feat: support upstream serverless module attribute changes (#55)

GoogleCloudPlatform · Jul 12, 2023 · 749071a · 749071a
1 parent 20117c7
commit 749071a
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 24 deletions.
diff --git a/examples/secure_cloud_function_bigquery_trigger/main.tf b/examples/secure_cloud_function_bigquery_trigger/main.tf
@@ -30,7 +30,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.8"
+  version = "~> 0.9"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-security"
@@ -53,7 +53,7 @@ module "secure_harness" {
   artifact_registry_repository_name           = local.repository_name
   egress_policies                             = var.egress_policies
   ingress_policies                            = var.ingress_policies
-  serverless_type                             = "CLOUD_FUNCTION"
+  base_serverless_api                         = "cloudfunctions.googleapis.com"
   use_shared_vpc                              = true
   time_to_wait_vpc_sc_propagation             = "600s"
 
@@ -64,10 +64,29 @@ module "secure_harness" {
   network_project_extra_apis = ["networksecurity.googleapis.com"]
 
   serverless_project_extra_apis = {
-    "prj-secure-cloud-function" = ["networksecurity.googleapis.com"]
+    "prj-secure-cloud-function" = ["networksecurity.googleapis.com", "cloudfunctions.googleapis.com", "cloudbuild.googleapis.com", "eventarc.googleapis.com", "eventarcpublishing.googleapis.com"]
   }
 }
 
+module "cloudfunction_source_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~>3.4"
+
+  project_id    = module.secure_harness.serverless_project_ids[0]
+  name          = "bkt-${local.location}-${module.secure_harness.serverless_project_numbers[module.secure_harness.serverless_project_ids[0]]}-cfv2-zip-files"
+  location      = local.location
+  storage_class = "REGIONAL"
+  force_destroy = true
+
+  encryption = {
+    default_kms_key_name = module.secure_harness.artifact_registry_key
+  }
+
+  depends_on = [
+    module.secure_harness
+  ]
+}
+
 resource "google_project_service" "network_project_apis" {
   for_each           = toset(["networkservices.googleapis.com", "certificatemanager.googleapis.com"])
   project            = module.secure_harness.network_project_id[0]
@@ -90,7 +109,7 @@ resource "google_storage_bucket_object" "cf_bigquery_source_zip" {
   # Append to the MD5 checksum of the files's content
   # to force the zip to be updated as soon as a change occurs
   name   = "src-${data.archive_file.cf_bigquery_source.output_md5}.zip"
-  bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+  bucket = module.cloudfunction_source_bucket.name
 
   depends_on = [
     data.archive_file.cf_bigquery_source
@@ -272,7 +291,7 @@ module "secure_cloud_function" {
   }
 
   storage_source = {
-    bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+    bucket = module.cloudfunction_source_bucket.name
     object = google_storage_bucket_object.cf_bigquery_source_zip.name
   }
 

diff --git a/examples/secure_cloud_function_internal_server/main.tf b/examples/secure_cloud_function_internal_server/main.tf
@@ -29,7 +29,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.8"
+  version = "~> 0.9"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-security"
@@ -52,7 +52,7 @@ module "secure_harness" {
   artifact_registry_repository_name           = local.repository_name
   egress_policies                             = var.egress_policies
   ingress_policies                            = var.ingress_policies
-  serverless_type                             = "CLOUD_FUNCTION"
+  base_serverless_api                         = "cloudfunctions.googleapis.com"
   use_shared_vpc                              = true
   time_to_wait_vpc_sc_propagation             = "660s"
 
