder ID to apply the policy to (used when `policy_for` is `"folder"`). | `string` | `""` | no |
groups | Groups which will have roles assigned. Serverless Administrators group: Cloud Function Admin, Compute Network Viewer and Compute Network User. Serverless Security Administrators group: Cloud Function Viewer, Cloud KMS Viewer and Artifact Registry Reader. Cloud Function Developer group: Cloud Function Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter. Cloud Function User group: Cloud Function Invoker. | `object({ ... })` | `{}` | no |
key_name | Key name. | `string` | n/a | yes |
key_protection_level | The protection level to use when creating a version based on this template. Possible values: `["SOFTWARE", "HSM"]`. | `string` | `"HSM"` | no |
key_rotation_period | Period of key rotation in seconds, as a duration string (the default `2592000s` is 30 days). | `string` | `"2592000s"` | no |
keyring_name | Keyring name. | `string` | n/a | yes |
kms_project_id | The project where the KMS keyring and key will be created. | `string` | n/a | yes |
location | The location where resources are going to be deployed. | `string` | `"us-east4"` | no |
organization_id | The organization ID to apply the policy to (used when `policy_for` is `"organization"`). | `string` | `""` | no |
owners | List of IAM members granted the owner role on the created key. | `list(string)` | `[]` | no |
policy_for | Policy root: set one of the following values to determine where the organization policy is applied. Possible values: `["project", "folder", "organization"]`. | `string` | `"project"` | no |
prevent_destroy | Set the `prevent_destroy` lifecycle attribute on keys. | `bool` | `true` | no |
serverless_project_id | The project where Cloud Function (2nd Gen) is going to be deployed. | `string` | n/a | yes |
Name | Description |
---|---|
key_self_link | Key self link. |
keyring_resource | Keyring resource. |
keyring_self_link | Self link of the keyring. |
The following dependencies must be available:

- Terraform >= 1.3
- Terraform Provider for GCP < 5.0

A project with the following APIs enabled must be used to host the resources of this module:

- KMS Project
  - Google Cloud Key Management Service: `cloudkms.googleapis.com`

A service account with the following roles must be used to provision the resources of this module:

- KMS Project
  - Cloud KMS Admin: `roles/cloudkms.admin`
- Serverless Project
  - Organization Policy Administrator: `roles/orgpolicy.policyAdmin`
  - Project IAM Admin: `roles/resourcemanager.projectIamAdmin`