From 95ed8e4031a9a25edc02fd7d0f3e483c8cbfdce4 Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Wed, 17 Apr 2024 10:22:19 -0700
Subject: [PATCH 1/5] Stop allowing 0.0.0.0/0 egress by default. Instead specify a specific range for Google APIs
Signed-off-by: Nghia Tran
---
 modules/networking/main.tf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index b9646358..f152b0c0 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -7,12 +7,13 @@ resource "google_compute_network" "this" {
   delete_default_routes_on_create = true
 }
-// Create a default route to the Internet.
-resource "google_compute_route" "egress-inet" {
+// Allow private Google access from the VPC.
+resource "google_compute_route" "private-google-access" {
   name = var.name
   network = google_compute_network.this.name
-  dest_range = "0.0.0.0/0"
+  # https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config
+  dest_range = "199.36.153.8/30"
   next_hop_gateway = "default-internet-gateway"
 }
From e398f5f105f9fa4b7c1f11cedee531a12b9fa227 Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 18 Apr 2024 10:51:27 -0700
Subject: [PATCH 2/5] Reroute *.google.com to private.googleapis.com
Signed-off-by: Nghia Tran
---
 modules/networking/dns.tf | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/modules/networking/dns.tf b/modules/networking/dns.tf
index 28707f7d..3fb69b15 100644
--- a/modules/networking/dns.tf
+++ b/modules/networking/dns.tf
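Review bot: The new route is commented as "Allow private Google access from the VPC", but a route to the `199.36.153.8/30` VIP is only half of that: Private Google Access is a per-subnet setting, and `google_compute_subnetwork.regional` (outside this hunk) needs `private_ip_google_access = true` or traffic from those subnets will not reach the VIP at all — worth confirming, since with `delete_default_routes_on_create = true` and the `0.0.0.0/0` route gone there is now no other egress path. The `dest_range` line carries only a URL; say what the constant is and that the fail-closed posture is deliberate, e.g. `# private.googleapis.com VIP; with the default route deleted this is the VPC's only egress, so anything else fails closed.` If the VPC ever has IPv6 enabled, the matching IPv6 VIP range would need its own route, which is not visible here.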
@@ -33,6 +33,35 @@ resource "google_dns_record_set" "cloud-run-cname" {
   rrdatas = ["private.googleapis.com."]
 }
+// Create a special DNS zone attached to the network in which
+// we will operate our services that reroutes *.google.com
+// that we control.
+resource "google_dns_managed_zone" "private-google-com" {
+  project = var.project_id
+  name = "private-google-com-${random_string.suffix.result}"
+  dns_name = "google.com."
+  description = "This reroutes google.com requests to private.googleapis.com"
+
+  visibility = "private"
+
+  private_visibility_config {
+    networks {
+      network_url = google_compute_network.this.id
+    }
+  }
+}
+
+// Create a record for *.run.app that points to private.googleapis.com
+resource "google_dns_record_set" "private-google-com-cname" {
+  project = var.project_id
+  name = "*.google.com."
+  managed_zone = google_dns_managed_zone.private-google-com.name
+  type = "CNAME"
+  ttl = 60
+
+  rrdatas = ["private.googleapis.com."]
+}
+
 // Create a special DNS zone attached to the network in which
 // we will operate our services that reroutes private.googleapis.com
 // to records that we control.
From 699369ca2fabdbe4d9aa5f24105319b3d552fd22 Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 18 Apr 2024 10:55:19 -0700
Subject: [PATCH 3/5] Docs
Signed-off-by: Nghia Tran
---
 modules/networking/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/networking/README.md b/modules/networking/README.md
index 6e464e3c..2cea9a4d 100644
--- a/modules/networking/README.md
+++ b/modules/networking/README.md
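Review bot: The private zone with `dns_name = "google.com."` makes Cloud DNS authoritative for the entire google.com domain inside this VPC, so, as I read private-zone behaviour, any google.com name the `private.googleapis.com` VIP does not actually serve will now fail (NXDOMAIN or a certificate mismatch at the VIP) rather than fall back to public resolution, and the apex `google.com.` itself is not matched by the `*.google.com.` wildcard; the header comment should say this is intentional so nobody "fixes" it later by adding a public forwarder. The comment `// we will operate our services that reroutes *.google.com` / `// that we control.` reads like a copy of the private.googleapis.com zone's comment and never says where the traffic goes; suggest a header along the lines of "Private zone that makes this VPC authoritative for google.com. and CNAMEs every *.google.com name to the private.googleapis.com VIP so Google traffic cannot bypass the private path; names the VIP does not serve fail closed, and the apex is deliberately unmatched." The `description` string says "reroutes google.com requests" where it means DNS lookups; wording only, but it is the text an operator sees in the console.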
@@ -48,11 +48,13 @@ No modules.
 | Name | Type |
 |------|------|
 | [google_compute_network.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) | resource |
-| [google_compute_route.egress-inet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
+| [google_compute_route.private-google-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
 | [google_compute_subnetwork.regional](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource |
 | [google_dns_managed_zone.cloud-run-internal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
 | [google_dns_managed_zone.private-google-apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
+| [google_dns_managed_zone.private-google-com](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
 | [google_dns_record_set.cloud-run-cname](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
+| [google_dns_record_set.private-google-com-cname](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
 | [google_dns_record_set.private-googleapis-a-record](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
From b9e939165879a333c4da08d644fa0980e6b4818a Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 18 Apr 2024 11:16:48 -0700
Subject: [PATCH 4/5] moved
Signed-off-by: Nghia Tran
---
 modules/networking/main.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index f152b0c0..3ce9a739 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -17,6 +17,11 @@ resource "google_compute_route" "private-google-access" {
   next_hop_gateway = "default-internet-gateway"
 }
+moved {
+  from = google_compute_route.egress-inet
+  to = google_compute_route.private-google-access
+}
+
 // Create regional subnets in each of the specified regions,
 // which we will use to operate Cloud Run services.
 resource "google_compute_subnetwork" "regional" {
From debd4e0fcf7380dc54e847a12de8c4c177d77d64 Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 18 Apr 2024 11:33:42 -0700
Subject: [PATCH 5/5] Update modules/networking/dns.tf
Signed-off-by: Nghia Tran
---
 modules/networking/dns.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/networking/dns.tf b/modules/networking/dns.tf
index 3fb69b15..2317f8d8 100644
--- a/modules/networking/dns.tf
+++ b/modules/networking/dns.tf
@@ -51,7 +51,7 @@ resource "google_dns_managed_zone" "private-google-com" {
   }
 }
-// Create a record for *.run.app that points to private.googleapis.com
+// Create a record for *.google.com that points to private.googleapis.com
 resource "google_dns_record_set" "private-google-com-cname" {
   project = var.project_id
   name = "*.google.com."