# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: name: terraform-google-cloud-run-secure-cloud-run-core annotations: config.kubernetes.io/local-config: "true" spec: info: title: Secure Cloud Run Core source: repo: https://github.com/GoogleCloudPlatform/terraform-google-cloud-run.git sourceType: git dir: /modules/secure-cloud-run-core version: 0.17.2 actuationTool: flavor: Terraform version: ">= 0.13" description: {} content: examples: - name: cloud_run_vpc_connector location: examples/cloud_run_vpc_connector - name: secure_cloud_run location: examples/secure_cloud_run - name: secure_cloud_run_standalone location: examples/secure_cloud_run_standalone - name: simple_cloud_run location: examples/simple_cloud_run - name: simple_cloud_run_with_cmek location: examples/simple_cloud_run_with_cmek - name: simple_job_exec location: examples/simple_job_exec - name: v2 location: examples/v2 - name: v2_with_gmp location: examples/v2_with_gmp interfaces: variables: - name: argument description: Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments. varType: list(string) defaultValue: [] - name: certificate_mode description: The mode of the certificate (NONE or AUTOMATIC). varType: string defaultValue: NONE - name: cloud_armor_policies_name description: Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. varType: string - name: cloud_run_sa description: Service account to be used on Cloud Run. varType: string required: true - name: container_command description: Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten. varType: list(string) defaultValue: [] - name: container_concurrency description: Concurrent request limits to the service. varType: number - name: create_cloud_armor_policies description: When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. varType: bool defaultValue: true - name: default_rules description: Default rule for Cloud Armor. varType: |- map(object({ action = string priority = string versioned_expr = string src_ip_ranges = list(string) description = string })) defaultValue: default_rule: action: allow description: Default allow all rule priority: "2147483647" src_ip_ranges: - "*" versioned_expr: SRC_IPS_V1 - name: domain_map_annotations description: Annotations to the domain map. varType: map(string) defaultValue: {} - name: domain_map_labels description: A set of key/value label pairs to assign to the Domain mapping. varType: map(string) defaultValue: {} - name: encryption_key description: CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. varType: string required: true - name: env_vars description: Environment variables. varType: |- list(object({ value = string name = string })) defaultValue: [] - name: force_override description: Option to force override existing mapping. varType: bool defaultValue: false - name: generate_revision_name description: Option to enable revision name generation. varType: bool defaultValue: true - name: image description: GAR hosted image URL to deploy. varType: string required: true - name: lb_name description: Name for load balancer and associated resources. varType: string defaultValue: tf-cr-lb - name: limits description: Resource limits to the container. varType: map(string) - name: location description: The location where resources are going to be deployed. varType: string required: true - name: max_scale_instances description: Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). varType: number defaultValue: 2 - name: members description: Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users. varType: list(string) defaultValue: [] - name: min_scale_instances description: Sets the minimum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). varType: number defaultValue: 1 - name: owasp_rules description: These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default_rule). varType: |- map(object({ action = string priority = string expression = string })) defaultValue: rule_canary: action: deny(403) expression: evaluatePreconfiguredExpr('rce-v33-stable') priority: "1003" rule_lfi: action: deny(403) expression: evaluatePreconfiguredExpr('lfi-v33-stable') priority: "1002" rule_protocolattack: action: deny(403) expression: evaluatePreconfiguredExpr('protocolattack-v33-stable') priority: "1006" rule_rfi: action: deny(403) expression: evaluatePreconfiguredExpr('rfi-v33-stable') priority: "1004" rule_scannerdetection: action: deny(403) expression: evaluatePreconfiguredExpr('scannerdetection-v33-stable') priority: "1005" rule_sessionfixation: action: deny(403) expression: evaluatePreconfiguredExpr('sessionfixation-v33-stable') priority: "1007" rule_sqli: action: deny(403) expression: evaluatePreconfiguredExpr('sqli-v33-stable') priority: "1000" rule_xss: action: deny(403) expression: evaluatePreconfiguredExpr('xss-v33-stable') priority: "1001" - name: ports description: Port which the container listens to (http1 or h2c). varType: |- object({ name = string port = number }) defaultValue: name: http1 port: 8080 - name: project_id description: The project where cloud run is going to be deployed. varType: string required: true - name: region description: Location for load balancer and Cloud Run resources. varType: string required: true - name: requests description: Resource requests to the container. varType: map(string) defaultValue: {} - name: service_labels description: A set of key/value label pairs to assign to the service. varType: map(string) defaultValue: {} - name: service_name description: The name of the Cloud Run service to create. varType: string required: true - name: ssl_certificates description: A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME>` to be used by Load Balancer. varType: |- object({ ssl_certificates_self_links = list(string) generate_certificates_for_domains = list(string) }) required: true - name: template_labels description: A set of key/value label pairs to assign to the container metadata. varType: map(string) defaultValue: {} - name: timeout_seconds description: Timeout for each request. varType: number defaultValue: 120 - name: traffic_split description: Managing traffic routing to the service. varType: |- list(object({ latest_revision = bool percent = number revision_name = string tag = string })) defaultValue: - latest_revision: true percent: 100 revision_name: v1-0-0 tag: null - name: verified_domain_name description: List of custom Domain Name. varType: list(string) required: true - name: volume_mounts description: "[Beta] Volume Mounts to be attached to the container (when using secret)." varType: |- list(object({ mount_path = string name = string })) defaultValue: [] - name: volumes description: "[Beta] Volumes needed for environment variables (when using secret)." varType: |- list(object({ name = string secret = set(object({ secret_name = string items = map(string) })) })) defaultValue: [] - name: vpc_connector_id description: VPC Connector id in the format projects/PROJECT/locations/LOCATION/connectors/NAME. varType: string required: true - name: vpc_egress_value description: Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. varType: string defaultValue: private-ranges-only outputs: - name: domain_map_id description: Unique Identifier for the created domain map. - name: domain_map_status description: Status of Domain mapping. - name: load_balancer_ip description: IP Address used by Load Balancer. - name: revision description: Deployed revision for the service. - name: service_id description: Unique Identifier for the created service. - name: service_status description: Status of the created service. - name: service_url description: The URL on which the deployed service is available. requirements: roles: - level: Project roles: - roles/resourcemanager.folderAdmin - roles/resourcemanager.projectCreator - roles/resourcemanager.projectDeleter - level: Project roles: - roles/accesscontextmanager.policyAdmin - roles/orgpolicy.policyAdmin - level: Project roles: - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com - serviceusage.googleapis.com - run.googleapis.com - cloudkms.googleapis.com - iam.googleapis.com - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com - monitoring.googleapis.com - compute.googleapis.com