kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e42c1b548c676db3012ab8e6c5965ff81ec6413
hunfabric/modules/cloud-run-v2/recipes/cloudsql-iam-auth-proxy/README.md
Wiktor Niesiobędzki 2e42c1b548 service_account_config for Cloud Run v2 
Additional changes:
* align vpc-connector interface to Cloud Functions
* split managed and unmanaged resources into separate files, this makes
  easier to introduce further changes
* add support for contexts
* move `vpc_connector` variable to variables.tf for Cloud Functions
* remove `create` from `vpc_connector` in Cloud Functions as it was
  sharing the meaning with `vpc_connector_create`
2025-10-27 08:03:53 +01:00

2.4 KiB
Raw Blame History

Cloud Run provides shorthand to connect to Cloud SQL database, but that requires connecting using password. In this recipe connection is authorized using IAM

# create service account for Cloud Run service
module "run-sa" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "db-run"
  iam_project_roles = {
    (var.project_id) = [
      "roles/storage.objectViewer",
      "roles/logging.logWriter",
      "roles/cloudsql.client",
      "roles/cloudsql.instanceUser"
    ]
  }
}

# Create MySQL database
module "db" {
  source     = "./fabric/modules/cloudsql-instance"
  project_id = var.project_id
  network_config = {
    connectivity = {
      psa_config = {
        private_network = var.vpc.self_link
      }
    }
  }
  name             = "db"
  region           = var.region
  database_version = "MYSQL_8_4"
  tier             = "db-g1-small"

  flags = {
    cloudsql_iam_authentication    = "on"
    disconnect_on_expired_password = "on"
  }

  databases = [
    "test"
  ]

  users = {
    # IAM Service Account
    (module.run-sa.email) = {
      type = "CLOUD_IAM_SERVICE_ACCOUNT"
    }
  }
  gcp_deletion_protection       = false
  terraform_deletion_protection = false
}

module "database_run" {
  source     = "./fabric/modules/cloud-run-v2"
  project_id = var.project_id
  name       = "db-test"
  region     = var.region
  containers = {
    sqlproxy = {
      image = "docker.io/phpmyadmin"
      ports = {
        "" = {
          container_port = 8080
          name           = "http1"
        }
      }
      env = {
        APACHE_PORT = "8080"
        PMA_SOCKET  = "/cloudsql/${module.db.connection_name}"
        PMA_USER    = split("@", module.run-sa.email)[0]
      }
      volume_mounts = {
        custom_cloudsql = "/cloudsql"
      }
    }
    authproxy = {
      name  = "cloudsql"
      image = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.18.0"
      args = [
        "--auto-iam-authn",
        "--private-ip",
        "--unix-socket=/cloudsql",
        module.db.connection_name
      ]
      ports = {}
      volume_mounts = {
        custom_cloudsql = "/cloudsql"
      }
    }
  }
  service_account_config = {
    create = false
    email  = module.run-sa.email
  }
  volumes = {
    custom_cloudsql = {
      empty_dir_size = "128k"
    }
  }
  deletion_protection = false
}
# tftest inventory=recipe-cloudsql-iam-auth-proxy.yaml e2e