Merge branch 'example-wordpress' of https://github.com/skalolazka/cloud-foundation-fabric into example-wordpress

getting

blueprints/third-party-solutions/wordpress/README.md

@@ -0,0 +1 @@
+# TODO

blueprints/third-party-solutions/wordpress/cloudrun/README.md

@@ -0,0 +1,124 @@
+# Wordpress deployment on Cloud Run
+
+43% of the Web is built on Wordpress. Because of its simplicity and versatility, Wordpress can be used for internal websites as well as customer facing e-commerce platforms in small to large businesses, while still offering security.
+
+This repository contains the necessary Terraform files to deploy a functioning new Wordpress website exposed to the public internet with minimal technical overhead.
+
+This architecture can be used for the following use cases and more:
+
+* Blog
+* Intranet / internal Wiki
+* E-commerce platform
+
+## Architecture
+
+![Wordpress on Cloud Run](images/architecture.png "Wordpress on Cloud Run")
+
+The main components that are deployed in this architecture are the following (you can learn about them by following the hyperlinks):
+
+* [Cloud Run](https://cloud.google.com/run): serverless PaaS offering to host containers for web-oriented applications, while offering security, scalability and easy versioning
+* [Cloud SQL](https://cloud.google.com/sql): Managed solution for SQL databases
+
+## Setup
+
+### Prerequisites
+
+#### Setting up the project for the deployment
+
+This example will deploy all its resources into the project defined by the `project_id` variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the `project_create` variable, the project will be created as part of the deployment.
+
+If `project_create` is left to null, the identity performing the deployment needs the `owner` role on the project defined by the `project_id` variable. Otherwise, the identity performing the deployment needs `resourcemanager.projectCreator` on the resource hierarchy node specified by `project_create.parent` and `billing.user` on the billing account specified by `project_create.billing_account_id`.
+
+### Deployment
+
+#### Step 0: Cloning the repository
+
+Click on the image below, sign in if required and when the prompt appears, click on “confirm”.
+
+[<p align="center"> <img alt="Open Cloudshell" width = "300px" src="images/button.png" /> </p>]()
+
+LINK NEEDED --> can only be added after PR
+
+Before we deploy the architecture, you will at least need the following information (for more precise configuration see the Variables section):
+
+* The project ID.
+* A Google Cloud Registry path to a Wordpress container image.
+
+#### Step 1: Add Wordpress image
+
+In order to deploy the Wordpress service to Cloud Run, you need to store the [Wordpress image](https://hub.docker.com/r/bitnami/wordpress/) in Google Cloud Registry (GCR).
+
+Make sure that the Google Container Registry API is enabled and run the following commands in your Cloud Shell environment with your `project_id` in place of the `MY_PROJECT` placeholder:
+
+``` {shell}
+docker pull bitnami/wordpress
+```
+
+```{shell}
+docker tag bitnami/wordpress gcr.io/MY_PROJECT/wordpress
+```
+```{shell
+
+docker push gcr.io/MY_PROJECT/wordpress
+```
+
+** Important : please note this example architecture is built for this particular bitnami image, if you decide to use another one this example might not work.**
+
+#### Step 2: Deploy resources
+
+Once you have the required information, head back to the Cloud Shell editor. Make sure you’re in the directory of this tutorial (where this README is in).
+
+Configure the Terraform variables in your terraform.tfvars file. See [terraform.tfvars.sample](terraform.tfvars.sample) as starting point - just copy it to `terraform.tfvars` and edit the latter.
+
+Initialize your Terraform environment and deploy the resources:
+
+``` {shell}
+terraform init
+terraform apply
+```
+The resource creation will take a few minutes.
+
+Upon completion, you will see the output with the values for the Cloud Run service and the user and password to access the `/admin` part of the website. You can also view it later with:
+``` {shell}
+terraform output
+# or for the concrete variable:
+terraform output cloud_run_service
+```
+
+
+#### Clean up your environment
+
+The easiest way to remove all the deployed resources is to run the following command in Cloud Shell:
+
+``` {shell}
+terraform destroy
+```
+
+The above command will delete the associated resources so there will be no billable charges made afterwards.
+<!-- BEGIN TFDOC -->
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [project_id](variables.tf#L32) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ |  |
+| [wordpress_image](variables.tf#L49) | Image to run with Cloud Run, starts with \"gcr.io\" | <code>string</code> | ✓ |  |
+| [cloud_run_invoker](variables.tf#L61) | IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone) | <code>string</code> |  | <code>&#34;allUsers&#34;</code> |
+| [connector_cidr](variables.tf#L67) | CIDR block for the VPC serverless connector (10.8.0.0/28 by default) | <code>string</code> |  | <code>&#34;10.8.0.0&#47;28&#34;</code> |
+| [prefix](variables.tf#L17) | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> |  | <code>&#34;&#34;</code> |
+| [principals](variables.tf#L43) | List of emails of people/service accounts to give rights to, eg 'user@domain.com'. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [project_create](variables.tf#L23) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [psa_cidr](variables.tf#L80) | CIDR block for Private Service Access for CloudSQL (10.60.0.0/24 by default) | <code>string</code> |  | <code>&#34;10.60.0.0&#47;24&#34;</code> |
+| [region](variables.tf#L37) | Region for the created resources | <code>string</code> |  | <code>&#34;europe-west4&#34;</code> |
+| [sql_vpc_cidr](variables.tf#L73) | CIDR block for the VPC for the CloudSQL (10.0.0.0/20 by default) | <code>string</code> |  | <code>&#34;10.0.0.0&#47;20&#34;</code> |
+| [wordpress_port](variables.tf#L54) | Port for the Wordpress image (8080 by default) | <code>number</code> |  | <code>8080</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_run_service](outputs.tf#L17) | CloudRun service URL | ✓ |
+| [wp_password](outputs.tf#L28) | Wordpress user password | ✓ |
+| [wp_user](outputs.tf#L23) | Wordpress username |  |
+
+<!-- END TFDOC -->

