6 changes: 6 additions & 0 deletions cloud-armor-demo/prereq.sh
Expand Up @@ -51,4 +51,10 @@ MEMBER=serviceAccount:[email protected]
add_iam_member $MEMBER roles/editor
add_iam_member $MEMBER roles/iam.securityAdmin

COMPUTEMEMBER=serviceAccount:[email protected]
add_iam_member $COMPUTEMEMBER roles/editor
add_iam_member $COMPUTEMEMBER roles/iam.securityAdmin
add_iam_member $COMPUTEMEMBER roles/logging.logWriter
add_iam_member $COMPUTEMEMBER roles/storage.admin

echo Script completed successfully!
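Review bot: The new `add_iam_member $COMPUTEMEMBER ...` lines grant `roles/editor`, `roles/iam.securityAdmin` and `roles/storage.admin` to the Compute Engine default service account, and the `google_cloud_run_v2_service` in main.tf sets no `service_account`, so the publicly invokable WordPress container runs under an identity that can rewrite project IAM policy and administer every bucket. Scope the grants to what the workload actually uses — `roles/cloudsql.client` for the Cloud SQL connection and `roles/logging.logWriter` — preferably on a dedicated service account referenced from the Cloud Run template rather than the default compute identity. `add_iam_member` is defined above the hunk.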
4 changes: 3 additions & 1 deletion wordpress-on-cloudrun/README.md
Expand Up @@ -48,7 +48,9 @@ Pricing Estimates - We have created a sample estimate based on some usage we see
sh prereq.sh
```

Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.
⚠️ Please note - New organizations have the 'Enforce Domain Restricted Sharing' policy enforced by default. You may have to edit the policy to allow public access to your Cloud Run instance. Please refer to this [page](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) for more information.

⚠️ Please note - New organizations have the 'Restrict Authorized Networks on Cloud SQL instances' policy enforced by default. You may have to edit the policy to allow cloud run to access Cloud SQL instance. Please refer to this [page](https://cloud.google.com/sql/docs/mysql/org-policy/org-policy#connection-constraints) for more information.

3. Run the Cloud Build Job
```
1 change: 1 addition & 0 deletions wordpress-on-cloudrun/build/cloudbuild.yaml
Expand Up @@ -32,6 +32,7 @@ steps:
options:
env:
- TF_VAR_project_id=$PROJECT_ID
- TF_VAR_project_number=$PROJECT_NUMBER
tags:
- terraform
- wordpress-on-cloudrun
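Review bot: `TF_VAR_project_number=$PROJECT_NUMBER` only has an effect if a `variable "project_number"` is declared, and none is added in this PR's variables.tf hunk; as far as I know Terraform ignores undeclared `TF_VAR_*` environment variables without a warning, so this line may be a silent no-op. main.tf meanwhile adds `data "google_project" "project" {}`, which exposes the same number; pick one source and drop the other. The `steps:` list that this `options:` block belongs to starts above the hunk.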
79 changes: 42 additions & 37 deletions wordpress-on-cloudrun/infra/cloudsql.tf
Expand Up @@ -18,46 +18,51 @@ resource "random_password" "cloudsql_password" {
length = 8
}

# create a VPC for CloudSQL
module "vpc" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vpc?ref=v23.0.0"
project_id = module.project.project_id
name = "sql-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.sql_vpc
name = "subnet"
region = var.region
}
]
psa_config = {
ranges = {
cloud-sql = var.ip_ranges.psa
# create a VPC connector for the ClouSQL VPC
#resource "google_vpc_access_connector" "connector" {
# count = var.create_connector ? 1 : 0
# project = var.project_id
# name = "wp-connector"
# region = var.region
# ip_cidr_range = var.ip_ranges.connector
# network = module.vpc.network_self_link
#}

resource "google_sql_database_instance" "cloud_sql" {
name = "mysql-db"
database_version = "MYSQL_5_7"
region = var.region
project = var.project_id
settings {
tier = "db-g1-small"
user_labels = local.resource_labels
disk_autoresize = true
disk_autoresize_limit = 0
disk_size = 10
disk_type = "PD_SSD"

ip_configuration {
authorized_networks {
name = "default_network"
value = "0.0.0.0/0"
}
}

# ip_configuration {
# ipv4_enabled = false
# private_network = module.vpc.network_self_link
# }
}
deletion_protection = false
}

# create a VPC connector for the ClouSQL VPC
resource "google_vpc_access_connector" "connector" {
count = var.create_connector ? 1 : 0
project = module.project.project_id
name = "wp-connector"
region = var.region
ip_cidr_range = var.ip_ranges.connector
network = module.vpc.self_link
resource "google_sql_database" "database" {
name = "wp-mysql"
instance = google_sql_database_instance.cloud_sql.name
}

# Set up CloudSQL
module "cloudsql" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloudsql-instance?ref=v23.0.0"
project_id = module.project.project_id
network = module.vpc.self_link
name = "mysql"
region = var.region
database_version = local.cloudsql_conf.database_version
tier = local.cloudsql_conf.tier
databases = [local.cloudsql_conf.db]
users = {
"${local.cloudsql_conf.user}" = var.cloudsql_password
}
}
resource "google_sql_user" "users" {
name = "wp-user"
instance = google_sql_database_instance.cloud_sql.name
password = random_password.cloudsql_password.result
}
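Review bot: The new `authorized_networks` block with `value = "0.0.0.0/0"` makes the instance's public IP reachable from any address on the internet, with only the 8-character `random_password` (the `length = 8` context at the top of the hunk) standing between it and the database. The Cloud Run service in main.tf already mounts the Cloud SQL volume at `/cloudsql`, so pointing WORDPRESS_DB_HOST at the socket — `value = "localhost:/cloudsql/${google_sql_database_instance.cloud_sql.connection_name}"` — would let the whole `authorized_networks` block be deleted and leave access gated by IAM; if direct TCP is genuinely required, restrict `value` to a known range and raise `length` to 16 or more. Separately, `database_version = "MYSQL_5_7"` here diverges from `local.cloudsql_conf.database_version = "MYSQL_8_0"` in main.tf, which nothing reads any more; one of the two should go.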
127 changes: 58 additions & 69 deletions wordpress-on-cloudrun/infra/main.tf
Expand Up @@ -13,96 +13,85 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
data "google_project" "project" {}

locals {
all_principals_iam = [for k in var.principals : "user:${k}"]
cloudsql_conf = {
database_version = "MYSQL_8_0"
tier = "db-g1-small"
db = "wp-mysql"
user = "admin"
}
iam = {
# CloudSQL
"roles/cloudsql.admin" = local.all_principals_iam
"roles/cloudsql.client" = local.all_principals_iam
"roles/cloudsql.instanceUser" = local.all_principals_iam
# common roles
"roles/logging.admin" = local.all_principals_iam
"roles/iam.serviceAccountUser" = local.all_principals_iam
"roles/iam.serviceAccountTokenCreator" = local.all_principals_iam
}
connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector

#connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
prefix = "wordpress-on-cloudrun"
}

# either create a project or set up the given one
module "project" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v23.0.0"
name = var.project_id
parent = try(var.project_create.parent, null)
billing_account = try(var.project_create.billing_account_id, null)
project_create = var.project_create != null
prefix = var.project_create == null ? null : var.prefix
iam = var.project_create != null ? local.iam : {}
iam_additive = var.project_create == null ? local.iam : {}
services = [
"run.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"sqladmin.googleapis.com",
"sql-component.googleapis.com",
"vpcaccess.googleapis.com",
"servicenetworking.googleapis.com"
]
}

resource "random_password" "wp_password" {
length = 8
}

# create the Cloud Run service
module "cloud_run" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloud-run?ref=v23.0.0"
project_id = module.project.project_id
name = "cr-wordpress"
region = var.region
resource "google_cloud_run_v2_service" "default" {
provider = google-beta
name = "cr-wordpress"
location = var.region
deletion_protection = false
ingress = "INGRESS_TRAFFIC_ALL"

containers = {
wordpress = {
template {
containers {
image = var.wordpress_image
ports = {
http = {
container_port = var.wordpress_port
name = "http1"
protocol = null
}
ports {
container_port = var.wordpress_port
}
# set up the database connection
env = {
"WORDPRESS_DB_HOST" : module.cloudsql.ip
"WORDPRESS_DB_NAME" : local.cloudsql_conf.db
"WORDPRESS_DB_USER" : local.cloudsql_conf.user
"WORDPRESS_DB_PASSWORD" : var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password

env {
name = "WORDPRESS_DB_HOST"
value = "${google_sql_database_instance.cloud_sql.ip_address.0.ip_address}:3306"
}
env {
name = "WORDPRESS_DB_NAME"
value = local.cloudsql_conf.db
}
env {
name = "WORDPRESS_DB_USER"
value = "wp-user"
}
env {
name = "WORDPRESS_DB_PASSWORD"
value = random_password.cloudsql_password.result
}
env {
name = "WORDPRESS_DEBUG"
value = 1
}
}
}

iam = {
"roles/run.invoker" : [var.cloud_run_invoker]
}
volume_mounts {
name = "cloudsql"
mount_path = "/cloudsql"
}
}

revision_annotations = {
autoscaling = {
min_scale = 1
max_scale = 2
volumes {
name = "cloudsql"
cloud_sql_instance {
instances = [google_sql_database_instance.cloud_sql.connection_name]
}
}
# connect to CloudSQL
cloudsql_instances = [module.cloudsql.connection_name]
vpcaccess_connector = null
# allow all traffic
vpcaccess_egress = "all-traffic"
vpcaccess_connector = local.connector
}
ingress_settings = "all"
}

resource "google_cloud_run_service_iam_policy" "public" {
location = google_cloud_run_v2_service.default.location
project = google_cloud_run_v2_service.default.project
service = google_cloud_run_v2_service.default.name

policy_data = jsonencode({
bindings = [
{
role = "roles/run.invoker"
members = ["allUsers"]
},
]
})
}
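Review bot: `WORDPRESS_DEBUG` is set to `1` in the `env` block of the new `google_cloud_run_v2_service`, and the service is then opened to `allUsers` by `google_cloud_run_service_iam_policy`, so PHP notices and stack traces (which can reveal paths and query fragments) are rendered to anonymous visitors. Default it off and make the value a string, `value = "0"`, or drive it from a variable so it can be enabled only for debugging. `var.cloud_run_invoker` is still declared in variables.tf but no longer referenced now that `members` hardcodes `allUsers`; either use it there or remove the variable. The `data "google_project" "project" {}` added at the top of the hunk also appears unreferenced within this file.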
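--- a/wordpress-on-cloudrun/infra/network.tf
+++ b/wordpress-on-cloudrun/infra/network.tf
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "vpc" {
+source = "terraform-google-modules/network/google"
+version = "~> 9.3.0"
+project_id = var.project_id
+network_name = "sql-vpc"
+routing_mode = "GLOBAL"
+
+subnets = [
+{
+subnet_name = "subnet-${var.region}"
+subnet_ip = "10.0.6.0/24"
+subnet_region = var.region
+subnet_private_access = true
+}
+]
+}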
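Review bot: `module "vpc"` creates `sql-vpc` with one subnet, but nothing in this PR attaches to it — the Cloud SQL `private_network` setting and the VPC access connector are both commented out in cloudsql.tf — so the network is unused infrastructure. Either wire it in (a `google_compute_global_address` plus `google_service_networking_connection` for private service access, then `ipv4_enabled = false` and `private_network = module.vpc.network_self_link` on the instance) or leave this file out of the change until it is needed. `subnet_ip = "10.0.6.0/24"` is also hardcoded where cloudsql.tf previously drew the range from `var.ip_ranges`; keeping the variable would preserve that configurability.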
18 changes: 9 additions & 9 deletions wordpress-on-cloudrun/infra/outputs.tf
Expand Up @@ -14,13 +14,13 @@
* limitations under the License.
*/

output "cloud_run_service" {
description = "CloudRun service URL"
value = module.cloud_run.service.status[0].url
}
#output "cloud_run_service" {
# description = "CloudRun service URL"
# value = module.cloud_run.service.status[0].url
#}

output "cloudsql_password" {
description = "CloudSQL password"
value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
sensitive = true
}
#output "cloudsql_password" {
# description = "CloudSQL password"
# value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
# sensitive = true
#}
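Review bot: Both outputs are commented out rather than ported to the new resources, so after this change the service URL and the database password are only discoverable from the state file or the console. The equivalents on the new resources are `google_cloud_run_v2_service.default.uri` and `random_password.cloudsql_password.result` (keeping `sensitive = true`); commented-out blocks should be deleted rather than left as breadcrumbs.
```hcl
output "cloud_run_service" {
  description = "CloudRun service URL"
  value       = google_cloud_run_v2_service.default.uri
}

output "cloudsql_password" {
  description = "CloudSQL password"
  value       = random_password.cloudsql_password.result
  sensitive   = true
}
```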
@@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -15,19 +15,18 @@
terraform {
backend "gcs" {
}
required_version = ">= 1.4.4"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.69.1" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.69.1" # tftest
}
}

provider_meta "google" {
module_name = "cloud-solutions/wordpress-on-cloudrun-v1.0"
}
}

provider "google" {
project = var.project_id
region = var.region
}

provider "google-beta" {
project = var.project_id
region = var.region
}
16 changes: 16 additions & 0 deletions wordpress-on-cloudrun/infra/variables.tf
Expand Up @@ -14,6 +14,22 @@
* limitations under the License.
*/

locals {
resource_labels = merge(var.resource_labels, {
deployed_by = "cloudbuild"
env = "sandbox"
repo = "click-to-deploy-solutions"
solution = "three-tier-gke"
This may not be the right label

terraform = "true"
})
}

variable "resource_labels" {
type = map(string)
description = "Resource labels"
default = {}
}

# Documentation: https://cloud.google.com/run/docs/securing/managing-access#making_a_service_public
variable "cloud_run_invoker" {
type = string
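Review bot: In `local.resource_labels`, `merge(var.resource_labels, { ... })` places the hardcoded map last, so a caller's own `env`, `repo` or `solution` label is silently overridden; if the variable is meant to permit overrides, reverse the order, `resource_labels = merge({ ... }, var.resource_labels)`, otherwise document in the variable's `description` that those keys are fixed. Placing a `locals` block in variables.tf is also out of step with main.tf, where this module keeps its other locals. The `variable "cloud_run_invoker"` block at the bottom continues past the end of the hunk.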