feat: migrate to use cloud run v2 resources

BREAKING CHANGE: migrate to cloud run v2 resources

feat: migrate to use cloud run v2 resources
BREAKING CHANGE: migrate to cloud run v2 resources
041dc740 · Ryan Kowalewski · 65a2882b · 041dc740 · 041dc740 · 041dc740
Commit 041dc740 authored 1 year ago by Ryan Kowalewski
--- a/load_balancer.tf
+++ b/load_balancer.tf
-# load_balancer.tf configures Cloud Load Balancer resources for the Cloud Run
-# service if var.use_load_balancer == true.
+# load_balancer.tf configures Cloud Load Balancer resources for the Cloud Run service if
+# var.enable_load_balancer == true.

 # A network endpoint group for the "webapp" application.
 resource "google_compute_region_network_endpoint_group" "webapp" {
-  count = var.use_load_balancer ? 1 : 0
+  count = var.enable_load_balancer ? 1 : 0

  name                  = var.name
+  project               = var.project
  network_endpoint_type = "SERVERLESS"
-  region                = var.cloud_run_region
+  region                = var.region
  cloud_run {
-    service = google_cloud_run_service.webapp.name
+    service = google_cloud_run_v2_service.webapp.name
  }
-
-  provider = google-beta
 }

 resource "google_compute_ssl_policy" "default" {
-  count = var.use_load_balancer && var.ssl_policy == null ? 1 : 0
+  count = var.enable_load_balancer && var.ssl_policy == null ? 1 : 0

  name            = "${var.name}-modern"
+  project         = var.project
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
 }
@@ -28,7 +28,7 @@ resource "google_compute_ssl_policy" "default" {
 #
 # [1] https://registry.terraform.io/modules/GoogleCloudPlatform/lb-http/google/latest/submodules/serverless_negs
 module "webapp_http_load_balancer" {
-  count = var.use_load_balancer ? 1 : 0
+  count = var.enable_load_balancer ? 1 : 0

  # The double slash is important(!)
  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
@@ -38,7 +38,7 @@ module "webapp_http_load_balancer" {
  name    = var.name

  ssl                             = true
-  managed_ssl_certificate_domains = var.dns_names
+  managed_ssl_certificate_domains = [for k, v in var.dns_names : v]
  ssl_policy                      = var.ssl_policy == null ? google_compute_ssl_policy.default[0].id : var.ssl_policy
  https_redirect                  = true


--- a/locals.tf
+++ b/locals.tf
@@ -4,36 +4,44 @@ locals {
  # Project containing existing Cloud SQL instance.
  sql_instance_project = coalesce(var.sql_instance_project, var.project)

-  pre_deploy_job_image_name = var.pre_deploy_job_image_name == null ? var.image_name : var.pre_deploy_job_image_name
+  ingress = var.enable_load_balancer ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : var.ingress

-  pre_deploy_job_environment_variables = var.pre_deploy_job_environment_variables == null ? var.environment_variables : var.pre_deploy_job_environment_variables
+  # Whether we should monitor the custom domain - only possible if there are a dns names set and unauthenticated
+  # invocation is enabled.
+  can_monitor_custom_dns = length(var.dns_names) > 0 && var.allow_unauthenticated_invocations

-  webapp_allowed_ingress = var.use_load_balancer ? "internal-and-cloud-load-balancing" : var.allowed_ingress
+  create_vpc_connector = var.vpc_access == null && (
+    var.enable_static_egress_ip || (var.enable_monitoring && local.ingress != "INGRESS_TRAFFIC_ALL")
+  )

-  # Whether we should monitor the custom domain - only possible if there are a dns names
-  # set and unauthenticated invocation is enabled.
-  can_monitor_custom_dns = length(var.dns_names) > 0 && var.allow_unauthenticated_invocations
+  # Determines which VPC connector should be used for the Cloud Run service.
+  vpc_access = local.create_vpc_connector ? {
+    connector          = google_vpc_access_connector.main[0].id
+    egress             = "ALL_TRAFFIC"
+    network_interfaces = null
+  } : var.vpc_access

-  # Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
-  auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
+  auth_proxy_vpc_access = local.create_vpc_connector ? {
+    connector          = google_vpc_access_connector.main[0].id
+    egress             = "ALL_TRAFFIC"
+    network_interfaces = null
+  } : var.vpc_access

