From 749e871da42d4b69140d68992a971809d474e514 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Wed, 7 Jun 2023 18:03:17 -0300 Subject: [PATCH] fix: Fix README in Cloud SQL Example (#38) Co-authored-by: Grant Sorbo --- build/int.cloudbuild.yaml | 2 +- .../secure_cloud_function_with_sql/README.md | 192 ++++++++++-------- .../versions.tf | 2 +- 3 files changed, 114 insertions(+), 82 deletions(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index dd61a3e7..166afb83 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -timeout: 7200s +timeout: 10800s steps: - id: prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' diff --git a/examples/secure_cloud_function_with_sql/README.md b/examples/secure_cloud_function_with_sql/README.md index c6c5f31d..366511b4 100644 --- a/examples/secure_cloud_function_with_sql/README.md +++ b/examples/secure_cloud_function_with_sql/README.md 
@@ -3,76 +3,89 @@ This examples shows how to connect Secure Cloud Function (2nd Gen) with Cloud SQL in different project using a Shared VPC and multiple projects. -The resources/services/activations/deletions that this example will create/trigger are: - -* secure-serverless-harness module will apply: - * Creates Security Project - * Creates Shared VPC Project - * Creates Shared Network - * Deny all Egress Rule - * Allow Internal APIs Firewall Rule - * Configure Private Connect - * Creates Cloud Function project - * Creates Cloud SQL project - -* secure-serverless-network module will apply: - * Creates Firewall rules on your **VPC Project**. +The resources and services that this example will create or enable are: + +* The **secure-serverless-harness** module will: + * Create a Security Project + * Create a Cloud Function project + * Create a Shared VPC Project with: + * A Shared Network + * A firewall rule to deny all egress traffic + * A firewall rule to allow internal APIs traffic + * A configured Private Connect + +* The **secure-serverless-network** module will: + * Create the following Firewall rules on the **Shared VPC Project**: * Serverless to VPC Connector * VPC Connector to Serverless * VPC Connector Health Checks - * Creates a sub network to VPC Connector usage purpose. - * Creates Serverless Connector on your **VPC Project** or **Serverless Project**. Refer the comparison below: + * Create a sub network to VPC Connector usage purpose + * Create a Serverless Connector on the **Shared VPC Project** or the **Serverless Project**. 
Refer to the following comparison to choose where to create Serverless Connector: * Advantages of creating connectors in the [VPC Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#host-project) * Advantages of creating connectors in the [Serverless Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#service-projects) - * Grant the necessary roles for Cloud Function are able to use VPC Connector on your Shared VPC when creating VPC Connector in host project. - * Grant Network User role to Cloud Services service account. - * Grant VPC Access User to Cloud Function Service Identity when deploying VPC Access. - -* secure-cloud-function-security module will apply: - * Creates KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project** to be used by Cloud Function (2nd Gen). - * Enables Organization Policies related to Cloud Function (2nd Gen) in the **Serverless Project**. - * Allow Ingress only from internal and Cloud Load Balancing. - * Allow VPC Egress to Private Ranges Only. - * When groups emails are provided, this module will grant the roles for each persona. - * Serverless administrator - Service Project - * roles/run.admin - * roles/cloudfunctions.admin - * roles/compute.networkViewer - * compute.networkUser - * Servervless Security Administrator - Security project - * roles/cloudfunctions.viewer - * roles/run.viewer - * roles/cloudkms.viewer - * roles/artifactregistry.reader - * Cloud Function (2nd Gen) developer - Security project - * roles/cloudfunctions.developer - * roles/artifactregistry.writer - * roles/cloudkms.cryptoKeyEncrypter - * Cloud Function (2nd Gen) user - Service project - * roles/cloudfunctions.invoker - -* secure-cloud-function-core module will apply: - * Creates a Cloud Function (2nd Gen). - * Creates the Cloud Function source bucket in the same location as the Cloud Function. 
- * Configure the EventArc Google Channel to use Customer Encryption Key in the Cloud Function location. - * **Warning:** If there is another CMEK configured for the same region, it will be overwritten. - * Creates a private worker pool for Cloud Build configured to not use External IP. - * Grants Cloud Functions Invoker to EventArc Trigger Service Account. - * Enables Container Registry Automatic Scanning. - -* The Example will create besides all secure-cloud-function resources: - * Cloud SQL Private Access - * Cloud SQL Instance - * Cloud SQL MYSQL database - * Storage Bucket to store Cloud Function source Code + * Grant the necessary roles for the Cloud Function to be able to use the VPC Connector on the Shared VPC if creating the VPC Connector in the host project: + * Grant Network User role to the [Google API Service Agent](https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent) service account. + * Grant VPC Access User to the [Google Cloud Functions Service Agent](https://cloud.google.com/functions/docs/concepts/iam#access_control_for_service_accounts) when deploying VPC Access. 
+ +* The **secure-web-proxy** module will: + * Create a sub network for Regional Managed Proxy purpose + * Create the following Firewall rule on the **Shared VPC Project**: + * Cloud Build to Secure Web Proxy + * Create a VPC peering for the Shared VPC Network with: + * A Compute Global Address + * A Service Networking Connection + * Upload your certificate manager + * You can use a self-signed + * Create a Gateway Security Policy with: + * A Gateway Security Policy Rule + * A Security URL Lists resource + * Create the Secure Web Proxy/Gateway (SWP/SWG) instance + +* The **secure-cloud-serverless-security** module will: + * Create KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project** to be used by Cloud Function (2nd Gen) + * Enable the following Organization Policies related to Cloud Function (2nd Gen) in the **Serverless Project**: + * Allowed ingress settings - Allow HTTP traffic from private VPC sources and through GCLB. + * Allowed VPC Connector egress settings - Force the use of VPC Access Connector for all egress traffic from the function. 
+ * Grant the following roles if groups emails are provided: + * **Serverless Administrator** group on the Service Project: + * Cloud Run Admin: `roles/run.admin` + * Cloud Functions Admin: `roles/cloudfunctions.admin` + * Network Viewer: `roles/compute.networkViewer` + * Network User: `roles/compute.networkUser` + * **Servervless Security Administrator** group on the Security project: + * Cloud Functions Viewer: `roles/cloudfunctions.viewer` + * Cloud Frun Viewer: `roles/run.viewer` + * Cloud KMS Viewer: `roles/cloudkms.viewer` + * Artifact Registry Reader: `roles/artifactregistry.reader` + * **Cloud Function (2nd Gen) developer** group on the Security project: + * Cloud Functions Developer: `roles/cloudfunctions.developer` + * Artifact Registry Writer: `roles/artifactregistry.writer` + * Cloud KMS CryptoKey Encrypter: `roles/cloudkms.cryptoKeyEncrypter` + * **Cloud Function (2nd Gen) user** group on the Service project: + * Cloud Functions Invoker: `roles/cloudfunctions.invoker` + +* The **secure-cloud-function-core** module will: + * Create a Cloud Function (2nd Gen) + * Create the Cloud Function source bucket in the same location as the Cloud Function + * Configure the EventArc Google Channel to use Customer Encryption Key in the Cloud Function location + * **Warning:** If there is another CMEK configured for the same region, it will be overwritten + * Create a private worker pool for Cloud Build configured to not use External IP + * Grant Cloud Functions Invoker to the [EventArc Trigger Service Account](https://cloud.google.com/functions/docs/calling/eventarc#trigger-identity) + * Enable [Container Registry Automatic Scanning](https://cloud.google.com/artifact-registry/docs/analysis) + +* In addition to all the secure-cloud-function resources created, this example will also create: + * [Cloud SQL Private Access](https://cloud.google.com/sql/docs/mysql/configure-private-services-access) + * [Cloud SQL 
Instance](https://cloud.google.com/sql/docs/mysql/introduction) + * [Cloud SQL MYSQL database](https://cloud.google.com/sql/docs/mysql/create-manage-databases) + * A Storage Bucket to store Cloud Function source Code * KMS Keys to be used by: - * Pub/Sub - * Cloud SQL - * Secret Manager - * Cloud Scheduler + * Pub/Sub Topic + * Cloud SQL Instance + * [Secret Manager](https://cloud.google.com/secret-manager) + * [Cloud Scheduler](https://cloud.google.com/scheduler) * Pub/Sub Topic * Secret Manager - * Cloud SQL User + * [Cloud SQL User](https://cloud.google.com/sql/docs/mysql/create-manage-users) * Secret Manager version saving Database user password * Firewall rule to allow to connect on Cloud SQL using Private IP * Import a sample database 
@@ -135,44 +148,63 @@ The resources/services/activations/deletions that this example will create/trigg The following dependencies must be available: -* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0 +* [Terraform](https://www.terraform.io/downloads.html) >= 1.3 * [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) < 5.0 ### APIs -The Secure-cloud-function module will enable the following APIs to the Serverlesss Project: +The Secure Cloud Function with Cloud SQL Example will enable the following APIs to the Serverless Project: + +* Google VPC Access API: `vpcaccess.googleapis.com` +* Compute API: `compute.googleapis.com` +* Container Registry API: `container.googleapis.com` +* Artifact Registry API: `artifactregistry.googleapis.com` +* Cloud Function API: `cloudfunctions.googleapis.com` +* Cloud Run API: `run.googleapis.com` +* Service Networking API: `servicenetworking.googleapis.com` +* SQL Admin API: `sqladmin.googleapis.com` +* Cloud KMS API: `cloudkms.googleapis.com` +* Cloud Scheduler API: `cloudscheduler.googleapis.com` +* Container Scanning API: `containerscanning.googleapis.com` +* Eventarc API: `eventarc.googleapis.com` +* Eventarc Publishing API: `eventarcpublishing.googleapis.com` +* Cloud Build API: `cloudbuild.googleapis.com` + +The Secure Cloud Function with Cloud SQL Example will enable the following APIs to the Cloud SQL Project: * Google VPC Access API: `vpcaccess.googleapis.com` * Compute API: `compute.googleapis.com` * Container Registry API: `container.googleapis.com` * Cloud Function API: `run.googleapis.com` +* Service Networking API: `servicenetworking.googleapis.com` +* SQL Admin API: `sqladmin.googleapis.com` +* SQL Component API: `sql-component.googleapis.com` -The Secure-cloud-function module will enable the following APIs to the VPC Project: +The Secure Cloud Function with Cloud SQL Example will enable the following APIs to the VPC Project: * Google VPC Access API: 
`vpcaccess.googleapis.com` * Compute API: `compute.googleapis.com` +* Service Networking API: `servicenetworking.googleapis.com` +* DNS API: `dns.googleapis.com` -The Secure-cloud-function module will enable the following APIs to the KMS Project: +The Secure Cloud Function with Cloud SQL Example will enable the following APIs to the Security Project: * Cloud KMS API: `cloudkms.googleapis.com` +* Secret Manager API: `secretmanager.googleapis.com` +* Artifact Registry API: `artifactregistry.googleapis.com` ### Service Account A service account with the following roles must be used to provision the resources of this module: -* VPC Project +* Organization Level + * Access Context Manager Admin: `roles/accesscontextmanager.policyAdmin` + * Organization Policy Admin: `roles/orgpolicy.policyAdmin` +* Folder Level: + * Folder Admin: `roles/resourcemanager.folderAdmin` + * Project Creator: `roles/resourcemanager.projectCreator` + * Project Deleter: `roles/resourcemanager.projectDeleter` * Compute Shared VPC Admin: `roles/compute.xpnAdmin` - * Network Admin: `roles/compute.networkAdmin` - * Security Admin: `roles/compute.securityAdmin` - * Serverless VPC Access Admin: `roles/vpcaccess.admin` -* KMS Project - * Cloud KMS Admin: `roles/cloudkms.admin` -* Serverless Project - * Security Admin: `roles/compute.securityAdmin` - * Serverless VPC Access Admin: `roles/vpcaccess.admin` - * Cloud Function Developer: `roles/run.developer` - * Compute Network User: `roles/compute.networkUser` - * Artifact Registry Reader: `roles/artifactregistry.reader` - -**Note:** [Secret Manager Secret Accessor](https://cloud.google.com/run/docs/configuring/secrets#access-secret) role must be granted to the Cloud Function service account to allow read access on the secret. +* Billing: + * Billing User: `roles/billing.user` diff --git a/examples/secure_cloud_function_with_sql/versions.tf b/examples/secure_cloud_function_with_sql/versions.tf index fa66d1a9..da48d9d2 100644 
--- a/examples/secure_cloud_function_with_sql/versions.tf +++ b/examples/secure_cloud_function_with_sql/versions.tf @@ -25,5 +25,5 @@ terraform { version = "< 5.0" } } - required_version = ">= 0.13" + required_version = ">= 1.3" }
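Review bot: The `timeout: 7200s` → `10800s` change in build/int.cloudbuild.yaml is unrelated to the README fix the subject line describes and is not explained anywhere in the commit message. Either split it into its own commit or add one sentence saying why the integration build now needs three hours (for example, Cloud SQL instance provisioning in this example), otherwise the 50% increase reads as an arbitrary bump that nobody will dare to revert later.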
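Review bot: In the first README hunk the description of the egress organization policy changes meaning, from "Allow VPC Egress to Private Ranges Only" to "Force the use of VPC Access Connector for all egress traffic from the function", and the harness module list drops "Creates Cloud SQL project" even though the intro still says Cloud SQL lives in a different project. Both are behavioural statements, not wording, so please confirm against the module code which egress value (`PRIVATE_RANGES_ONLY` vs. `ALL_TRAFFIC`) the `cloudfunctions.allowedVpcConnectorEgressSettings` constraint is set to and which module actually creates the Cloud SQL project, and describe that. Smaller points in the same hunk: "Servervless Security Administrator" and "Cloud Frun Viewer" are typos (the first one is carried over from the old text); "Create a sub network to VPC Connector usage purpose" should read "Create a subnetwork for the VPC Connector"; and "Upload your certificate manager / You can use a self-signed" should say what the certificate is for (the TLS certificate used by the Secure Web Proxy) and that a self-signed certificate is acceptable for testing only. The source bucket is also listed twice, once under secure-cloud-function-core and once under the example's own resources; keep whichever is correct.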
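Review bot: The second README hunk deletes the note "Secret Manager Secret Accessor role must be granted to the Cloud Function service account to allow read access on the secret" without replacing it, yet the example still stores the database user password in a Secret Manager version; a reader following the new text will deploy a function that cannot read its own credentials. Please restore that note (it can live under the Service Account section). Two API labels in the same hunk are wrong as well: `run.googleapis.com` is the Cloud Run API, not "Cloud Function API" (the Cloud SQL project list keeps this mislabel from the old text), and `container.googleapis.com` is the Kubernetes Engine API, while the Container Registry API is `containerregistry.googleapis.com`; if the modules really enable `container.googleapis.com`, the label should say so, otherwise fix the ID. Finally, "Compute Shared VPC Admin: `roles/compute.xpnAdmin`" sits at the same indent as "Folder Level:" rather than under it; indent it so it is clear at which level the role is needed, and note that the new list asks for org-level `roles/orgpolicy.policyAdmin` and `roles/accesscontextmanager.policyAdmin`, which is a much broader grant than the per-project roles it replaces and deserves a sentence saying why the example needs them.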
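Review bot: Raising `required_version` from ">= 0.13" to ">= 1.3" in versions.tf is a breaking change for anyone pinned to an older Terraform, and the commit message only mentions the README; it is consistent with the new "Terraform >= 1.3" line in the README, so the change itself looks right, but call it out in the commit message or changelog rather than burying it in a documentation fix.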