
Commit 257eae6b authored by Dr Abraham Martin's avatar Dr Abraham Martin

Merge branch '31-merge-master-into-v4' into 'v4'

Merge master into v4

See merge request !40
parents c3350c00 5a7f9d85
......@@ -18,6 +18,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Add the requirement for an explicit image_name to deploy, which breaks previous
versions that ignored image updates.
## [3.1.3] - 2021-07-16
### Changed
- Added interface for authentication proxy Cloud Function egress settings. Required
for uptime check configuration of internal services.
## [3.1.2] - 2021-07-15
### Changed
- Surface Cloud NAT variable for minimum number of SNAT tuples, supporting a larger
......@@ -45,10 +45,25 @@ locals {
var.enable_beta_launch_stage || length(var.secrets_volume) != 0 || length(var.secrets_envars) != 0
)
# Hosts to monitor. We use the automatic host from Cloud Run and any custom
# domain mapped host.
monitor_hosts = var.disable_monitoring ? [] : concat(
[trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/")],
var.allow_unauthenticated_invocations ? local.dns_names : [],
# Whether we should monitor the custom domain - only possible if there is a dns_name
# set and unauthenticated invocation is enabled
can_monitor_custom_dns = var.dns_name != "" && var.allow_unauthenticated_invocations
# Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
# Map containing the hosts to monitor and whether an auth proxy and egress connector
# should be configured.
monitor_hosts = var.disable_monitoring ? {} : merge(
{
trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
"enable_auth_proxy" = !var.allow_unauthenticated_invocations || var.allowed_ingress != "all",
"enable_egress_connector" = var.allowed_ingress != "all"
},
},
local.can_monitor_custom_dns ? { (var.dns_name) = {
"enable_auth_proxy" = var.allowed_ingress == "internal",
"enable_egress_connector" = var.allowed_ingress == "internal"
} } : {}
)
}
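Review bot: The two entries of the new `monitor_hosts` map treat the `internal-and-cloud-load-balancing` ingress setting differently, and the comment above the map does not explain why: the Cloud Run host enables the auth proxy and the egress connector whenever `var.allowed_ingress != "all"`, while the custom DNS entry enables both only when `var.allowed_ingress == "internal"`. If that asymmetry is intentional it deserves a comment next to the custom entry, e.g. `# The custom domain is only expected to need the proxy and VPC egress for "internal" ingress; "internal-and-cloud-load-balancing" is assumed reachable without them — confirm`; if it is not, the custom entry should use the same `!= "all"` test as the Cloud Run host. A second, related gap is that `enable_egress_connector` can be true while `local.auth_proxy_egress_connector` resolves to `""` (no static-IP connector and `var.auth_proxy_egress_connector` left at its default), which nothing in this hunk flags. The enclosing `locals` block starts outside the hunk.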
......@@ -233,11 +233,11 @@ resource "google_cloud_run_domain_mapping" "webapp" {
}
module "uptime_monitoring" {
for_each = toset(local.monitor_hosts)
for_each = local.monitor_hosts
source = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v1"
host = each.value
host = each.key
project = var.project
alert_email_addresses = var.alerting_email_address != "" ? [var.alerting_email_address] : []
......@@ -257,15 +257,16 @@ module "uptime_monitoring" {
alert_enabled = var.alerting_enabled
}
# if unathenticated access is not allowed, configure the monitoring to use
# an authentication proxy, allowing the monitoring checks to invoke the cloud
# run instance.
authentication_proxy = !var.allow_unauthenticated_invocations ? {
enabled = true
cloud_run_project = google_cloud_run_service.webapp.project
cloud_run_service_name = google_cloud_run_service.webapp.name
cloud_run_region = var.cloud_run_region
} : {}
# If required, configure the monitoring to use an authentication proxy, allowing
# the monitoring checks to invoke the cloud run instance.
authentication_proxy = {
enabled = each.value.enable_auth_proxy
cloud_run_project = google_cloud_run_service.webapp.project
cloud_run_service_name = google_cloud_run_service.webapp.name
cloud_run_region = var.cloud_run_region
egress_connector = each.value.enable_egress_connector ? local.auth_proxy_egress_connector : ""
egress_connector_settings = each.value.enable_egress_connector && local.auth_proxy_egress_connector != "" ? "ALL_TRAFFIC" : null
}
providers = {
google = google.stackdriver
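Review bot: The `egress_connector` assignment in the new `authentication_proxy` block degrades silently when `each.value.enable_egress_connector` is true but `local.auth_proxy_egress_connector` is empty: the proxy is created with no VPC egress and `egress_connector_settings` falls back to `null`, so an uptime check against an internal-ingress service will fail (and alert) at runtime rather than being rejected at plan time. I would document that next to the two lines, e.g. `# An internal-ingress host needs a VPC connector for the proxy's egress; with none configured the check cannot reach the service.`, and, if the module's Terraform version supports it, add a `lifecycle { precondition }` that rejects an egress-requiring host with an empty connector. The `for_each` change in the first hunk keeps the host string as the instance key, so existing resource addresses appear to be preserved. The `module "uptime_monitoring"` block continues outside the hunk.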
......@@ -280,7 +280,19 @@ variable "min_ports_per_vm" {
description = <<-EOL
When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per VM
can be configured to determine how many concurrent connections can be established
to the same destination IP address and port.
to the same destination IP address and port.
EOL
}
variable "auth_proxy_egress_connector" {
type = string
default = ""
description = <<-EOL
When an auth proxy Function is created for uptime check of internal services, a VPC connector
should be provided to route the Function's egress traffic through it to reach the webapp
Cloud Run service.
If static IP is enabled, its configured VPC connector will be used instead.
EOL
}
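Review bot: The description of the new `auth_proxy_egress_connector` variable does not say what form the value takes. The static-IP branch in this commit's locals substitutes `google_vpc_access_connector.static-ip-connector[0].id` for it, so callers presumably need to pass the connector's full resource id rather than its short name; a sentence such as `Provide the connector's resource id (the id attribute of a google_vpc_access_connector), not just its name.` in the heredoc would avoid that guess. The variable has no `validation` block, so a malformed value is only caught when the Function is applied, which is acceptable but worth stating in the description.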