Fix failing e2e tests for Cloud Run CMEK

* create a fixture adding IAM grants to Cloud Run service agent
* add to README.md information about required grant

Decided to add this as a fixture, though it may not be reused, so that:
* the grant is not polluting the example
* the grant is fairly easily discoverable from README.md
* setup_module is not burdened with an additional grant which is used only
  for this example
This commit is contained in:
Wiktor Niesiobędzki
2024-03-28 12:44:20 +00:00
committed by Wiktor Niesiobędzki
parent f487b27aa9
commit da4e5acd46
2 changed files with 26 additions and 2 deletions


@@ -188,7 +188,7 @@ module "cloud_run" {
### Using Customer-Managed Encryption Key ### Using Customer-Managed Encryption Key
Deploy a Cloud Run service with environment variables encrypted using a Customer-Managed Encryption Key. Ensure you specify the encryption_key with the full resource identifier of your Cloud KMS CryptoKey. This setup adds an extra layer of security by utilizing your own encryption keys. Deploy a Cloud Run service with environment variables encrypted using a Customer-Managed Encryption Key (CMEK). Ensure you specify the encryption_key with the full resource identifier of your Cloud KMS CryptoKey and that Cloud Run Service agent (`service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com`) has permission to use the key, for example `roles/cloudkms.cryptoKeyEncrypterDecrypter` IAM role. This setup adds an extra layer of security by utilizing your own encryption keys.
```hcl ```hcl
module "cloud_run" { module "cloud_run" {
@@ -203,7 +203,7 @@ module "cloud_run" {
} }
} }
} }
# tftest modules=1 resources=1 e2e # tftest modules=1 resources=2 fixtures=fixtures/cloud-run-kms-iam-grant.tf e2e
``` ```
### Eventarc triggers ### Eventarc triggers
@@ -424,6 +424,7 @@ module "cloud_run" {
## Fixtures ## Fixtures
- [cloud-run-kms-iam-grant.tf](../../tests/fixtures/cloud-run-kms-iam-grant.tf)
- [iam-service-account.tf](../../tests/fixtures/iam-service-account.tf) - [iam-service-account.tf](../../tests/fixtures/iam-service-account.tf)
- [pubsub.tf](../../tests/fixtures/pubsub.tf) - [pubsub.tf](../../tests/fixtures/pubsub.tf)
- [secret-credentials.tf](../../tests/fixtures/secret-credentials.tf) - [secret-credentials.tf](../../tests/fixtures/secret-credentials.tf)
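Review bot: The new README sentence capitalizes "Cloud Run Service agent"; Google's term is "Cloud Run service agent", and the sentence should say where the grant is bound, i.e. on the CryptoKey itself rather than at project level, since that is what the referenced fixture does and a project-level grant would be broader than needed. The `tftest` line now points at `fixtures/cloud-run-kms-iam-grant.tf` and the Fixtures list links it, which is good; consider also mentioning in the prose that the e2e test applies this grant via that fixture, so a reader copying the example knows the binding is a prerequisite they must create themselves outside the test harness.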


@@ -0,0 +1,23 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_kms_crypto_key_iam_binding" "encrypt_decrypt" {
crypto_key_id = var.kms_key.id
members = [
"serviceAccount:service-${var.project_number}@serverless-robot-prod.iam.gserviceaccount.com"
]
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
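Review bot: `google_kms_crypto_key_iam_binding` is authoritative for `roles/cloudkms.cryptoKeyEncrypterDecrypter` on `var.kms_key.id`: on apply it replaces every member that currently holds that role on the key with the single service agent listed here, so if the test KMS key is shared with other examples or fixtures their grants are silently removed, and a later apply of another fixture would remove this one. Since this fixture only needs to add one principal, `google_kms_crypto_key_iam_member` with `member = "serviceAccount:service-${var.project_number}@serverless-robot-prod.iam.gserviceaccount.com"` is the additive and safer choice. Also `var.kms_key` and `var.project_number` are used but not declared in this file; that only works if the test harness injects them, which is worth a one-line comment at the top of the fixture so it is obvious the file is not standalone Terraform.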