

Refactor solution
fellipeamedeiros committed Nov 6, 2024
1 parent 93a4823 commit 1acdf5a
Showing 9 changed files with 178 additions and 128 deletions.
6 changes: 6 additions & 0 deletions cloud-armor-demo/prereq.sh
Expand Up @@ -51,4 +51,10 @@ MEMBER=serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com
add_iam_member $MEMBER roles/editor
add_iam_member $MEMBER roles/iam.securityAdmin

COMPUTEMEMBER=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
add_iam_member $COMPUTEMEMBER roles/editor
add_iam_member $COMPUTEMEMBER roles/iam.securityAdmin
add_iam_member $COMPUTEMEMBER roles/logging.logWriter
add_iam_member $COMPUTEMEMBER roles/storage.admin

echo Script completed successfully!
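Review bot: The new lines grant the default Compute Engine service account (`$PROJECT_NUMBER-compute@developer.gserviceaccount.com`) `roles/editor`, `roles/iam.securityAdmin` and `roles/storage.admin` at project scope, which is far broader than the script's purpose of letting Cloud Build deploy; the same pattern is added in wordpress-on-cloudrun/prereq.sh (`roles/editor`, `roles/storage.objectAdmin`, `roles/iam.securityAdmin` for `MEMBER_COMPUTE`). The default compute SA is also the identity every Cloud Run revision runs as unless `service_account` is set in its template, and the new `google_cloud_run_v2_service` in main.tf sets none, so the publicly invokable WordPress container would inherit these project-wide grants. Prefer a dedicated service account for the build and for the Cloud Run service with only the roles the deployment needs (for example `roles/cloudsql.client` and `roles/logging.logWriter`), or at minimum a comment recording why editor and securityAdmin are required here. The enclosing script continues outside the hunk.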
1 change: 1 addition & 0 deletions wordpress-on-cloudrun/build/cloudbuild.yaml
Expand Up @@ -32,6 +32,7 @@ steps:
options:
env:
- TF_VAR_project_id=$PROJECT_ID
- TF_VAR_project_number=$PROJECT_NUMBER
tags:
- terraform
- wordpress-on-cloudrun
76 changes: 38 additions & 38 deletions wordpress-on-cloudrun/infra/cloudsql.tf
Expand Up @@ -18,46 +18,46 @@ resource "random_password" "cloudsql_password" {
length = 8
}

# create a VPC for CloudSQL
module "vpc" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vpc?ref=v23.0.0"
project_id = module.project.project_id
name = "sql-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.sql_vpc
name = "subnet"
region = var.region
}
]
psa_config = {
ranges = {
cloud-sql = var.ip_ranges.psa
}
}
}

# create a VPC connector for the ClouSQL VPC
resource "google_vpc_access_connector" "connector" {
count = var.create_connector ? 1 : 0
project = module.project.project_id
name = "wp-connector"
region = var.region
ip_cidr_range = var.ip_ranges.connector
network = module.vpc.self_link
}
#resource "google_vpc_access_connector" "connector" {
# count = var.create_connector ? 1 : 0
# project = var.project_id
# name = "wp-connector"
# region = var.region
# ip_cidr_range = var.ip_ranges.connector
# network = module.vpc.network_self_link
#}

# Set up CloudSQL
module "cloudsql" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloudsql-instance?ref=v23.0.0"
project_id = module.project.project_id
network = module.vpc.self_link
name = "mysql"
resource "google_sql_database_instance" "cloud_sql" {
name = "mysql-db"
database_version = "MYSQL_5_7"
region = var.region
database_version = local.cloudsql_conf.database_version
tier = local.cloudsql_conf.tier
databases = [local.cloudsql_conf.db]
users = {
"${local.cloudsql_conf.user}" = var.cloudsql_password
project = var.project_id
settings {
tier = "db-g1-small"
user_labels = local.resource_labels
disk_autoresize = true
disk_autoresize_limit = 0
disk_size = 10
disk_type = "PD_SSD"

ip_configuration {
authorized_networks {
name = "default_network"
value = "0.0.0.0/0"
}
}

# ip_configuration {
# ipv4_enabled = false
# private_network = module.vpc.network_self_link
# }
}
deletion_protection = false
}

resource "google_sql_user" "users" {
name = "wp-user"
instance = google_sql_database_instance.cloud_sql.name
password = random_password.cloudsql_password.result
}
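Review bot: The new `ip_configuration` block opens the instance's public IP to the whole internet through `authorized_networks` (`value = "0.0.0.0/0"`), so MySQL is reachable from any address with only the password as protection, the `wp-user` created below sets no `host` restriction, and the password comes from the context line `length = 8` on `random_password` — short for an internet-exposed credential. The commented-out block right after it (`ipv4_enabled = false`, `private_network = module.vpc.network_self_link`) shows the intended design, and since main.tf now mounts the Cloud SQL volume in the Cloud Run revision, a public authorized network is not needed at all: drop the `authorized_networks` block and restore `ipv4_enabled = false` with the private network, provided the `module.vpc` in network.tf exposes `network_self_link` as the commented lines assume. The two commented-out blocks (`google_vpc_access_connector` and the `ip_configuration`) should be either restored or deleted rather than left as dead text.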
127 changes: 58 additions & 69 deletions wordpress-on-cloudrun/infra/main.tf
Expand Up @@ -13,96 +13,85 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
data "google_project" "project" {}

locals {
all_principals_iam = [for k in var.principals : "user:${k}"]
cloudsql_conf = {
database_version = "MYSQL_8_0"
tier = "db-g1-small"
db = "wp-mysql"
user = "admin"
}
iam = {
# CloudSQL
"roles/cloudsql.admin" = local.all_principals_iam
"roles/cloudsql.client" = local.all_principals_iam
"roles/cloudsql.instanceUser" = local.all_principals_iam
# common roles
"roles/logging.admin" = local.all_principals_iam
"roles/iam.serviceAccountUser" = local.all_principals_iam
"roles/iam.serviceAccountTokenCreator" = local.all_principals_iam
}
connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector

#connector = var.connector == null ? google_vpc_access_connector.connector.0.self_link : var.connector
prefix = "wordpress-on-cloudrun"
}

# either create a project or set up the given one
module "project" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v23.0.0"
name = var.project_id
parent = try(var.project_create.parent, null)
billing_account = try(var.project_create.billing_account_id, null)
project_create = var.project_create != null
prefix = var.project_create == null ? null : var.prefix
iam = var.project_create != null ? local.iam : {}
iam_additive = var.project_create == null ? local.iam : {}
services = [
"run.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"sqladmin.googleapis.com",
"sql-component.googleapis.com",
"vpcaccess.googleapis.com",
"servicenetworking.googleapis.com"
]
}

resource "random_password" "wp_password" {
length = 8
}

# create the Cloud Run service
module "cloud_run" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/cloud-run?ref=v23.0.0"
project_id = module.project.project_id
name = "cr-wordpress"
region = var.region
resource "google_cloud_run_v2_service" "default" {
provider = google-beta
name = "cr-wordpress"
location = var.region
deletion_protection = false
ingress = "INGRESS_TRAFFIC_ALL"

containers = {
wordpress = {
template {
containers {
image = var.wordpress_image
ports = {
http = {
container_port = var.wordpress_port
name = "http1"
protocol = null
}
ports {
container_port = var.wordpress_port
}
# set up the database connection
env = {
"WORDPRESS_DB_HOST" : module.cloudsql.ip
"WORDPRESS_DB_NAME" : local.cloudsql_conf.db
"WORDPRESS_DB_USER" : local.cloudsql_conf.user
"WORDPRESS_DB_PASSWORD" : var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password

env {
name = "WORDPRESS_DB_HOST"
value = "${google_sql_database_instance.cloud_sql.ip_address.0.ip_address}:3306"
}
env {
name = "WORDPRESS_DB_NAME"
value = local.cloudsql_conf.db
}
env {
name = "WORDPRESS_DB_USER"
value = "wp-user"
}
env {
name = "WORDPRESS_DB_PASSWORD"
value = random_password.cloudsql_password.result
}
env {
name = "WORDPRESS_DEBUG"
value = 1
}
}
}

iam = {
"roles/run.invoker" : [var.cloud_run_invoker]
}
volume_mounts {
name = "cloudsql"
mount_path = "/cloudsql"
}
}

revision_annotations = {
autoscaling = {
min_scale = 1
max_scale = 2
volumes {
name = "cloudsql"
cloud_sql_instance {
instances = [google_sql_database_instance.cloud_sql.connection_name]
}
}
# connect to CloudSQL
cloudsql_instances = [module.cloudsql.connection_name]
vpcaccess_connector = null
# allow all traffic
vpcaccess_egress = "all-traffic"
vpcaccess_connector = local.connector
}
ingress_settings = "all"
}

resource "google_cloud_run_service_iam_policy" "public" {
location = google_cloud_run_v2_service.default.location
project = google_cloud_run_v2_service.default.project
service = google_cloud_run_v2_service.default.name

policy_data = jsonencode({
bindings = [
{
role = "roles/run.invoker"
members = ["allUsers"]
},
]
})
}
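Review bot: The new service is publicly invokable (`ingress = "INGRESS_TRAFFIC_ALL"` plus the `google_cloud_run_service_iam_policy` binding `roles/run.invoker` to `allUsers`) while the template sets `WORDPRESS_DEBUG` to `1`, which typically turns on WP_DEBUG and shows PHP error details to anonymous visitors; it should be `"0"` or removed outside local testing, and the bare numeric `1` should be quoted like the other env values. `WORDPRESS_DB_HOST` is built from the instance's public `ip_address.0.ip_address` on port 3306 even though the revision also mounts the `cloudsql` volume at `/cloudsql`, so the mount is unused unless the host points at the socket path (`localhost:/cloudsql/${google_sql_database_instance.cloud_sql.connection_name}`, if the image accepts a socket in WORDPRESS_DB_HOST), and using it would remove the need for the instance's public authorized network in cloudsql.tf. The IAM policy hard-codes `allUsers`, leaving `var.cloud_run_invoker` from variables.tf unused and dropping the previous ability to restrict invokers; `members = [var.cloud_run_invoker]` would preserve it. The DB password is also injected as a plain env var straight from Terraform state, and since prereq.sh already enables Secret Manager a secret-backed env value would be the natural home for it.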
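--- a/wordpress-on-cloudrun/infra/network.tf
+++ b/wordpress-on-cloudrun/infra/network.tf
@@ -0,0 +1,32 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+module "vpc" {
+source = "terraform-google-modules/network/google"
+version = "~> 9.3.0"
+project_id = var.project_id
+network_name = "sql-vpc"
+routing_mode = "GLOBAL"
+
+subnets = [
+{
+subnet_name = "subnet-${var.region}"
+subnet_ip = "10.0.6.0/24"
+subnet_region = var.region
+subnet_private_access = true
+}
+]
+}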
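Review bot: Nothing on the new side of this commit references `module.vpc`: the `google_vpc_access_connector` that used it in cloudsql.tf is commented out and the Cloud SQL `ip_configuration` that would set `private_network = module.vpc.network_self_link` is commented out too, so this network and its `10.0.6.0/24` subnet (now hard-coded where `var.ip_ranges` was used before) are created but unused, unless a file outside this commit consumes them. If the VPC is meant to carry private Cloud SQL traffic, a header comment naming that consumer (`# VPC for Cloud SQL private IP; consumed by cloudsql.tf ip_configuration`) would make the intent explicit, and the CIDR could return to a variable so it does not collide with an existing range.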
18 changes: 9 additions & 9 deletions wordpress-on-cloudrun/infra/outputs.tf
Expand Up @@ -14,13 +14,13 @@
* limitations under the License.
*/

output "cloud_run_service" {
description = "CloudRun service URL"
value = module.cloud_run.service.status[0].url
}
#output "cloud_run_service" {
# description = "CloudRun service URL"
# value = module.cloud_run.service.status[0].url
#}

output "cloudsql_password" {
description = "CloudSQL password"
value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
sensitive = true
}
#output "cloudsql_password" {
# description = "CloudSQL password"
# value = var.cloudsql_password == null ? module.cloudsql.user_passwords[local.cloudsql_conf.user] : var.cloudsql_password
# sensitive = true
#}
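Review bot: Both outputs are commented out rather than updated, which leaves dead code and removes the service URL that callers of this module may rely on. The replacement `google_cloud_run_v2_service.default` exposes the URL as `uri`, so the first output can be kept with `value = google_cloud_run_v2_service.default.uri`; the password output should either be restored as `value = random_password.cloudsql_password.result` with `sensitive = true` kept, or deleted outright instead of remaining as a comment.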
@@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -15,19 +15,18 @@
terraform {
backend "gcs" {
}
required_version = ">= 1.4.4"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.69.1" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.69.1" # tftest
}
}

provider_meta "google" {
module_name = "cloud-solutions/wordpress-on-cloudrun-v1.0"
}
}

provider "google" {
project = var.project_id
region = var.region
}

provider "google-beta" {
project = var.project_id
region = var.region
}
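Review bot: The second hunk removes `required_version` and the whole `required_providers` block, so the google and google-beta providers are now resolved only by inference from resource and `provider` names with no version constraint, and the `# tftest` markers are lost; `terraform init` becomes non-reproducible and will pick up breaking major versions silently. Keep a `required_providers` block with explicit `source` and a version constraint for both providers; the new `google_cloud_run_v2_service` with `deletion_protection` and the `google-beta` provider used in main.tf both depend on a sufficiently recent provider, so the old `>= 4.69.1` floor likely needs raising — verify against the provider changelog. The file header for this section is not shown on this page, so the filename cannot be confirmed here.
```hcl
terraform {
  backend "gcs" {
  }
  required_version = ">= 1.4.4"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.69.1" # TODO(review): raise to the first version supporting google_cloud_run_v2_service.deletion_protection
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.69.1" # TODO(review): same floor as google
    }
  }
  # … unchanged: provider_meta "google" …
}
```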
16 changes: 16 additions & 0 deletions wordpress-on-cloudrun/infra/variables.tf
Expand Up @@ -14,6 +14,22 @@
* limitations under the License.
*/

locals {
resource_labels = merge(var.resource_labels, {
deployed_by = "cloudbuild"
env = "sandbox"
repo = "click-to-deploy-solutions"
solution = "three-tier-gke"
terraform = "true"
})
}

variable "resource_labels" {
type = map(string)
description = "Resource labels"
default = {}
}

# Documentation: https://cloud.google.com/run/docs/securing/managing-access#making_a_service_public
variable "cloud_run_invoker" {
type = string
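Review bot: The new `locals.resource_labels` hard-codes `solution = "three-tier-gke"` inside the wordpress-on-cloudrun solution, which looks like a copy-paste from another solution and will mislabel every resource that carries `user_labels = local.resource_labels` (the Cloud SQL instance in cloudsql.tf); it should read `solution = "wordpress-on-cloudrun"`, matching the `prefix` local in main.tf and the Cloud Build tag. Defining a `locals` block in variables.tf is also unconventional — main.tf already has a `locals` block where `resource_labels` would sit beside `prefix`. The `variable "cloud_run_invoker"` at the end of the hunk continues outside it.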
7 changes: 7 additions & 0 deletions wordpress-on-cloudrun/prereq.sh
Expand Up @@ -51,8 +51,10 @@ gcloud services enable cloudbuild.googleapis.com \
pubsub.googleapis.com \
secretmanager.googleapis.com \
servicenetworking.googleapis.com \
sqladmin.googleapis.com \
storage.googleapis.com \
serviceusage.googleapis.com \
vpcaccess.googleapis.com \
--project $PROJECT_ID

echo "Granting Cloud Build's Service Account IAM roles to deploy the resources..."
Expand All @@ -63,4 +65,9 @@ add_iam_member $MEMBER roles/iam.securityAdmin
add_iam_member $MEMBER roles/compute.networkAdmin
add_iam_member $MEMBER roles/secretmanager.admin

MEMBER_COMPUTE=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com
add_iam_member $MEMBER_COMPUTE roles/editor
add_iam_member $MEMBER_COMPUTE roles/storage.objectAdmin
add_iam_member $MEMBER_COMPUTE roles/iam.securityAdmin

echo Script completed successfully!