blueprints/third-party-solutions/wordpress/cloudrun/main.tf

@@ -0,0 +1,165 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  prefix = var.prefix == null ? "" : "${var.prefix}-"
+  all_principals_iam = [
+    for k in var.principals :
+    "user:${k}"
+  ]
+  iam = {
+    # CloudSQL
+    "roles/cloudsql.admin"        = local.all_principals_iam
+    "roles/cloudsql.client"       = local.all_principals_iam
+    "roles/cloudsql.instanceUser" = local.all_principals_iam
+    # common roles
+    "roles/logging.admin"                  = local.all_principals_iam
+    "roles/iam.serviceAccountUser"         = local.all_principals_iam
+    "roles/iam.serviceAccountTokenCreator" = local.all_principals_iam
+  }
+  cloud_sql_conf = {
+    database_version = "MYSQL_8_0"
+    tier             = "db-g1-small"
+    db               = "wp-mysql"
+    user             = "admin"
+    pass             = "password"
+  }
+  wp_user = "user"
+}
+
+
+module "project" { # either create a project or set up the given one
+  source          = "../../../../modules/project"
+  name            = var.project_id
+  parent          = try(var.project_create.parent, null)
+  billing_account = try(var.project_create.billing_account_id, null)
+  project_create  = var.project_create != null
+  prefix          = var.project_create == null ? null : var.prefix
+  iam             = var.project_create != null ? local.iam : {}
+  iam_additive    = var.project_create == null ? local.iam : {}
+  services = [
+    "run.googleapis.com",
+    "logging.googleapis.com",
+    "monitoring.googleapis.com",
+    "sqladmin.googleapis.com",
+    "sql-component.googleapis.com",
+    "vpcaccess.googleapis.com",
+    "servicenetworking.googleapis.com"
+  ]
+}
+
+resource "random_password" "wp_password" {
+  length = 8
+}
+
+module "cloud_run" { # create the Cloud Run service
+  source     = "../../../../modules/cloud-run"
+  project_id = module.project.project_id
+  name       = "${local.prefix}cr-wordpress"
+  region     = var.region
+
+  containers = [{
+    image = var.wordpress_image
+    ports = [{
+      name           = "http1"
+      protocol       = null
+      container_port = var.wordpress_port
+    }]
+    options = {
+      command  = null
+      args     = null
+      env_from = null
+      env = { # set up the database connection
+        "APACHE_HTTP_PORT_NUMBER" : var.wordpress_port
+        "WORDPRESS_DATABASE_HOST" : module.cloudsql.ip
+        "WORDPRESS_DATABASE_NAME" : local.cloud_sql_conf.db
+        "WORDPRESS_DATABASE_USER" : local.cloud_sql_conf.user
+        "WORDPRESS_DATABASE_PASSWORD" : local.cloud_sql_conf.pass
+        "WORDPRESS_USERNAME" : local.wp_user
+        "WORDPRESS_PASSWORD" : random_password.wp_password.result
+      }
+    }
+    resources     = null
+    volume_mounts = null
+  }]
+
+  iam = {
+    "roles/run.invoker" : [var.cloud_run_invoker]
+  }
+
+  revision_annotations = {
+    autoscaling = {
+      min_scale = 1
+      max_scale = 2
+    }
+    # connect to CloudSQL
+    cloudsql_instances  = [module.cloudsql.connection_name]
+    vpcaccess_connector = null
+    vpcaccess_egress    = "all-traffic" # allow all traffic
+  }
+  ingress_settings = "all"
+
+  vpc_connector_create = { # create a VPC connector for the ClouSQL VPC
+    ip_cidr_range = var.connector_cidr
+    name          = "${local.prefix}wp-connector"
+    vpc_self_link = module.vpc.self_link
+  }
+}
+
+
+module "vpc" { # create a VPC for CloudSQL
+  source     = "../../../../modules/net-vpc"
+  project_id = module.project.project_id
+  name       = "${local.prefix}sql-vpc"
+  subnets = [
+    {
+      ip_cidr_range      = var.sql_vpc_cidr
+      name               = "subnet"
+      region             = var.region
+      secondary_ip_range = {}
+    }
+  ]
+
+  psa_config = { # Private Service Access
+    ranges = {
+      cloud-sql = var.psa_cidr
+    }
+    routes = null
+  }
+}
+
+
+module "firewall" { # set up firewall for CloudSQL
+  source       = "../../../../modules/net-vpc-firewall"
+  project_id   = module.project.project_id
+  network      = module.vpc.name
+  admin_ranges = [var.sql_vpc_cidr]
+}
+
+
+module "cloudsql" { # Set up CloudSQL
+  source           = "../../../../modules/cloudsql-instance"
+  project_id       = module.project.project_id
+  network          = module.vpc.self_link
+  name             = "${local.prefix}mysql"
+  region           = var.region
+  database_version = local.cloud_sql_conf.database_version
+  tier             = local.cloud_sql_conf.tier
+  databases        = [local.cloud_sql_conf.db]
+  users = {
+    "${local.cloud_sql_conf.user}" = "${local.cloud_sql_conf.pass}"
+  }
+}

