# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: name: terraform-google-cloud-run-secure-cloud-run-security annotations: config.kubernetes.io/local-config: "true" spec: info: title: Secure Cloud Run Security source: repo: https://github.com/GoogleCloudPlatform/terraform-google-cloud-run.git sourceType: git dir: /modules/secure-cloud-run-security version: 0.17.2 actuationTool: flavor: Terraform version: ">= 0.13" description: {} content: examples: - name: cloud_run_vpc_connector location: examples/cloud_run_vpc_connector - name: secure_cloud_run location: examples/secure_cloud_run - name: secure_cloud_run_standalone location: examples/secure_cloud_run_standalone - name: simple_cloud_run location: examples/simple_cloud_run - name: simple_cloud_run_with_cmek location: examples/simple_cloud_run_with_cmek - name: simple_job_exec location: examples/simple_job_exec - name: v2 location: examples/v2 - name: v2_with_gmp location: examples/v2_with_gmp interfaces: variables: - name: decrypters description: List of comma-separated owners for each key declared in set_decrypters_for. varType: list(string) defaultValue: [] - name: encrypters description: List of comma-separated owners for each key declared in set_encrypters_for. varType: list(string) defaultValue: [] - name: folder_id description: The folder ID to apply the policy to. varType: string defaultValue: "" - name: groups description: " Groups which will have roles assigned.\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\n" varType: |- object({ group_serverless_administrator = optional(string, null) group_serverless_security_administrator = optional(string, null) group_cloud_run_developer = optional(string, null) group_cloud_run_user = optional(string, null) }) defaultValue: {} - name: key_name description: Key name. varType: string required: true - name: key_protection_level description: "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]" varType: string defaultValue: HSM - name: key_rotation_period description: Period of key rotation in seconds. varType: string defaultValue: 2592000s - name: keyring_name description: Keyring name. varType: string required: true - name: kms_project_id description: The project where KMS will be created. varType: string required: true - name: location description: The location where resources are going to be deployed. varType: string required: true - name: organization_id description: The organization ID to apply the policy to. varType: string defaultValue: "" - name: owners description: List of comma-separated owners for each key declared in set_owners_for. varType: list(string) defaultValue: [] - name: policy_for description: "Policy Root: set one of the following values to determine where the policy is applied. Possible values: [\"project\", \"folder\", \"organization\"]." varType: string defaultValue: project - name: prevent_destroy description: Set the prevent_destroy lifecycle attribute on keys.. varType: bool defaultValue: true - name: serverless_project_id description: The project where Cloud Run is going to be deployed. varType: string required: true outputs: - name: key_self_link description: Key self link. - name: keyring_resource description: Keyring resource. - name: keyring_self_link description: Self link of the keyring. requirements: roles: - level: Project roles: - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - level: Project roles: - roles/resourcemanager.folderAdmin - roles/resourcemanager.projectCreator - roles/resourcemanager.projectDeleter - level: Project roles: - roles/accesscontextmanager.policyAdmin - roles/orgpolicy.policyAdmin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com - serviceusage.googleapis.com - run.googleapis.com - cloudkms.googleapis.com - iam.googleapis.com - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com - monitoring.googleapis.com - compute.googleapis.com