Secure Cloud Run Security

This module sets up the baseline security configuration for a Cloud Run deployment: a customer-managed encryption key, organization policies that restrict ingress and VPC egress, and IAM role bindings for the operating personas.

The resources/services/activations/deletions that this module will create/trigger are:

  • Creates a KMS keyring and key in the KMS project, used as the customer-managed encryption key (CMEK) for Cloud Run.
  • Enables organization policies related to Cloud Run in the Serverless project:
    • Allow ingress only from internal traffic and Cloud Load Balancing.
    • Allow VPC egress to private ranges only.
  • When group emails are provided, the module grants the following roles to each persona:
    • Serverless Administrator - Service project
      • roles/run.admin
      • roles/compute.networkViewer
      • roles/compute.networkUser
    • Serverless Security Administrator - Security project
      • roles/run.viewer
      • roles/cloudkms.viewer
      • roles/artifactregistry.reader
    • Cloud Run Developer - Security project
      • roles/run.developer
      • roles/artifactregistry.writer
      • roles/cloudkms.cryptoKeyEncrypter
    • Cloud Run User - Service project
      • roles/run.invoker

Usage

module "cloud_run_security" {
  source = "../secure-cloud-run-security"

  kms_project_id        = <KMS PROJECT ID>
  location              = <KMS LOCATION>
  serverless_project_id = <SERVERLESS PROJECT ID>
  key_name              = <KEY NAME>
  keyring_name          = <KEYRING NAME>
  key_rotation_period   = <KEY ROTATION PERIOD>
  key_protection_level  = <KEY PROTECTION LEVEL>

  encrypters = [
    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
    "serviceAccount:<CLOUD RUN SERVICE ACCOUNT>"
  ]

  decrypters = [
    "serviceAccount:<SERVERLESS IDENTITY EMAIL>",
    "serviceAccount:<CLOUD RUN SERVICE ACCOUNT>"
  ]
}
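A concrete instantiation, added here as an example and not part of the module's README: it resolves the Cloud Run service agent and a runtime service account in place of the placeholders above, applies the policies at folder scope, and supplies the persona groups. Project IDs, the folder ID, group emails and the runtime account name are constructed placeholders; google_project_service_identity needs the google-beta provider.

```hcl
provider "google-beta" {}

locals {
  kms_project_id        = "example-kms-prj"        # constructed placeholder
  serverless_project_id = "example-serverless-prj" # constructed placeholder
}

# Cloud Run service agent of the serverless project: the "<SERVERLESS IDENTITY
# EMAIL>" of the usage block. It must be allowed to use the CMEK.
resource "google_project_service_identity" "run" {
  provider = google-beta
  project  = local.serverless_project_id
  service  = "run.googleapis.com"
}

# Runtime identity the Cloud Run service executes as ("<CLOUD RUN SERVICE ACCOUNT>").
resource "google_service_account" "cloud_run" {
  project    = local.serverless_project_id
  account_id = "cloud-run-runtime" # constructed placeholder
}

module "cloud_run_security" {
  source = "../secure-cloud-run-security"
  kms_project_id        = local.kms_project_id
  serverless_project_id = local.serverless_project_id
  location              = "us-central1"
  keyring_name          = "cloud-run-keyring"
  key_name              = "cloud-run-cmek"
  key_rotation_period   = "2592000s" # 30 days, the module default
  key_protection_level  = "HSM"      # module default; "SOFTWARE" is the only other value
  # Same identities on both sides: each must encrypt and decrypt with the key.
  encrypters = [
    "serviceAccount:${google_project_service_identity.run.email}",
    "serviceAccount:${google_service_account.cloud_run.email}",
  ]
  decrypters = [
    "serviceAccount:${google_project_service_identity.run.email}",
    "serviceAccount:${google_service_account.cloud_run.email}",
  ]
  # Apply the ingress/egress organization policies at folder scope instead of
  # the default project scope.
  policy_for = "folder"
  folder_id  = "123456789012" # constructed placeholder
  groups = {
    group_serverless_administrator          = "serverless-admins@example.com"
    group_serverless_security_administrator = "serverless-sec-admins@example.com"
    group_cloud_run_developer               = "cloud-run-developers@example.com"
    group_cloud_run_user                    = "cloud-run-users@example.com"
  }
}
```

With policy_for set to "folder", the provisioning service account needs roles/orgpolicy.policyAdmin on that folder rather than on the Serverless project alone.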

Inputs

Name | Description | Type | Default | Required
decrypters | List of comma-separated owners for each key declared in set_decrypters_for. | list(string) | [] | no
encrypters | List of comma-separated owners for each key declared in set_encrypters_for. | list(string) | [] | no
folder_id | The folder ID to apply the policy to. | string | "" | no
groups | Groups which will have roles assigned. Serverless Administrators group: Cloud Run Admin, Compute Network Viewer and Compute Network User. Serverless Security Administrators group: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader. Cloud Run Developer group: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter. Cloud Run User group: Cloud Run Invoker. | object({ group_serverless_administrator = optional(string, null), group_serverless_security_administrator = optional(string, null), group_cloud_run_developer = optional(string, null), group_cloud_run_user = optional(string, null) }) | {} | no
key_name | Key name. | string | n/a | yes
key_protection_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | string | "HSM" | no
key_rotation_period | Period of key rotation in seconds. | string | "2592000s" | no
keyring_name | Keyring name. | string | n/a | yes
kms_project_id | The project where KMS will be created. | string | n/a | yes
location | The location where resources are going to be deployed. | string | n/a | yes
organization_id | The organization ID to apply the policy to. | string | "" | no
owners | List of comma-separated owners for each key declared in set_owners_for. | list(string) | [] | no
policy_for | Policy root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"]. | string | "project" | no
prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | bool | true | no
serverless_project_id | The project where Cloud Run is going to be deployed. | string | n/a | yes

Outputs

Name | Description
key_self_link | Key self link.
keyring_resource | Keyring resource.
keyring_self_link | Self link of the keyring.

Requirements

Software

The following dependencies must be available:

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • KMS Project
    • Google Cloud Key Management Service: cloudkms.googleapis.com

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • KMS Project
    • Cloud KMS Admin: roles/cloudkms.admin
  • Serverless Project
    • Organization Policy Administrator: roles/orgpolicy.policyAdmin