# Google provider configuration. Terraform itself authenticates with a
# service-account key file read from local disk.
# NOTE(review): a long-lived key on the operator's machine is the weakest of the
# supported options; Application Default Credentials (gcloud auth
# application-default login locally, workload identity in CI) avoid the file
# entirely — confirm whether that fits the deployment workflow.
provider "google" {
  credentials = file(var.gcp_auth_file)
  project     = var.gcp_project
  region      = var.gcp_region
}
# Looks up the target project; its project_id is injected into the API container
# further down.
data "google_project" "project" {}
# Container Registry (GCR) storage in the chosen multi-region; presumably hosts
# the image named by var.gcp_cloud_run_api_image.
# NOTE(review): nothing here restricts who may push or pull — that is governed
# by the project's storage IAM. GCR has a successor (Artifact Registry); confirm
# whether a migration is planned.
resource "google_container_registry" "registry" {
  location = var.gcp_location
  project  = var.gcp_project
}
# Project-level custom role carrying exactly one permission: storage.objects.get.
# Because storage.objects.list is deliberately NOT included, a holder can fetch
# an object whose exact name it knows but cannot enumerate a bucket's contents.
resource "google_project_iam_custom_role" "storage-noauth" {
  permissions = ["storage.objects.get"]
  role_id     = "storage.objectView"
  title       = "Storage Object View Only"
}
# Policy document that grants the read-only custom role to "allUsers" — i.e. to
# anonymous, unauthenticated callers on the public internet. It is reused by both
# buckets below, so a change here makes both of them more or less public at once.
data "google_iam_policy" "storage-noauth" {
  binding {
    members = ["allUsers"]
    role    = google_project_iam_custom_role.storage-noauth.id
  }
}
# Bucket that serves the static website.
# uniform_bucket_level_access disables per-object ACLs, so the IAM policy
# attached to this bucket (plus inherited project IAM) is the only access control.
# NOTE(review): force_destroy = true lets `terraform destroy` (or a rename of the
# bucket) delete it together with every object inside, with no further prompt —
# acceptable for a disposable environment, reconsider for production content.
resource "google_storage_bucket" "app" {
  location                    = var.gcp_location
  name                        = var.gcp_bucket_app
  uniform_bucket_level_access = true
  force_destroy               = true
}
# Bind the anonymous-read policy to the website bucket: anyone holding an object's
# exact URL can download it; listing the bucket is not granted.
# NOTE(review): google_storage_bucket_iam_policy is authoritative — applying it
# replaces every binding on the bucket, including the default legacy bindings for
# project owners/editors/viewers. Any other principal that must write here (e.g.
# whatever deploys the site) needs project-level IAM or an entry in this policy.
resource "google_storage_bucket_iam_policy" "app-acl" {
  policy_data = data.google_iam_policy.storage-noauth.policy_data
  bucket      = google_storage_bucket.app.name
}
# Bucket holding the video assets served by the API.
# uniform_bucket_level_access disables per-object ACLs, so the IAM policy
# attached to this bucket (plus inherited project IAM) is the only access control.
# NOTE(review): force_destroy = true lets `terraform destroy` (or a rename of the
# bucket) delete it together with every video inside, with no further prompt —
# acceptable for a disposable environment, reconsider for production content.
resource "google_storage_bucket" "assets" {
  location                    = var.gcp_location
  name                        = var.gcp_bucket_assets
  uniform_bucket_level_access = true
  force_destroy               = true
}
# Bind the anonymous-read policy to the videos bucket: anyone holding an object's
# exact URL can download it; listing the bucket is not granted.
# NOTE(review): this policy is authoritative and replaces every binding on the
# bucket. var.gcp_api_key_file is described as the API's credential "for
# accessing buckets", yet nothing in this file grants that service account any
# role on this bucket — confirm it is granted at project level, otherwise uploads
# from the API will be denied.
resource "google_storage_bucket_iam_policy" "assets-acl" {
  policy_data = data.google_iam_policy.storage-noauth.policy_data
  bucket      = google_storage_bucket.assets.name
}
# Secret Manager entry that will hold the API's service-account key file.
# NOTE(review): "automatic" replication lets Google pick the storage regions,
# so this secret is not pinned to the EU location used for the buckets; use
# user-managed replication if data residency matters.
resource "google_secret_manager_secret" "api-gcp-key-file" {
  secret_id = "api-gcp-key-file"