@@ -70,10 +70,27 @@ module "secure_harness" {
   ]
 
   serverless_project_extra_apis = {
-    "prj-secure-cloud-function" = [
-      "networksecurity.googleapis.com"
-    ]
+    "prj-secure-cloud-function" = ["networksecurity.googleapis.com", "cloudfunctions.googleapis.com", "cloudbuild.googleapis.com", "eventarc.googleapis.com", "eventarcpublishing.googleapis.com"]
+  }
+}
+
+module "cloudfunction_source_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~>3.4"
+
+  project_id    = module.secure_harness.serverless_project_ids[0]
+  name          = "bkt-${local.location}-${module.secure_harness.serverless_project_numbers[module.secure_harness.serverless_project_ids[0]]}-cfv2-zip-files"
+  location      = local.location
+  storage_class = "REGIONAL"
+  force_destroy = true
+
+  encryption = {
+    default_kms_key_name = module.secure_harness.artifact_registry_key
   }
+
+  depends_on = [
+    module.secure_harness
+  ]
 }
 
 resource "google_project_service" "network_project_apis" {
@@ -98,7 +115,7 @@ resource "google_storage_bucket_object" "function-source" {
   # Append to the MD5 checksum of the files's content
   # to force the zip to be updated as soon as a change occurs
   name   = "src-${data.archive_file.cf-internal-server-source.output_md5}.zip"
-  bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+  bucket = module.cloudfunction_source_bucket.name
 
   depends_on = [
     data.archive_file.cf-internal-server-source
@@ -205,7 +222,7 @@ module "secure_cloud_function" {
   }
 
   storage_source = {
-    bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+    bucket = module.cloudfunction_source_bucket.name
     object = google_storage_bucket_object.function-source.name
   }
 
@@ -221,7 +238,7 @@ module "secure_cloud_function" {
     retry_policy          = "RETRY_POLICY_RETRY"
     event_filters = [{
       attribute       = "bucket"
-      attribute_value = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+      attribute_value = module.cloudfunction_source_bucket.name
     }]
   }
   runtime     = "go118"

diff --git a/examples/secure_cloud_function_with_sql/main.tf b/examples/secure_cloud_function_with_sql/main.tf
@@ -34,7 +34,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.8"
+  version = "~> 0.9"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-security"
@@ -57,7 +57,7 @@ module "secure_harness" {
   artifact_registry_repository_name           = local.repository_name
   egress_policies                             = var.egress_policies
   ingress_policies                            = var.ingress_policies
-  serverless_type                             = "CLOUD_FUNCTION"
+  base_serverless_api                         = "cloudfunctions.googleapis.com"
   use_shared_vpc                              = true
   time_to_wait_vpc_sc_propagation             = "600s"
 
@@ -66,7 +66,7 @@ module "secure_harness" {
   security_project_extra_apis = ["secretmanager.googleapis.com"]
 
   serverless_project_extra_apis = {
-    "prj-secure-cloud-function" = ["servicenetworking.googleapis.com", "sqladmin.googleapis.com", "cloudscheduler.googleapis.com", "networksecurity.googleapis.com"],
+    "prj-secure-cloud-function" = ["servicenetworking.googleapis.com", "sqladmin.googleapis.com", "cloudscheduler.googleapis.com", "networksecurity.googleapis.com", "cloudfunctions.googleapis.com", "cloudbuild.googleapis.com", "eventarc.googleapis.com", "eventarcpublishing.googleapis.com"],
     "prj-secure-cloud-sql"      = ["sqladmin.googleapis.com", "sql-component.googleapis.com", "servicenetworking.googleapis.com"]
   }
 
