feat: migrate serverless_type to service-based flag (#131)
Co-authored-by: Grant Sorbo <gtsorbo@google.com>
Samir-Cit and gtsorbo authored Jul 10, 2023
1 parent b337b06 commit 8546af0
Showing 11 changed files with 32 additions and 61 deletions.
2 changes: 1 addition & 1 deletion examples/secure_cloud_run_standalone/main.tf
Expand Up @@ -48,7 +48,7 @@ module "secure_harness" {
artifact_registry_repository_name = local.repository_name
egress_policies = var.egress_policies
ingress_policies = var.ingress_policies
serverless_type = "CLOUD_RUN"
base_serverless_api = "run.googleapis.com"
}

resource "null_resource" "copy_image" {
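--- a/modules/secure-cloud-run/main.tf
+++ b/modules/secure-cloud-run/main.tf
@@ -56,7 +56,6 @@ module "cloud_run_network" {
 ip_cidr_range = var.ip_cidr_range
 create_subnet = var.create_subnet
 resource_names_suffix = var.resource_names_suffix
-serverless_type = "CLOUD_RUN"
 
 serverless_service_identity_email = google_project_service_identity.serverless_sa.email
 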
4 changes: 2 additions & 2 deletions modules/secure-serverless-harness/README.md
Expand Up @@ -57,6 +57,7 @@ module "secure_cloud_run_harness" {
| artifact\_registry\_repository\_description | The description of the Artifact Registry Repository to be created. | `string` | `"Secure Cloud Run Artifact Registry Repository"` | no |
| artifact\_registry\_repository\_format | The format of the Artifact Registry Repository to be created. | `string` | `"DOCKER"` | no |
| artifact\_registry\_repository\_name | The name of the Artifact Registry Repository to be created. | `string` | n/a | yes |
| base\_serverless\_api | This variable will enable Cloud Function or Cloud Run specific resources. Cloud Run API will be used for the terraform-google-cloud-run repository while Cloud Function API will be used in the terraform-google-cloud-functions repository. It supports only run.googleapis.com or cloudfunctions.googleapis.com | `string` | n/a | yes |
| billing\_account | The ID of the billing account to associate this project with. | `string` | n/a | yes |
| create\_access\_context\_manager\_access\_policy | Defines if Access Context Manager will be created by Terraform. | `bool` | `false` | no |
| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |
Expand Down Expand Up @@ -84,7 +85,6 @@ module "secure_cloud_run_harness" {
| serverless\_folder\_suffix | The suffix to be concat in the Serverless folder name fldr-serverless-<SUFFIX>. | `string` | `""` | no |
| serverless\_project\_extra\_apis | The extra APIs to be enabled during serverless projects creation. | `map(list(string))` | `{}` | no |
| serverless\_project\_names | The name to give the Cloud Serverless project. | `list(string)` | n/a | yes |
| serverless\_type | The type of resource to be used. It supports only CLOUD\_RUN or CLOUD\_FUNCTION | `string` | n/a | yes |
| service\_account\_project\_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
| subnet\_ip | The CDIR IP range of the subnetwork. | `string` | n/a | yes |
| time\_to\_wait\_vpc\_sc\_propagation | The time to wait VPC-SC propagation when applying and destroying. | `string` | `"180s"` | no |
Expand All @@ -95,10 +95,10 @@ module "secure_cloud_run_harness" {

| Name | Description |
|------|-------------|
| artifact\_registry\_key | Artifact Registry KMS Key. |
| artifact\_registry\_repository\_id | The Artifact Registry Repository full identifier where the images should be stored. |
| artifact\_registry\_repository\_name | The Artifact Registry Repository last part of the repository name where the images should be stored. |
| cloud\_serverless\_service\_identity\_email | The Cloud Run Service Identity email. |
| cloudfunction\_source\_bucket | Cloud Function Source Bucket. |
| network\_project\_id | Project ID of the project created to host the Cloud Run Network. |
| restricted\_access\_level\_name | Access level name. |
| restricted\_service\_perimeter\_name | Service Perimeter name. |
33 changes: 6 additions & 27 deletions modules/secure-serverless-harness/main.tf
Expand Up @@ -15,8 +15,7 @@
*/

locals {
api = var.serverless_type == "CLOUD_FUNCTION" ? ["cloudfunctions.googleapis.com", "cloudbuild.googleapis.com", "eventarc.googleapis.com", "eventarcpublishing.googleapis.com"] : []
serverless_apis = concat([
serverless_apis = [
"vpcaccess.googleapis.com",
"compute.googleapis.com",
"container.googleapis.com",
Expand All @@ -25,7 +24,7 @@ locals {
"cloudkms.googleapis.com",
"dns.googleapis.com",
"servicenetworking.googleapis.com"
], local.api)
]
kms_apis = concat([
"cloudkms.googleapis.com",
"artifactregistry.googleapis.com"
Expand Down Expand Up @@ -84,7 +83,7 @@ module "serverless_project" {
for_each = toset(var.serverless_project_names)

billing_account = var.billing_account
serverless_type = var.serverless_type
base_serverless_api = var.base_serverless_api
org_id = var.org_id
activate_apis = concat(local.serverless_apis, try(var.serverless_project_extra_apis[each.value], []))
folder_name = google_folder.fld_serverless.name
Expand All @@ -96,6 +95,7 @@ module "serverless_project" {


resource "google_artifact_registry_repository" "repo" {
count = var.base_serverless_api == "run.googleapis.com" ? 1 : 0
project = module.security_project.project_id
location = var.location
repository_id = var.artifact_registry_repository_name
Expand All @@ -109,10 +109,10 @@ resource "google_artifact_registry_repository" "repo" {
}

resource "google_artifact_registry_repository_iam_member" "member" {
for_each = module.serverless_project
for_each = var.base_serverless_api == "run.googleapis.com" ? module.serverless_project : {}
project = module.security_project.project_id
location = var.location
repository = google_artifact_registry_repository.repo.repository_id
repository = google_artifact_registry_repository.repo[0].repository_id
role = "roles/artifactregistry.reader"
member = "serviceAccount:${each.value.cloud_serverless_service_identity_email}"

Expand Down Expand Up @@ -154,24 +154,3 @@ resource "google_project_service_identity" "artifact_sa" {
time_sleep.wait_vpc_sc_propagation
]
}

module "cloudfunction_source_bucket" {
for_each = var.serverless_type == "CLOUD_RUN" ? {} : module.serverless_project
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
version = "~>3.4"

project_id = each.value.project_id
name = "bkt-${var.location}-${each.value.project_number}-cfv2-zip-files"
location = var.location
storage_class = "REGIONAL"
force_destroy = true

encryption = {
default_kms_key_name = module.artifact_registry_kms.keys[var.key_name]
}

depends_on = [
module.artifact_registry_kms,
time_sleep.wait_vpc_sc_propagation
]
}
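Review bot: Neither `run.googleapis.com` nor `cloudfunctions.googleapis.com` is visible in the reworked `local.serverless_apis` that `module "serverless_project"` receives as `activate_apis`, while `var.base_serverless_api` is forwarded only so the project factory can request a service identity for it; unless the API sits in the collapsed part of the list or callers add it through `serverless_project_extra_apis`, the Cloud Functions path loses the `cloudfunctions.googleapis.com` activation that the deleted `local.api` used to add. Consider `activate_apis = distinct(concat(local.serverless_apis, [var.base_serverless_api], try(var.serverless_project_extra_apis[each.value], [])))` so the API the flag names is always enabled in the project it describes. The `cloudbuild`, `eventarc` and `eventarcpublishing` activations and the CMEK-encrypted `cloudfunction_source_bucket` are dropped here and presumably move to the cloud-functions repository; a short comment above `locals` stating that Cloud Functions-only APIs and the source bucket are now the consumer's responsibility would record that contract. The `locals` block and `module "serverless_project"` both continue outside the hunks shown.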
10 changes: 5 additions & 5 deletions modules/secure-serverless-harness/outputs.tf
Expand Up @@ -96,7 +96,7 @@ output "service_subnet" {
}

output "artifact_registry_repository_id" {
value = google_artifact_registry_repository.repo.id
value = var.base_serverless_api == "run.googleapis.com" ? google_artifact_registry_repository.repo[0].id : ""
description = "The Artifact Registry Repository full identifier where the images should be stored."

depends_on = [
Expand All @@ -105,7 +105,7 @@ output "artifact_registry_repository_id" {
}

output "artifact_registry_repository_name" {
value = google_artifact_registry_repository.repo.repository_id
value = var.base_serverless_api == "run.googleapis.com" ? google_artifact_registry_repository.repo[0].repository_id : ""
description = "The Artifact Registry Repository last part of the repository name where the images should be stored."

depends_on = [
Expand Down Expand Up @@ -140,9 +140,9 @@ output "restricted_access_level_name" {
]
}

output "cloudfunction_source_bucket" {
value = var.serverless_type == "CLOUD_RUN" ? {} : { for bucket in module.cloudfunction_source_bucket : bucket.bucket.project => bucket.bucket }
description = "Cloud Function Source Bucket."
output "artifact_registry_key" {
value = module.artifact_registry_kms.keys[var.key_name]
description = "Artifact Registry KMS Key."

depends_on = [
time_sleep.wait_vpc_sc_propagation
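Review bot: The descriptions of `artifact_registry_repository_id` and `artifact_registry_repository_name` still promise the repository identifier, but their new `value` expressions yield `""` whenever `base_serverless_api` is not `run.googleapis.com`, so a Cloud Functions consumer interpolating either output gets an empty path with nothing explaining why. Append to both descriptions `Empty when base_serverless_api is cloudfunctions.googleapis.com, because no repository is created.` The new `artifact_registry_key` output replaces the deleted `cloudfunction_source_bucket`, which applied that same key as `default_kms_key_name`; if the intent is for the cloud-functions side to recreate that bucket, its description should say so, for example `KMS key to pass as default_kms_key_name on the Cloud Function source bucket, which this module no longer creates.`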
9 changes: 5 additions & 4 deletions modules/secure-serverless-harness/variables.tf
Expand Up @@ -19,12 +19,13 @@ variable "billing_account" {
type = string
}

variable "serverless_type" {
description = "The type of resource to be used. It supports only CLOUD_RUN or CLOUD_FUNCTION"
variable "base_serverless_api" {
description = "This variable will enable Cloud Function or Cloud Run specific resources. Cloud Run API will be used for the terraform-google-cloud-run repository while Cloud Function API will be used in the terraform-google-cloud-functions repository. It supports only run.googleapis.com or cloudfunctions.googleapis.com"
type = string

validation {
condition = contains(["CLOUD_RUN", "CLOUD_FUNCTION"], var.serverless_type)
error_message = "unsupported value for serverless_type"
condition = contains(["run.googleapis.com", "cloudfunctions.googleapis.com"], var.base_serverless_api)
error_message = "Unsupported value for base_serverless_api"
}
}

2 changes: 1 addition & 1 deletion modules/secure-serverless-net/README.md
Expand Up @@ -44,13 +44,13 @@ module "cloud_run_network" {
| connector\_name | The name of the serverless connector which is going to be created. | `string` | n/a | yes |
| connector\_on\_host\_project | Connector is going to be created on the host project if true. When false, connector is going to be created on service project. For more information, access [documentation](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc). | `bool` | `false` | no |
| create\_subnet | The subnet will be created with the subnet\_name variable if true. When false, it will use the subnet\_name for the subnet. | `bool` | `true` | no |
| enable\_load\_balancer\_fw | Create the firewall rule for Cloud Run to enable the VPC Connector to access the Load Balancer instance using TCP port 80. Default is true. If using Cloud Function set to false. | `bool` | `true` | no |
| flow\_sampling | Sampling rate of VPC flow logs. The value must be in [0,1]. Where 1.0 means all logs, 0.5 mean half of the logs and 0.0 means no logs are reported. | `number` | `1` | no |
| ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| resource\_names\_suffix | A suffix to concat in the end of the resources names. | `string` | `null` | no |
| serverless\_project\_id | The project where cloud run is going to be deployed. | `string` | n/a | yes |
| serverless\_service\_identity\_email | The Service Identity email for the serverless resource (Cloud Run or Cloud Function). | `string` | n/a | yes |
| serverless\_type | The type of resource to be used. It supports only CLOUD\_RUN or CLOUD\_FUNCTION | `string` | n/a | yes |
| shared\_vpc\_name | Shared VPC name which is going to be used to create Serverless Connector. | `string` | n/a | yes |
| subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | n/a | yes |
| vpc\_project\_id | The project where shared vpc is. | `string` | n/a | yes |
2 changes: 1 addition & 1 deletion modules/secure-serverless-net/firewall.tf
Expand Up @@ -127,7 +127,7 @@ module "firewall_rules" {
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
}], var.serverless_type == "CLOUD_RUN" ? [
}], var.enable_load_balancer_fw ? [
{
name = "fw-vpc-connector-to-lb${local.suffix}"
description = null
12 changes: 4 additions & 8 deletions modules/secure-serverless-net/variables.tf
Expand Up @@ -78,12 +78,8 @@ variable "resource_names_suffix" {
default = null
}

variable "serverless_type" {
description = "The type of resource to be used. It supports only CLOUD_RUN or CLOUD_FUNCTION"
type = string

validation {
condition = contains(["CLOUD_RUN", "CLOUD_FUNCTION"], var.serverless_type)
error_message = "unsupported value for serverless_type"
}
variable "enable_load_balancer_fw" {
description = "Create the firewall rule for Cloud Run to enable the VPC Connector to access the Load Balancer instance using TCP port 80. Default is true. If using Cloud Function set to false."
type = bool
default = true
}
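Review bot: `enable_load_balancer_fw` defaults to `true`, so a Cloud Functions caller that forgets to set it now gets the `fw-vpc-connector-to-lb` TCP/80 rule that the old `serverless_type == "CLOUD_RUN"` gate withheld; a firewall opening is safer as opt-in than opt-out. Consider `default = false` together with an explicit `enable_load_balancer_fw = true` in the secure-cloud-run module call, which this commit leaves relying on the default after removing `serverless_type` from it. If the default must stay `true` for compatibility, the description should at least read `Created unless explicitly set to false; Cloud Function deployments must set false.` so the fail-open behaviour is visible in the generated README.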
10 changes: 3 additions & 7 deletions modules/service-project-factory/main.tf
Expand Up @@ -14,10 +14,6 @@
* limitations under the License.
*/


locals {
api = var.serverless_type == "CLOUD_RUN" ? "run" : "cloudfunctions"
}
module "serverless_project" {
source = "terraform-google-modules/project-factory/google"
version = "~> 14.2"
Expand All @@ -38,7 +34,7 @@ module "service_accounts" {
version = "~> 4.2"
project_id = module.serverless_project.project_id
prefix = "sa"
names = [replace(lower(var.serverless_type), "_", "-")]
names = var.base_serverless_api == "run.googleapis.com" ? ["cloud-run"] : ["cloud-function"]

depends_on = [
module.serverless_project
Expand All @@ -56,7 +52,7 @@ resource "google_project_service_identity" "serverless_sa" {
provider = google-beta

project = module.serverless_project.project_id
service = "${local.api}.googleapis.com"
service = var.base_serverless_api
}

resource "google_service_account_iam_member" "identity_service_account_user" {
Expand Down Expand Up @@ -84,7 +80,7 @@ data "google_storage_project_service_account" "gcs_account" {
}

resource "google_project_iam_member" "gcs_pubsub_publishing" {
count = var.serverless_type == "CLOUD_RUN" ? 0 : 1
count = var.base_serverless_api == "run.googleapis.com" ? 0 : 1
project = module.serverless_project.project_id
role = "roles/pubsub.publisher"
member = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
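Review bot: The predicate `var.base_serverless_api == "run.googleapis.com"` is now spelled out in `names` and in `gcs_pubsub_publishing.count` (and again in the harness module), while the commit deletes the `locals` block where one shared copy could live; a later typo in one copy silently changes which resources exist. Keep a local, `locals { is_cloud_run = var.base_serverless_api == "run.googleapis.com" }`, and write `names = local.is_cloud_run ? ["cloud-run"] : ["cloud-function"]` and `count = local.is_cloud_run ? 0 : 1`. The two literals resolve to the same strings the old `replace(lower(var.serverless_type), "_", "-")` produced, so existing service accounts should not be recreated; a comment noting that these names must stay stable for that reason would protect the next refactor. `module "service_accounts"` and the `google_project_iam_member` resource start or end outside the hunks shown.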
8 changes: 4 additions & 4 deletions modules/service-project-factory/variables.tf
Expand Up @@ -19,13 +19,13 @@ variable "billing_account" {
type = string
}

variable "serverless_type" {
description = "The type of resource to be used. It supports only CLOUD_RUN or CLOUD_FUNCTION"
variable "base_serverless_api" {
description = "This variable will enable Cloud Function or Cloud Run specific resources. Cloud Run API will be used for the terraform-google-cloud-run repository while Cloud Function API will be used in the terraform-google-cloud-functions repository. It supports only run.googleapis.com or cloudfunctions.googleapis.com"
type = string

validation {
condition = contains(["CLOUD_RUN", "CLOUD_FUNCTION"], var.serverless_type)
error_message = "unsupported value for serverless_type"
condition = contains(["run.googleapis.com", "cloudfunctions.googleapis.com"], var.base_serverless_api)
error_message = "Unsupported value for base_serverless_api"
}
}

