Secure Cloud Run

This module handles the deployment required for Cloud Run usage. The secure-cloud-run module calls the secure-cloud-run-core, secure-serverless-net and secure-cloud-run-security modules.

When using a Shared VPC, you can choose where to create the VPC Connector.

Note: When using a single VPC, set vpc_project_id and serverless_project_id to the same value, and the connector_on_host_project variable must be false.

The resources/services/activations/deletions that this module will create/trigger are:

  • secure-serverless-net module will apply:

    • Creates firewall rules in your VPC project:
      • Serverless to VPC Connector
      • VPC Connector to Serverless
      • VPC Connector to LB
      • VPC Connector health checks
    • Creates a subnetwork dedicated to the VPC Connector.
    • Creates the Serverless VPC Access connector in your VPC project or in the Serverless project, according to the connector_on_host_project note above.
    • Grants the roles Cloud Run needs to use the VPC Connector on your Shared VPC when the connector is created in the host project:
      • Network User (roles/compute.networkUser) to the Cloud Services service account.
      • VPC Access User (roles/vpcaccess.user) to the Cloud Run service identity when deploying VPC Access.
  • secure-cloud-run-security module will apply:

    • Creates a KMS keyring and key in the KMS project for customer-managed encryption of the Cloud Run service.
    • Enables the organization policies related to Cloud Run in the Serverless project:
      • Allow ingress only from internal sources and Cloud Load Balancing.
      • Allow VPC egress to private ranges only.
    • When group emails are provided, grants the roles for each persona:
      • Serverless Administrator - Service Project
        • Cloud Run Admin: roles/run.admin
        • Compute Network Viewer: roles/compute.networkViewer
        • Compute Network User: roles/compute.networkUser
      • Serverless Security Administrator - Security Project
        • Cloud Run Viewer: roles/run.viewer
        • Cloud KMS Viewer: roles/cloudkms.viewer
        • Artifact Registry Reader: roles/artifactregistry.reader
      • Cloud Run Developer - Security Project
        • Cloud Run Developer: roles/run.developer
        • Artifact Registry Writer: roles/artifactregistry.writer
        • Cloud KMS CryptoKey Encrypter: roles/cloudkms.cryptoKeyEncrypter
      • Cloud Run User - Security Project
        • Cloud Run Invoker: roles/run.invoker
  • secure-cloud-run-core module will apply:

    • Creates the Cloud Run service.
    • Creates a load balancer in front of the service, using Google-managed SSL certificates (or the certificates given in ssl_certificates).
    • Creates a Cloud Armor security policy containing only the preconfigured WAF rules for SQLi, XSS, LFI, RCE, RFI, scanner detection, protocol attack and session fixation.
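The list above describes the posture the module is supposed to leave behind, but a service can drift after a manual redeploy or a policy edit. The following script is an added example, not code from the module or its authors: it checks exported Cloud Run and Cloud Armor JSON against the guarantees listed above (restricted ingress, private-ranges-only egress, a connector attached, CMEK on the revision, an enforced deny rule for each preconfigured WAF rule set). The annotation keys and the `<name>-stable` rule-set names are the real Cloud Run and Cloud Armor identifiers; every project, service, connector and key name in the embedded samples is a constructed placeholder.

```python
"""Posture check for what secure-cloud-run promises to deploy.

Added example; not code from the module or its authors. It reads the JSON
that `gcloud run services describe SERVICE --region REGION --format=json`
and `gcloud compute security-policies describe POLICY --format=json` return
and reports which README guarantees do not hold. All names in the samples
below are constructed placeholders.
"""
from __future__ import annotations

import json

EXPECTED_INGRESS = "internal-and-cloud-load-balancing"
EXPECTED_EGRESS = "private-ranges-only"
# The rule sets the README lists, in Cloud Armor's spelling.
REQUIRED_WAF_RULESETS = frozenset({
    "sqli", "xss", "lfi", "rce", "rfi",
    "scannerdetection", "protocolattack", "sessionfixation",
})


def check_service(service: dict) -> list[str]:
    """Return findings for one Cloud Run service document; [] means compliant."""
    findings = []
    svc_ann = service.get("metadata", {}).get("annotations", {})
    rev_ann = (service.get("spec", {}).get("template", {})
               .get("metadata", {}).get("annotations", {}))
    ingress = svc_ann.get("run.googleapis.com/ingress")
    if ingress != EXPECTED_INGRESS:
        findings.append(f"ingress is {ingress!r}, expected {EXPECTED_INGRESS!r}")
    egress = rev_ann.get("run.googleapis.com/vpc-access-egress")
    if egress != EXPECTED_EGRESS:
        findings.append(f"vpc-access-egress is {egress!r}, expected {EXPECTED_EGRESS!r}")
    if not rev_ann.get("run.googleapis.com/vpc-access-connector"):
        findings.append("no VPC connector attached; egress cannot be routed through the VPC")
    if not rev_ann.get("run.googleapis.com/encryption-key"):
        findings.append("no CMEK key on the revision; Google-managed encryption is in use")
    return findings


def check_armor_policy(policy: dict) -> list[str]:
    """Return the README rule sets that no enforced deny rule covers."""
    enforced = set()
    for rule in policy.get("rules", []):
        expr = rule.get("match", {}).get("expr", {}).get("expression", "")
        # Preview rules only log; allow rules enforce nothing.
        if rule.get("preview") or not rule.get("action", "").startswith("deny"):
            continue
        for name in REQUIRED_WAF_RULESETS:
            if f"'{name}-" in expr and "evaluatePreconfigured" in expr:
                enforced.add(name)
    return [f"no enforced deny rule for {n}-stable"
            for n in sorted(REQUIRED_WAF_RULESETS - enforced)]


def _svc(ingress, egress, connector, key):
    """Build a minimal Knative-style service document (constructed sample)."""
    rev_ann = {"run.googleapis.com/vpc-access-egress": egress}
    if connector:
        rev_ann["run.googleapis.com/vpc-access-connector"] = connector
    if key:
        rev_ann["run.googleapis.com/encryption-key"] = key
    return {"metadata": {"name": "hello-api",
                         "annotations": {"run.googleapis.com/ingress": ingress}},
            "spec": {"template": {"metadata": {"annotations": rev_ann}}}}


CONNECTOR = "projects/vpc-host-prj/locations/us-central1/connectors/serverless-vpc-connector"
KEY = ("projects/kms-prj/locations/us-central1/keyRings/cloud-run-kms-keyring"
       "/cryptoKeys/cloud-run-kms-key")
COMPLIANT_SERVICE = _svc(EXPECTED_INGRESS, EXPECTED_EGRESS, CONNECTOR, KEY)
# A service redeployed by hand with open ingress, unrestricted egress and no CMEK.
DRIFTED_SERVICE = _svc("all", "all-traffic", CONNECTOR, None)


def _deny(priority, name):
    return {"action": "deny(403)", "priority": priority,
            "match": {"expr": {"expression": f"evaluatePreconfiguredExpr('{name}-stable')"}}}


COMPLIANT_POLICY = {"rules": [_deny(1000 + i, n) for i, n in enumerate(sorted(REQUIRED_WAF_RULESETS))]
                    + [{"action": "allow", "priority": 2147483647,
                        "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}]}
# Same policy with the RFI rule deleted and the RCE rule left in preview mode.
WEAK_POLICY = {"rules": [
    dict(r, preview=True) if "rce-stable" in json.dumps(r) else r
    for r in COMPLIANT_POLICY["rules"] if "rfi-stable" not in json.dumps(r)]}

if __name__ == "__main__":
    for label, svc in (("compliant", COMPLIANT_SERVICE), ("drifted", DRIFTED_SERVICE)):
        print(label, "service:", check_service(svc) or "ok")
    for label, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        print(label, "policy:", check_armor_policy(pol) or "ok")
```

Run it as-is to see the sample findings; against a live environment, `json.load` the two `gcloud ... --format=json` exports and pass them to `check_service` and `check_armor_policy`. The preview check matters in practice: a rule left in preview mode logs matches but blocks nothing, so it must not count as enforcement.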

Usage

Basic usage of this module is as follows:

module "secure_cloud_run" {
  source = "../modules/secure-cloud-run"

  vpc_project_id                          = <VPC Project ID>
  kms_project_id                          = <KMS Project ID>
  serverless_project_id                   = <Serverless Project ID>
  domain                                  = <Domain>
  shared_vpc_name                         = <Shared VPC Name>
  ip_cidr_range                           = <IP CIDR Range>
  service_name                            = <Service Name>
  location                                = <Location>
  region                                  = <Region>
  image                                   = <Image>
  cloud_run_sa                            = <Cloud Run Service Account>
  artifact_registry_repository_location   = <Artifact Registry Repository Location>
  artifact_registry_repository_name       = <Artifact Registry Repository Name>
  artifact_registry_repository_project_id = <Artifact Registry Repository Project ID>
}

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| artifact_registry_repository_location | Artifact Registry repository location, used to grant the serverless identity the reader role. | string | null | no |
| artifact_registry_repository_name | Artifact Registry repository name, used to grant the serverless identity the reader role. | string | null | no |
| artifact_registry_repository_project_id | Artifact Registry repository project ID, used to grant the serverless identity the reader role. | string | null | no |
| cloud_armor_policies_name | Name of a Cloud Armor policy already created in the project. Required when create_cloud_armor_policies is false; ignored when it is true. | string | null | no |
| cloud_run_sa | Service account to be used by Cloud Run. | string | n/a | yes |
| connector_name | Name of the VPC connector to be created. | string | "serverless-vpc-connector" | no |
| create_cloud_armor_policies | When true, Terraform creates the Cloud Armor policies. When false, you must provide your own policy name in cloud_armor_policies_name. | bool | true | no |
| create_subnet | When true, a subnet named subnet_name is created. When false, the existing subnet named subnet_name is re-used. | bool | true | no |
| env_vars | Environment variables (cleartext). | list(object({ value = string, name = string })) | [] | no |
| folder_id | The folder ID to apply the policy to. | string | "" | no |
| grant_artifact_register_reader | When true, grants the serverless identity permission to read images from your Artifact Registry; artifact_registry_repository_project_id, artifact_registry_repository_location and artifact_registry_repository_name must then be provided. | bool | false | no |
| groups | Groups that will have roles assigned. Serverless Administrators: Cloud Run Admin, Compute Network Viewer and Compute Network User. Serverless Security Administrators: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader. Cloud Run Developers: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter. Cloud Run Users: Cloud Run Invoker. | object({ group_serverless_administrator = optional(string, null), group_serverless_security_administrator = optional(string, null), group_cloud_run_developer = optional(string, null), group_cloud_run_user = optional(string, null) }) | {} | no |
| image | Image URL to be deployed on Cloud Run. | string | n/a | yes |
| ip_cidr_range | Range of internal addresses owned by the subnetwork and used by the VPC Connector, for example 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | string | n/a | yes |
| key_name | Name of the KMS key to be created and used by Cloud Run. | string | "cloud-run-kms-key" | no |
| key_protection_level | Protection level to use when creating a key version from this template. Possible values: ["SOFTWARE", "HSM"]. | string | "HSM" | no |
| key_rotation_period | Key rotation period in seconds. | string | "2592000s" | no |
| keyring_name | Keyring name. | string | "cloud-run-kms-keyring" | no |
| kms_project_id | Project where the KMS keyring and key will be created. | string | n/a | yes |
| location | Location where resources are going to be deployed. | string | n/a | yes |
| max_scale_instances | Maximum number of container instances per revision used to handle incoming requests or events; see the Cloud Run autoscaling documentation. | number | 2 | no |
| members | Users and service accounts to be given invoker access to the service, prefixed with serviceAccount: for service accounts and user: for users. | list(string) | [] | no |
| min_scale_instances | Minimum number of container instances per revision kept to handle incoming requests or events; see the Cloud Run autoscaling documentation. | number | 1 | no |
| organization_id | The organization ID to apply the policy to. | string | "" | no |
| policy_for | Policy root: where the organization policy is applied. Possible values: ["project", "folder", "organization"]. | string | "project" | no |
| prevent_destroy | Set the prevent_destroy lifecycle attribute on the Cloud KMS key. | bool | true | no |
| region | Region for the load balancer and Cloud Run resources. | string | n/a | yes |
| resource_names_suffix | Suffix appended to the names of the network resources being created. | string | null | no |
| serverless_project_id | Project where the Cloud Run service is deployed. | string | n/a | yes |
| service_name | Name of the Cloud Run service. | string | n/a | yes |
| shared_vpc_name | Name of the Shared VPC re-used to create the Serverless Connector. | string | n/a | yes |
| ssl_certificates | Object with either a list of domains for which to auto-generate SSL certificates or a list of SSL certificate self-links in the form projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME>, to be used by the load balancer. | object({ ssl_certificates_self_links = list(string), generate_certificates_for_domains = list(string) }) | n/a | yes |
| subnet_name | Subnet name to be re-used to create the Serverless Connector. | string | null | no |
| verified_domain_name | List of custom domain names. | list(string) | [] | no |
| volumes | [Beta] Volumes needed for environment variables sourced from secrets. | list(object({ name = string, secret = set(object({ secret_name = string, items = map(string) })) })) | [] | no |
| vpc_egress_value | VPC egress setting for the service. Supported values: all-traffic, all (deprecated) and private-ranges-only. all-traffic and all are equivalent; all is deprecated but still supported, prefer all-traffic. | string | "private-ranges-only" | no |
| vpc_project_id | Host project of the Shared VPC. | string | n/a | yes |
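Several of the inputs above constrain each other in ways `terraform validate` cannot express (a bring-your-own Cloud Armor policy needs its name, the Artifact Registry grant needs all three repository coordinates, the load balancer needs a certificate source, a single-VPC deployment must keep the connector out of the "host" project). The script below is an added example, not code from the module or its authors; it checks those rules on a JSON tfvars file before `terraform apply`. The /28 requirement on ip_cidr_range is the connector subnet size Serverless VPC Access needs and is an assumption beyond what the table states; every value in the embedded sample tfvars is a constructed placeholder.

```python
"""Pre-apply validation of secure-cloud-run inputs.

Added example; not code from the module or its authors. Each rule is taken
from the Inputs table or the single-VPC note at the top of the README, except
the /28 size check, which is an assumption about Serverless VPC Access. All
sample values are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import json
import sys

ALLOWED_EGRESS = ("private-ranges-only", "all-traffic", "all")
AR_VARS = ("artifact_registry_repository_project_id",
           "artifact_registry_repository_location",
           "artifact_registry_repository_name")


def validate_inputs(v: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors break or misconfigure the apply, warnings weaken the posture."""
    errors, warnings = [], []

    try:
        net = ipaddress.ip_network(v.get("ip_cidr_range", ""), strict=True)
        if net.version != 4:
            errors.append("ip_cidr_range: only IPv4 is supported")
        elif net.prefixlen != 28:  # assumption: connector subnets are exactly /28
            errors.append(f"ip_cidr_range: connector subnet must be a /28, got /{net.prefixlen}")
    except ValueError:
        errors.append("ip_cidr_range: not a valid CIDR")

    if v.get("create_cloud_armor_policies", True) is False and not v.get("cloud_armor_policies_name"):
        errors.append("cloud_armor_policies_name is required when create_cloud_armor_policies is false")

    if v.get("grant_artifact_register_reader", False):
        missing = [k for k in AR_VARS if not v.get(k)]
        if missing:
            errors.append("grant_artifact_register_reader=true requires " + ", ".join(missing))

    certs = v.get("ssl_certificates") or {}
    if not certs.get("ssl_certificates_self_links") and not certs.get("generate_certificates_for_domains"):
        errors.append("ssl_certificates: give certificate self-links or domains to generate certificates for")

    # Single VPC: same project on both sides, and the note says the connector must not go to a "host" project.
    if v.get("vpc_project_id") == v.get("serverless_project_id") and v.get("connector_on_host_project", False):
        errors.append("single VPC (same vpc_project_id and serverless_project_id): connector_on_host_project must be false")

    egress = v.get("vpc_egress_value", "private-ranges-only")
    if egress not in ALLOWED_EGRESS:
        errors.append(f"vpc_egress_value: {egress!r} is not a supported value")
    elif egress != "private-ranges-only":
        warnings.append(f"vpc_egress_value={egress!r} differs from private-ranges-only, the value the module's "
                        "Cloud Run egress organization policy allows; review before applying")
        if egress == "all":
            warnings.append("vpc_egress_value=all is deprecated; prefer all-traffic")
    return errors, warnings


# Constructed sample tfvars (JSON form); every identifier is a placeholder.
SAMPLE_TFVARS = {
    "vpc_project_id": "vpc-host-prj",
    "kms_project_id": "kms-prj",
    "serverless_project_id": "serverless-prj",
    "shared_vpc_name": "shared-vpc",
    "ip_cidr_range": "10.10.0.0/28",
    "service_name": "hello-api",
    "location": "us-central1",
    "region": "us-central1",
    "image": "us-docker.pkg.dev/ar-prj/apps/hello:1.0.0",
    "cloud_run_sa": "hello-api@serverless-prj.iam.gserviceaccount.com",
    "ssl_certificates": {"ssl_certificates_self_links": [],
                         "generate_certificates_for_domains": ["api.example.com"]},
    "grant_artifact_register_reader": True,
    "artifact_registry_repository_project_id": "ar-prj",
    "artifact_registry_repository_location": "us",
    "artifact_registry_repository_name": "apps",
}
# Same inputs with three mistakes: a /24 range, a missing AR location, non-default egress.
BAD_TFVARS = dict(SAMPLE_TFVARS, ip_cidr_range="10.10.0.0/24",
                  artifact_registry_repository_location=None,
                  vpc_egress_value="all-traffic")

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else BAD_TFVARS
    errors, warnings = validate_inputs(data)
    for line in warnings:
        print("warning:", line)
    for line in errors:
        print("error:", line)
    sys.exit(1 if errors else 0)
```

Run `python3 validate_inputs.py my.tfvars.json` in CI before `terraform plan`; without an argument it validates the embedded bad sample and exits non-zero.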

Outputs

| Name | Description |
|------|-------------|
| cloud_services_sa | Cloud Services service account used by the Cloud Run service. |
| connector_id | Serverless VPC connector ID. |
| domain_map_id | Unique identifier of the created domain mapping. |
| domain_map_status | Status of the domain mapping. |
| gca_vpcaccess_sa | Service account for VPC Access. |
| key_self_link | Self-link of the Cloud KMS crypto key. |
| keyring_self_link | Self-link of the Cloud KMS keyring. |
| load_balancer_ip | IP address used by the load balancer. |
| revision | Deployed revision of the service. |
| run_identity_services_sa | Cloud Run service identity used to run services. |
| service_id | ID of the created service. |
| service_status | Status of the created service. |
| service_url | URL of the created service. |

Requirements

Software

The following dependencies must be available:

APIs

The Secure-cloud-run module will enable the following APIs in the Serverless Project:

  • Google VPC Access API: vpcaccess.googleapis.com
  • Compute API: compute.googleapis.com
  • Container Registry API: container.googleapis.com
  • Cloud Run API: run.googleapis.com

The Secure-cloud-run module will enable the following APIs in the VPC Project:

  • Google VPC Access API: vpcaccess.googleapis.com
  • Compute API: compute.googleapis.com

The Secure-cloud-run module will enable the following APIs in the KMS Project:

  • Cloud KMS API: cloudkms.googleapis.com

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • VPC Project
    • Compute Shared VPC Admin: roles/compute.xpnAdmin
    • Network Admin: roles/compute.networkAdmin
    • Security Admin: roles/compute.securityAdmin
    • Serverless VPC Access Admin: roles/vpcaccess.admin
  • KMS Project
    • Cloud KMS Admin: roles/cloudkms.admin
  • Serverless Project
    • Security Admin: roles/compute.securityAdmin
    • Serverless VPC Access Admin: roles/vpcaccess.admin
    • Cloud Run Developer: roles/run.developer
    • Compute Network User: roles/compute.networkUser
    • Artifact Registry Reader: roles/artifactregistry.reader

Note: The Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) must be granted to the Cloud Run service account (cloud_run_sa) so that secrets mounted through volumes can be read at runtime.