@@ -76,6 +76,44 @@ module "secure_harness" {
   }
 }
 
+module "cloudfunction_source_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~>3.4"
+
+  project_id    = module.secure_harness.serverless_project_ids[0]
+  name          = "bkt-${local.location}-${module.secure_harness.serverless_project_numbers[module.secure_harness.serverless_project_ids[0]]}-cfv2-zip-files"
+  location      = local.location
+  storage_class = "REGIONAL"
+  force_destroy = true
+
+  encryption = {
+    default_kms_key_name = module.secure_harness.artifact_registry_key
+  }
+
+  depends_on = [
+    module.secure_harness
+  ]
+}
+
+module "cloud_sql_temp_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~>3.4"
+
+  project_id    = module.secure_harness.serverless_project_ids[1]
+  name          = "bkt-${local.location}-${module.secure_harness.serverless_project_numbers[module.secure_harness.serverless_project_ids[1]]}-temp-files"
+  location      = local.location
+  storage_class = "REGIONAL"
+  force_destroy = true
+
+  encryption = {
+    default_kms_key_name = module.secure_harness.artifact_registry_key
+  }
+
+  depends_on = [
+    module.secure_harness
+  ]
+}
+
 resource "google_project_service" "network_project_apis" {
   for_each           = toset(["networkservices.googleapis.com", "certificatemanager.googleapis.com"])
   project            = module.secure_harness.network_project_id[0]
@@ -311,7 +349,7 @@ resource "null_resource" "create_user_pwd" {
 }
 
 resource "google_storage_bucket_iam_member" "object_admin" {
-  bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[1]].name
+  bucket = module.cloud_sql_temp_bucket.name
   role   = "roles/storage.objectAdmin"
   member = "serviceAccount:${module.safer_mysql_db.instance_service_account_email_address}"
 }
@@ -323,7 +361,7 @@ resource "google_storage_bucket_object" "cloud_sql_dump_file" {
   # Append to the MD5 checksum of the files's content
   # to force the zip to be updated as soon as a change occurs
   name   = "assets/sample-db-data.sql"
-  bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[1]].name
+  bucket = module.cloud_sql_temp_bucket.name
 
   depends_on = [
     module.secure_harness
@@ -334,14 +372,14 @@ resource "null_resource" "create_and_populate_db" {
 
   triggers = {
     instance  = module.safer_mysql_db.instance_name,
-    file_name = "${module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[1]].name}/${google_storage_bucket_object.cloud_sql_dump_file.name}"
+    file_name = "${module.cloud_sql_temp_bucket.name}/${google_storage_bucket_object.cloud_sql_dump_file.name}"
   }
 
   provisioner "local-exec" {
     command = <<EOT
     gcloud sql import sql ${module.safer_mysql_db.instance_name} \
     --project ${module.secure_harness.serverless_project_ids[1]} \
-    gs://${module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[1]].name}/${google_storage_bucket_object.cloud_sql_dump_file.name} \
+    gs://${module.cloud_sql_temp_bucket.name}/${google_storage_bucket_object.cloud_sql_dump_file.name} \
     --database=${local.db_name} --impersonate-service-account=${var.terraform_service_account} -q
     EOT
   }
@@ -367,7 +405,7 @@ resource "google_storage_bucket_object" "cf_cloudsql_source_zip" {
   # Append to the MD5 checksum of the files's content
   # to force the zip to be updated as soon as a change occurs
   name   = "src-${data.archive_file.cf_cloudsql_source.output_md5}.zip"
-  bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+  bucket = module.cloudfunction_source_bucket.name
 
   depends_on = [
     data.archive_file.cf_cloudsql_source,
@@ -468,7 +506,7 @@ module "secure_cloud_function" {
   }
 
   storage_source = {
-    bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name
+    bucket = module.cloudfunction_source_bucket.name
     object = google_storage_bucket_object.cf_cloudsql_source_zip.name
   }
 

diff --git a/modules/secure-cloud-function/main.tf b/modules/secure-cloud-function/main.tf
@@ -17,11 +17,11 @@
 
 module "cloud_serverless_network" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-net"
-  version = "~> 0.8"
+  version = "~> 0.9"
 
   connector_name            = var.connector_name
   subnet_name               = var.subnet_name
-  serverless_type           = "CLOUD_FUNCTION"
+  enable_load_balancer_fw   = "false"
   location                  = var.location
   vpc_project_id            = var.vpc_project_id
   serverless_project_id     = var.serverless_project_id