-  # Map containing the hosts to monitor and whether an auth proxy and egress connector
-  # should be configured.
-  monitor_hosts = var.disable_monitoring ? {} : merge(
-    {
-      webapp = {
-        host                    = trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/"),
-        enable_auth_proxy       = !var.allow_unauthenticated_invocations || local.webapp_allowed_ingress != "all",
-        enable_egress_connector = local.webapp_allowed_ingress != "all"
-      },
+  # Map containing the hosts to monitor and whether an auth proxy and egress vpc access connector should be configured.
+  monitor_hosts = var.enable_monitoring ? merge({
+    default = {
+      host                    = trimsuffix(trimprefix(google_cloud_run_v2_service.webapp.uri, "https://"), "/"),
+      enable_auth_proxy       = var.allow_unauthenticated_invocations == false || local.ingress != "INGRESS_TRAFFIC_ALL",
+      enable_egress_connector = local.ingress != "INGRESS_TRAFFIC_ALL"
+    },
    },
    local.can_monitor_custom_dns ? {
-      for dns_name in var.dns_names :
-      (dns_name) => {
-        host                    = dns_name
-        enable_auth_proxy       = local.webapp_allowed_ingress == "internal",
-        enable_egress_connector = local.webapp_allowed_ingress == "internal"
+      for k, v in var.dns_names :
+      k => {
+        host                    = v
+        enable_auth_proxy       = local.ingress == "INGRESS_TRAFFIC_INTERNAL_ONLY",
+        enable_egress_connector = local.ingress == "INGRESS_TRAFFIC_INTERNAL_ONLY"
      }
    } : {}
-  )
+  ) : {}
 }
--- a/main.tf
+++ b/main.tf
--- a/outputs.tf
+++ b/outputs.tf
@@ -2,7 +2,7 @@

 output "service" {
  description = "Webapp Cloud Run service resource"
-  value       = google_cloud_run_service.webapp
+  value       = google_cloud_run_v2_service.webapp
 }

 output "service_account" {
@@ -12,7 +12,7 @@ output "service_account" {

 output "load_balancer" {
  description = "Load balancer for the webapp"
-  value       = module.webapp_http_load_balancer
+  value       = try(module.webapp_http_load_balancer[0], null)
 }

 output "static_egress_ip" {
@@ -20,5 +20,5 @@ output "static_egress_ip" {
 The static egress IP assigned to this cloud run instance. Only populated
 if the variable `enable_static_egress_ip` is true.
 EOI
-  value       = var.enable_static_egress_ip ? google_compute_address.static-ip[0].address : ""
+  value       = var.enable_static_egress_ip ? google_compute_address.static_ip[0].address : ""
 }
--- a/secrets.tf
+++ b/secrets.tf
-# secrets.tf
-# The Cloud Run service accounts need access to the Secret Manager secrets
-# to be able to mount them as volumes or envars.
-
-locals {
-  # List containing Secret Manager secrets IDs used in `var.secrets_volume`
-  # and `var.secrets_envars`
-  secret_ids = toset([
-    for secret in concat(var.secrets_volume, var.secrets_envars) : secret.id
-  ])
-}
-
-# Grant the Cloud Run service account "secretmanager.secretAccessor" role
-# to be able to access Secret Manager secrets to be mounted as volumes
-# or environment variables.
-resource "google_secret_manager_secret_iam_member" "secrets_access" {
-  for_each  = local.secret_ids
-  project   = var.project
-  secret_id = each.key
-  role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${google_service_account.webapp.email}"
-}
--- a/static_egress_ip.tf
+++ b/static_egress_ip.tf
-# Create a subnet, vpc access connector, router and nat to allow a cloud run instance
-# to be assigned a static ip.
-# The VPC connector is assigned to the cloud run's annotations.
-# This follows the steps detailed here: https://cloud.google.com/run/docs/configuring/static-outbound-ip
+# Create a subnet, vpc access connector, router,  and nat to allow a cloud run instance to be assigned a static ip. The
+# VPC connector is assigned to the cloud run's annotations. This follows the steps detailed here:
+# https://cloud.google.com/run/docs/configuring/static-outbound-ip

-resource "google_compute_subnetwork" "isolated-subnet" {
-  count         = var.enable_static_egress_ip ? 1 : 0
-  name          = "${var.name}-isolated-subnet-for-static-ip"
-  ip_cidr_range = var.static_egress_ip_cidr_range
-  network       = "default"
-  region        = var.cloud_run_region
+# trivy:ignore:AVD-GCP-0029
+resource "google_compute_subnetwork" "vpc_connector" {
+  count = local.create_vpc_connector ? 1 : 0
+
+  name                     = "${var.name}-vpc-connector"
+  project                  = var.project
+  ip_cidr_range            = var.static_egress_ip_cidr_range
+  network                  = "default"
+  region                   = var.region
+  private_ip_google_access = true
 }

