locals.tf

# locals.tf defines common expressions used by the module.

locals {
  # Project containing existing Cloud SQL instance.
  sql_instance_project = coalesce(var.sql_instance_project, var.project)

  # Should a DNS domain mapping be created?
  domain_mapping_present = anytrue([for dm in google_cloud_run_domain_mapping.webapp : true])

  # DNS names for web app
  dns_names = var.dns_name != "" ? [var.dns_name] : var.dns_names

  # DNS records for webapp. Merge records from any domain mappings or load balancers.
  dns_records = flatten(concat(
    [
      for domain_mapping in google_cloud_run_domain_mapping.webapp : [
        {
          type   = domain_mapping.status[0].resource_records[0].type
          rrdata = domain_mapping.status[0].resource_records[0].rrdata
        }
      ]
    ],
    [
      for load_balancer in module.webapp_http_load_balancer : [
        {
          type   = "A"
          rrdata = load_balancer.external_ip
        },
        {
          type   = "AAAA"
          rrdata = load_balancer.external_ipv6_address
        }
      ]
    ]
  ))

  pre_deploy_job_image_name = var.pre_deploy_job_image_name == null ? var.image_name : var.pre_deploy_job_image_name

  pre_deploy_job_environment_variables = var.pre_deploy_job_environment_variables == null ? var.environment_variables : var.pre_deploy_job_environment_variables

  # Certain ingress styles imply that we disallow external access to the base Cloud Run service.
  webapp_allowed_ingress = lookup({
    load-balancer = "internal-and-cloud-load-balancing"
  }, var.ingress_style, var.allowed_ingress)

  # Whether we should monitor the custom domain - only possible if there are a dns names
  # set and unauthenticated invocation is enabled.
  can_monitor_custom_dns = length(local.dns_names) > 0 && var.allow_unauthenticated_invocations

  # Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
  auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector

  # Map containing the hosts to monitor and whether an auth proxy and egress connector
  # should be configured.
  monitor_hosts = var.disable_monitoring ? {} : merge(
    {
      webapp = {
        host                    = trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/"),
        enable_auth_proxy       = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
        enable_egress_connector = local.webapp_allowed_ingress != "all"
      },
    },
    local.can_monitor_custom_dns ? {
      for dns_name in local.dns_names :
      (dns_name) => {
        host                    = dns_name
        enable_auth_proxy       = local.webapp_allowed_ingress == "internal",
        enable_egress_connector = local.webapp_allowed_ingress == "internal"
      }
    } : {}
  )
}