Merge pull request #12 from deepfence/readme

Add readme for multiple project deployment

README.md

@@ -20,11 +20,16 @@ This module deploys Cloud Scanner for Google Cloud by creating underlying resour
 
 ### - Single-Project
 
-Deepfence workload will be deployed in the same account where user's resources will be watched.
+Deepfence workload will be deployed in the same project where user's resources will be monitored.
 
-Please check out below to implement the same-
 [`./examples/single-project`](https://github.com/deepfence/terraform-gcp-cloud-scanner/tree/main/examples/single-project)
 
+### - Multiple-Projects
+
+Deepfence workload will be deployed in a selected project and roles will be created in all other projects and all projects will be monitored.
+
+[`./examples/multi-project`](https://github.com/deepfence/terraform-gcp-cloud-scanner/tree/main/examples/multi-project)
+
 ## Authors
 
 Module is maintained and supported by [Deepfence](https://deepfence.io/).

examples/multi-project/README.md

@@ -0,0 +1,92 @@
+# Cloud Scanner in Google Cloud<br/>[ Example :: Multiple-Project ] 
+
+Deploy Cloud Scanner for Google Cloud in multiple projects.<br/>
+
+### Notice
+**Deployment cost** - This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+## Prerequisites
+
+1. Configure [Terraform **GCP** Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)
+2. Following **roles** are required in your GCP organization/project credentials
+   * _Owner_
+3. Besides, the following GCP **APIs must be enabled** to deploy resources correctly:
+
+* [Identity and access management API](https://console.cloud.google.com/marketplace/product/google/iam.googleapis.com)
+* [Cloud Run API](https://console.cloud.google.com/marketplace/product/google/run.googleapis.com)
+
+## Usage
+Copy the code below and paste it into a .tf file on your local machine.
+
+```terraform
+
+module "cloud-scanner_example_multiple-projects" {
+  source              = "deepfence/cloud-scanner/gcp//examples/multi-project"
+  version             = "0.4.0"
+  name                = "deepfence-cloud-scanner"
+  # org_domain: root project name
+  org_domain          = ""
+  # mgmt-console-url: deepfence.customer.com or 22.33.44.55
+  mgmt-console-url    = "<Console URL>"
+  mgmt-console-port   = "443"
+  deepfence-key       = "<Deepfence-key>"
+  image_name          = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.1.0"
+  # project_id example: dev1-123456
+  project_id          = "<PROJECT_ID>"
+  # region example: asia-east1
+  region              = "<REGION_ID>"
+  # Optional for private ip console
+  # Name of vpc network in which the management console was deployed
+  vpc                 = ""
+  # Optional for private ip console
+  # IP CIDR range for the connector to above vpc
+  # Example: 11.0.0.0/28
+  ip_cidr_range_svpca = ""
+  cpu                 = "4"
+  memory              = "8096Mi"
+  labels              = {
+    name = "deepfence-cloud-scanner"
+  }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.21.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.21.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.21.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_container"></a> [container](#module\_container) | ../../modules/services/container | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_service_account.container_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deepfence-key"></a> [deepfence-key](#input\_deepfence-key) | deepfence-key | `string` | `""` | no |
+| <a name="input_mgmt-console-port"></a> [mgmt-console-port](#input\_mgmt-console-port) | mgmt-console-port | `string` | `"443"` | no |
+| <a name="input_mgmt-console-url"></a> [mgmt-console-url](#input\_mgmt-console-url) | mgmt-console-url | `string` | `""` | no |
+| <a name="input_mode"></a> [mode](#input\_mode) | mode | `string` | `"service"` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"deepfence-cloud-scanner"` | no |
+
+## Outputs
+
+No outputs.

examples/multi-project/main.tf

@@ -1,25 +1,26 @@
-
 resource "google_service_account" "container_sa" {
   account_id   = "${var.name}-sa"
   display_name = "Service account for container"
-  project = var.project_id
+  project      = var.project_id
 }
 