-resource "google_vpc_access_connector" "static-ip-connector" {
-  count = var.enable_static_egress_ip ? 1 : 0
-  name  = "${var.name}-connector"
-  subnet {
-    name = google_compute_subnetwork.isolated-subnet[0].name
-  }
-  region = var.cloud_run_region
+resource "google_vpc_access_connector" "main" {
+  count = local.create_vpc_connector ? 1 : 0

+  name           = "${var.name}-conn"
+  project        = var.project
+  region         = var.region
  max_throughput = var.vpc_access_connector_max_throughput

-  lifecycle {
-    ignore_changes = [
-      network,
-    ]
+  subnet {
+    name = google_compute_subnetwork.vpc_connector[0].name
  }
-
-  provider = google-beta
 }

-resource "google_compute_router" "static-ip-router" {
-  count   = var.enable_static_egress_ip ? 1 : 0
+resource "google_compute_router" "static_ip" {
+  count = var.enable_static_egress_ip ? 1 : 0
+
  name    = "${var.name}-ip-router"
+  project = var.project
  network = "default"
-  region  = var.cloud_run_region
+  region  = var.region
 }

-resource "google_compute_address" "static-ip" {
-  count  = var.enable_static_egress_ip ? 1 : 0
-  name   = "${var.name}-static-ip"
-  region = var.cloud_run_region
+resource "google_compute_address" "static_ip" {
+  count = var.enable_static_egress_ip ? 1 : 0
+
+  name    = "${var.name}-static-ip"
+  project = var.project
+  region  = var.region

  # We do not expect that static IPs should be regularly removed and recreated,
  # as it's likely that they will be used within firewall configuration outside
@@ -51,18 +52,43 @@ resource "google_compute_address" "static-ip" {
  }
 }

-resource "google_compute_router_nat" "static-ip-nat" {
-  count                  = var.enable_static_egress_ip ? 1 : 0
-  name                   = "${var.name}-static-ip-nat"
-  router                 = google_compute_router.static-ip-router[0].name
-  nat_ips                = [google_compute_address.static-ip[0].self_link]
-  nat_ip_allocate_option = "MANUAL_ONLY"
-  region                 = var.cloud_run_region
-  min_ports_per_vm       = var.min_ports_per_vm
+resource "google_compute_router_nat" "static_ip" {
+  count = var.enable_static_egress_ip ? 1 : 0

+  name                               = "${var.name}-static-ip-nat"
+  project                            = var.project
+  router                             = google_compute_router.static_ip[0].name
+  nat_ips                            = [google_compute_address.static_ip[0].self_link]
+  nat_ip_allocate_option             = "MANUAL_ONLY"
+  region                             = var.region
+  min_ports_per_vm                   = var.min_ports_per_vm
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+
  subnetwork {
-    name                    = google_compute_subnetwork.isolated-subnet[0].id
+    name = (
+      local.create_vpc_connector ? google_compute_subnetwork.vpc_connector[0].id : var.static_egress_ip_subnetwork_id
+    )
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
 }
+
+moved {
+  from = google_compute_subnetwork.isolated-subnet
+  to   = google_compute_subnetwork.vpc_connector
+}
+moved {
+  from = google_vpc_access_connector.static-ip-connector
+  to   = google_vpc_access_connector.main
+}
+moved {
+  from = google_compute_router.static-ip-router
+  to   = google_compute_router.static_ip
+}
+moved {
+  from = google_compute_address.static-ip
+  to   = google_compute_address.static_ip
+}
+moved {
+  from = google_compute_router_nat.static-ip-nat
+  to   = google_compute_router_nat.static_ip
+}
--- a/variables.tf
+++ b/variables.tf
--- a/versions.tf
+++ b/versions.tf
 # versions.tf defines minimum provider versions for the module

 terraform {
+  required_version = ">= 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = ">= 3.70, < 5.0"
-    }
-    google-beta = {
-      source  = "hashicorp/google-beta"
-      version = ">= 3.70, < 5.0"
+      version = ">= 4.0"
    }
    null = {
      source  = "hashicorp/null"
      version = ">= 3.0"
    }
  }
-
-  required_version = ">= 1.0, < 2.0"
 }