Secure Serverless Harness

This module creates the infrastructure required by the Secure Serverless blueprint.

This module deploys:

  • A folder to store the Serverless infrastructure.
  • The service project where the Serverless application is going to be deployed.
  • The security project where KMS and Artifact Registry are going to be created:
    • A Keyring and Key created for Artifact Registry.
    • An Artifact Registry repository created with the encryption key (CMEK).
    • A Hello World example image copied to the Artifact Registry repository.
  • A network and one subnetwork.
  • Firewall rules:
    • Deny all egress traffic.
    • Allow egress to the Restricted and Private Google APIs ranges.
  • A Private Service Connect configuration for Google APIs.
  • An Access Level and a Service Perimeter that contains both projects and restricts all the supported services.

Usage

Basic usage of this module is as follows:

```hcl
module "secure_cloud_run_harness" {
  source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-serverless-harness"
  version = "~> 0.9.1"

  # Required variables
  billing_account                   = "<BILLING ACCOUNT>"
  security_project_name             = "<SECURITY PROJECT NAME>"
  # serverless_project_names is a list: one project per entry
  serverless_project_names          = ["<SERVERLESS PROJECT NAME>"]
  org_id                            = "<ORGANIZATION ID>"
  region                            = "<REGION>"
  location                          = "<LOCATION>"
  vpc_name                          = "<VPC NAME>"
  subnet_ip                         = "<SUBNET IP RANGE>"
  artifact_registry_repository_name = "<ARTIFACT REGISTRY NAME>"
  keyring_name                      = "<KEYRING NAME>"
  key_name                          = "<KEY NAME>"
  access_level_members              = ["user:<USER-EMAIL>", "serviceAccount:<SERVICE-ACCOUNT-EMAIL>"]
  base_serverless_api               = "<RUN-OR-CLOUD-FUNCTIONS>.googleapis.com"
  private_service_connect_ip        = "<INTERNAL-IP-USED-BY-PRIVATE-SERVICE-CONNECT>"
}
```

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_context_manager_policy_id | The ID of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | `null` | no |
| access_level_members | The list of additional members who will be in the access level. | `list(string)` | n/a | yes |
| artifact_registry_repository_description | The description of the Artifact Registry Repository to be created. | `string` | `"Secure Cloud Run Artifact Registry Repository"` | no |
| artifact_registry_repository_format | The format of the Artifact Registry Repository to be created. | `string` | `"DOCKER"` | no |
| artifact_registry_repository_name | The name of the Artifact Registry Repository to be created. | `string` | n/a | yes |
| base_serverless_api | Enables the Cloud Functions or Cloud Run specific resources. The Cloud Run API is used by the terraform-google-cloud-run repository, while the Cloud Functions API is used by the terraform-google-cloud-functions repository. Only `run.googleapis.com` or `cloudfunctions.googleapis.com` are supported. | `string` | n/a | yes |
| billing_account | The ID of the billing account to associate this project with. | `string` | n/a | yes |
| create_access_context_manager_access_policy | Defines if the Access Context Manager policy will be created by Terraform. | `bool` | `false` | no |
| decrypters | List of comma-separated owners for each key declared in set_decrypters_for. | `list(string)` | `[]` | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed. | `bool` | `false` | no |
| dns_enable_inbound_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
| dns_enable_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
| egress_policies | A list of all egress policies; each list object has a `from` and a `to` value that describe `egress_from` and `egress_to`. Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: `ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list), `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`; `SRV_NAME` = `"*"` (allow all services) or specific services; `OP_TYPE` = `methods` or `permissions`. | `list(object({ from = any, to = any }))` | `[]` | no |
| encrypters | List of comma-separated owners for each key declared in set_encrypters_for. | `list(string)` | `[]` | no |
| ingress_policies | A list of all ingress policies; each list object has a `from` and a `to` value that describe `ingress_from` and `ingress_to`. Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: `ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list), `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`; `SRV_NAME` = `"*"` (allow all services) or specific services; `OP_TYPE` = `methods` or `permissions`. | `list(object({ from = any, to = any }))` | `[]` | no |
| key_name | Key name. | `string` | n/a | yes |
| key_protection_level | The protection level to use when creating a version based on this template. Possible values: `["SOFTWARE", "HSM"]`. | `string` | `"HSM"` | no |
| key_rotation_period | Period of key rotation in seconds. The default value is equivalent to 30 days. | `string` | `"2592000s"` | no |
| keyring_name | Keyring name. | `string` | n/a | yes |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| network_project_extra_apis | The extra APIs to be enabled during network project creation. | `list(string)` | `[]` | no |
| network_project_name | The name to give the shared VPC project. | `string` | `""` | no |
| org_id | The organization ID. | `string` | n/a | yes |
| owners | List of comma-separated owners for each key declared in set_owners_for. | `list(string)` | `[]` | no |
| parent_folder_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
| prevent_destroy | Set the `prevent_destroy` lifecycle attribute on keys. | `bool` | `true` | no |
| private_service_connect_ip | The internal IP to be used for the Private Service Connect endpoint. | `string` | n/a | yes |
| region | The region in which the subnetwork will be created. | `string` | n/a | yes |
| security_project_extra_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no |
| security_project_name | The name to give the security project. | `string` | n/a | yes |
| serverless_folder_suffix | The suffix to be concatenated to the Serverless folder name `fldr-serverless-`. | `string` | `""` | no |
| serverless_project_extra_apis | The extra APIs to be enabled during serverless project creation. | `map(list(string))` | `{}` | no |
| serverless_project_names | The names to give the Cloud Serverless projects. | `list(string)` | n/a | yes |
| service_account_project_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
| subnet_ip | The CIDR IP range of the subnetwork. | `string` | n/a | yes |
| time_to_wait_vpc_sc_propagation | The time to wait for VPC-SC propagation when applying and destroying. | `string` | `"180s"` | no |
| use_shared_vpc | Defines if the network created will be a single or a shared VPC. | `bool` | `false` | no |
| vpc_name | The name of the network. | `string` | n/a | yes |
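The `ingress_policies` and `egress_policies` inputs are described above only by their schema; the following added example (not part of the module's README or code) fills both in for this harness: an ingress rule that lets one named user reach Cloud Run in the serverless project from an existing access level, and an egress rule that lets the serverless service account download images from an Artifact Registry repository in a project outside the perimeter. All `<PLACEHOLDER>` values, the full access level resource name and the `local.*` names are assumptions.

```hcl
# Added example (not from the module README): ingress and egress policies for
# the perimeter created by this harness. All <PLACEHOLDER> values are
# assumptions to be replaced; the access level is assumed to already exist
# in the Access Context Manager policy used by the module.
locals {
  # Ingress: only the listed user, arriving from the named access level, may
  # call Cloud Run methods inside the serverless project. identity_type = null
  # restricts the rule to the identities list instead of ANY_* identities.
  harness_ingress_policies = [{
    from = {
      sources = {
        resources     = []
        access_levels = ["accessPolicies/<POLICY ID>/accessLevels/<ACCESS LEVEL NAME>"]
      }
      identities    = ["user:<USER-EMAIL>"]
      identity_type = null
    }
    to = {
      resources = ["projects/<SERVERLESS PROJECT NUMBER>"]
      operations = {
        "run.googleapis.com" = {
          methods = ["*"] # all Cloud Run methods; narrow to named methods where possible
        }
      }
    }
  }]

  # Egress: the serverless service account may only download images from
  # Artifact Registry in one project outside the perimeter (the permissions
  # form of OP_TYPE); every other egress stays blocked by the perimeter.
  harness_egress_policies = [{
    from = {
      identities    = ["serviceAccount:<SERVICE-ACCOUNT-EMAIL>"]
      identity_type = null
    }
    to = {
      resources = ["projects/<EXTERNAL PROJECT NUMBER>"]
      operations = {
        "artifactregistry.googleapis.com" = {
          permissions = ["artifactregistry.repositories.downloadArtifacts"]
        }
      }
    }
  }]
}
```

Pass these into the module call shown under Usage as `ingress_policies = local.harness_ingress_policies` and `egress_policies = local.harness_egress_policies`; anything not matched by a rule remains denied by the perimeter.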

Outputs

| Name | Description |
|------|-------------|
| access_context_manager_policy_id | Access Context Manager policy ID. |
| artifact_registry_key | Artifact Registry KMS Key. |
| artifact_registry_repository_id | The full identifier of the Artifact Registry Repository where the images should be stored. |
| artifact_registry_repository_name | The last segment of the Artifact Registry Repository name where the images should be stored. |
| cloud_serverless_service_identity_email | The Cloud Run Service Identity email. |
| network_project_id | Project ID of the project created to host the Serverless network. |
| restricted_access_level_name | Access level name. |
| restricted_access_level_name_id | Access level name ID. |
| restricted_service_perimeter_name | Service Perimeter name. |
| security_project_id | Project ID of the project created for KMS and Artifact Registry. |
| security_project_number | Project number of the project created for KMS and Artifact Registry. |
| serverless_folder_id | The folder created to hold the Serverless infrastructure. |
| serverless_project_ids | Project IDs of the projects created to deploy the Serverless applications. |
| serverless_project_numbers | Project numbers of the projects created to deploy the Serverless applications. |
| service_account_email | The email of the Service Account created to be used by Cloud Serverless. |
| service_subnet | The subnetwork name created in the harness. |
| service_vpc | The network created for Cloud Serverless. |

Requirements

These sections describe requirements for using this module.

Software

Service Account

A service account with the following roles can be used to execute this module:

  • Organization level:
    • Access Context Manager Editor - roles/accesscontextmanager.policyEditor
  • Parent level (Organization or Folder):
    • Folder Admin - roles/resourcemanager.folderAdmin
    • Project Creator - roles/resourcemanager.projectCreator
    • Project Deleter - roles/resourcemanager.projectDeleter
  • Billing:
    • Billing User - roles/billing.user

Learn more about Cloud Run Deployment Permissions or Cloud Functions Deployment Permissions.

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.