Commit 041dc740 authored by Ryan Kowalewski's avatar Ryan Kowalewski :man_dancing:

feat: migrate to use cloud run v2 resources

BREAKING CHANGE: migrate to cloud run v2 resources
parent 65a2882b
1 merge request!63Release 9.0
# load_balancer.tf configures Cloud Load Balancer resources for the Cloud Run
# service if var.use_load_balancer == true.
# load_balancer.tf configures Cloud Load Balancer resources for the Cloud Run service if
# var.enable_load_balancer == true.
# A network endpoint group for the "webapp" application.
resource "google_compute_region_network_endpoint_group" "webapp" {
count = var.use_load_balancer ? 1 : 0
count = var.enable_load_balancer ? 1 : 0
name = var.name
project = var.project
network_endpoint_type = "SERVERLESS"
region = var.cloud_run_region
region = var.region
cloud_run {
service = google_cloud_run_service.webapp.name
service = google_cloud_run_v2_service.webapp.name
}
provider = google-beta
}
resource "google_compute_ssl_policy" "default" {
count = var.use_load_balancer && var.ssl_policy == null ? 1 : 0
count = var.enable_load_balancer && var.ssl_policy == null ? 1 : 0
name = "${var.name}-modern"
project = var.project
profile = "MODERN"
min_tls_version = "TLS_1_2"
}
......@@ -28,7 +28,7 @@ resource "google_compute_ssl_policy" "default" {
#
# [1] https://registry.terraform.io/modules/GoogleCloudPlatform/lb-http/google/latest/submodules/serverless_negs
module "webapp_http_load_balancer" {
count = var.use_load_balancer ? 1 : 0
count = var.enable_load_balancer ? 1 : 0
# The double slash is important(!)
source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
......@@ -38,7 +38,7 @@ module "webapp_http_load_balancer" {
name = var.name
ssl = true
managed_ssl_certificate_domains = var.dns_names
managed_ssl_certificate_domains = [for k, v in var.dns_names : v]
ssl_policy = var.ssl_policy == null ? google_compute_ssl_policy.default[0].id : var.ssl_policy
https_redirect = true
......
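Review bot: `ssl_policy` (the context line in the second hunk) hands the TLS floor to the caller whenever `var.ssl_policy` is set, because the module's own `google_compute_ssl_policy.default` (MODERN profile, TLS 1.2 minimum) is then not created at all; nothing in the hunk says so, so I would add above that line `# A caller-supplied policy replaces the module's MODERN / TLS 1.2 floor entirely; the caller then owns it.` The new `managed_ssl_certificate_domains = [for k, v in var.dns_names : v]` can be written as `values(var.dns_names)`, which yields the same key-ordered list and drops the unused `k`. The `webapp_http_load_balancer` module body continues past the end of the hunk.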
......@@ -4,36 +4,44 @@ locals {
# Project containing existing Cloud SQL instance.
sql_instance_project = coalesce(var.sql_instance_project, var.project)
pre_deploy_job_image_name = var.pre_deploy_job_image_name == null ? var.image_name : var.pre_deploy_job_image_name
ingress = var.enable_load_balancer ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : var.ingress
pre_deploy_job_environment_variables = var.pre_deploy_job_environment_variables == null ? var.environment_variables : var.pre_deploy_job_environment_variables
# Whether we should monitor the custom domain - only possible if there are a dns names set and unauthenticated
# invocation is enabled.
can_monitor_custom_dns = length(var.dns_names) > 0 && var.allow_unauthenticated_invocations
webapp_allowed_ingress = var.use_load_balancer ? "internal-and-cloud-load-balancing" : var.allowed_ingress
create_vpc_connector = var.vpc_access == null && (
var.enable_static_egress_ip || (var.enable_monitoring && local.ingress != "INGRESS_TRAFFIC_ALL")
)
# Whether we should monitor the custom domain - only possible if there are a dns names
# set and unauthenticated invocation is enabled.
can_monitor_custom_dns = length(var.dns_names) > 0 && var.allow_unauthenticated_invocations
# Determines which VPC connector should be used for the Cloud Run service.
vpc_access = local.create_vpc_connector ? {
connector = google_vpc_access_connector.main[0].id
egress = "ALL_TRAFFIC"
network_interfaces = null
} : var.vpc_access
# Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
auth_proxy_vpc_access = local.create_vpc_connector ? {
connector = google_vpc_access_connector.main[0].id
egress = "ALL_TRAFFIC"
network_interfaces = null
} : var.vpc_access
# Map containing the hosts to monitor and whether an auth proxy and egress connector
# should be configured.
monitor_hosts = var.disable_monitoring ? {} : merge(
{
webapp = {
host = trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/"),
enable_auth_proxy = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
enable_egress_connector = local.webapp_allowed_ingress != "all"
},
# Map containing the hosts to monitor and whether an auth proxy and egress vpc access connector should be configured.
monitor_hosts = var.enable_monitoring ? merge({
default = {
host = trimsuffix(trimprefix(google_cloud_run_v2_service.webapp.uri, "https://"), "/"),
enable_auth_proxy = var.allow_unauthenticated_invocations == false || local.ingress != "INGRESS_TRAFFIC_ALL",
enable_egress_connector = local.ingress != "INGRESS_TRAFFIC_ALL"
},
},
local.can_monitor_custom_dns ? {
for dns_name in var.dns_names :
(dns_name) => {
host = dns_name
enable_auth_proxy = local.webapp_allowed_ingress == "internal",
enable_egress_connector = local.webapp_allowed_ingress == "internal"
for k, v in var.dns_names :
k => {
host = v
enable_auth_proxy = local.ingress == "INGRESS_TRAFFIC_INTERNAL_ONLY",
enable_egress_connector = local.ingress == "INGRESS_TRAFFIC_INTERNAL_ONLY"
}
} : {}
)
) : {}
}
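Review bot: `auth_proxy_vpc_access` is line for line the same expression as `vpc_access`, and its fallback is `var.vpc_access` rather than a proxy-specific input, so the separate `var.auth_proxy_egress_connector` fallback the old code had is gone; if sharing the webapp's VPC access with the auth proxy is intended, say so and collapse it to `auth_proxy_vpc_access = local.vpc_access`, otherwise the proxy needs its own variable again. The forced `INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER` is the security-relevant line here and has no comment; I would add `# Behind a load balancer, ingress is pinned to the LB so the run.app URL cannot be used to bypass it.` (that reading of the ingress setting comes from the GCP docs, not from this file). `var.allow_unauthenticated_invocations == false` is the `!var.allow_unauthenticated_invocations` the old code used; keep the shorter form. The `locals` block opens before the first hunk line.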
......@@ -2,7 +2,7 @@
output "service" {
description = "Webapp Cloud Run service resource"
value = google_cloud_run_service.webapp
value = google_cloud_run_v2_service.webapp
}
output "service_account" {
......@@ -12,7 +12,7 @@ output "service_account" {
output "load_balancer" {
description = "Load balancer for the webapp"
value = module.webapp_http_load_balancer
value = try(module.webapp_http_load_balancer[0], null)
}
output "static_egress_ip" {
......@@ -20,5 +20,5 @@ output "static_egress_ip" {
The static egress IP assigned to this cloud run instance. Only populated
if the variable `enable_static_egress_ip` is true.
EOI
value = var.enable_static_egress_ip ? google_compute_address.static-ip[0].address : ""
value = var.enable_static_egress_ip ? google_compute_address.static_ip[0].address : ""
}
# secrets.tf
# The Cloud Run service accounts need access to the Secret Manager secrets
# to be able to mount them as volumes or envars.
locals {
# List containing Secret Manager secrets IDs used in `var.secrets_volume`
# and `var.secrets_envars`
secret_ids = toset([
for secret in concat(var.secrets_volume, var.secrets_envars) : secret.id
])
}
# Grant the Cloud Run service account "secretmanager.secretAccessor" role
# to be able to access Secret Manager secrets to be mounted as volumes
# or environment variables.
resource "google_secret_manager_secret_iam_member" "secrets_access" {
for_each = local.secret_ids
project = var.project
secret_id = each.key
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.webapp.email}"
}
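Review bot: The header comment says "service accounts" (plural) but the binding grants `roles/secretmanager.secretAccessor` only to `google_service_account.webapp`; if the pre-deploy job referenced in the locals runs under a different service account it cannot read the same secrets (whether it does is not visible here), so either bind that account too or tighten the comment to `# The webapp service account needs access to the Secret Manager secrets it mounts as volumes or envars.` `project = var.project` also assumes every secret lives in the service's project; if `secrets_volume`/`secrets_envars` entries can name secrets elsewhere, the binding lands in the wrong project or fails, so document that restriction on the variables or carry a project per entry. Using `_iam_member` rather than `_iam_binding` is the right non-authoritative choice and keeps the grant scoped per secret.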
# Create a subnet, vpc access connector, router and nat to allow a cloud run instance
# to be assigned a static ip.
# The VPC connector is assigned to the cloud run's annotations.
# This follows the steps detailed here: https://cloud.google.com/run/docs/configuring/static-outbound-ip
# Create a subnet, vpc access connector, router, and nat to allow a cloud run instance to be assigned a static ip. The
# VPC connector is assigned to the cloud run's annotations. This follows the steps detailed here:
# https://cloud.google.com/run/docs/configuring/static-outbound-ip
resource "google_compute_subnetwork" "isolated-subnet" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-isolated-subnet-for-static-ip"
ip_cidr_range = var.static_egress_ip_cidr_range
network = "default"
region = var.cloud_run_region
# trivy:ignore:AVD-GCP-0029
resource "google_compute_subnetwork" "vpc_connector" {
count = local.create_vpc_connector ? 1 : 0
name = "${var.name}-vpc-connector"
project = var.project
ip_cidr_range = var.static_egress_ip_cidr_range
network = "default"
region = var.region
private_ip_google_access = true
}
resource "google_vpc_access_connector" "static-ip-connector" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-connector"
subnet {
name = google_compute_subnetwork.isolated-subnet[0].name
}
region = var.cloud_run_region
resource "google_vpc_access_connector" "main" {
count = local.create_vpc_connector ? 1 : 0
name = "${var.name}-conn"
project = var.project
region = var.region
max_throughput = var.vpc_access_connector_max_throughput
lifecycle {
ignore_changes = [
network,
]
subnet {
name = google_compute_subnetwork.vpc_connector[0].name
}
provider = google-beta
}
resource "google_compute_router" "static-ip-router" {
count = var.enable_static_egress_ip ? 1 : 0
resource "google_compute_router" "static_ip" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-ip-router"
project = var.project
network = "default"
region = var.cloud_run_region
region = var.region
}
resource "google_compute_address" "static-ip" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-static-ip"
region = var.cloud_run_region
resource "google_compute_address" "static_ip" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-static-ip"
project = var.project
region = var.region
# We do not expect that static IPs should be regularly removed and recreated,
# as it's likely that they will be used within firewall configuration outside
......@@ -51,18 +52,43 @@ resource "google_compute_address" "static-ip" {
}
}
resource "google_compute_router_nat" "static-ip-nat" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-static-ip-nat"
router = google_compute_router.static-ip-router[0].name
nat_ips = [google_compute_address.static-ip[0].self_link]
nat_ip_allocate_option = "MANUAL_ONLY"
region = var.cloud_run_region
min_ports_per_vm = var.min_ports_per_vm
resource "google_compute_router_nat" "static_ip" {
count = var.enable_static_egress_ip ? 1 : 0
name = "${var.name}-static-ip-nat"
project = var.project
router = google_compute_router.static_ip[0].name
nat_ips = [google_compute_address.static_ip[0].self_link]
nat_ip_allocate_option = "MANUAL_ONLY"
region = var.region
min_ports_per_vm = var.min_ports_per_vm
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.isolated-subnet[0].id
name = (
local.create_vpc_connector ? google_compute_subnetwork.vpc_connector[0].id : var.static_egress_ip_subnetwork_id
)
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
}
moved {
from = google_compute_subnetwork.isolated-subnet
to = google_compute_subnetwork.vpc_connector
}
moved {
from = google_vpc_access_connector.static-ip-connector
to = google_vpc_access_connector.main
}
moved {
from = google_compute_router.static-ip-router
to = google_compute_router.static_ip
}
moved {
from = google_compute_address.static-ip
to = google_compute_address.static_ip
}
moved {
from = google_compute_router_nat.static-ip-nat
to = google_compute_router_nat.static_ip
}
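Review bot: The NAT's `subnetwork.name` falls back to `var.static_egress_ip_subnetwork_id` whenever `local.create_vpc_connector` is false, which is the case as soon as the caller supplies `vpc_access`; if that variable is left unset (its default is not visible here) the plan fails with a generic missing-argument error on `subnetwork.name` instead of telling the caller what to pair, and when it is set the caller's own connector is silently assumed to live in that subnet. With `required_version` at `>= 1.3` a `precondition` on `google_compute_router_nat.static_ip` makes the pairing explicit (below). Two smaller things on the new subnetwork/router: `network = "default"` stays hard-coded, so the module only works in projects that keep the auto-created default VPC and its permissive default firewall rules, and the `# trivy:ignore:AVD-GCP-0029` suppression carries no justification, so put the reason on the same line after the ID. The `moved` blocks keep state continuity for the renames, which is right.

```hcl
resource "google_compute_router_nat" "static_ip" {
  # … unchanged: count, name, project, router, nat_ips, allocation option, region, ports, subnetwork …

  lifecycle {
    precondition {
      condition     = local.create_vpc_connector || var.static_egress_ip_subnetwork_id != null
      error_message = "static_egress_ip_subnetwork_id must be set when enable_static_egress_ip is true and vpc_access is supplied (the module then creates no connector subnet for the NAT)."
    }
  }
}
```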
# versions.tf defines minimum provider versions for the module
terraform {
required_version = ">= 1.3"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 3.70, < 5.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 3.70, < 5.0"
version = ">= 4.0"
}
null = {
source = "hashicorp/null"
version = ">= 3.0"
}
}
required_version = ">= 1.0, < 2.0"
}
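Review bot: The google-beta constraint becomes `>= 4.0` with no upper bound while google keeps `>= 3.70, < 5.0`, so a future google-beta major can be resolved next to a 4.x google provider even though both are used for the same resources in this commit (the NEG and the connector carry `provider = google-beta`); keep them in one window, `version = ">= 4.0, < 5.0"`, and raise google to `>= 4.0` as well, since the Cloud Run v2 resource was, as far as I recall, introduced in a 4.x release and `>= 3.70` is no longer a meaningful floor. Two `required_version` lines are visible (`>= 1.3` and `>= 1.0, < 2.0`); if `>= 1.3` is the new one it covers the `moved` blocks, but it should also keep the `< 2.0` cap the old line had. The `null` provider constraint is unchanged.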