Identity-Aware Proxy configuration
parent
4c2e31baac
commit
63bae85b34
|
@ -2,7 +2,7 @@
|
||||||
### Purpose of this configuration file.
|
### Purpose of this configuration file.
|
||||||
###
|
###
|
||||||
### On top of custom-url configuration (wish list: 'include' directive),
|
### On top of custom-url configuration (wish list: 'include' directive),
|
||||||
### add security using Cloud Armor in the LB.
|
### add security using Cloud Armor and Identity-Aware Proxy in the LB.
|
||||||
###
|
###
|
||||||
|
|
||||||
# Add an HTTPS Load Balancer in front of the Cloud Run service
|
# Add an HTTPS Load Balancer in front of the Cloud Run service
|
||||||
|
@ -18,11 +18,19 @@ custom_domain = "cloud-run-explore.example.org"
|
||||||
# To allow access through the default URL set this value to "all"
|
# To allow access through the default URL set this value to "all"
|
||||||
ingress_settings = "internal-and-cloud-load-balancing"
|
ingress_settings = "internal-and-cloud-load-balancing"
|
||||||
|
|
||||||
# Security policy to enforce in the LB. The code and this configuration
|
# Cloud Armor security policy to enforce in the LB. The code and this
|
||||||
# allow to block a list of IPs and a specific URL path. For example, you
|
# configuration allow to block a list of IPs and a specific URL path. For
|
||||||
# may want to block access to a login page to external users
|
# example, you may want to block access to a login page to external users
|
||||||
security_policy = {
|
security_policy = {
|
||||||
enabled = true
|
enabled = true
|
||||||
ip_blacklist = ["79.149.0.0/16"]
|
ip_blacklist = ["79.149.0.0/16"]
|
||||||
path_blocked = "/login.html"
|
path_blocked = "/login.html"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Identity-Aware Proxy config for Cloud Run in the LB
|
||||||
|
iap = {
|
||||||
|
enabled = true
|
||||||
|
support_email = "user@example.org"
|
||||||
|
app_title = "Cloud Run Explore Application"
|
||||||
|
oauth2_client_name = "Test Client"
|
||||||
|
}
|
||||||
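Review bot: The comment above the new `iap` block does not say that `support_email` is reused as the only principal granted access to the application (the `google_iap_web_iam_member` resource added in the same commit builds `user:${var.iap.support_email}` from it), so someone copying this example and entering a shared support alias would grant access to that alias rather than to the intended user. Suggest extending the comment to `# support_email appears on the OAuth consent screen and is also the user granted roles/iap.httpsResourceAccessor (see google_iap_web_iam_member)`. It may also help to note next to `enabled = true` that the brand created for it cannot be deleted through the API, as the main.tf comments in this commit explain, since an example file is often applied once to try things out.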
|
|
|
@ -38,7 +38,12 @@ module "glb" {
|
||||||
]
|
]
|
||||||
health_checks = []
|
health_checks = []
|
||||||
port_name = "http"
|
port_name = "http"
|
||||||
security_policy = try(google_compute_security_policy.policy[0].name, null)
|
security_policy = try(google_compute_security_policy.policy[0].name,
|
||||||
|
null)
|
||||||
|
iap_config = try({
|
||||||
|
oauth2_client_id = google_iap_client.iap_client[0].client_id,
|
||||||
|
oauth2_client_secret = google_iap_client.iap_client[0].secret
|
||||||
|
}, null)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
health_check_configs = {}
|
health_check_configs = {}
|
||||||
|
@ -62,6 +67,7 @@ module "glb" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Cloud Armor configuration
|
||||||
resource "google_compute_security_policy" "policy" {
|
resource "google_compute_security_policy" "policy" {
|
||||||
count = var.glb_create ? (var.security_policy.enabled ? 1 : 0) : 0
|
count = var.glb_create ? (var.security_policy.enabled ? 1 : 0) : 0
|
||||||
name = "cloud-run-policy"
|
name = "cloud-run-policy"
|
||||||
|
@ -99,3 +105,40 @@ resource "google_compute_security_policy" "policy" {
|
||||||
description = "Default rule"
|
description = "Default rule"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Identity-Aware Proxy (IAP) or OAuth brand (see OAuth consent screen)
|
||||||
|
# Note:
|
||||||
|
# Only "Organization Internal" brands can be created programmatically
|
||||||
|
# via API. To convert it into an external brand please use the GCP
|
||||||
|
# Console.
|
||||||
|
# Brands can only be created once for a Google Cloud project and the
|
||||||
|
# underlying Google API doesn't support DELETE or PATCH methods.
|
||||||
|
# Destroying a Terraform-managed Brand will remove it from state but
|
||||||
|
# will not delete it from Google Cloud.
|
||||||
|
resource "google_iap_brand" "iap_brand" {
|
||||||
|
count = var.glb_create ? (var.iap.enabled ? 1 : 0) : 0
|
||||||
|
project = var.project_id
|
||||||
|
support_email = var.iap.support_email
|
||||||
|
application_title = var.iap.app_title
|
||||||
|
}
|
||||||
|
|
||||||
|
# IAP owned OAuth2 client
|
||||||
|
# Note:
|
||||||
|
# Only internal org clients can be created via declarative tools.
|
||||||
|
# External clients must be manually created via the GCP console.
|
||||||
|
# Warning:
|
||||||
|
# All arguments including secret will be stored in the raw state as plain-text.
|
||||||
|
resource "google_iap_client" "iap_client" {
|
||||||
|
count = var.glb_create ? (var.iap.enabled ? 1 : 0) : 0
|
||||||
|
display_name = var.iap.oauth2_client_name
|
||||||
|
brand = google_iap_brand.iap_brand[0].name
|
||||||
|
}
|
||||||
|
|
||||||
|
# IAM policy for IAP
|
||||||
|
# For simplicity we use the support_email as authorized member
|
||||||
|
resource "google_iap_web_iam_member" "iap_iam" {
|
||||||
|
count = var.glb_create ? (var.iap.enabled ? 1 : 0) : 0
|
||||||
|
project = var.project_id
|
||||||
|
role = "roles/iap.httpsResourceAccessor"
|
||||||
|
member = "user:${var.iap.support_email}"
|
||||||
|
}
|
||||||
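Review bot: The `google_iap_web_iam_member` resource binds `roles/iap.httpsResourceAccessor` at project level, so the member can reach every IAP-protected web resource in the project, not only the backend service this load balancer fronts; scoping it to the backend with `resource "google_iap_web_backend_service_iam_member" "iap_iam" {` plus `web_backend_service = <backend service name exported by module "glb", placeholder>` keeps the grant to this service. Deriving the member from `var.iap.support_email` also couples the consent-screen contact with the access list; a separate list variable (constructed name `iap_members`, defaulting to the support email) would let the two differ without breaking callers. In the `module "glb"` hunk, whose block starts outside the hunk, `oauth2_client_secret` is passed through `iap_config` and so lands in state alongside the `google_iap_client` resource the warning comment already describes; worth a short `# secret is stored in state in plain text` next to that line so the caveat is visible at the point of use. Since `ingress_settings` stays `internal-and-cloud-load-balancing`, requests arriving from inside the VPC presumably still reach Cloud Run without passing through the LB and therefore without IAP — confirm and document, as IAP here protects only the load-balancer path.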
|
|
|
@ -40,7 +40,7 @@ variable "ingress_settings" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "security_policy" {
|
variable "security_policy" {
|
||||||
description = "Security policy to enforce in the LB"
|
description = "Security policy (Cloud Armor) to enforce in the LB"
|
||||||
type = object({
|
type = object({
|
||||||
enabled = bool
|
enabled = bool
|
||||||
ip_blacklist = list(string)
|
ip_blacklist = list(string)
|
||||||
|
@ -52,3 +52,19 @@ variable "security_policy" {
|
||||||
path_blocked = null
|
path_blocked = null
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "iap" {
|
||||||
|
description = "Identity-Aware Proxy for Cloud Run in the LB"
|
||||||
|
type = object({
|
||||||
|
enabled = bool
|
||||||
|
support_email = string
|
||||||
|
app_title = string
|
||||||
|
oauth2_client_name = string
|
||||||
|
})
|
||||||
|
default = {
|
||||||
|
enabled = false
|
||||||
|
support_email = null
|
||||||
|
app_title = null
|
||||||
|
oauth2_client_name = null
|
||||||
|
}
|
||||||
|
}
|
||||||
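Review bot: The new `variable "iap"` object allows `enabled = true` while `support_email`, `app_title` and `oauth2_client_name` keep their `null` defaults, and the failure then only appears at apply time from `google_iap_brand` (in main.tf) rather than at plan time. If the Terraform version used here supports variable `validation` blocks, a condition that requires the three fields whenever `enabled` is true reports the mistake before any resource is touched; the `description` could also mention that `support_email` is granted access by the IAM member resource in this commit. The `variable "security_policy"` hunk is unaffected.
```hcl
variable "iap" {
  # … unchanged: description, type, default …
  validation {
    condition     = !var.iap.enabled || (var.iap.support_email != null && var.iap.app_title != null && var.iap.oauth2_client_name != null)
    error_message = "When iap.enabled is true, support_email, app_title and oauth2_client_name must all be set."
  }
}
```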
|
|