This module creates the infrastructure required by the Secure Serverless blueprint.

This module deploys:

- A folder to hold the Serverless infrastructure.
- The service project where the Serverless application is going to be deployed.
- The security project where KMS and Artifact Registry are going to be created.
- A keyring and a key created for Artifact Registry.
- An Artifact Registry repository encrypted with that key (CMEK).
- The Hello World example image copied to Artifact Registry.
- A network and one subnetwork.
- Firewall rules:
  - Deny all egress traffic.
  - Allow egress to the Restricted and Private Google APIs ranges.
- A Private Service Connect endpoint for Google APIs.
- An Access Level and a Service Perimeter that contain both projects and restrict all supported services.
Basic usage of this module is as follows:

```hcl
module "secure_cloud_run_harness" {
  source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-serverless-harness"
  version = "~> 0.9.1"

  # Required variables
  billing_account                   = "<BILLING ACCOUNT>"
  security_project_name             = "<SECURITY PROJECT NAME>"
  serverless_project_names          = ["<SERVERLESS PROJECT NAME>"]
  org_id                            = "<ORGANIZATION ID>"
  region                            = "<REGION>"
  location                          = "<LOCATION>"
  vpc_name                          = "<VPC NAME>"
  subnet_ip                         = "<SUBNET IP RANGE>"
  artifact_registry_repository_name = "<ARTIFACT REGISTRY NAME>"
  keyring_name                      = "<KEYRING NAME>"
  key_name                          = "<KEY NAME>"
  access_level_members              = ["user:<USER-EMAIL>", "serviceAccount:<SERVICE-ACCOUNT-EMAIL>"]
  # Only run.googleapis.com or cloudfunctions.googleapis.com are supported.
  base_serverless_api               = "<RUN-OR-CLOUD-FUNCTIONS>.googleapis.com"
  private_service_connect_ip        = "<INTERNAL-IP-USED-BY-PRIVATE-SERVICE-CONNECT>"
}
```
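The perimeter created by the module blocks every supported service by default, so any legitimate path in or out of it has to be declared explicitly. As an added example (not code from the module or its documentation), the call below extends the basic usage with one `ingress_policies` and one `egress_policies` entry written in the `from`/`to` shape the inputs table describes: a CI service account calling from a CI project outside the perimeter may push to Artifact Registry inside it, and the serverless service account may read from a registry project outside it. The CI project, the external registry project and every `<...>` value are placeholders; `identity_type` is left `null` so that only the listed identities match rather than any caller.

```hcl
# Added example: the harness call with explicit VPC-SC ingress and egress rules.
# All <...> values are placeholders; the CI project and external registry
# project are assumptions about the surrounding environment.
module "secure_cloud_run_harness" {
  source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-serverless-harness"
  version = "~> 0.9.1"

  billing_account                   = "<BILLING ACCOUNT>"
  org_id                            = "<ORGANIZATION ID>"
  security_project_name             = "<SECURITY PROJECT NAME>"
  serverless_project_names          = ["<SERVERLESS PROJECT NAME>"]
  region                            = "<REGION>"
  location                          = "<LOCATION>"
  vpc_name                          = "<VPC NAME>"
  subnet_ip                         = "<SUBNET IP RANGE>"
  artifact_registry_repository_name = "<ARTIFACT REGISTRY NAME>"
  keyring_name                      = "<KEYRING NAME>"
  key_name                          = "<KEY NAME>"
  base_serverless_api               = "run.googleapis.com"
  private_service_connect_ip        = "<INTERNAL-IP-USED-BY-PRIVATE-SERVICE-CONNECT>"
  access_level_members              = ["user:<USER-EMAIL>"]

  # Ingress: only the CI service account, and only when it calls from the CI
  # project, may reach Artifact Registry inside the perimeter. identity_type is
  # null so the rule matches the listed identities and nothing else.
  ingress_policies = [
    {
      from = {
        sources = {
          resources     = ["projects/<CI-PROJECT-NUMBER>"]
          access_levels = []
        }
        identities    = ["serviceAccount:<CI-SERVICE-ACCOUNT-EMAIL>"]
        identity_type = null
      }
      to = {
        resources = ["*"]
        operations = {
          "artifactregistry.googleapis.com" = { methods = ["*"] }
        }
      }
    }
  ]

  # Egress: the serverless service account may call Artifact Registry in one
  # named project outside the perimeter; every other service stays blocked.
  egress_policies = [
    {
      from = {
        identities    = ["serviceAccount:<SERVERLESS-SERVICE-ACCOUNT-EMAIL>"]
        identity_type = null
      }
      to = {
        resources = ["projects/<EXTERNAL-REGISTRY-PROJECT-NUMBER>"]
        operations = {
          "artifactregistry.googleapis.com" = { methods = ["*"] }
        }
      }
    }
  ]
}

# Hand the repository identifier to the stage that builds and deploys the image.
output "image_repository_id" {
  value = module.secure_cloud_run_harness.artifact_registry_repository_id
}
```

Keep the `resources` lists to project numbers rather than `"*"` wherever the peer is known: a wildcard in an egress `to` block turns the perimeter into a per-identity allow-all for that service, which is rarely what a deny-all design intends. Changes to these lists take effect asynchronously, which is what `time_to_wait_vpc_sc_propagation` in the inputs table accounts for.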
The module accepts the following inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_context_manager_policy_id | The ID of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | `null` | no |
| access_level_members | The list of additional members who will be in the access level. | `list(string)` | n/a | yes |
| artifact_registry_repository_description | The description of the Artifact Registry Repository to be created. | `string` | `"Secure Cloud Run Artifact Registry Repository"` | no |
| artifact_registry_repository_format | The format of the Artifact Registry Repository to be created. | `string` | `"DOCKER"` | no |
| artifact_registry_repository_name | The name of the Artifact Registry Repository to be created. | `string` | n/a | yes |
| base_serverless_api | Enables the Cloud Functions or Cloud Run specific resources. The Cloud Run API is used by the terraform-google-cloud-run repository and the Cloud Functions API by the terraform-google-cloud-functions repository. Only `run.googleapis.com` or `cloudfunctions.googleapis.com` are supported. | `string` | n/a | yes |
| billing_account | The ID of the billing account to associate this project with. | `string` | n/a | yes |
| create_access_context_manager_access_policy | Defines if the Access Context Manager policy will be created by Terraform. | `bool` | `false` | no |
| decrypters | List of comma-separated decrypters for each key declared in set_decrypters_for. | `list(string)` | `[]` | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed. | `bool` | `false` | no |
| dns_enable_inbound_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
| dns_enable_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
| egress_policies | A list of all egress policies; each list object has a `from` and a `to` value that describe `egress_from` and `egress_to`. Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list), `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`; SRV_NAME = `"*"` (allow all services) or a specific service; OP_TYPE = `methods` or `permissions`. | `list(object({…}))` | `[]` | no |
| encrypters | List of comma-separated encrypters for each key declared in set_encrypters_for. | `list(string)` | `[]` | no |
| ingress_policies | A list of all ingress policies; each list object has a `from` and a `to` value that describe `ingress_from` and `ingress_to`. Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list), `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`; SRV_NAME = `"*"` (allow all services) or a specific service; OP_TYPE = `methods` or `permissions`. | `list(object({…}))` | `[]` | no |
| key_name | Key name. | `string` | n/a | yes |
| key_protection_level | The protection level to use when creating a version based on this template. Possible values: `"SOFTWARE"`, `"HSM"`. | `string` | `"HSM"` | no |
| key_rotation_period | Period of key rotation in seconds. The default value is equivalent to 30 days. | `string` | `"2592000s"` | no |
| keyring_name | Keyring name. | `string` | n/a | yes |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| network_project_extra_apis | The extra APIs to be enabled during network project creation. | `list(string)` | `[]` | no |
| network_project_name | The name to give the Shared VPC project. | `string` | `""` | no |
| org_id | The organization ID. | `string` | n/a | yes |
| owners | List of comma-separated owners for each key declared in set_owners_for. | `list(string)` | `[]` | no |
| parent_folder_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
| prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | `bool` | `true` | no |
| private_service_connect_ip | The internal IP to be used for the Private Service Connect endpoint. | `string` | n/a | yes |
| region | The region in which the subnetwork will be created. | `string` | n/a | yes |
| security_project_extra_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no |
| security_project_name | The name to give the security project. | `string` | n/a | yes |
| serverless_folder_suffix | The suffix to be appended to the Serverless folder name `fldr-serverless-`. | `string` | `""` | no |
| serverless_project_extra_apis | The extra APIs to be enabled during serverless project creation. | `map(list(string))` | `{}` | no |
| serverless_project_names | The names to give the Cloud Serverless projects. | `list(string)` | n/a | yes |
| service_account_project_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
| subnet_ip | The CIDR IP range of the subnetwork. | `string` | n/a | yes |
| time_to_wait_vpc_sc_propagation | The time to wait for VPC-SC propagation when applying and destroying. | `string` | `"180s"` | no |
| use_shared_vpc | Defines if the network created will be a single or a Shared VPC. | `bool` | `false` | no |
| vpc_name | The name of the network. | `string` | n/a | yes |
The module exposes the following outputs:

| Name | Description |
|---|---|
| access_context_manager_policy_id | Access Context Manager policy ID. |
| artifact_registry_key | Artifact Registry KMS key. |
| artifact_registry_repository_id | The full identifier of the Artifact Registry Repository where the images should be stored. |
| artifact_registry_repository_name | The last part of the Artifact Registry Repository name where the images should be stored. |
| cloud_serverless_service_identity_email | The Cloud Run Service Identity email. |
| network_project_id | Project ID of the project created to host the Serverless network. |
| restricted_access_level_name | Access level name. |
| restricted_access_level_name_id | Access level name ID. |
| restricted_service_perimeter_name | Service Perimeter name. |
| security_project_id | Project ID of the project created for KMS and Artifact Registry. |
| security_project_number | Project number of the project created for KMS and Artifact Registry. |
| serverless_folder_id | The folder created to hold the Serverless infrastructure. |
| serverless_project_ids | Project IDs of the projects created to deploy the Serverless applications. |
| serverless_project_numbers | Project numbers of the projects created to deploy the Serverless applications. |
| service_account_email | The email of the Service Account created to be used by Cloud Serverless. |
| service_subnet | The sub-network name created in the harness. |
| service_vpc | The network created for Cloud Serverless. |
These sections describe the requirements for using this module.

Software:

- Terraform v0.13+
- Terraform Provider for GCP < 5.0
- Terraform Provider for GCP Beta >= 3.53, < 5.0

A service account with the following roles can be used to execute this module:

- Organization level:
  - Access Context Manager Editor: `roles/accesscontextmanager.policyEditor`
- Parent level (Organization or Folder):
  - Folder Admin: `roles/resourcemanager.folderAdmin`
  - Project Creator: `roles/resourcemanager.projectCreator`
  - Project Deleter: `roles/resourcemanager.projectDeleter`
- Billing:
  - Billing User: `roles/billing.user`

Learn more about Cloud Run Deployment Permissions or Cloud Functions Deployment Permissions.

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
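As an added example (not the module's own code, and using plain provider resources rather than the Project Factory and IAM modules named above), the configuration below provisions a dedicated deployer service account that holds exactly the roles listed in the previous section and nothing more. The seed project that hosts the account, the variable names and the folder-scoped binding are assumptions: they keep the Project Creator and Project Deleter grants confined to the parent folder instead of the whole organization.

```hcl
# Added example: a least-privilege Terraform deployer for the harness module.
# The seed project, variable names and identifiers are placeholders/assumptions.

variable "org_id"           { type = string } # organization that owns the ACM policy
variable "parent_folder_id" { type = string } # folder the harness creates its own folder under
variable "billing_account"  { type = string } # billing account the new projects are linked to
variable "seed_project_id"  { type = string } # project hosting the deployer SA (assumption)

resource "google_service_account" "harness_deployer" {
  project      = var.seed_project_id
  account_id   = "sa-serverless-harness"
  display_name = "Secure Serverless harness Terraform deployer"
}

locals {
  deployer = "serviceAccount:${google_service_account.harness_deployer.email}"

  # Parent-level roles from the requirements list, granted on the folder only.
  parent_roles = [
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectDeleter",
  ]
}

# Organization level: the Access Level and Service Perimeter live in the
# organization's Access Context Manager policy, so this one role must be
# granted at the organization.
resource "google_organization_iam_member" "acm_editor" {
  org_id = var.org_id
  role   = "roles/accesscontextmanager.policyEditor"
  member = local.deployer
}

# Parent level: scoping these to the folder means the deployer can only
# create, delete and manage projects underneath it.
resource "google_folder_iam_member" "parent_roles" {
  for_each = toset(local.parent_roles)
  folder   = "folders/${var.parent_folder_id}"
  role     = each.value
  member   = local.deployer
}

# Billing: billing.user is enough to link the new projects to the account;
# it does not allow changing the billing account itself.
resource "google_billing_account_iam_member" "billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = local.deployer
}

output "harness_deployer_email" {
  value = google_service_account.harness_deployer.email
}
```

If the harness is deployed directly under the organization rather than under a folder, grant the three parent-level roles with `google_organization_iam_member` instead. Run the harness with the Google provider's `impersonate_service_account` set to the output above rather than exporting a key for this account, so the elevated roles are only reachable through an audited impersonation call.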