 # deploys application image in cloud run container with required access
 module "container" {
-  source             = "../../modules/services/multi-project-container"
-  name               = "${var.name}-container"
-  mode               = var.mode
-  mgmt-console-url   = var.mgmt-console-url
-  mgmt-console-port  = var.mgmt-console-port
-  deepfence-key      = var.deepfence-key
-  image_name         = var.image_name
-  project_id         = var.project_id
-  container_sa_email = google_service_account.container_sa.email
-  cpu                = 2
-  multi-project-ids = join(",", data.google_projects.all_projects.projects.*.project_id)
-  org-acc-id        = data.google_organization.org_by_domain.id
-  location = var.region
+  source              = "../../modules/services/multi-project-container"
+  name                = "${var.name}-container"
+  mode                = var.mode
+  mgmt-console-url    = var.mgmt-console-url
+  mgmt-console-port   = var.mgmt-console-port
+  deepfence-key       = var.deepfence-key
+  image_name          = var.image_name
+  project_id          = var.project_id
+  container_sa_email  = google_service_account.container_sa.email
+  cpu                 = var.cpu
+  memory              = var.memory
+  multi-project-ids   = join(",", data.google_projects.all_projects.projects.*.project_id)
+  org-acc-id          = data.google_organization.org_by_domain.id
+  location            = var.region
   ip_cidr_range_svpca = var.ip_cidr_range_svpca
   vpc                 = var.vpc
+  labels              = var.labels
 }

examples/multi-project/variables.tf

@@ -31,7 +31,7 @@ variable "deepfence-key" {
 variable "image_name" {
   type        = string
   description = "Cloud Scanner docker image"
-  default     = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.0.0"
+  default     = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.1.0"
 }
 
 variable "org_domain" {
@@ -45,19 +45,38 @@ variable "project_id" {
 }
 
 variable "region" {
-  type = string
+  type        = string
   description = "location where the workload is going to be deployed"
 }
 
 
 variable "vpc" {
-  type = string
-  default = ""
+  type        = string
+  default     = ""
   description = "VPC Network name if connecting to console via private ip"
 }
 
 variable "ip_cidr_range_svpca" {
-  type = string
-  default = "11.0.0.0/28"
+  type        = string
+  default     = "11.0.0.0/28"
   description = "IP CIDR Range for serverless vpc connector to be created for private ip console"
+}
+
+variable "cpu" {
+  type        = string
+  default     = "4"
+  description = "Amount of CPU to reserve for cloud-scanner cloud run service"
+}
+
+variable "memory" {
+  type        = string
+  default     = "8192Mi"
+  description = "Amount of memory to reserve for cloud-scanner cloud run service"
+}
+
+variable "labels" {
+  type    = map(string)
+  default = {
+    name = "deepfence-cloud-scanner"
+  }
 }

examples/single-project/README.md

@@ -1,4 +1,4 @@
-# Cloud Scanner in Google Cloud<br/>[ Example :: Single-Account ] 
+# Cloud Scanner in Google Cloud<br/>[ Example :: Single-Project ] 
 
 Deploy Cloud Scanner for Google Cloud in a single project.<br/>
 
@@ -22,18 +22,29 @@ Copy the code below and paste it into a .tf file on your local machine.
 
