feat!: adds support to multiple service projects and Shared VPC (#115)

GoogleCloudPlatform · May 5, 2023 · bc1b8b1 · bc1b8b1
1 parent 7744a6d
commit bc1b8b1
Show file tree

Hide file tree

Showing 25 changed files with 852 additions and 166 deletions.
diff --git a/docs/upgrading_to_v7.0.md b/docs/upgrading_to_v7.0.md
@@ -0,0 +1,64 @@
+# Upgrading to v7.0
+
+The v7.0 release contains backwards-incompatible
+changes due to renaming the sub-modules name.
+
+## secure-serverless-net
+
+The module was rename from `secure-cloud-serverless-net` to `secure-serverless-net`.
+The required variable`serverless_type` was also added to allow re-use from Cloud Functions (2nd Gen).
+
+```diff
+module "cloud_run_network" {
+-  source = "../secure-cloud-serverless-net"
++  source = "../secure-serverless-net"
+
+   connector_name            = var.connector_name
+   subnet_name               = var.subnet_name
+   location                  = var.location
+   vpc_project_id            = var.vpc_project_id
+   serverless_project_id     = var.serverless_project_id
+   shared_vpc_name           = var.shared_vpc_name
+   connector_on_host_project = false
+   ip_cidr_range             = var.ip_cidr_range
+   create_subnet             = var.create_subnet
+   resource_names_suffix     = var.resource_names_suffix
++  serverless_type           = "CLOUD_RUN"
+   serverless_service_identity_email = google_project_service_identity.serverless_sa.email
+}
+```
+
+## secure-serverless-harness
+
+The module was rename from `secure-cloud-serverless-harness` to `secure-serverless-harness`.
+The`serverless_project_name` variable was changed to accept more than one name, to create
+one or more service projects.
+
+```diff
+module "secure_harness" {
+-  source                                      = "../../modules/secure-cloud-serverless-harness"
++  source                                      = "../../modules/secure-serverless-harness"
+   billing_account                             = var.billing_account
+   security_project_name                       = "prj-kms-secure-cloud-run"
+-  serverless_project_name                     = "prj-secure-cloud-run"
++  serverless_project_names                    = ["prj-secure-cloud-run"]
+   org_id                                      = var.org_id
+   parent_folder_id                            = var.parent_folder_id
+   serverless_folder_suffix                    = random_id.random_folder_suffix.hex
+   serverless_service_identity_email           = google_project_service_identity.serverless_sa.email
+   region                                      = local.region
+   location                                    = local.location
+   vpc_name                                    = "vpc-secure-cloud-run"
+   subnet_ip                                   = "10.0.0.0/28"
+   private_service_connect_ip                  = "10.3.0.5"
+   create_access_context_manager_access_policy = var.create_access_context_manager_access_policy
+   access_context_manager_policy_id            = var.access_context_manager_policy_id
+   access_level_members                        = var.access_level_members
+   key_name                                    = "key-secure-artifact-registry"
+   keyring_name                                = "krg-secure-artifact-registry"
+   prevent_destroy                             = false
+   artifact_registry_repository_name           = local.repository_name
+   egress_policies                             = var.egress_policies
+   ingress_policies                            = var.ingress_policies
+   serverless_type                             = "CLOUD_RUN"
+```
diff --git a/examples/secure_cloud_run_standalone/main.tf b/examples/secure_cloud_run_standalone/main.tf
@@ -27,10 +27,10 @@ resource "random_id" "random_folder_suffix" {
 }
 
 module "secure_harness" {
-  source                                      = "../../modules/secure-cloud-serverless-harness"
+  source                                      = "../../modules/secure-serverless-harness"
   billing_account                             = var.billing_account
   security_project_name                       = "prj-kms-secure-cloud-run"
-  serverless_project_name                     = "prj-secure-cloud-run"
+  serverless_project_names                    = ["prj-secure-cloud-run"]
   org_id                                      = var.org_id
   parent_folder_id                            = var.parent_folder_id
   serverless_folder_suffix                    = random_id.random_folder_suffix.hex
@@ -65,18 +65,18 @@ module "secure_cloud_run" {
   source                                  = "../../modules/secure-cloud-run"
   location                                = local.location
   region                                  = local.region
-  serverless_project_id                   = module.secure_harness.serverless_project_id
-  vpc_project_id                          = module.secure_harness.serverless_project_id
+  serverless_project_id                   = module.secure_harness.serverless_project_ids[0]
+  vpc_project_id                          = module.secure_harness.network_project_id[0]
   kms_project_id                          = module.secure_harness.security_project_id
   key_name                                = "key-secure-cloud-run"
   keyring_name                            = "krg-secure-cloud-run"
   service_name                            = "srv-secure-cloud-run"
   image                                   = "${local.location}-docker.pkg.dev/${module.secure_harness.security_project_id}/${module.secure_harness.artifact_registry_repository_name}/hello:latest"
-  cloud_run_sa                            = module.secure_harness.service_account_email
+  cloud_run_sa                            = module.secure_harness.service_account_email[module.secure_harness.serverless_project_ids[0]]
   connector_name                          = "con-secure-cloud-run"
-  subnet_name                             = module.secure_harness.service_subnet
+  subnet_name                             = module.secure_harness.service_subnet[0]
   create_subnet                           = false
-  shared_vpc_name                         = module.secure_harness.service_vpc.network_name
+  shared_vpc_name                         = module.secure_harness.service_vpc[0].network_name
   ip_cidr_range                           = "10.0.0.0/28"
   prevent_destroy                         = false
   artifact_registry_repository_location   = local.location

diff --git a/examples/secure_cloud_run_standalone/outputs.tf b/examples/secure_cloud_run_standalone/outputs.tf
@@ -15,12 +15,12 @@
  */
 
 output "serverless_project_id" {
-  value       = module.secure_harness.serverless_project_id
+  value       = module.secure_harness.serverless_project_ids[0]
   description = "The serverless project id."
 }
 
 output "serverless_project_number" {
-  value       = module.secure_harness.serverless_project_number
+  value       = module.secure_harness.serverless_project_numbers[module.secure_harness.serverless_project_ids[0]]
   description = "The serverless project number."
 }
 
