diff --git a/modules/secure-cloud-function-core/README.md b/modules/secure-cloud-function-core/README.md
index 49f23b8c..7d966cb2 100644
--- a/modules/secure-cloud-function-core/README.md
+++ b/modules/secure-cloud-function-core/README.md
@@ -36,7 +36,7 @@ module "secure_cloud_function_core" {
 service_account_email = ingress_settings = "ALLOW_INTERNAL_AND_GCLB" all_traffic_on_latest_revision = true
- vpc_connector_egress_settings = "PRIVATE_RANGES_ONLY"
+ vpc_connector_egress_settings = "ALL_TRAFFIC"
 runtime_env_variables = runtime_secret_env_variables =
@@ -65,7 +65,7 @@ module "secure_cloud_function_core" {
 | project\_number | The project number to deploy to. | `number` | `null` | no |
 | repo\_source | The source repository where the Cloud Function Source is stored. Do not use combined with source\_path. |
object({
project_id = optional(string)
repo_name = string
branch_name = string
dir = optional(string)
tag_name = optional(string)
commit_sha = optional(string)
invert_regex = optional(bool, false)
})
| `null` | no | | runtime | The runtime in which the function will be executed. | `string` | n/a | yes | -| service\_config | Details of the service |
object({
max_instance_count = optional(string, 100)
min_instance_count = optional(string, 1)
available_memory = optional(string, "256M")
timeout_seconds = optional(string, 60)
runtime_env_variables = optional(map(string), null)
runtime_secret_env_variables = optional(set(object({
key_name = string
project_id = optional(string)
secret = string
version = string
})), null)
secret_volumes = optional(set(object({
mount_path = string
project_id = optional(string)
secret = string
versions = set(object({
version = string
path = string
}))
})), null)
vpc_connector = string
vpc_connector_egress_settings = optional(string, "PRIVATE_RANGES_ONLY")
ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")
service_account_email = string
all_traffic_on_latest_revision = optional(bool, true)
})
| n/a | yes | +| service\_config | Details of the service |
object({
max_instance_count = optional(string, 100)
min_instance_count = optional(string, 1)
available_memory = optional(string, "256M")
timeout_seconds = optional(string, 60)
runtime_env_variables = optional(map(string), null)
runtime_secret_env_variables = optional(set(object({
key_name = string
project_id = optional(string)
secret = string
version = string
})), null)
secret_volumes = optional(set(object({
mount_path = string
project_id = optional(string)
secret = string
versions = set(object({
version = string
path = string
}))
})), null)
vpc_connector = string
vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")
ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")
service_account_email = string
all_traffic_on_latest_revision = optional(bool, true)
})
| n/a | yes | | storage\_source | Get the source from this location in Google Cloud Storage. |
object({
bucket = string
object = string
generation = optional(string, null)
})
| `null` | no |
 ## Outputs
diff --git a/modules/secure-cloud-function-core/variables.tf b/modules/secure-cloud-function-core/variables.tf
index b04e4b57..983b075e 100644
--- a/modules/secure-cloud-function-core/variables.tf
+++ b/modules/secure-cloud-function-core/variables.tf
@@ -133,7 +133,7 @@ variable "service_config" {
 }))
 })), null)
 vpc_connector = string
- vpc_connector_egress_settings = optional(string, "PRIVATE_RANGES_ONLY")
+ vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")
 ingress_settings = optional(string, "ALLOW_INTERNAL_AND_GCLB")
 service_account_email = string
 all_traffic_on_latest_revision = optional(bool, true)
diff --git a/modules/secure-cloud-function-security/org_policies.tf b/modules/secure-cloud-function-security/org_policies.tf
index 809d7225..07df2876 100644
--- a/modules/secure-cloud-function-security/org_policies.tf
+++ b/modules/secure-cloud-function-security/org_policies.tf
@@ -85,6 +85,6 @@ module "cloudrun_allowed_vpc_egress" {
 organization_id = local.organization
 constraint = "constraints/run.allowedVPCEgress"
 policy_type = "list"
- allow = ["private-ranges-only"]
+ allow = ["all-traffic"]
 allow_list_length = 1
 }
diff --git a/modules/secure-cloud-function/README.md b/modules/secure-cloud-function/README.md
index 2077917d..02a2c4cf 100644
--- a/modules/secure-cloud-function/README.md
+++ b/modules/secure-cloud-function/README.md
@@ -132,7 +132,7 @@ module "secure_cloud_run" {
 | storage\_source | Get the source from this location in Google Cloud Storage. |
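Review bot: The new default `vpc_connector_egress_settings = optional(string, "ALL_TRAFFIC")` is the only value the sibling org policy in modules/secure-cloud-function-security/org_policies.tf (`constraints/run.allowedVPCEgress` allowing `all-traffic`) will accept, yet the `service_config` object still takes any string, so a caller passing `PRIVATE_RANGES_ONLY` or a misspelling only learns of it when the API or the org policy rejects the deployment. A `validation` block on `service_config` would surface this at plan time; the same gap applies to `vpc_egress_value` in modules/secure-cloud-function/variables.tf, which is also changed in this commit. The `variable "service_config"` block opens and closes outside this hunk, so the validation goes after its `type` argument.
```hcl
  # … unchanged: type = object({ … }) …
  validation {
    condition     = contains(["PRIVATE_RANGES_ONLY", "ALL_TRAFFIC"], var.service_config.vpc_connector_egress_settings)
    error_message = "service_config.vpc_connector_egress_settings must be PRIVATE_RANGES_ONLY or ALL_TRAFFIC; the bundled org policy constraints/run.allowedVPCEgress permits only ALL_TRAFFIC."
  }
```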
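Review bot: `allow = ["all-traffic"]` makes the policy deny `private-ranges-only` from now on, but nothing in the module records why the stricter value was chosen, and the public variable description in modules/secure-cloud-function/variables.tf still lists PRIVATE_RANGES_ONLY as a supported value. A short comment on the `cloudrun_allowed_vpc_egress` module would keep the intent from being reverted in a later "loosen it back" change: `# all-traffic only: every outbound connection from the service is routed through the VPC connector, so VPC firewall rules and egress controls apply; private-ranges-only would let traffic to public addresses bypass them.` The module block's opening line is outside this hunk.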
object({
bucket = string
object = string
generation = optional(string, null)
})
| `null` | no |
 | subnet\_name | Subnet name to be re-used to create Serverless Connector. | `string` | `null` | no |
 | timeout\_seconds | Timeout for each request. | `number` | `120` | no |
-| vpc\_egress\_value | Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. | `string` | `"PRIVATE_RANGES_ONLY"` | no |
+| vpc\_egress\_value | Sets VPC Egress firewall rule. Supported values are VPC\_CONNECTOR\_EGRESS\_SETTINGS\_UNSPECIFIED, PRIVATE\_RANGES\_ONLY, and ALL\_TRAFFIC. | `string` | `"ALL_TRAFFIC"` | no |
 | vpc\_project\_id | The host project for the shared vpc. | `string` | n/a | yes |
 ## Outputs
diff --git a/modules/secure-cloud-function/variables.tf b/modules/secure-cloud-function/variables.tf
index 8959ea10..f945e8ac 100644
--- a/modules/secure-cloud-function/variables.tf
+++ b/modules/secure-cloud-function/variables.tf
@@ -236,9 +236,9 @@ variable "timeout_seconds" {
 }
 variable "vpc_egress_value" {
- description = "Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic."
+ description = "Sets VPC Egress firewall rule. Supported values are VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, and ALL_TRAFFIC."
 type = string
- default = "PRIVATE_RANGES_ONLY"
+ default = "ALL_TRAFFIC"
 }
 variable "ingress_settings" {
diff --git a/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go b/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go
index b3ac7807..83d124f4 100644
--- a/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go
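Review bot: The new `description` advertises `VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED` and `PRIVATE_RANGES_ONLY` as supported values, but the org policy this same commit tightens in modules/secure-cloud-function-security/org_policies.tf (`constraints/run.allowedVPCEgress` allowing only `all-traffic`) rejects a function deployed with `PRIVATE_RANGES_ONLY`, and the UNSPECIFIED value is the API's placeholder rather than a setting a caller should pick, so the text promises more than a deployment under those policies permits; the README row in the preceding hunk repeats the same claim. Suggested wording: `description = "Sets the VPC connector egress setting of the function. Accepted API values are PRIVATE_RANGES_ONLY and ALL_TRAFFIC; when the secure-cloud-function-security org policies are applied, only ALL_TRAFFIC is permitted."` The README appears to mirror this description verbatim, which suggests it is generated from it, but that should be confirmed before editing the README by hand.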
+++ b/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go
@@ -274,7 +274,7 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
 },
 {
 constraint: "constraints/run.allowedVPCEgress",
- allowedValues: "private-ranges-only",
+ allowedValues: "all-traffic",
 },
 {
 constraint: "constraints/run.allowedIngress",
@@ -305,7 +305,7 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
 cf := gcloud.Runf(t, "functions describe %s --project %s --gen2 --region %s", name, projectID, location)
 assert.Equal("ACTIVE", cf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
 assert.Equal(connectorID, cf.Get("serviceConfig.vpcConnector").String(), fmt.Sprintf("VPC Connector should be %s. Connector was not set.", connectorID))
- assert.Equal("PRIVATE_RANGES_ONLY", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be PRIVATE_RANGES_ONLY.")
+ assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC.")
 assert.Equal("ALLOW_INTERNAL_AND_GCLB", cf.Get("serviceConfig.ingressSettings").String(), "Ingress setting should be ALLOW_INTERNAL_AND_GCLB.")
 assert.Equal(saEmail, cf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", saEmail))
 assert.Contains(cf.Get("eventTrigger.eventType").String(), "google.cloud.audit.log.v1.written", "Event Trigger is not based on Audit Logs. Check the EventType configuration.")
diff --git a/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go b/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go
index cfe393ad..fddd3fc0 100644
--- a/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go
+++ b/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go
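Review bot: The assertion message `"Egress setting should be ALL_TRAFFIC."` only restates the expected argument that `assert.Equal` already prints on failure, so a reader of a red build still does not learn why the secure module insists on this value; the identical line in test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go has the same gap. Stating the intent in the message documents the control under test: `assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC so every outbound connection traverses the VPC connector and is subject to VPC firewall rules and constraints/run.allowedVPCEgress.")`. The earlier hunk's `allowedValues: "all-traffic"` keeps the org-policy check in step with this assertion, which is the right pairing. TestGCF2BigqueryTrigger begins and ends outside these hunks.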
@@ -75,7 +75,7 @@ func TestGCF2CloudSQL(t *testing.T) {
 cf := gcloud.Runf(t, "functions describe %s --project %s --gen2 --region %s", name, projectID, location)
 assert.Equal("ACTIVE", cf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
 assert.Equal(connectorID, cf.Get("serviceConfig.vpcConnector").String(), fmt.Sprintf("VPC Connector should be %s. Connector was not set.", connectorID))
- assert.Equal("PRIVATE_RANGES_ONLY", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be PRIVATE_RANGES_ONLY.")
+ assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC.")
 assert.Equal("ALLOW_INTERNAL_AND_GCLB", cf.Get("serviceConfig.ingressSettings").String(), "Ingress setting should be ALLOW_INTERNAL_AND_GCLB.")
 assert.Equal(saEmail, cf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", saEmail))
 assert.Equal("google.cloud.pubsub.topic.v1.messagePublished", cf.Get("eventTrigger.eventType").String(), "Event Trigger is not a message published on topic.")