blueprints/third-party-solutions/wordpress/cloudrun/outputs.tf

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_run_service" {
+  description = "CloudRun service URL"
+  value       = module.cloud_run.service.status[0].url
+  sensitive   = true
+}
+
+output "wp_user" {
+  description = "Wordpress username"
+  value       = local.wp_user
+}
+
+output "wp_password" {
+  description = "Wordpress user password"
+  value       = random_password.wp_password.result
+  sensitive   = true
+}

blueprints/third-party-solutions/wordpress/cloudrun/terraform.tfvars.sample

@@ -0,0 +1,3 @@
+prefix     = "wp"
+project_id = "my-wordpress-project"
+wordpress_image = "gcr.io/my-wordpress-project/wordpress"

blueprints/third-party-solutions/wordpress/cloudrun/variables.tf

@@ -0,0 +1,84 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "prefix" {
+  description = "Unique prefix used for resource names. Not used for project if 'project_create' is null."
+  type        = string
+  default     = ""
+}
+
+variable "project_create" {
+  description = "Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
+  type = object({
+    billing_account_id = string
+    parent             = string
+  })
+  default = null
+}
+
+variable "project_id" {
+  description = "Project id, references existing project if `project_create` is null."
+  type        = string
+}
+
+variable "region" {
+  type        = string
+  description = "Region for the created resources"
+  default     = "europe-west4"
+}
+
+variable "principals" {
+  description = "List of emails of people/service accounts to give rights to, eg 'user@domain.com'."
+  type        = list(string)
+  default     = []
+}
+
+variable "wordpress_image" {
+  type        = string
+  description = "Image to run with Cloud Run, starts with \"gcr.io\""
+}
+
+variable "wordpress_port" {
+  type        = number
+  description = "Port for the Wordpress image (8080 by default)"
+  default     = 8080
+}
+
+# Documentation: https://cloud.google.com/run/docs/securing/managing-access#making_a_service_public
+variable "cloud_run_invoker" {
+  type        = string
+  description = "IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone)"
+  default     = "allUsers"
+}
+
+variable "connector_cidr" {
+  type        = string
+  description = "CIDR block for the VPC serverless connector (10.8.0.0/28 by default)"
+  default     = "10.8.0.0/28"
+}
+
+variable "sql_vpc_cidr" {
+  type        = string
+  description = "CIDR block for the VPC for the CloudSQL (10.0.0.0/20 by default)"
+  default     = "10.0.0.0/20"
+}
+
+# Documentation: https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range
+variable "psa_cidr" {
+  type        = string
+  description = "CIDR block for Private Service Access for CloudSQL (10.60.0.0/24 by default)"
+  default     = "10.60.0.0/24"
+}