From 1acdf5a4a685177dbcf481df5e6488b884dd0c05 Mon Sep 17 00:00:00 2001
From: Fellipe Medeiros
Date: Wed, 6 Nov 2024 13:36:06 +0000
Subject: [PATCH 1/3] Refactor solution

---
 cloud-armor-demo/prereq.sh | 6 +
 wordpress-on-cloudrun/build/cloudbuild.yaml | 1 +
 wordpress-on-cloudrun/infra/cloudsql.tf | 76 +++++------
 wordpress-on-cloudrun/infra/main.tf | 127 ++++++++----------
 wordpress-on-cloudrun/infra/network.tf | 32 +++++
 wordpress-on-cloudrun/infra/outputs.tf | 18 +--
 .../infra/{versions.tf => provider.tf} | 23 ++--
 wordpress-on-cloudrun/infra/variables.tf | 16 +++
 wordpress-on-cloudrun/prereq.sh | 7 +
 9 files changed, 178 insertions(+), 128 deletions(-)
 create mode 100644 wordpress-on-cloudrun/infra/network.tf
 rename wordpress-on-cloudrun/infra/{versions.tf => provider.tf} (70%)

diff --git a/cloud-armor-demo/prereq.sh b/cloud-armor-demo/prereq.sh
index c5096b1c..1f731b9e 100644
--- a/cloud-armor-demo/prereq.sh
+++ b/cloud-armor-demo/prereq.sh
@@ -51,4 +51,10 @@ MEMBER=serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com
 add_iam_member $MEMBER roles/editor
 add_iam_member $MEMBER roles/iam.securityAdmin
+COMPUTEMEMBER=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
+add_iam_member $COMPUTEMEMBER roles/editor
+add_iam_member $COMPUTEMEMBER roles/iam.securityAdmin
+add_iam_member $COMPUTEMEMBER roles/logging.logWriter
+add_iam_member $COMPUTEMEMBER roles/storage.admin
+
 echo Script completed successfully!
diff --git a/wordpress-on-cloudrun/build/cloudbuild.yaml b/wordpress-on-cloudrun/build/cloudbuild.yaml
index 1fb02171..37832471 100644
--- a/wordpress-on-cloudrun/build/cloudbuild.yaml
+++ b/wordpress-on-cloudrun/build/cloudbuild.yaml
@@ -32,6 +32,7 @@ steps:
 options:
   env:
   - TF_VAR_project_id=$PROJECT_ID
+  - TF_VAR_project_number=$PROJECT_NUMBER
 tags:
   - terraform
   - wordpress-on-cloudrun
diff --git a/wordpress-on-cloudrun/infra/cloudsql.tf b/wordpress-on-cloudrun/infra/cloudsql.tf
index 30af3899..3d760f30 100644
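Review bot: The added `add_iam_member $COMPUTEMEMBER ...` lines hand the project's default Compute Engine service account `roles/editor`, `roles/iam.securityAdmin` and `roles/storage.admin`, project-wide and permanently, and every VM, Cloud Run revision or job that runs as that default identity inherits them. `roles/iam.securityAdmin` lets the holder rewrite IAM policies, so a compromise of any workload using the default account becomes a project-level privilege escalation rather than a contained incident. If the motivation is that Cloud Build now executes as the compute account (the commit message does not say), a dedicated build service account carrying only the roles the deployment needs is the usual fix; at minimum drop `roles/iam.securityAdmin` and add a comment naming which deployment step needs each remaining role. The same pattern appears in this patch's wordpress-on-cloudrun/prereq.sh hunk (`MEMBER_COMPUTE` with editor, storage.objectAdmin and iam.securityAdmin), so the fix should be applied to both scripts.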
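Review bot: `TF_VAR_project_number=$PROJECT_NUMBER` is exported to Terraform, but no `variable "project_number"` is declared in the variables.tf hunk of this patch, and main.tf now obtains the number through the new `data "google_project" "project" {}` instead. If the variable is not declared elsewhere, Terraform ignores an undeclared `TF_VAR_` value as far as I know, and the line is dead; either declare the variable and use it, or drop the line so the build config does not advertise an input that has no effect.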
--- a/wordpress-on-cloudrun/infra/cloudsql.tf
+++ b/wordpress-on-cloudrun/infra/cloudsql.tf
@@ -18,46 +18,46 @@ resource "random_password" "cloudsql_password" {
   length = 8
 }
-# create a VPC for CloudSQL
-module "vpc" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vpc?ref=v23.0.0"
-  project_id = module.project.project_id
-  name = "sql-vpc"
-  subnets = [
-    {
-      ip_cidr_range = var.ip_ranges.sql_vpc
-      name = "subnet"
-      region = var.region
-    }
-  ]
-  psa_config = {
-    ranges = {
-      cloud-sql = var.ip_ranges.psa
-    }
-  }
-}
-
 # create a VPC connector for the ClouSQL VPC
-resource "google_vpc_access_connector" "connector" {
-  count = var.create_connector ? 1 : 0
-  project = module.project.project_id
-  name = "wp-connector"
-  region = var.region
-  ip_cidr_range = var.ip_ranges.connector
-  network = module.vpc.self_link
-}
+#resource "google_vpc_access_connector" "connector" {
+#  count = var.create_connector ? 1 : 0
+#  project = var.project_id
+#  name = "wp-connector"
+#  region = var.region
+#  ip_cidr_range = var.ip_ranges.connector
+#  network = module.vpc.network_self_link
+#}
-# Set up CloudSQL
-module "cloudsql" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloudsql-instance?ref=v23.0.0"
-  project_id = module.project.project_id
-  network = module.vpc.self_link
-  name = "mysql"
+resource "google_sql_database_instance" "cloud_sql" {
+  name = "mysql-db"
+  database_version = "MYSQL_5_7"
   region = var.region
-  database_version = local.cloudsql_conf.database_version
-  tier = local.cloudsql_conf.tier
-  databases = [local.cloudsql_conf.db]
-  users = {
-    "${local.cloudsql_conf.user}" = var.cloudsql_password
+  project = var.project_id
+  settings {
+    tier = "db-g1-small"
+    user_labels = local.resource_labels
+    disk_autoresize = true
+    disk_autoresize_limit = 0
+    disk_size = 10
+    disk_type = "PD_SSD"
+
+    ip_configuration {
+      authorized_networks {
+        name = "default_network"
+        value = "0.0.0.0/0"
+      }
+    }
+
+#    ip_configuration {
+#      ipv4_enabled = false
+#      private_network = module.vpc.network_self_link
+#    }
   }
+
   deletion_protection = false
 }
+
+resource "google_sql_user" "users" {
+  name = "wp-user"
+  instance = google_sql_database_instance.cloud_sql.name
+  password = random_password.cloudsql_password.result
+}
\ No newline at end of file
diff --git a/wordpress-on-cloudrun/infra/main.tf b/wordpress-on-cloudrun/infra/main.tf
index 15086888..2c94d4ba 100644
--- a/wordpress-on-cloudrun/infra/main.tf
+++ b/wordpress-on-cloudrun/infra/main.tf
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+data "google_project" "project" {}
 locals {
   all_principals_iam = [for k in var.principals : "user:${k}"]
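Review bot: `authorized_networks { value = "0.0.0.0/0" }` on the new `google_sql_database_instance` exposes the instance's public IPv4 listener to the entire internet, with the 8-character `random_password` in the hunk's context as the only barrier, while the private-IP `ip_configuration` that would replace it stays commented out. The Cloud Run service in main.tf already reaches the instance through the `cloudsql` volume (`cloud_sql_instance { instances = [...connection_name] }`), so the public listener is not needed for the application: remove the `authorized_networks` block, set `ipv4_enabled = false` and `private_network = module.vpc.network_self_link` (the `vpc` module in network.tf is otherwise unused), and point `WORDPRESS_DB_HOST` at the mounted socket, e.g. `value = "localhost:/cloudsql/${google_sql_database_instance.cloud_sql.connection_name}"`. Doing so also removes the need for PATCH 3's README step that asks users to relax the 'Restrict Authorized Networks on Cloud SQL instances' org policy, which exists to block exactly this configuration. If a public address must remain, restrict `value` to a specific CIDR and raise the password `length` well above 8. `database_version = "MYSQL_5_7"` also diverges from the `MYSQL_8_0` the locals still declare (and 5.7 is end-of-life upstream); `database_version = local.cloudsql_conf.database_version` would keep the two in step.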
@@ -20,89 +21,77 @@ locals {
   database_version = "MYSQL_8_0"
   tier = "db-g1-small"
   db = "wp-mysql"
-    user = "admin"
   }
-  iam = {
-    # CloudSQL
-    "roles/cloudsql.admin" = local.all_principals_iam
-    "roles/cloudsql.client" = local.all_principals_iam
-    "roles/cloudsql.instanceUser" = local.all_principals_iam
-    # common roles
-    "roles/logging.admin" = local.all_principals_iam
-    "roles/iam.serviceAccountUser" = local.all_principals_iam
-    "roles/iam.serviceAccountTokenCreator" = local.all_principals_iam
-  }
-  connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
+
+  #connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
   prefix = "wordpress-on-cloudrun"
 }
-# either create a project or set up the given one
-module "project" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v23.0.0"
-  name = var.project_id
-  parent = try(var.project_create.parent, null)
-  billing_account = try(var.project_create.billing_account_id, null)
-  project_create = var.project_create != null
-  prefix = var.project_create == null ? null : var.prefix
-  iam = var.project_create != null ? local.iam : {}
-  iam_additive = var.project_create == null ? 
local.iam : {}
-  services = [
-    "run.googleapis.com",
-    "logging.googleapis.com",
-    "monitoring.googleapis.com",
-    "sqladmin.googleapis.com",
-    "sql-component.googleapis.com",
-    "vpcaccess.googleapis.com",
-    "servicenetworking.googleapis.com"
-  ]
-}
-
 resource "random_password" "wp_password" {
   length = 8
 }
-# create the Cloud Run service
-module "cloud_run" {
-  source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloud-run?ref=v23.0.0"
-  project_id = module.project.project_id
-  name = "cr-wordpress"
-  region = var.region
+resource "google_cloud_run_v2_service" "default" {
+  provider = google-beta
+  name = "cr-wordpress"
+  location = var.region
+  deletion_protection = false
+  ingress = "INGRESS_TRAFFIC_ALL"
-  containers = {
-    wordpress = {
+  template {
+    containers {
       image = var.wordpress_image
-      ports = {
-        http = {
-          container_port = var.wordpress_port
-          name = "http1"
-          protocol = null
-        }
+      ports {
+        container_port = var.wordpress_port
       }
-      # set up the database connection
-      env = {
-        "WORDPRESS_DB_HOST" : module.cloudsql.ip
-        "WORDPRESS_DB_NAME" : local.cloudsql_conf.db
-        "WORDPRESS_DB_USER" : local.cloudsql_conf.user
-        "WORDPRESS_DB_PASSWORD" : var.cloudsql_password == null ? 
module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
+
+      env {
+        name = "WORDPRESS_DB_HOST"
+        value = "${google_sql_database_instance.cloud_sql.ip_address.0.ip_address}:3306"
+      }
+      env {
+        name = "WORDPRESS_DB_NAME"
+        value = local.cloudsql_conf.db
+      }
+      env {
+        name = "WORDPRESS_DB_USER"
+        value = "wp-user"
+      }
+      env {
+        name = "WORDPRESS_DB_PASSWORD"
+        value = random_password.cloudsql_password.result
+      }
+      env {
+        name = "WORDPRESS_DEBUG"
+        value = 1
       }
-    }
-  }
-  iam = {
-    "roles/run.invoker" : [var.cloud_run_invoker]
-  }
+      volume_mounts {
+        name = "cloudsql"
+        mount_path = "/cloudsql"
+      }
+    }
-  revision_annotations = {
-    autoscaling = {
-      min_scale = 1
-      max_scale = 2
+    volumes {
+      name = "cloudsql"
+      cloud_sql_instance {
+        instances = [google_sql_database_instance.cloud_sql.connection_name]
+      }
     }
-    # connect to CloudSQL
-    cloudsql_instances = [module.cloudsql.connection_name]
-    vpcaccess_connector = null
-    # allow all traffic
-    vpcaccess_egress = "all-traffic"
-    vpcaccess_connector = local.connector
   }
-  ingress_settings = "all"
+}
+
+resource "google_cloud_run_service_iam_policy" "public" {
+  location = google_cloud_run_v2_service.default.location
+  project = google_cloud_run_v2_service.default.project
+  service = google_cloud_run_v2_service.default.name
+
+  policy_data = jsonencode({
+    bindings = [
+      {
+        role = "roles/run.invoker"
+        members = ["allUsers"]
+      },
+    ]
+  })
 }
diff --git a/wordpress-on-cloudrun/infra/network.tf b/wordpress-on-cloudrun/infra/network.tf
new file mode 100644
index 00000000..dd457192
--- /dev/null
+++ b/wordpress-on-cloudrun/infra/network.tf
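Review bot: The new `google_cloud_run_service_iam_policy` hard-codes `members = ["allUsers"]`, which drops `var.cloud_run_invoker` — the input the removed `iam` block used and which variables.tf still declares in this patch — and, because an `_iam_policy` resource is authoritative, overwrites every other binding on the service; `members = [var.cloud_run_invoker]` keeps the operator's choice, and a `google_cloud_run_v2_service_iam_member` resource would avoid the authoritative overwrite altogether. `WORDPRESS_DEBUG` set to `1` on a service whose `ingress` is `INGRESS_TRAFFIC_ALL` turns on PHP error output for anonymous visitors, which discloses filesystem paths and query fragments; it should default off, e.g. through a `var.wordpress_debug` with default `"0"`. `WORDPRESS_DB_USER` repeats the `"wp-user"` literal from cloudsql.tf, where `value = google_sql_user.users.name` would tie the two together. The removed `min_scale = 1` / `max_scale = 2` annotations have no counterpart on the new side, so the service now scales on provider defaults; if the old bounds were deliberate, add a `scaling` block under `template` with `min_instance_count = 1` and `max_instance_count = 2`.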
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "vpc" {
+  source = "terraform-google-modules/network/google"
+  version = "~> 9.3.0"
+  project_id = var.project_id
+  network_name = "sql-vpc"
+  routing_mode = "GLOBAL"
+
+  subnets = [
+    {
+      subnet_name = "subnet-${var.region}"
+      subnet_ip = "10.0.6.0/24"
+      subnet_region = var.region
+      subnet_private_access = true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/wordpress-on-cloudrun/infra/outputs.tf b/wordpress-on-cloudrun/infra/outputs.tf
index a2b204df..7f6f0756 100644
--- a/wordpress-on-cloudrun/infra/outputs.tf
+++ b/wordpress-on-cloudrun/infra/outputs.tf
@@ -14,13 +14,13 @@
  * limitations under the License.
  */
-output "cloud_run_service" {
-  description = "CloudRun service URL"
-  value = module.cloud_run.service.status[0].url
-}
+#output "cloud_run_service" {
+#  description = "CloudRun service URL"
+#  value = module.cloud_run.service.status[0].url
+#}
-output "cloudsql_password" {
-  description = "CloudSQL password"
-  value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
-  sensitive = true
-}
+#output "cloudsql_password" {
+#  description = "CloudSQL password"
+#  value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
+#  sensitive = true
+#}
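Review bot: Nothing on the new side consumes `module.vpc`: the only references to `module.vpc.network_self_link` in this patch sit inside commented-out blocks in cloudsql.tf, so the module creates a VPC and a subnet that no resource attaches to. Either wire it up (the Cloud SQL `private_network`, and the `google_vpc_access_connector` if a connector is wanted) or leave the file out until it is used; an unattached network with `subnet_private_access = true` is harmless on its own but misleads the next reader into thinking the database is private. `subnet_ip = "10.0.6.0/24"` also hard-codes a range the removed code took from `var.ip_ranges`; if that variable still exists, `subnet_ip = var.ip_ranges.sql_vpc` would keep it configurable. A header comment such as `# VPC intended for Cloud SQL private IP; not yet attached, see cloudsql.tf` would make the current state explicit.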
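Review bot: Commenting out both outputs leaves dead code that still references `module.cloud_run` and `module.cloudsql`, neither of which exists after this patch, and drops the service URL that users of the solution need; replace the first block with `output "cloud_run_service" { description = "CloudRun service URL" value = google_cloud_run_v2_service.default.uri }` and delete the commented text. If the password output is still wanted, its new source is `random_password.cloudsql_password.result`, and it must keep `sensitive = true`.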
diff --git a/wordpress-on-cloudrun/infra/versions.tf b/wordpress-on-cloudrun/infra/provider.tf
similarity index 70%
rename from wordpress-on-cloudrun/infra/versions.tf
rename to wordpress-on-cloudrun/infra/provider.tf
index 32772940..24c5761f 100644
--- a/wordpress-on-cloudrun/infra/versions.tf
+++ b/wordpress-on-cloudrun/infra/provider.tf
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,19 +15,18 @@
 terraform {
   backend "gcs" {
   }
-  required_version = ">= 1.4.4"
-  required_providers {
-    google = {
-      source = "hashicorp/google"
-      version = ">= 4.69.1" # tftest
-    }
-    google-beta = {
-      source = "hashicorp/google-beta"
-      version = ">= 4.69.1" # tftest
-    }
-  }
   provider_meta "google" {
     module_name = "cloud-solutions/wordpress-on-cloudrun-v1.0"
   }
 }
+
+provider "google" {
+  project = var.project_id
+  region = var.region
+}
+
+provider "google-beta" {
+  project = var.project_id
+  region = var.region
+}
diff --git a/wordpress-on-cloudrun/infra/variables.tf b/wordpress-on-cloudrun/infra/variables.tf
index e4b0bb03..4e1df1dd 100644
--- a/wordpress-on-cloudrun/infra/variables.tf
+++ b/wordpress-on-cloudrun/infra/variables.tf
@@ -14,6 +14,22 @@
  * limitations under the License.
  */
+locals {
+  resource_labels = merge(var.resource_labels, {
+    deployed_by = "cloudbuild"
+    env = "sandbox"
+    repo = "click-to-deploy-solutions"
+    solution = "three-tier-gke"
+    terraform = "true"
+  })
+}
+
+variable "resource_labels" {
+  type = map(string)
+  description = "Resource labels"
+  default = {}
+}
+
 # Documentation: https://cloud.google.com/run/docs/securing/managing-access#making_a_service_public
 variable "cloud_run_invoker" {
   type = string
diff --git a/wordpress-on-cloudrun/prereq.sh b/wordpress-on-cloudrun/prereq.sh
index 5d06087f..9a2d7272 100644
--- a/wordpress-on-cloudrun/prereq.sh
+++ b/wordpress-on-cloudrun/prereq.sh
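Review bot: Removing the whole `required_providers` block together with `required_version` leaves `google` and `google-beta` unpinned: Terraform still resolves them implicitly from the new `provider` blocks, but with no floor or ceiling every `terraform init` on a fresh checkout may install a different major, and main.tf's `google_cloud_run_v2_service` now uses arguments (`deletion_protection`, the `google-beta` provider) that, as far as I can tell, need a provider newer than the `>= 4.69.1` floor that was dropped. Keep a `required_providers` block with a constraint matching what the change was tested against, e.g. `google = { source = "hashicorp/google", version = "~> <TESTED_MAJOR>.0" }` with the same for `google-beta`, and restore a `required_version`. A short comment on the `provider "google"` block noting that this file was renamed from versions.tf and that version pins live here would help readers who search for them.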
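Review bot: `solution = "three-tier-gke"` in the new `resource_labels` local looks copy-pasted from another solution in this repository — this one is wordpress-on-cloudrun — so billing and inventory filters keyed on the `solution` label will misattribute the Cloud SQL instance; `solution = "wordpress-on-cloudrun"` (or `local.prefix`, which main.tf already sets to that string) fixes it. Placing a `locals` block in variables.tf is also unusual when main.tf already has one; moving it there keeps the file's name honest. The labels are applied only to the Cloud SQL instance (`user_labels`) in this patch; adding `labels = local.resource_labels` to the `google_cloud_run_v2_service` would keep tagging consistent across the deployment.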
@@ -51,8 +51,10 @@ gcloud services enable cloudbuild.googleapis.com \
   pubsub.googleapis.com \
   secretmanager.googleapis.com \
   servicenetworking.googleapis.com \
+  sqladmin.googleapis.com \
   storage.googleapis.com \
   serviceusage.googleapis.com \
+  vpcaccess.googleapis.com \
   --project $PROJECT_ID
 echo "Granting Cloud Build's Service Account IAM roles to deploy the resources..."
@@ -63,4 +65,9 @@ add_iam_member $MEMBER roles/iam.securityAdmin
 add_iam_member $MEMBER roles/compute.networkAdmin
 add_iam_member $MEMBER roles/secretmanager.admin
+MEMBER_COMPUTE=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
+add_iam_member $MEMBER_COMPUTE roles/editor
+add_iam_member $MEMBER_COMPUTE roles/storage.objectAdmin
+add_iam_member $MEMBER_COMPUTE roles/iam.securityAdmin
+
 echo Script completed successfully!
\ No newline at end of file

From 3695800d274a395fd81088c44019ce16d570a211 Mon Sep 17 00:00:00 2001
From: Charles Ferrari
Date: Wed, 20 Nov 2024 11:13:27 +0000
Subject: [PATCH 2/3] Add missing database

---
 wordpress-on-cloudrun/infra/cloudsql.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wordpress-on-cloudrun/infra/cloudsql.tf b/wordpress-on-cloudrun/infra/cloudsql.tf
index 3d760f30..931ceac4 100644
--- a/wordpress-on-cloudrun/infra/cloudsql.tf
+++ b/wordpress-on-cloudrun/infra/cloudsql.tf
@@ -56,6 +56,11 @@ resource "google_sql_database_instance" "cloud_sql" {
   deletion_protection = false
 }
+resource "google_sql_database" "database" {
+  name = "wp-mysql"
+  instance = google_sql_database_instance.cloud_sql.name
+}
+
 resource "google_sql_user" "users" {
   name = "wp-user"
   instance = google_sql_database_instance.cloud_sql.name

From f3d19895f05dbfad9c89960c57b916c0fd88380b Mon Sep 17 00:00:00 2001
From: Charles Ferrari <14345186+ferraricharles@users.noreply.github.com>
Date: Wed, 20 Nov 2024 11:18:18 +0000
Subject: [PATCH 3/3] Update README.md

---
 wordpress-on-cloudrun/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
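Review bot: `name = "wp-mysql"` in the new `google_sql_database` duplicates the literal that `local.cloudsql_conf.db` already holds in main.tf, and which the Cloud Run `WORDPRESS_DB_NAME` env reads from; `name = local.cloudsql_conf.db` keeps a single source of truth so a rename cannot leave the application pointing at a database that no longer exists. The same applies to `"wp-user"` in `google_sql_user.users`, which main.tf repeats as a literal. Setting `charset` and `collation` explicitly (e.g. `charset = "utf8mb4"`, `collation = "utf8mb4_unicode_ci"`) is also worth doing for a WordPress database rather than inheriting the instance default.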
diff --git a/wordpress-on-cloudrun/README.md b/wordpress-on-cloudrun/README.md
index 04f71861..0d502d29 100644
--- a/wordpress-on-cloudrun/README.md
+++ b/wordpress-on-cloudrun/README.md
@@ -48,7 +48,9 @@ Pricing Estimates - We have created a sample estimate based on some usage we see
 sh prereq.sh
 ```
-Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.
+⚠️ Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.
+
+⚠️ Please note - New organizations have the 'Restrict Authorized Networks on Cloud SQL instances' policy enforced by default. You may have to edit the policy to allow cloud run to access Cloud SQL instance. Please refer to this [page](https://cloud.google.com/sql/docs/mysql/org-policy/org-policy#connection-constraints) for more information.
 3. Run the Cloud Build Job
 ```