# locals.tf defines common expressions used by the module.
locals {
# Project containing the existing Cloud SQL instance. Falls back to var.project
# when var.sql_instance_project is null or an empty string (coalesce skips both).
sql_instance_project = coalesce(var.sql_instance_project, var.project)
# True when at least one google_cloud_run_domain_mapping.webapp instance exists;
# anytrue() of an empty list is false.
domain_mapping_present = anytrue([for dm in google_cloud_run_domain_mapping.webapp : true])
# DNS names for the web app. A non-empty var.dns_name takes precedence, in which
# case var.dns_names is ignored entirely.
dns_names = var.dns_name != "" ? [var.dns_name] : var.dns_names
# DNS records for webapp. Merge records from any domain mappings or load balancers.
# Each entry is an object with "type" and "rrdata"; flatten() collapses the
# per-resource lists into a single flat list.
# NOTE(review): only resource_records[0] of each domain mapping is read. If a
# mapping's status reports more than one record, the remaining ones are not
# included here - confirm that this is intended.
dns_records = flatten(concat(
[
for domain_mapping in google_cloud_run_domain_mapping.webapp : [
{
type = domain_mapping.status[0].resource_records[0].type
rrdata = domain_mapping.status[0].resource_records[0].rrdata
}
]
],
[
# Every load balancer contributes one A record (IPv4) and one AAAA record (IPv6).
for load_balancer in module.webapp_http_load_balancer : [
{
type = "A"
rrdata = load_balancer.external_ip
},
{
type = "AAAA"
rrdata = load_balancer.external_ipv6_address
}
]
]
))
# Effective ingress setting for the Cloud Run service. With the "load-balancer"
# ingress style the value is forced to "internal-and-cloud-load-balancing",
# overriding var.allowed_ingress, so that external access to the base Cloud Run
# service is disallowed. Any other ingress style uses var.allowed_ingress as given.
# NOTE(review): nothing in this expression restricts var.allowed_ingress;
# presumably the variable declaration validates it - confirm, since "all" leaves
# the base service URL open to direct requests.
webapp_allowed_ingress = lookup({
load-balancer = "internal-and-cloud-load-balancing"
}, var.ingress_style, var.allowed_ingress)
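# Whether the 'beta' launch stage must be enabled. True when
# `enable_beta_launch_stage` is set downstream, or when var.secrets_volume or
# var.secrets_envars is non-empty (the beta functionality that requires it).
# The parenthesised expression is closed here so the next local parses as a
# separate attribute.
enable_beta_launch_stage = (
  var.enable_beta_launch_stage || length(var.secrets_volume) != 0 || length(var.secrets_envars) != 0
)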
# Whether we should monitor the custom domain - only possible if there is a dns_name
# set and unauthenticated invocation is enabled.
# NOTE(review): only var.dns_name is checked; names supplied through
# var.dns_names do not make this true - confirm that is intended.
can_monitor_custom_dns = var.dns_name != "" && var.allow_unauthenticated_invocations
# Holds which VPC connector can be used for the auth proxy Cloud Function egress settings.
# When var.enable_static_egress_ip is true the module's own static-ip connector is
# used and var.auth_proxy_egress_connector is ignored.
# NOTE(review): the [0] index assumes google_vpc_access_connector.static-ip-connector
# is created whenever var.enable_static_egress_ip is true - confirm against the
# resource's count.
auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
# Map containing the hosts to monitor and whether an auth proxy and egress connector
# should be configured.
monitor_hosts = var.disable_monitoring ? {} : merge(
{
trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
"enable_auth_proxy" = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
"enable_egress_connector" = local.webapp_allowed_ingress != "all"
},
},
local.can_monitor_custom_dns ? { (var.dns_name) = {
"enable_auth_proxy" = local.webapp_allowed_ingress == "internal",
"enable_egress_connector" = local.webapp_allowed_ingress == "internal"