diff --git a/cloud-armor-demo/prereq.sh b/cloud-armor-demo/prereq.sh
index c5096b1c..1f731b9e 100644
--- a/cloud-armor-demo/prereq.sh
+++ b/cloud-armor-demo/prereq.sh
@@ -51,4 +51,10 @@ MEMBER=serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com
 add_iam_member $MEMBER roles/editor
 add_iam_member $MEMBER roles/iam.securityAdmin
+COMPUTEMEMBER=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
+add_iam_member $COMPUTEMEMBER roles/editor
+add_iam_member $COMPUTEMEMBER roles/iam.securityAdmin
+add_iam_member $COMPUTEMEMBER roles/logging.logWriter
+add_iam_member $COMPUTEMEMBER roles/storage.admin
+
 echo Script completed successfully!
diff --git a/wordpress-on-cloudrun/README.md b/wordpress-on-cloudrun/README.md
index 04f71861..0d502d29 100644
--- a/wordpress-on-cloudrun/README.md
+++ b/wordpress-on-cloudrun/README.md
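Review bot: The added lines grant `roles/editor` and `roles/iam.securityAdmin` (plus `roles/storage.admin`) to the project's default Compute Engine service account, the identity that VMs, Cloud Run revisions and Cloud Build workers run as unless told otherwise; `iam.securityAdmin` lets that identity rewrite project IAM, so any workload running as it can escalate itself. Unless a specific step needs each role, narrow this to what the build actually uses and say which step needs it in a comment above `COMPUTEMEMBER=`, e.g. `# default compute SA: needed by <step> for <resource>; keep to least privilege`. The same grants are repeated for `MEMBER_COMPUTE` in wordpress-on-cloudrun/prereq.sh at the end of this diff. Both scripts also leave `$COMPUTEMEMBER` / `$MEMBER_COMPUTE` unquoted; quoting them (`add_iam_member "$COMPUTEMEMBER" roles/logging.logWriter`) makes an empty or malformed `PROJECT_NUMBER` fail loudly instead of word-splitting. `add_iam_member` itself is defined outside the hunk.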
@@ -48,7 +48,9 @@ Pricing Estimates - We have created a sample estimate based on some usage we see
 sh prereq.sh
 ```
-Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.
+⚠️ Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.
+
+⚠️ Please note - New organizations have the 'Restrict Authorized Networks on Cloud SQL instances' policy enforced by default. You may have to edit the policy to allow cloud run to access Cloud SQL instance. Please refer to this [page](https://cloud.google.com/sql/docs/mysql/org-policy/org-policy#connection-constraints) for more information.
 3. Run the Cloud Build Job
 ```
diff --git a/wordpress-on-cloudrun/build/cloudbuild.yaml b/wordpress-on-cloudrun/build/cloudbuild.yaml
index 1fb02171..37832471 100644
--- a/wordpress-on-cloudrun/build/cloudbuild.yaml
+++ b/wordpress-on-cloudrun/build/cloudbuild.yaml
@@ -32,6 +32,7 @@ steps:
 options:
   env:
   - TF_VAR_project_id=$PROJECT_ID
+  - TF_VAR_project_number=$PROJECT_NUMBER
 tags:
 - terraform
 - wordpress-on-cloudrun
diff --git a/wordpress-on-cloudrun/infra/cloudsql.tf b/wordpress-on-cloudrun/infra/cloudsql.tf
index 30af3899..931ceac4 100644
--- a/wordpress-on-cloudrun/infra/cloudsql.tf
+++ b/wordpress-on-cloudrun/infra/cloudsql.tf
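Review bot: `TF_VAR_project_number=$PROJECT_NUMBER` only takes effect if a `variable "project_number"` is declared, and no such declaration appears anywhere in this diff (variables.tf adds only `resource_labels`); main.tf instead adds `data "google_project" "project" {}`, which already exposes the project number. Terraform ignores a `TF_VAR_` environment entry for an undeclared variable without warning, so if the variable does not exist elsewhere this line is dead and the data source is the real source of truth. Either declare the variable or drop the line, and add a short comment on the surviving one, e.g. `# project number comes from data.google_project.project; no TF_VAR needed`.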
@@ -18,46 +18,51 @@ resource "random_password" "cloudsql_password" {
   length = 8
 }
-# create a VPC for CloudSQL
-module "vpc" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vpc?ref=v23.0.0"
-  project_id = module.project.project_id
-  name = "sql-vpc"
-  subnets = [
-    {
-      ip_cidr_range = var.ip_ranges.sql_vpc
-      name = "subnet"
-      region = var.region
-    }
-  ]
-  psa_config = {
-    ranges = {
-      cloud-sql = var.ip_ranges.psa
+# create a VPC connector for the ClouSQL VPC
+#resource "google_vpc_access_connector" "connector" {
+#  count = var.create_connector ? 1 : 0
+#  project = var.project_id
+#  name = "wp-connector"
+#  region = var.region
+#  ip_cidr_range = var.ip_ranges.connector
+#  network = module.vpc.network_self_link
+#}
+
+resource "google_sql_database_instance" "cloud_sql" {
+  name = "mysql-db"
+  database_version = "MYSQL_5_7"
+  region = var.region
+  project = var.project_id
+  settings {
+    tier = "db-g1-small"
+    user_labels = local.resource_labels
+    disk_autoresize = true
+    disk_autoresize_limit = 0
+    disk_size = 10
+    disk_type = "PD_SSD"
+
+    ip_configuration {
+      authorized_networks {
+        name = "default_network"
+        value = "0.0.0.0/0"
+      }
     }
+
+#    ip_configuration {
+#      ipv4_enabled = false
+#      private_network = module.vpc.network_self_link
+#    }
   }
+  deletion_protection = false
 }
-# create a VPC connector for the ClouSQL VPC
-resource "google_vpc_access_connector" "connector" {
-  count = var.create_connector ? 1 : 0
-  project = module.project.project_id
-  name = "wp-connector"
-  region = var.region
-  ip_cidr_range = var.ip_ranges.connector
-  network = module.vpc.self_link
+resource "google_sql_database" "database" {
+  name = "wp-mysql"
+  instance = google_sql_database_instance.cloud_sql.name
 }
-# Set up CloudSQL
-module "cloudsql" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloudsql-instance?ref=v23.0.0"
-  project_id = module.project.project_id
-  network = module.vpc.self_link
-  name = "mysql"
-  region = var.region
-  database_version = local.cloudsql_conf.database_version
-  tier = local.cloudsql_conf.tier
-  databases = [local.cloudsql_conf.db]
-  users = {
-    "${local.cloudsql_conf.user}" = var.cloudsql_password
-  }
-}
+resource "google_sql_user" "users" {
+  name = "wp-user"
+  instance = google_sql_database_instance.cloud_sql.name
+  password = random_password.cloudsql_password.result
+}
\ No newline at end of file
diff --git a/wordpress-on-cloudrun/infra/main.tf b/wordpress-on-cloudrun/infra/main.tf
index 15086888..2c94d4ba 100644
--- a/wordpress-on-cloudrun/infra/main.tf
+++ b/wordpress-on-cloudrun/infra/main.tf
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+data "google_project" "project" {}
 locals {
   all_principals_iam = [for k in var.principals : "user:${k}"]
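Review bot: `authorized_networks { value = "0.0.0.0/0" }` opens the instance's public IP to every IPv4 address, so the only thing between the internet and MySQL is the `wp-user` password generated with `length = 8` at the top of this hunk; the README change in this commit even asks users to relax the 'Restrict Authorized Networks' org policy, which is the guardrail against exactly this. The Cloud Run service in main.tf already mounts the Cloud SQL volume for this instance, so the open network is not needed: drop the `authorized_networks` block (an empty `ip_configuration {}` or the default is enough) and point `WORDPRESS_DB_HOST` at the `/cloudsql` socket instead of `ip_address.0.ip_address:3306`. Alternatively finish the commented-out private-IP `ip_configuration` against the `module.vpc` network that network.tf now creates, which also needs a private services access range on that VPC. `database_version = "MYSQL_5_7"` disagrees with the `database_version = "MYSQL_8_0"` still in main.tf's `locals`, and `deletion_protection = false` deserves a comment such as `# demo instance: no deletion protection so `terraform destroy` is clean` so nobody copies it into a real deployment.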
@@ -20,89 +21,77 @@ locals {
     database_version = "MYSQL_8_0"
     tier = "db-g1-small"
     db = "wp-mysql"
-    user = "admin"
   }
-  iam = {
-    # CloudSQL
-    "roles/cloudsql.admin" = local.all_principals_iam
-    "roles/cloudsql.client" = local.all_principals_iam
-    "roles/cloudsql.instanceUser" = local.all_principals_iam
-    # common roles
-    "roles/logging.admin" = local.all_principals_iam
-    "roles/iam.serviceAccountUser" = local.all_principals_iam
-    "roles/iam.serviceAccountTokenCreator" = local.all_principals_iam
-  }
-  connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
+
+  #connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
   prefix = "wordpress-on-cloudrun"
 }
-# either create a project or set up the given one
-module "project" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v23.0.0"
-  name = var.project_id
-  parent = try(var.project_create.parent, null)
-  billing_account = try(var.project_create.billing_account_id, null)
-  project_create = var.project_create != null
-  prefix = var.project_create == null ? null : var.prefix
-  iam = var.project_create != null ? local.iam : {}
-  iam_additive = var.project_create == null ? local.iam : {}
-  services = [
-    "run.googleapis.com",
-    "logging.googleapis.com",
-    "monitoring.googleapis.com",
-    "sqladmin.googleapis.com",
-    "sql-component.googleapis.com",
-    "vpcaccess.googleapis.com",
-    "servicenetworking.googleapis.com"
-  ]
-}
 resource "random_password" "wp_password" {
   length = 8
 }
-# create the Cloud Run service
-module "cloud_run" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloud-run?ref=v23.0.0"
-  project_id = module.project.project_id
-  name = "cr-wordpress"
-  region = var.region
+resource "google_cloud_run_v2_service" "default" {
+  provider = google-beta
+  name = "cr-wordpress"
+  location = var.region
+  deletion_protection = false
+  ingress = "INGRESS_TRAFFIC_ALL"
-  containers = {
-    wordpress = {
+  template {
+    containers {
       image = var.wordpress_image
-      ports = {
-        http = {
-          container_port = var.wordpress_port
-          name = "http1"
-          protocol = null
-        }
+      ports {
+        container_port = var.wordpress_port
       }
-      # set up the database connection
-      env = {
-        "WORDPRESS_DB_HOST" : module.cloudsql.ip
-        "WORDPRESS_DB_NAME" : local.cloudsql_conf.db
-        "WORDPRESS_DB_USER" : local.cloudsql_conf.user
-        "WORDPRESS_DB_PASSWORD" : var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
+
+      env {
+        name = "WORDPRESS_DB_HOST"
+        value = "${google_sql_database_instance.cloud_sql.ip_address.0.ip_address}:3306"
+      }
+      env {
+        name = "WORDPRESS_DB_NAME"
+        value = local.cloudsql_conf.db
+      }
+      env {
+        name = "WORDPRESS_DB_USER"
+        value = "wp-user"
+      }
+      env {
+        name = "WORDPRESS_DB_PASSWORD"
+        value = random_password.cloudsql_password.result
+      }
+      env {
+        name = "WORDPRESS_DEBUG"
+        value = 1
       }
-    }
-  }
-  iam = {
-    "roles/run.invoker" : [var.cloud_run_invoker]
-  }
+      volume_mounts {
+        name = "cloudsql"
+        mount_path = "/cloudsql"
+      }
+    }
-  revision_annotations = {
-    autoscaling = {
-      min_scale = 1
-      max_scale = 2
+    volumes {
+      name = "cloudsql"
+      cloud_sql_instance {
+        instances = [google_sql_database_instance.cloud_sql.connection_name]
+      }
     }
-    # connect to CloudSQL
-    cloudsql_instances = [module.cloudsql.connection_name]
-    vpcaccess_connector = null
-    # allow all traffic
-    vpcaccess_egress = "all-traffic"
-    vpcaccess_connector = local.connector
   }
-  ingress_settings = "all"
+}
+
+resource "google_cloud_run_service_iam_policy" "public" {
+  location = google_cloud_run_v2_service.default.location
+  project = google_cloud_run_v2_service.default.project
+  service = google_cloud_run_v2_service.default.name
+
+  policy_data = jsonencode({
+    bindings = [
+      {
+        role = "roles/run.invoker"
+        members = ["allUsers"]
+      },
+    ]
+  })
 }
diff --git a/wordpress-on-cloudrun/infra/network.tf b/wordpress-on-cloudrun/infra/network.tf
new file mode 100644
index 00000000..dd457192
--- /dev/null
+++ b/wordpress-on-cloudrun/infra/network.tf
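Review bot: `google_cloud_run_service_iam_policy.public` is authoritative and hard-codes `allUsers`, so it overwrites any other binding on the service and silently ignores `var.cloud_run_invoker`, which variables.tf still declares for exactly this purpose. A non-authoritative member binding keeps the variable in control and lets a deployer pick something narrower than the public internet, which matters more now that the same service sets `WORDPRESS_DEBUG` to `1` and passes `WORDPRESS_DB_PASSWORD` as a plain env `value` readable by anyone who can view the revision; `value_source { secret_key_ref { … } }` is the v2 way to reference a Secret Manager secret, and the debug flag should not ship on an internet-facing service. `WORDPRESS_DB_HOST` also targets the public `ip_address.0.ip_address:3306` while the `/cloudsql` volume mounted a few lines below is never used, so one of the two connection paths is dead.

```hcl
resource "google_cloud_run_service_iam_member" "invoker" {
  location = google_cloud_run_v2_service.default.location
  project  = google_cloud_run_v2_service.default.project
  service  = google_cloud_run_v2_service.default.name
  role     = "roles/run.invoker"
  member   = var.cloud_run_invoker # "allUsers" only if the deployer chooses it
}
```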
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "vpc" {
+  source = "terraform-google-modules/network/google"
+  version = "~> 9.3.0"
+  project_id = var.project_id
+  network_name = "sql-vpc"
+  routing_mode = "GLOBAL"
+
+  subnets = [
+    {
+      subnet_name = "subnet-${var.region}"
+      subnet_ip = "10.0.6.0/24"
+      subnet_region = var.region
+      subnet_private_access = true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/wordpress-on-cloudrun/infra/outputs.tf b/wordpress-on-cloudrun/infra/outputs.tf
index a2b204df..7f6f0756 100644
--- a/wordpress-on-cloudrun/infra/outputs.tf
+++ b/wordpress-on-cloudrun/infra/outputs.tf
@@ -14,13 +14,13 @@
  * limitations under the License.
  */
-output "cloud_run_service" {
-  description = "CloudRun service URL"
-  value = module.cloud_run.service.status[0].url
-}
+#output "cloud_run_service" {
+#  description = "CloudRun service URL"
+#  value = module.cloud_run.service.status[0].url
+#}
-output "cloudsql_password" {
-  description = "CloudSQL password"
-  value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
-  sensitive = true
-}
+#output "cloudsql_password" {
+#  description = "CloudSQL password"
+#  value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
+#  sensitive = true
+#}
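Review bot: Nothing on the new side of this diff references `module.vpc`; the only mentions are the commented-out `google_vpc_access_connector` and private-IP `ip_configuration` in cloudsql.tf, so the `sql-vpc` network and its `10.0.6.0/24` subnet are created without carrying any traffic, and a reader could assume the database sits on a private network when it does not. Either finish the private-IP path (Cloud SQL `private_network` plus a private services access range on this VPC) or leave the file out until it is used; if it stays, a header comment such as `# Reserved for Cloud SQL private IP; not yet wired in, see cloudsql.tf` states the intent. The file also ends without a trailing newline.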
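Review bot: Commenting out both outputs leaves the module with no service URL output even though the new `google_cloud_run_v2_service.default` exposes one; `output "cloud_run_service" { value = google_cloud_run_v2_service.default.uri }` is the replacement for the removed `module.cloud_run.service.status[0].url`. The commented `cloudsql_password` output references `module.cloudsql`, which this commit removes, so it is dead text and should be deleted rather than kept; if a password output is wanted again it should read `random_password.cloudsql_password.result` and keep `sensitive = true`.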
diff --git a/wordpress-on-cloudrun/infra/versions.tf b/wordpress-on-cloudrun/infra/provider.tf
similarity index 70%
rename from wordpress-on-cloudrun/infra/versions.tf
rename to wordpress-on-cloudrun/infra/provider.tf
index 32772940..24c5761f 100644
--- a/wordpress-on-cloudrun/infra/versions.tf
+++ b/wordpress-on-cloudrun/infra/provider.tf
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,19 +15,18 @@
 terraform {
   backend "gcs" {
   }
-  required_version = ">= 1.4.4"
-  required_providers {
-    google = {
-      source = "hashicorp/google"
-      version = ">= 4.69.1" # tftest
-    }
-    google-beta = {
-      source = "hashicorp/google-beta"
-      version = ">= 4.69.1" # tftest
-    }
-  }
   provider_meta "google" {
     module_name = "cloud-solutions/wordpress-on-cloudrun-v1.0"
   }
 }
+
+provider "google" {
+  project = var.project_id
+  region = var.region
+}
+
+provider "google-beta" {
+  project = var.project_id
+  region = var.region
+}
diff --git a/wordpress-on-cloudrun/infra/variables.tf b/wordpress-on-cloudrun/infra/variables.tf
index e4b0bb03..4e1df1dd 100644
--- a/wordpress-on-cloudrun/infra/variables.tf
+++ b/wordpress-on-cloudrun/infra/variables.tf
@@ -14,6 +14,22 @@
  * limitations under the License.
  */
+locals {
+  resource_labels = merge(var.resource_labels, {
+    deployed_by = "cloudbuild"
+    env = "sandbox"
+    repo = "click-to-deploy-solutions"
+    solution = "three-tier-gke"
+    terraform = "true"
+  })
+}
+
+variable "resource_labels" {
+  type = map(string)
+  description = "Resource labels"
+  default = {}
+}
+
 # Documentation: https://cloud.google.com/run/docs/securing/managing-access#making_a_service_public
 variable "cloud_run_invoker" {
   type = string
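Review bot: Removing `required_version` and the whole `required_providers` block leaves `google` and `google-beta` unpinned, so every `terraform init` resolves the newest provider release and a future major version can change or break this deployment with no change in the repo; the `provider = google-beta` in main.tf now also depends on implicit provider discovery. Keep the constraints alongside the new `provider` blocks: the removed `>= 4.69.1` was the documented floor, and an upper bound via `~>` on the version these `google_cloud_run_v2_service` arguments were tested with is safer. The exact pin is for the author to confirm; the block below marks it as a placeholder.

```hcl
terraform {
  required_version = ">= 1.4.4"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> X.Y" # placeholder: pin to the provider version this was tested with
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> X.Y" # placeholder: same as above
    }
  }
  # … unchanged: backend "gcs" and provider_meta …
}
```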
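Review bot: `solution = "three-tier-gke"` in the new `resource_labels` local looks copied from another solution; this project calls itself `wordpress-on-cloudrun` (see `prefix` in main.tf's `locals`), and labels are what billing export and asset inventory group on, so the Cloud SQL instance will be reported under the wrong solution. Change it to `solution = "wordpress-on-cloudrun"`. The `locals` block also lives in variables.tf while the project's other locals are in main.tf; merging it into that `locals` keeps one place to look. `local.resource_labels` is applied only to the instance's `user_labels`; the Cloud Run service in main.tf gets no `labels`, so the set is incomplete if the labels are meant to cover the deployment.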
@@ -51,8 +51,10 @@ gcloud services enable cloudbuild.googleapis.com \
   pubsub.googleapis.com \
   secretmanager.googleapis.com \
   servicenetworking.googleapis.com \
+  sqladmin.googleapis.com \
   storage.googleapis.com \
   serviceusage.googleapis.com \
+  vpcaccess.googleapis.com \
   --project $PROJECT_ID
 echo "Granting Cloud Build's Service Account IAM roles to deploy the resources..."
@@ -63,4 +65,9 @@ add_iam_member $MEMBER roles/iam.securityAdmin
 add_iam_member $MEMBER roles/compute.networkAdmin
 add_iam_member $MEMBER roles/secretmanager.admin
+MEMBER_COMPUTE=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
+add_iam_member $MEMBER_COMPUTE roles/editor
+add_iam_member $MEMBER_COMPUTE roles/storage.objectAdmin
+add_iam_member $MEMBER_COMPUTE roles/iam.securityAdmin
+
 echo Script completed successfully!
\ No newline at end of file