@@ -35,22 +35,22 @@ output "security_project_number" {
 }
 
 output "service_account_email" {
-  value       = module.secure_harness.service_account_email
+  value       = module.secure_harness.service_account_email[module.secure_harness.serverless_project_ids[0]]
   description = "The service account email created to be used by Cloud Run."
 }
 
 output "service_vpc_self_link" {
-  value       = module.secure_harness.service_vpc.network.self_link
+  value       = module.secure_harness.service_vpc[0].network.self_link
   description = "The Network self-link created in harness."
 }
 
 output "service_vpc_name" {
-  value       = module.secure_harness.service_vpc.network_name
+  value       = module.secure_harness.service_vpc[0].network_name
   description = "The Network self-link created in harness."
 }
 
 output "service_vpc_subnet_name" {
-  value       = module.secure_harness.service_subnet
+  value       = module.secure_harness.service_subnet[0]
   description = "The sub-network name created in harness."
 }
 

diff --git a/modules/secure-cloud-run/main.tf b/modules/secure-cloud-run/main.tf
@@ -44,7 +44,7 @@ module "vpc_project_apis" {
 }
 
 module "cloud_run_network" {
-  source = "../secure-cloud-serverless-net"
+  source = "../secure-serverless-net"
 
   connector_name            = var.connector_name
   subnet_name               = var.subnet_name
@@ -56,6 +56,7 @@ module "cloud_run_network" {
   ip_cidr_range             = var.ip_cidr_range
   create_subnet             = var.create_subnet
   resource_names_suffix     = var.resource_names_suffix
+  serverless_type           = "CLOUD_RUN"
 
   serverless_service_identity_email = google_project_service_identity.serverless_sa.email
 

diff --git a/...secure-cloud-serverless-harness/README.md → modules/secure-serverless-harness/README.md b/...secure-cloud-serverless-harness/README.md → modules/secure-serverless-harness/README.md
@@ -70,6 +70,7 @@ module "secure_cloud_run_harness" {
 | key\_rotation\_period | Period of key rotation in seconds. Default value is equivalent to 30 days. | `string` | `"2592000s"` | no |
 | keyring\_name | Keyring name. | `string` | n/a | yes |
 | location | The location where resources are going to be deployed. | `string` | n/a | yes |
+| network\_project\_name | The name to give the shared vpc project. | `string` | `""` | no |
 | org\_id | The organization ID. | `string` | n/a | yes |
 | owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no |
 | parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
@@ -78,10 +79,11 @@ module "secure_cloud_run_harness" {
 | region | The region in which the subnetwork will be created. | `string` | n/a | yes |
 | security\_project\_name | The name to give the security project. | `string` | n/a | yes |
 | serverless\_folder\_suffix | The suffix to be concat in the Serverless folder name fldr-serverless-<SUFFIX>. | `string` | `""` | no |
-| serverless\_project\_name | The name to give the Cloud Run project. | `string` | n/a | yes |
+| serverless\_project\_names | The name to give the Cloud Serverless project. | `list(string)` | n/a | yes |
 | serverless\_type | The type of resource to be used. It supports only CLOUD\_RUN or CLOUD\_FUNCTION | `string` | n/a | yes |
-| service\_account\_project\_roles | Common roles to apply to the Cloud Run service account in the serverless project. | `list(string)` | `[]` | no |
+| service\_account\_project\_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
 | subnet\_ip | The CDIR IP range of the subnetwork. | `string` | n/a | yes |
+| use\_shared\_vpc | Defines if the network created will be a single or shared vpc. | `bool` | `false` | no |
 | vpc\_name | The name of the network. | `string` | n/a | yes |
 
 ## Outputs
@@ -90,17 +92,19 @@ module "secure_cloud_run_harness" {
 |------|-------------|
 | artifact\_registry\_repository\_id | The Artifact Registry Repository full identifier where the images should be stored. |
 | artifact\_registry\_repository\_name | The Artifact Registry Repository last part of the repository name where the images should be stored. |
-| cloud\_run\_service\_identity\_email | The Cloud Run Service Identity email. |
+| cloud\_serverless\_service\_identity\_email | The Cloud Run Service Identity email. |
+| cloudfunction\_source\_bucket | Cloud Function Source Bucket. |
+| network\_project\_id | Project ID of the project created to host the Cloud Run Network. |
 | restricted\_access\_level\_name | Access level name. |
 | restricted\_service\_perimeter\_name | Service Perimeter name. |
 | security\_project\_id | Project ID of the project created for KMS and Artifact Register. |
 | security\_project\_number | Project number of the project created for KMS and Artifact Register. |
 | serverless\_folder\_id | The folder created to alocate Serverless infra. |
-| serverless\_project\_id | Project ID of the project created to deploy Cloud Run. |
-| serverless\_project\_number | Project number of the project created to deploy Cloud Run. |
-| service\_account\_email | The email of the Service Account created to be used by Cloud Run. |
+| serverless\_project\_ids | Project ID of the projects created to deploy Cloud Run. |
+| serverless\_project\_numbers | Project number of the projects created to deploy Cloud Run. |
+| service\_account\_email | The email of the Service Account created to be used by Cloud Serverless. |
 | service\_subnet | The sub-network name created in harness. |
-| service\_vpc | The network created for Cloud Run. |
+| service\_vpc | The network created for Cloud Serverless. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->