Commit
Create a networking module for provisioning a Cloud Run compatible network

This creates a module suitable for provisioning a network and regional subnets suitable for use with Cloud Run's direct VPC egress feature (in preview).

Signed-off-by: Matt Moore <[email protected]>
Showing 8 changed files with 209 additions and 9 deletions.
@@ -0,0 +1,71 @@ | ||
# `networking` | ||
|
||
This module sets up GCP networking suitable for operating Cloud Run services | ||
utilizing the preview [Direct VPC egress](https://cloud.google.com/run/docs/configuring/vpc-direct-vpc) | ||
feature to talk to other "internal ingress" Cloud Run services, and access other | ||
GCP resources that live within or are accessible via the provisioned network. | ||
The intended usage of this module: | ||
|
||
```hcl | ||
// Create a network with several regional subnets | ||
module "networking" { | ||
source = "chainguard-dev/glue/cloudrun//networking" | ||
name = "my-networking" | ||
project_id = var.project_id | ||
// These are all of the regions where direct VPC egress is | ||
// supported in preview. | ||
regions = [ | ||
"us-east1", | ||
"us-central1", | ||
"europe-west1", | ||
"europe-west3", | ||
"asia-northeast1", | ||
] | ||
} | ||
``` | ||
|
||
<!-- BEGIN_TF_DOCS --> | ||
## Requirements | ||
|
||
No requirements. | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_google"></a> [google](#provider\_google) | n/a | | ||
| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | n/a | | ||
| <a name="provider_random"></a> [random](#provider\_random) | n/a | | ||
|
||
## Modules | ||
|
||
| Name | Source | Version | | ||
|------|--------|---------| | ||
| <a name="module_authorize-delivery"></a> [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a | | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [google-beta_google_project_service_identity.pubsub](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_project_service_identity) | resource | | ||
| [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource | | ||
| [google_service_account.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | | ||
| [google_service_account_iam_binding.allow-pubsub-to-mint-tokens](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | | ||
| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_broker"></a> [broker](#input\_broker) | The name of the pubsub topic we are using as a broker. | `string` | n/a | yes | | ||
| <a name="input_filter"></a> [filter](#input\_filter) | A Knative Trigger-style filter over the cloud event attributes. | `map(string)` | n/a | yes | | ||
| <a name="input_name"></a> [name](#input\_name) | n/a | `string` | n/a | yes | | ||
| <a name="input_private-service"></a> [private-service](#input\_private-service) | The private cloud run service that is subscribing to these events. | <pre>object({<br> name = string<br> region = string<br> })</pre> | n/a | yes | | ||
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | | ||
|
||
## Outputs | ||
|
||
No outputs. | ||
<!-- END_TF_DOCS --> |
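Review bot: the generated `<!-- BEGIN_TF_DOCS -->` block does not describe this module. It lists inputs `broker`, `filter` and `private-service`, a module `authorize-delivery` sourced from `../authorize-private-service`, and Pub/Sub and service-account resources, none of which exist in the networking module, while the module's real inputs (`name`, `project_id`, `regions`, `cidr`) and its network, subnetwork and DNS resources are absent. It appears to have been copied from a sibling module's README; regenerate it with terraform-docs against this directory before merging. The usage example should also show the optional `cidr` input, since subnet sizing in the module is derived from it.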
@@ -0,0 +1,60 @@ | ||
// Create a special DNS zone attached to the network in which | ||
// we will operate our services that reroutes *.run.app to records | ||
// that we control. | ||
resource "google_dns_managed_zone" "cloud-run-internal" { | ||
project = var.project_id | ||
name = "cloud-run-internal" | ||
dns_name = "run.app." | ||
description = "This reroutes run.app requests to private.googleapis.com" | ||
|
||
visibility = "private" | ||
|
||
private_visibility_config { | ||
networks { | ||
network_url = google_compute_network.this.id | ||
} | ||
} | ||
} | ||
|
||
// Create a record for *.run.app that points to private.googleapis.com | ||
resource "google_dns_record_set" "cloud-run-cname" { | ||
project = var.project_id | ||
name = "*.run.app." | ||
managed_zone = google_dns_managed_zone.cloud-run-internal.name | ||
type = "CNAME" | ||
ttl = 60 | ||
|
||
rrdatas = ["private.googleapis.com."] | ||
} | ||
|
||
// Create a special DNS zone attached to the network in which | ||
// we will operate our services that reroutes private.googleapis.com | ||
// to records that we control. | ||
resource "google_dns_managed_zone" "private-google-apis" { | ||
project = var.project_id | ||
name = "private-google-apis" | ||
dns_name = "private.googleapis.com." | ||
description = "This maps DNS for private.googleapis.com" | ||
|
||
visibility = "private" | ||
|
||
private_visibility_config { | ||
networks { | ||
network_url = google_compute_network.this.id | ||
} | ||
} | ||
} | ||
|
||
// Create a record for private.googleapis.com that points to | ||
// the documented internal IP addresses for the Google APIs. | ||
resource "google_dns_record_set" "private-googleapis-a-record" { | ||
project = var.project_id | ||
name = "private.googleapis.com." | ||
managed_zone = google_dns_managed_zone.private-google-apis.name | ||
type = "A" | ||
ttl = 60 | ||
|
||
// This IP range is documented here: | ||
// https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid | ||
rrdatas = [for x in range(8, 12) : "199.36.153.${x}"] | ||
} |
@@ -0,0 +1,25 @@ | ||
// Create a global network in which to place our resources. | ||
resource "google_compute_network" "this" { | ||
name = var.name | ||
auto_create_subnetworks = false | ||
routing_mode = "GLOBAL" | ||
project = var.project_id | ||
delete_default_routes_on_create = true | ||
} | ||
|
||
// Create regional subnets in each of the specified regions, | ||
// which we will use to operate Cloud Run services. | ||
resource "google_compute_subnetwork" "regional" { | ||
for_each = { | ||
for region in var.regions : region => 1 + index(var.regions, region) | ||
} | ||
|
||
name = "${var.name}-${each.key}" | ||
|
||
// This is needed in order to interact with Google APIs like Pub/Sub. | ||
private_ip_google_access = true | ||
|
||
network = google_compute_network.this.id | ||
region = each.key | ||
ip_cidr_range = cidrsubnet(var.cidr, 8, each.value) | ||
} |
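Review bot: `delete_default_routes_on_create = true` removes the 0.0.0.0/0 route to the default internet gateway, but nothing in this module adds a replacement route for the `199.36.153.8/30` range that `dns.tf` maps `private.googleapis.com` to. Private Google Access requires a route to that range whose next hop is the default internet gateway, so without a `google_compute_route` (`dest_range = "199.36.153.8/30"`, `next_hop_gateway = "default-internet-gateway"`) traffic from these subnets to Google APIs and to internal Cloud Run services has no path. Separately, `1 + index(var.regions, region)` ties each subnet's CIDR to its position in the list, so inserting or reordering a region renumbers the later subnets and forces their replacement; a map input or a stable per-region offset would avoid that.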
@@ -0,0 +1,12 @@ | ||
output "network_id" { | ||
value = google_compute_network.this.id | ||
} | ||
|
||
output "regional-networks" { | ||
value = { | ||
for region in var.regions : region => { | ||
network = google_compute_network.this.id | ||
subnet = google_compute_subnetwork.regional[region].name | ||
} | ||
} | ||
} |
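Review bot: the two outputs mix naming conventions (`network_id` with an underscore, `regional-networks` with a hyphen) and neither carries a `description`, which is why terraform-docs would render them as n/a. Pick one convention (the variables use underscores, e.g. `project_id`) and add descriptions such as `description = "The id of the provisioned network."`. Consider also exposing the subnet's `id` or `self_link` next to `name`, so callers that need a fully qualified subnetwork reference do not have to reconstruct it.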
@@ -0,0 +1,16 @@ | ||
variable "name" { | ||
type = string | ||
} | ||
|
||
variable "project_id" { | ||
type = string | ||
} | ||
|
||
variable "regions" { | ||
type = list(string) | ||
description = "The list of regions in which to provision subnets suitable for use with Cloud Run direct VPC egress." | ||
} | ||
|
||
variable "cidr" { | ||
default = "10.0.0.0/8" | ||
} |
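Review bot: `cidr` has neither a `type` nor a `description`, and `name` and `project_id` lack descriptions, so the generated docs show n/a for them; add `type = string` and describe each. Because `network.tf` carves subnets with `cidrsubnet(var.cidr, 8, n)`, a `cidr` longer than about /21 yields subnets smaller than GCP's /29 minimum, so a `validation` block on the prefix length would fail early with a clear message instead of at apply time. `regions` also has no uniqueness check; a duplicate entry produces a duplicate map key in the `for_each` expression in `network.tf`, so `condition = length(distinct(var.regions)) == length(var.regions)` is worth adding.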