 module "cloud-scanner_example_single-project" {
   source              = "deepfence/cloud-scanner/gcp//examples/single-project"
-  version             = "0.3.0"
+  version             = "0.4.0"
   name                = "deepfence-cloud-scanner"
-  mgmt-console-url    = "<Console URL> eg. XXX.XXX.XX.XXX"
+  # mgmt-console-url: deepfence.customer.com or 22.33.44.55
+  mgmt-console-url    = "<Console URL>"
   mgmt-console-port   = "443"
-  deepfence-key       = "<Deepfence-key> eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-  image_name          = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.0.0"
-  project_id          = "<PROJECT_ID>; ex. dev1-123456"
-  region              = "<REGION_ID>; ex. asia-east1"
-  #optional for private ip console
-  vpc                 = "<VPC Network Name>; Name of vpc network in which the console exists"
-  #optional for private ip console
-  ip_cidr_range_svpca = "<11.0.0.0/28> IP CIDR range for the connector to above vpc"
+  deepfence-key       = "<Deepfence-key>"
+  image_name          = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.1.0"
+  # project_id example: dev1-123456
+  project_id          = "<PROJECT_ID>"
+  # region example: asia-east1
+  region              = "<REGION_ID>"
+  # Optional for private ip console
+  # Name of vpc network in which the management console was deployed
+  vpc                 = ""
+  # Optional for private ip console
+  # IP CIDR range for the connector to above vpc
+  # Example: 11.0.0.0/28
+  ip_cidr_range_svpca = ""
+  cpu                 = "2"
+  memory              = "4096Mi"
+  labels              = {
+    name = "deepfence-cloud-scanner"
+  }
 }
 ```
 

examples/single-project/main.tf

@@ -7,22 +7,24 @@
 resource "google_service_account" "container_sa" {
   account_id   = "${var.name}-sa"
   display_name = "Service account for container"
-  project = var.project_id
+  project      = var.project_id
 }
 
 # deploys application image in cloud run container with required access
 module "container" {
-  source             = "../../modules/services/container"
-  name               = "${var.name}-container"
-  mode               = var.mode
-  mgmt-console-url   = var.mgmt-console-url
-  mgmt-console-port  = var.mgmt-console-port
-  deepfence-key      = var.deepfence-key
-  image_name         = var.image_name
-  project_id         = var.project_id
-  location           = var.region
-  container_sa_email = google_service_account.container_sa.email
-  cpu                = 2
+  source              = "../../modules/services/container"
+  name                = "${var.name}-container"
+  mode                = var.mode
+  mgmt-console-url    = var.mgmt-console-url
+  mgmt-console-port   = var.mgmt-console-port
+  deepfence-key       = var.deepfence-key
+  image_name          = var.image_name
+  project_id          = var.project_id
+  location            = var.region
+  container_sa_email  = google_service_account.container_sa.email
+  cpu                 = var.cpu
+  memory              = var.memory
   ip_cidr_range_svpca = var.ip_cidr_range_svpca
   vpc                 = var.vpc
+  labels              = var.labels
 }

examples/single-project/variables.tf

@@ -35,7 +35,7 @@ variable "deepfence-key" {
 variable "image_name" {
   type        = string
   description = "Cloud Scanner docker image"
-  default     = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:1.5.0"
+  default     = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:2.1.0"
 }
 
 variable "project_id" {
@@ -57,3 +57,22 @@ variable "ip_cidr_range_svpca" {
   default = "11.0.0.0/28"
   description = "IP CIDR Range for serverless vpc connector to be created for private ip console"
 }
+
+variable "cpu" {
+  type        = string
+  default     = "1"
+  description = "Amount of CPU to reserve for cloud-scanner cloud run service"
+}
+
+variable "memory" {
+  type        = string
+  default     = "2048Mi"
+  description = "Amount of memory to reserve for cloud-scanner cloud run service"
+}
+
+variable "labels" {
+  type = map(string)
+  default = {
+    name = "deepfence-cloud-scanner"
+  }
+}

modules/services/container/main.tf

@@ -59,6 +59,7 @@ resource "google_cloud_run_service" "container" {
     annotations = {
       "run.googleapis.com/ingress" = "internal"
     }
+    labels = var.labels
   }
 
   template {

modules/services/container/variables.tf

@@ -95,7 +95,9 @@ variable "ip_cidr_range_svpca" {
   description = "IP CIDR Range for serverless vpc connector to be created for private ip console"
 }
 
-
-
-
-
+variable "labels" {
+  type = map(string)
+  default = {
+    name = "deepfence-cloud-scanner"
+  }
+}

modules/services/multi-project-container/main.tf

@@ -57,6 +57,7 @@ resource "google_cloud_run_service" "container" {
     annotations = {
       "run.googleapis.com/ingress" = "internal"
     }
+    labels = var.labels
   }
 
   template {

modules/services/multi-project-container/variables.tf

@@ -66,13 +66,13 @@ variable "image_name" {
 
 variable "cpu" {
   type        = string
-  default     = "1"
+  default     = "4"
   description = "Amount of CPU to reserve for cloud-scanner cloud run service"
 }
 
 variable "memory" {
   type        = string
-  default     = "2048Mi"
+  default     = "8096Mi"
   description = "Amount of memory to reserve for cloud-scanner cloud run service"
 }
 
@@ -103,3 +103,10 @@ variable "ip_cidr_range_svpca" {
   default = "11.0.0.0/28"
   description = "IP CIDR Range for serverless vpc connector to be created for private ip console"
 }
+
+variable "labels" {
+  type = map(string)
+  default = {
+    name = "deepfence-cloud-scanner"
+  }
+}