feat: add cmek support (#33)

* Add CMEK variable, add configuration to template_annotations to support CMEK configuration * Add description to variable * Add example and test fixture * Adds integration test for cloud run + cmek example * Adds integration test * Fixes linting issues * Fix typo * Fix code review issues * Change mode to get annotations * Fix software requirements for cmek example * Fix code review issues: remove commented code, remove swap step in integration build, fix readme title for new example
GoogleCloudPlatform · May 3, 2022 · 9d0a6fa · 9d0a6fa
1 parent 7f775fc
commit 9d0a6fa
Show file tree

Hide file tree

Showing 14 changed files with 1,177 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ module "cloud_run" {
 | container\_concurrency | Concurrent request limits to the service | `number` | `0` | no |
 | domain\_map\_annotations | Annotations to the domain map | `map(string)` | `{}` | no |
 | domain\_map\_labels | A set of key/value label pairs to assign to the Domain mapping | `map(string)` | `{}` | no |
+| encryption\_key | CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. | `string` | `null` | no |
 | env\_secret\_vars | [Beta] Environment variables (Secret Manager) | <pre>list(object({<br>    name = string<br>    value_from = set(object({<br>      secret_key_ref = map(string)<br>    }))<br>  }))</pre> | `[]` | no |
 | env\_vars | Environment variables (cleartext) | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |
 | force\_override | Option to force override existing mapping | `bool` | `false` | no |

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -24,15 +24,43 @@ steps:
 - id: create
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+  waitFor:
+  - prepare
 - id: converge
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
+  waitFor:
+  - create
 - id: verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify']
+  waitFor:
+  - converge
 - id: destroy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+  waitFor:
+  - verify
+- id: create all
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage init --verbose']
+- id: converge cloud-run-with-cmek
+  waitFor:
+    - create all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage apply --verbose']
+- id: verify cloud-run-with-cmek
+  waitFor:
+    - converge cloud-run-with-cmek
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage verify --verbose']
+- id: destroy cloud-run-with-cmek
+  waitFor:
+    - verify cloud-run-with-cmek
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage destroy --verbose']
 tags:
 - 'ci'
 - 'integration'

diff --git a/examples/simple_cloud_run/README.md b/examples/simple_cloud_run/README.md
@@ -8,7 +8,7 @@ The resources/services/activations/deletions that this example will create/trigg
 
 ## Assumptions and Prerequisites
 
-This example assumes that below mentioend prerequisites are in place before consuming the example.
+This example assumes that below mentioned prerequisites are in place before consuming the example.
 
 * All required APIs are enabled in the GCP Project
 
@@ -37,16 +37,17 @@ This example assumes that below mentioend prerequisites are in place before cons
 These sections describe requirements for using this example.
 
 ### Software
+
 - [Terraform](https://www.terraform.io/downloads.html) ~> v0.13+
-- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) ~> v3.53+
-- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) ~>
+* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) ~> v3.53+
+* [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) ~>
   v3.53+
 
 ### Service Account
 
 A service account can be used with required roles to execute this example:
 
-- Cloud Run Admin: `roles/run.admin`
+* Cloud Run Admin: `roles/run.admin`
 
 Know more about [Cloud Run Deployment Permissions](https://cloud.google.com/run/docs/reference/iam/roles#additional-configuration).
 
@@ -57,4 +58,4 @@ The [Project Factory module](https://registry.terraform.io/modules/terraform-goo
 
 A project with the following APIs enabled must be used to host the main resource of this example:
 
