# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: name: terraform-google-cloud-run-secure-cloud-run annotations: config.kubernetes.io/local-config: "true" spec: info: title: Secure Cloud Run source: repo: https://github.com/GoogleCloudPlatform/terraform-google-cloud-run.git sourceType: git dir: /modules/secure-cloud-run version: 0.17.2 actuationTool: flavor: Terraform version: ">= 0.13" description: {} content: examples: - name: cloud_run_vpc_connector location: examples/cloud_run_vpc_connector - name: secure_cloud_run location: examples/secure_cloud_run - name: secure_cloud_run_standalone location: examples/secure_cloud_run_standalone - name: simple_cloud_run location: examples/simple_cloud_run - name: simple_cloud_run_with_cmek location: examples/simple_cloud_run_with_cmek - name: simple_job_exec location: examples/simple_job_exec - name: v2 location: examples/v2 - name: v2_with_gmp location: examples/v2_with_gmp interfaces: variables: - name: artifact_registry_repository_location description: Artifact Registry Repository location to grant serverless identity viewer role. varType: string - name: artifact_registry_repository_name description: Artifact Registry Repository name to grant serverless identity viewer role varType: string - name: artifact_registry_repository_project_id description: Artifact Registry Repository Project ID to grant serverless identity viewer role. varType: string - name: cloud_armor_policies_name description: Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored. varType: string - name: cloud_run_sa description: Service account to be used on Cloud Run. varType: string required: true - name: connector_name description: The name for the connector to be created. varType: string defaultValue: serverless-vpc-connector - name: create_cloud_armor_policies description: When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. varType: bool defaultValue: true - name: create_subnet description: The subnet will be created with the subnet_name variable if true. When false, it will use the subnet_name for the subnet. varType: bool defaultValue: true - name: env_vars description: Environment variables (cleartext) varType: |- list(object({ value = string name = string })) defaultValue: [] - name: folder_id description: The folder ID to apply the policy to. varType: string defaultValue: "" - name: grant_artifact_register_reader description: When true it will grant permission to read an image from your artifact registry. When true, you must provide `artifact_registry_repository_project_id`, `artifact_registry_repository_location` and `artifact_registry_repository_name`. varType: bool defaultValue: false - name: groups description: " Groups which will have roles assigned.\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\n" varType: |- object({ group_serverless_administrator = optional(string, null) group_serverless_security_administrator = optional(string, null) group_cloud_run_developer = optional(string, null) group_cloud_run_user = optional(string, null) }) defaultValue: {} - name: image description: Image url to be deployed on Cloud Run. varType: string required: true - name: ip_cidr_range description: The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. varType: string required: true - name: key_name description: The name of KMS Key to be created and used in Cloud Run. varType: string defaultValue: cloud-run-kms-key - name: key_protection_level description: "The protection level to use when creating a version based on this template. Possible values: [\"SOFTWARE\", \"HSM\"]" varType: string defaultValue: HSM - name: key_rotation_period description: Period of key rotation in seconds. varType: string defaultValue: 2592000s - name: keyring_name description: Keyring name. varType: string defaultValue: cloud-run-kms-keyring - name: kms_project_id description: The project where KMS will be created. varType: string required: true - name: location description: The location where resources are going to be deployed. varType: string required: true - name: max_scale_instances description: Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). varType: number defaultValue: 2 - name: members description: Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users. varType: list(string) defaultValue: [] - name: min_scale_instances description: Sets the minimum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). varType: number defaultValue: 1 - name: organization_id description: The organization ID to apply the policy to. varType: string defaultValue: "" - name: policy_for description: "Policy Root: set one of the following values to determine where the policy is applied. Possible values: [\"project\", \"folder\", \"organization\"]." varType: string defaultValue: project - name: prevent_destroy description: Set the `prevent_destroy` lifecycle attribute on the Cloud KMS key. varType: bool defaultValue: true - name: region description: Location for load balancer and Cloud Run resources. varType: string required: true - name: resource_names_suffix description: A suffix to concat in the end of the network resources names being created. varType: string - name: serverless_project_id description: The project to deploy the cloud run service. varType: string required: true - name: service_name description: Shared VPC name. varType: string required: true - name: shared_vpc_name description: Shared VPC name which is going to be re-used to create Serverless Connector. varType: string required: true - name: ssl_certificates description: A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME>` to be used by Load Balancer. varType: |- object({ ssl_certificates_self_links = list(string) generate_certificates_for_domains = list(string) }) required: true - name: subnet_name description: Subnet name to be re-used to create Serverless Connector. varType: string - name: verified_domain_name description: List of Custom Domain Name varType: list(string) defaultValue: [] - name: volumes description: "[Beta] Volumes needed for environment variables (when using secret)." varType: |- list(object({ name = string secret = set(object({ secret_name = string items = map(string) })) })) defaultValue: [] - name: vpc_egress_value description: Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. varType: string defaultValue: private-ranges-only - name: vpc_project_id description: The host project for the shared vpc. varType: string required: true outputs: - name: cloud_services_sa description: Service Account for Cloud Run Service. - name: connector_id description: VPC serverless connector ID. - name: domain_map_id description: Unique Identifier for the created domain map. - name: domain_map_status description: Status of Domain mapping. - name: gca_vpcaccess_sa description: Service Account for VPC Access. - name: key_self_link description: Name of the Cloud KMS crypto key. - name: keyring_self_link description: Name of the Cloud KMS keyring. - name: load_balancer_ip description: IP Address used by Load Balancer. - name: revision description: Deployed revision for the service. - name: run_identity_services_sa description: Service Identity to run services. - name: service_id description: ID of the created service. - name: service_status description: Status of the created service. - name: service_url description: Url of the created service. requirements: roles: - level: Project roles: - roles/accesscontextmanager.policyAdmin - roles/orgpolicy.policyAdmin - level: Project roles: - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - level: Project roles: - roles/resourcemanager.folderAdmin - roles/resourcemanager.projectCreator - roles/resourcemanager.projectDeleter services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com - serviceusage.googleapis.com - run.googleapis.com - cloudkms.googleapis.com - iam.googleapis.com - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com - monitoring.googleapis.com - compute.googleapis.com