cloud-foundation-fabric/blueprints/third-party-solutions/phpipam/main.tf

/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

locals {
  cloudsql_conf = {
    database_version = "MYSQL_8_0"
    tier             = "db-g1-small"
    db               = "phpipam"
    user             = "admin"
  }
  cloudsql_password = coalesce(
    var.cloudsql_password,
    module.cloudsql.user_passwords[local.cloudsql_conf.user]
  )
  connector = coalesce(var.connector, module.cloud_run.vpc_connector)
  domain = (
    var.custom_domain != null ? var.custom_domain : (
      var.phpipam_exposure == "EXTERNAL" ?
    "${module.addresses.0.global_addresses["phpipam"].address}.nip.io" : "phpipam.internal")
  )
  iam = {
    # CloudSQL
    "roles/cloudsql.admin"        = var.admin_principals
    "roles/cloudsql.client"       = var.admin_principals
    "roles/cloudsql.instanceUser" = var.admin_principals
    # common roles
    "roles/logging.admin"                  = var.admin_principals
    "roles/iam.serviceAccountUser"         = var.admin_principals
    "roles/iam.serviceAccountTokenCreator" = var.admin_principals
  }
  network          = var.vpc_config == null ? module.vpc.0.self_link : var.vpc_config.network
  phpipam_password = var.phpipam_password == null ? random_password.phpipam_password.result : var.phpipam_password
  subnetwork       = var.vpc_config == null ? module.vpc.0.subnet_self_links["${var.region}/ilb"] : var.vpc_config.subnetwork
}


# either create a project or set up the given one
module "project" {
  source          = "../../../modules/project"
  billing_account = try(var.project_create.billing_account_id, null)
  iam             = var.project_create != null ? local.iam : {}
  name            = var.project_id
  parent          = try(var.project_create.parent, null)
  prefix          = var.project_create == null ? null : var.prefix
  project_create  = var.project_create != null
  services = [
    "iap.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "run.googleapis.com",
    "servicenetworking.googleapis.com",
    "sqladmin.googleapis.com",
    "sql-component.googleapis.com",
    "vpcaccess.googleapis.com"
  ]
}


# create a VPC for CloudSQL and ILB
module "vpc" {
  source     = "../../../modules/net-vpc"
  count      = var.vpc_config == null ? 1 : 0
  project_id = module.project.project_id
  name       = "${var.prefix}-sql-vpc"

  psa_config = {
    ranges = {
      cloud-sql = var.ip_ranges.psa
    }
  }
  subnets = [
    {
      ip_cidr_range = var.ip_ranges.ilb
      name          = "ilb"
      region        = var.region
    }
  ]
}

resource "random_password" "phpipam_password" {
  length = 8
}

# create the Cloud Run service
module "cloud_run" {
  source           = "../../../modules/cloud-run"
  project_id       = module.project.project_id
  name             = "${var.prefix}-cr-phpipam"
  prefix           = var.prefix
  ingress_settings = "all"
  region           = var.region

  containers = {
    phpipam = {
      image = var.phpipam_config.image
      ports = {
        http = {
          name           = "http1"
          protocol       = null
          container_port = var.phpipam_config.port
        }
      }
      env_from = null
      # set up the database connection
      env = {
        "TZ"                     = "Europe/Rome"
        "IPAM_TRUST_X_FORWARDED" = "true"
        "IPAM_DATABASE_HOST"     = module.cloudsql.ip
        "IPAM_DATABASE_USER"     = local.cloudsql_conf.user
        "IPAM_DATABASE_PASS"     = local.cloudsql_password
        "IPAM_DATABASE_NAME"     = local.cloudsql_conf.db
        "IPAM_DATABASE_PORT"     = "3306"
      }
    }
  }
  iam = local.glb_create && var.iap.enabled ? {
    "roles/run.invoker" : ["serviceAccount:${local.iap_sa_email}"]
    } : {
    "roles/run.invoker" : [var.cloud_run_invoker]
  }
  revision_annotations = {
    autoscaling = {
      min_scale = 1
      max_scale = 2
    }
    # connect to CloudSQL
    cloudsql_instances = [module.cloudsql.connection_name]
    # allow all traffic
    vpcaccess_egress    = "private-ranges-only"
    vpcaccess_connector = local.connector
  }
  vpc_connector_create = var.create_connector ? {
    ip_cidr_range = var.ip_ranges.connector
    vpc_self_link = local.network
  } : null
}