
Commit 58904879 authored by Mike Bamford's avatar Mike Bamford

Merge branch 'uptime-function-egress' into 'v3'

Added interface for auth proxy egress settings

See merge request !36
parents e3638ca3 4c97f487
Pipeline #105394 passed with stage
in 49 seconds
......@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [3.1.3] - 2021-07-16
### Changed
- Added interface for authentication proxy Cloud Function egress settings. Required
for uptime check configuration of internal services.
## [3.1.2] - 2021-07-15
### Changed
- Surface Cloud NAT variable for minimum number of SNAT tuples, supporting a larger
......
......@@ -17,10 +17,21 @@ locals {
# set and unauthenticated invocation is enabled
can_monitor_custom_dns = var.dns_name != "" && var.allow_unauthenticated_invocations
# Hosts to monitor. We use the automatic host from Cloud Run and any custom
# domain mapped host, if can_monitor_custom_dns is true
monitor_hosts = var.disable_monitoring ? [] : concat(
[trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/")],
local.can_monitor_custom_dns ? [var.dns_name] : []
# Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
# Map containing the hosts to monitor and whether an auth proxy and egress connector
# should be configured.
monitor_hosts = var.disable_monitoring ? {} : merge(
{
trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
"enable_auth_proxy" = !var.allow_unauthenticated_invocations || var.allowed_ingress != "all",
"enable_egress_connector" = var.allowed_ingress != "all"
},
},
local.can_monitor_custom_dns ? { (var.dns_name) = {
"enable_auth_proxy" = var.allowed_ingress == "internal",
"enable_egress_connector" = var.allowed_ingress == "internal"
} } : {}
)
}
......@@ -240,11 +240,11 @@ resource "google_cloud_run_domain_mapping" "webapp" {
}
module "uptime_monitoring" {
for_each = toset(local.monitor_hosts)
for_each = local.monitor_hosts
source = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v1"
host = each.value
host = each.key
project = var.project
alert_email_addresses = var.alerting_email_address != "" ? [var.alerting_email_address] : []
......@@ -264,15 +264,16 @@ module "uptime_monitoring" {
alert_enabled = var.alerting_enabled
}
# if unathenticated access is not allowed, configure the monitoring to use
# an authentication proxy, allowing the monitoring checks to invoke the cloud
# run instance.
authentication_proxy = !var.allow_unauthenticated_invocations ? {
enabled = true
cloud_run_project = google_cloud_run_service.webapp.project
cloud_run_service_name = google_cloud_run_service.webapp.name
cloud_run_region = var.cloud_run_region
} : {}
# If required, configure the monitoring to use an authentication proxy, allowing
# the monitoring checks to invoke the cloud run instance.
authentication_proxy = {
enabled = each.value.enable_auth_proxy
cloud_run_project = google_cloud_run_service.webapp.project
cloud_run_service_name = google_cloud_run_service.webapp.name
cloud_run_region = var.cloud_run_region
egress_connector = each.value.enable_egress_connector ? local.auth_proxy_egress_connector : ""
egress_connector_settings = each.value.enable_egress_connector && local.auth_proxy_egress_connector != "" ? "ALL_TRAFFIC" : null
}
providers = {
google = google.stackdriver
......
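Review bot: On the new `egress_connector` / `egress_connector_settings` lines (the `authentication_proxy` block in the `@@ -264` hunk), a host flagged `enable_egress_connector = true` while `local.auth_proxy_egress_connector` is `""` (static egress disabled and `auth_proxy_egress_connector` left at its default) yields a proxy with an empty connector and `null` settings, so a check against an internal-ingress service is expected to fail only at runtime as a failed uptime check rather than at plan time. Nothing in the hunk or in the `locals` hunk rejects that combination, and a `validation` block on the variable cannot see `allowed_ingress` or `enable_static_egress_ip`, so if the module's Terraform version supports it a `precondition` on `module "uptime_monitoring"` (or the `locals` block) that requires a non-empty connector whenever `var.allowed_ingress != "all"` would surface the misconfiguration early. At minimum, a comment above `egress_connector = …` should state the fall-through: `# If egress is required but no connector is configured (static egress disabled and auth_proxy_egress_connector unset), the proxy is created without one and checks against internal-ingress hosts will fail.` The `module "uptime_monitoring"` block starts in the previous hunk and its remaining attributes continue past this one.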
......@@ -215,7 +215,19 @@ variable "min_ports_per_vm" {
description = <<-EOL
When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per VM
can be configured to determine how many concurrent connections can be established
to the same destination IP address and port.
to the same destination IP address and port.
EOL
}
variable "auth_proxy_egress_connector" {
type = string
default = ""
description = <<-EOL
When an auth proxy Function is created for uptime check of internal services, a VPC connector
should be provided to route the Function's egress traffic through it to reach the webapp
Cloud Run service.
If static IP is enabled, its configured VPC connector will be used instead.
EOL
}
......
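Review bot: The description of the new `auth_proxy_egress_connector` variable does not say what form the value must take, yet in `locals` it is used interchangeably with `google_vpc_access_connector.static-ip-connector[0].id`, so it must be the connector's full resource id (presumably `projects/<project>/locations/<region>/connectors/<name>`, not the bare connector name) — confirm against the monitoring module's input. Add a sentence such as `The value must be the connector's full resource id, as returned by the google_vpc_access_connector resource's id attribute.` and, for symmetry with the `locals` comment, mention that it is only consulted when `allowed_ingress` is not `"all"`. Minor wording: "for uptime check of internal services" reads better as "for uptime checks of internal services".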