-- Google Cloud Run: `run.googleapis.com`
+* Google Cloud Run: `run.googleapis.com`
diff --git a/examples/simple_cloud_run_with_cmek/README.md b/examples/simple_cloud_run_with_cmek/README.md
@@ -0,0 +1,68 @@
+# Simple Cloud Run With CMEK
+
+This example showcases the basic deployment of containerized applications on Cloud Run, along with domain mapping, CMEK and IAM policy for the service.
+
+The resources/services/activations/deletions that this example will create/trigger are:
+
+* Creates a Cloud Run service with provided name and container
+
+## Assumptions and Prerequisites
+
+This example assumes that below mentioned prerequisites are in place before consuming the example.
+
+* All required APIs are enabled in the GCP Project
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to deploy to | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| encryption\_key | Encryption Key used in Cloud Run Service |
+| project\_id | Google Cloud project in which the service was created |
+| revision | Deployed revision for the service |
+| service\_id | Unique Identifier for the created service |
+| service\_location | Location in which the Cloud Run service was created |
+| service\_name | Name of the created service |
+| service\_status | Status of the created service |
+| service\_url | The URL on which the deployed service is available |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+These sections describe requirements for using this example.
+
+### Software
+
+* [Terraform](https://www.terraform.io/downloads.html) ~> v0.13+
+
+* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) ~> v4.0+
+* [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) ~>
+  v4.0+
+
+### Service Account
+
+A service account can be used with required roles to execute this example:
+
+* Cloud Run Admin: `roles/run.admin`
+* Cloud KMS Admin: `roles/cloudkms.admin`
+
+Know more about [Cloud Run Deployment Permissions](https://cloud.google.com/run/docs/reference/iam/roles#additional-configuration).
+Know more about [Cloud KMS Permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles).
+
+The [Project Factory module](https://registry.terraform.io/modules/terraform-google-modules/project-factory/google/latest) and the
+[IAM module](https://registry.terraform.io/modules/terraform-google-modules/iam/google/latest) may be used in combination to provision a service account with the necessary roles applied.
+
+### APIs
+
+A project with the following APIs enabled must be used to host the main resource of this example:
+
+* Google Cloud Run: `run.googleapis.com`
+* Google Cloud Key Management Service : `cloudkms.googleapis.com`
+* Google IAM: `iam.googleapis.com`
diff --git a/examples/simple_cloud_run_with_cmek/main.tf b/examples/simple_cloud_run_with_cmek/main.tf
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  key_name = "crypto-key-example"
+}
+
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 2.1"
+
+  project_id         = var.project_id
+  location           = "us-central1"
+  keyring            = "key-ring-example"
+  keys               = [local.key_name]
+  set_decrypters_for = [local.key_name]
+  set_encrypters_for = [local.key_name]
+  decrypters = [
+    "serviceAccount:${google_project_service_identity.serverless_sa.email}",
+  ]
+  encrypters = [
+    "serviceAccount:${google_project_service_identity.serverless_sa.email}",
+  ]
+  prevent_destroy = false
+}
+
+resource "google_project_service_identity" "serverless_sa" {
+  provider = google-beta
+  project  = var.project_id
+  service  = "run.googleapis.com"
+}
+
+module "cloud_run" {
+  source = "../../"
+
+  service_name = "ci-cloud-run"
+  project_id   = var.project_id
+  location     = "us-central1"
+  image        = "us-docker.pkg.dev/cloudrun/container/hello"
+
+  encryption_key = module.kms.keys[local.key_name]
+}
diff --git a/examples/simple_cloud_run_with_cmek/outputs.tf b/examples/simple_cloud_run_with_cmek/outputs.tf
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_name" {
+  value       = module.cloud_run.service_name
+  description = "Name of the created service"
+}
+
+output "revision" {
+  value       = module.cloud_run.revision
+  description = "Deployed revision for the service"
+}
+
+output "service_url" {
+  value       = module.cloud_run.service_url
+  description = "The URL on which the deployed service is available"
+}
+
+output "service_id" {
+  value       = module.cloud_run.service_id
+  description = "Unique Identifier for the created service"
+}
+
+output "service_status" {
+  value       = module.cloud_run.service_status
+  description = "Status of the created service"
+}
+
+output "service_location" {
+  value       = module.cloud_run.location
+  description = "Location in which the Cloud Run service was created"
+}
+
+output "encryption_key" {
+  value       = module.kms.keys[local.key_name]
+  description = "Encryption Key used in Cloud Run Service"
+}
+
+output "project_id" {
+  description = "Google Cloud project in which the service was created"
+  value       = var.project_id
+}
diff --git a/examples/simple_cloud_run_with_cmek/variables.tf b/examples/simple_cloud_run_with_cmek/variables.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to deploy to"
+  type        = string
+}
diff --git a/examples/simple_cloud_run_with_cmek/versions.tf b/examples/simple_cloud_run_with_cmek/versions.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+locals {
+  cmek_template_annotation = var.encryption_key != null ? { "run.googleapis.com/encryption-key" = var.encryption_key } : {}
+  template_annotations     = merge(var.template_annotations, local.cmek_template_annotation)
+}
+
 resource "google_cloud_run_service" "main" {
   provider                   = google-beta
   name                       = var.service_name
@@ -99,7 +104,7 @@ resource "google_cloud_run_service" "main" {
     } // spec
     metadata {
       labels      = var.template_labels
-      annotations = var.template_annotations
+      annotations = local.template_annotations
       name        = var.generate_revision_name ? null : "${var.service_name}-${var.traffic_split.0.revision_name}"
     } // metadata
   }   // template

diff --git a/test/integration/go.mod b/test/integration/go.mod
@@ -0,0 +1,10 @@
+module github.com/GoogleCloudPlatform/terraform-google-cloud-run/test/integration
+
+go 1.16
+
+require (
+	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.0-20211001192917-5e783cf7c716
+	github.com/gruntwork-io/terratest v0.35.6
+	github.com/stretchr/testify v1.7.0
+	github.com/tidwall/gjson v1.9.3
+)