diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..bdf222b1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: "/"
+ schedule:
+ interval: "daily"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
new file mode 100644
index 00000000..a54e8e8c
--- /dev/null
+++ b/.github/workflows/documentation.yaml
@@ -0,0 +1,26 @@
+name: Generate terraform docs
+
+on:
+ pull_request:
+
+jobs:
+ docs:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ module:
+ - authorize-private-service
+
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+ - uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
+ with:
+ working-dir: ${{ matrix.module }}
+ output-file: README.md
+ output-method: inject
+ fail-on-diff: "true"
+
+ - if: failure()
+ run: cat README.md
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 00000000..38cd0f54
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,21 @@
+name: Validate, Lint and Test
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ lint-and-validate:
+ name: "Terraform fmt and validate"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+
+ - run: terraform fmt -check
+
+ - run: |
+ terraform init
+ terraform validate
diff --git a/authorize-private-service/README.md b/authorize-private-service/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/authorize-private-service/main.tf b/authorize-private-service/main.tf
new file mode 100644
index 00000000..ad0810cf
--- /dev/null
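Review bot: The `gomod` entry points Dependabot at `/`, but nothing in this commit adds a Go module there, so unless a `go.mod` already exists in the repository Dependabot will report a missing manifest for that entry, while the Terraform module this commit does add is not covered by any entry. Consider adding `- package-ecosystem: "terraform"` with `directory: "/authorize-private-service"` and the same schedule, so provider updates are tracked alongside the SHA-pinned actions. As a point of style, `package-ecosystem: gomod` is unquoted while `"github-actions"` is quoted; pick one form for the file.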
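Review bot: The failure step `run: cat README.md` executes in the repository root rather than in `${{ matrix.module }}`, so it prints the root README (or fails if there is none) instead of the module README that terraform-docs just rewrote; add `working-directory: ${{ matrix.module }}` to that step or change it to `run: cat ${{ matrix.module }}/README.md`. Neither this workflow nor `main.yaml` declares `permissions:`, so each job token receives the repository's default scope even though both jobs only read the checkout; a top-level `permissions:` block with `contents: read` is enough for both. The actions are pinned to full commit SHAs with version comments, which keeps the pins auditable.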
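Review bot: All three `run` steps execute in the repository root, where this commit adds no `.tf` files; `terraform fmt -check` is not recursive by default, and `terraform init` followed by `terraform validate` in a directory with no configuration succeeds without looking at `authorize-private-service/`, so the job passes without checking the module. Use `terraform fmt -check -recursive` for the format step and give the init/validate step `working-directory: authorize-private-service` (or reuse the module matrix from `documentation.yaml`). `setup-terraform` is pinned by SHA but no `terraform_version` input is given, so the CLI version used by the job will drift between runs unless that is intended.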
+++ b/authorize-private-service/main.tf
@@ -0,0 +1,16 @@
+resource "google_cloud_run_v2_service_iam_member" "authorize-calls" {
+ project = var.project_id
+ location = var.region
+ name = var.name
+
+ role = "roles/run.invoker"
+ member = "serviceAccount:${var.service-account}"
+}
+
+data "google_cloud_run_v2_service" "this" {
+ depends_on = [google_cloud_run_v2_service_iam_member.authorize-calls]
+
+ project = var.project_id
+ location = var.region
+ name = var.name
+}
diff --git a/authorize-private-service/outputs.tf b/authorize-private-service/outputs.tf
new file mode 100644
index 00000000..e3fbe553
--- /dev/null
+++ b/authorize-private-service/outputs.tf
@@ -0,0 +1,4 @@
+output "uri" {
+ description = "The URI of the private Cloud Run service."
+ value = data.google_cloud_run_v2_service.this.uri
+}
diff --git a/authorize-private-service/variables.tf b/authorize-private-service/variables.tf
new file mode 100644
index 00000000..b8f0acb6
--- /dev/null
+++ b/authorize-private-service/variables.tf
@@ -0,0 +1,18 @@
+variable "project_id" {
+ type = string
+}
+
+variable "region" {
+ description = "The region in which this Cloud Run service is based."
+ type = string
+}
+
+variable "name" {
+ description = "The name of the Cloud Run service in this region."
+ type = string
+}
+
+variable "service-account" {
+ description = "The email of the service account being authorized to invoke the private Cloud Run service."
+ type = string
+}
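Review bot: The module has no `required_providers` block, so neither consumers nor the CI `terraform validate` run pin which `google` provider the `google_cloud_run_v2_service_iam_member` and `google_cloud_run_v2_service` blocks are resolved against; add `terraform { required_providers { google = { source = "hashicorp/google", version = "<minimum tested constraint>" } } }` so the resolved provider is reproducible. The `_iam_member` resource is additive for the single member it manages and leaves other invokers of the service untouched, which is the least-privilege shape for this module; a one-line comment above the resource, such as `# Grants invoker on this one service only; other members' bindings are left intact.`, would make that intent explicit. `depends_on` on the data source orders the read after the binding, but to my knowledge Terraform defers such a read to apply time whenever the dependency has pending changes, so `uri` will be unknown at plan time on first use; worth noting in a comment. The label `authorize-calls` and `var.service-account` use hyphens while `project_id` uses an underscore; Terraform's convention is underscores for both.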
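Review bot: `project_id` is the only variable without a `description`, which leaves an empty cell in the README that `documentation.yaml` generates and enforces with `fail-on-diff`; add `description = "The project that hosts the private Cloud Run service."` (wording to taste). The hyphenated `service-account` name is inconsistent with `project_id`; since the module is new, renaming it to `service_account` (together with the reference in `main.tf`) now avoids a breaking rename later. A `validation` block on `service-account` that rejects an empty string would turn a malformed `member` into a plan-time error instead of a Cloud IAM API error, though that is optional.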