fix: Changes connector egress setting and org policies (#47)
amandakarina committed Jun 9, 2023
1 parent 1743c51 commit 94158d9
Showing 7 changed files with 10 additions and 10 deletions.
4 changes: 2 additions & 2 deletions modules/secure-cloud-function-core/README.md
Expand Up @@ -36,7 +36,7 @@ module "secure_cloud_function_core" {
service_account_email = <FUNCTION-SERVICE-ACCOUNT-EMAIL>
ingress_settings = "ALLOW_INTERNAL_AND_GCLB"
all_traffic_on_latest_revision = true
vpc_connector_egress_settings = "PRIVATE_RANGES_ONLY"
vpc_connector_egress_settings = "ALL_TRAFFIC"
runtime_env_variables = <FUNCTION-RUNTIME-ENV-VARS>
runtime_secret_env_variables = <FUNCTION-RUNTIME-SECRET-ENV-VARS>
Expand Down Expand Up @@ -65,7 +65,7 @@ module "secure_cloud_function_core" {
| project\_number | The project number to deploy to. | `number` | `null` | no |
| repo\_source | The source repository where the Cloud Function Source is stored. Do not use combined with source\_path. | <pre>object({<br> project_id = optional(string)<br> repo_name = string<br> branch_name = string<br> dir = optional(string)<br> tag_name = optional(string)<br> commit_sha = optional(string)<br> invert_regex = optional(bool, false)<br> })</pre> | `null` | no |
| runtime | The runtime in which the function will be executed. | `string` | n/a | yes |
| service\_config | Details of the service | <pre>object({<br> max_instance_count = optional(string, 100)<br> min_instance_count = optional(string, 1)<br> available_memory = optional(string, "256M")<br> timeout_seconds = optional(string, 60)<br> runtime_env_variables = optional(map(string), null)<br> runtime_secret_env_variables = optional(set(object({<br> key_name = string<br> project_id = optional(string)<br> secret = string<br> version = string<br> })), null)<br> secret_volumes = optional(set(object({<br> mount_path = string<br> project_id = optional(string)<br> secret = string<br> versions = set(object({<br> version = string<br> path = string<br> }))<br> })), null)<br> vpc_connector = string<br> vpc_connector_egress_settings = optional(string, "PRIVATE_RANGES_ONLY")<br> ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")<br> service_account_email = string<br> all_traffic_on_latest_revision = optional(bool, true)<br> })</pre> | n/a | yes |
| service\_config | Details of the service | <pre>object({<br> max_instance_count = optional(string, 100)<br> min_instance_count = optional(string, 1)<br> available_memory = optional(string, "256M")<br> timeout_seconds = optional(string, 60)<br> runtime_env_variables = optional(map(string), null)<br> runtime_secret_env_variables = optional(set(object({<br> key_name = string<br> project_id = optional(string)<br> secret = string<br> version = string<br> })), null)<br> secret_volumes = optional(set(object({<br> mount_path = string<br> project_id = optional(string)<br> secret = string<br> versions = set(object({<br> version = string<br> path = string<br> }))<br> })), null)<br> vpc_connector = string<br> vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")<br> ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")<br> service_account_email = string<br> all_traffic_on_latest_revision = optional(bool, true)<br> })</pre> | n/a | yes |
| storage\_source | Get the source from this location in Google Cloud Storage. | <pre>object({<br> bucket = string<br> object = string<br> generation = optional(string, null)<br> })</pre> | `null` | no |

## Outputs
2 changes: 1 addition & 1 deletion modules/secure-cloud-function-core/variables.tf
Expand Up @@ -133,7 +133,7 @@ variable "service_config" {
}))
})), null)
vpc_connector = string
vpc_connector_egress_settings = optional(string, "PRIVATE_RANGES_ONLY")
vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")
ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")
service_account_email = string
all_traffic_on_latest_revision = optional(bool, true)
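Review bot: The new default `vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")` is not backed by any `validation` on the `service_config` variable, and the same applies to `vpc_egress_value` in modules/secure-cloud-function/variables.tf, whose description still advertises `VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED` as a supported value. The security module's `constraints/run.allowedVPCEgress` policy in this same commit now admits only `all-traffic`, so — assuming that policy governs the gen2 function's underlying Cloud Run service, as the tests on this page imply — any caller overriding the default to `PRIVATE_RANGES_ONLY` will only find out at apply time, after the org policy rejects the deployment. A `validation` block restricting the attribute to `["ALL_TRAFFIC", "PRIVATE_RANGES_ONLY"]` with an error message pointing at the org policy, plus one sentence in both descriptions stating that the bundled org policy permits only `ALL_TRAFFIC`, would surface this at plan time. The `variable "service_config"` block starts outside this hunk.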
2 changes: 1 addition & 1 deletion modules/secure-cloud-function-security/org_policies.tf
Expand Up @@ -85,6 +85,6 @@ module "cloudrun_allowed_vpc_egress" {
organization_id = local.organization
constraint = "constraints/run.allowedVPCEgress"
policy_type = "list"
allow = ["private-ranges-only"]
allow = ["all-traffic"]
allow_list_length = 1
}
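Review bot: The change to `allow = ["all-traffic"]` carries no comment explaining why this is now the only permitted egress mode, which matters because it is the stricter posture: with `all-traffic`, egress to public IPs also traverses the VPC connector and is therefore subject to VPC firewall rules and Cloud NAT, whereas `private-ranges-only` lets public-destination traffic leave the function directly. I would add above the `allow` line: `# Only all-traffic is permitted so that every egress flow, including to public destinations, passes through the VPC connector and is governed by VPC firewall rules and NAT.` It is also worth stating in the commit description or changelog that this is a tightening: existing Cloud Run services or functions still configured with `private-ranges-only` will presumably be rejected on their next deployment once this policy is applied. The `module "cloudrun_allowed_vpc_egress"` block starts outside this hunk.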
2 changes: 1 addition & 1 deletion modules/secure-cloud-function/README.md
Expand Up @@ -132,7 +132,7 @@ module "secure_cloud_run" {
| storage\_source | Get the source from this location in Google Cloud Storage. | <pre>object({<br> bucket = string<br> object = string<br> generation = optional(string, null)<br> })</pre> | `null` | no |
| subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | `null` | no |
| timeout\_seconds | Timeout for each request. | `number` | `120` | no |
| vpc\_egress\_value | Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. | `string` | `"PRIVATE_RANGES_ONLY"` | no |
| vpc\_egress\_value | Sets VPC Egress firewall rule. Supported values are VPC\_CONNECTOR\_EGRESS\_SETTINGS\_UNSPECIFIED, PRIVATE\_RANGES\_ONLY, and ALL\_TRAFFIC. | `string` | `"ALL_TRAFFIC"` | no |
| vpc\_project\_id | The host project for the shared vpc. | `string` | n/a | yes |

## Outputs
4 changes: 2 additions & 2 deletions modules/secure-cloud-function/variables.tf
Expand Up @@ -236,9 +236,9 @@ variable "timeout_seconds" {
}

variable "vpc_egress_value" {
description = "Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic."
description = "Sets VPC Egress firewall rule. Supported values are VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, and ALL_TRAFFIC."
type = string
default = "PRIVATE_RANGES_ONLY"
default = "ALL_TRAFFIC"
}

variable "ingress_settings" {
Expand Up @@ -274,7 +274,7 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
},
{
constraint: "constraints/run.allowedVPCEgress",
allowedValues: "private-ranges-only",
allowedValues: "all-traffic",
},
{
constraint: "constraints/run.allowedIngress",
Expand Down Expand Up @@ -305,7 +305,7 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
cf := gcloud.Runf(t, "functions describe %s --project %s --gen2 --region %s", name, projectID, location)
assert.Equal("ACTIVE", cf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
assert.Equal(connectorID, cf.Get("serviceConfig.vpcConnector").String(), fmt.Sprintf("VPC Connector should be %s. Connector was not set.", connectorID))
assert.Equal("PRIVATE_RANGES_ONLY", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be PRIVATE_RANGES_ONLY.")
assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC.")
assert.Equal("ALLOW_INTERNAL_AND_GCLB", cf.Get("serviceConfig.ingressSettings").String(), "Ingress setting should be ALLOW_INTERNAL_AND_GCLB.")
assert.Equal(saEmail, cf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", saEmail))
assert.Contains(cf.Get("eventTrigger.eventType").String(), "google.cloud.audit.log.v1.written", "Event Trigger is not based on Audit Logs. Check the EventType configuration.")
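Review bot: The expected egress value `"ALL_TRAFFIC"` is spelled out twice on the new assertion line — once as the expected argument and again inside the failure message — and the same duplicated literal appears in the second test file on this page, so the next change to the module default has to touch four strings that can silently drift apart. Hoisting it once per test package, `const expectedEgressSetting = "ALL_TRAFFIC"`, and asserting with `assert.Equal(expectedEgressSetting, cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), fmt.Sprintf("Egress setting should be %s.", expectedEgressSetting))` keeps the message and the expectation in step. The org-policy expectation `allowedValues: "all-traffic"` earlier in this hunk is the same setting in the policy's lower-case form; a short comment tying the two together would help a reader understand why both assertions must move together. Both enclosing test functions start outside their hunks, so I cannot tell whether the two files share a package.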
Expand Up @@ -75,7 +75,7 @@ func TestGCF2CloudSQL(t *testing.T) {
cf := gcloud.Runf(t, "functions describe %s --project %s --gen2 --region %s", name, projectID, location)
assert.Equal("ACTIVE", cf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
assert.Equal(connectorID, cf.Get("serviceConfig.vpcConnector").String(), fmt.Sprintf("VPC Connector should be %s. Connector was not set.", connectorID))
assert.Equal("PRIVATE_RANGES_ONLY", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be PRIVATE_RANGES_ONLY.")
assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC.")
assert.Equal("ALLOW_INTERNAL_AND_GCLB", cf.Get("serviceConfig.ingressSettings").String(), "Ingress setting should be ALLOW_INTERNAL_AND_GCLB.")
assert.Equal(saEmail, cf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", saEmail))
assert.Equal("google.cloud.pubsub.topic.v1.messagePublished", cf.Get("eventTrigger.eventType").String(), "Event Trigger is not a message published on topic.")