  replication {
    automatic = true
  }
}
# Uploads the key file's contents as a version of the secret.
# NOTE(review): file() reads the key at plan time, so the raw key is written to
# Terraform state in plaintext (whether or not the provider hides it in plan
# output) — the state backend must be protected like the key itself.
# Rotation = replace the file on disk and apply again, which adds a new version.
resource "google_secret_manager_secret_version" "api-gcp-key-file-version" {
  secret_data = file(var.gcp_api_key_file)
  secret      = google_secret_manager_secret.api-gcp-key-file.id
}
# The API, deployed on Cloud Run. The key-file secret is mounted under /secrets
# and its path is passed to the container through GCLOUD_KEY_FILE.
# NOTE(review): no service_account_name is set, so the revision presumably runs
# as the project's default Cloud Run identity. That identity must hold
# roles/secretmanager.secretAccessor on the secret and nothing in this file grants
# it — confirm it is granted elsewhere, or the revision will likely fail to start.
# NOTE(review): shipping a long-lived service-account key into the container is
# the pattern Google advises against; a dedicated runtime service account with
# IAM on the assets bucket would remove the key from disk, state and Secret
# Manager altogether.
resource "google_cloud_run_service" "api" {
  location                   = var.gcp_region
  name                       = var.gcp_cloud_run_api
  autogenerate_revision_name = true

  template {
    metadata {
      annotations = {
        # Hard cap of one instance: bounds cost, but also throughput.
        "autoscaling.knative.dev/maxScale" = "1"
        "client.knative.dev/user-image"    = var.gcp_cloud_run_api_image
        "run.googleapis.com/client-name"   = "terraform"
      }
    }

    spec {
      containers {
        image = var.gcp_cloud_run_api_image

        ports {
          container_port = 80
        }

        env {
          name  = "GCLOUD_PROJECT_ID"
          value = data.google_project.project.project_id
        }
        env {
          name  = "GCLOUD_KEY_FILE"
          value = "/secrets/${google_secret_manager_secret.api-gcp-key-file.secret_id}"
        }
        env {
          name  = "STORAGE_ASSETS_BUCKET"
          value = google_storage_bucket.assets.name
        }

        volume_mounts {
          name       = google_secret_manager_secret.api-gcp-key-file.secret_id
          mount_path = "/secrets"
        }
      }

      volumes {
        name = google_secret_manager_secret.api-gcp-key-file.secret_id

        secret {
          # No items block: per the provider docs the latest version is exposed as
          # a single file named after the secret, which is what GCLOUD_KEY_FILE
          # above points at — verify after the first deploy.
          secret_name = google_secret_manager_secret.api-gcp-key-file.secret_id
        }
      }
    }
  }

  traffic {
    latest_revision = true
    percent         = 100
  }

  # A version must exist before a revision tries to mount the secret.
  depends_on = [google_secret_manager_secret_version.api-gcp-key-file-version]
}
# Policy document granting roles/run.invoker to "allUsers": the service becomes
# reachable without any Google identity from the whole internet. Any
# authentication or authorization the API needs must therefore live inside the
# application itself.
data "google_iam_policy" "cloud-run-noauth" {
  binding {
    members = ["allUsers"]
    role    = "roles/run.invoker"
  }
}
# Make the API publicly invokable by binding the allUsers policy to the service.
# This resource is authoritative: it replaces every existing binding on the
# service, so any other invoker/developer binding must be added here.
resource "google_cloud_run_service_iam_policy" "api-noauth" {
  service     = google_cloud_run_service.api.name
  location    = google_cloud_run_service.api.location
  project     = google_cloud_run_service.api.project
  policy_data = data.google_iam_policy.cloud-run-noauth.policy_data

  # Redundant with the attribute references above, kept for explicitness.
  depends_on = [google_cloud_run_service.api]
}
# Target project for every resource in this file; required, no default.
variable "gcp_project" {
  description = "GCP project name"
  type        = string
}
# Region used by the provider and the Cloud Run service.
variable "gcp_region" {
  description = "GCP region"
  type        = string
  default     = "europe-west1"
}
# Multi-region location used by the buckets and the container registry.
variable "gcp_location" {
  description = "GCP location"
  type        = string
  default     = "EU"
}
# Path to the service-account key Terraform itself authenticates with. The path
# is not secret, but the file it points to is — keep it out of version control.
variable "gcp_auth_file" {
  description = "GCP authentication file for terraform"
  type        = string
}
# Globally unique name of the static-website bucket.
variable "gcp_bucket_app" {
  description = "The id of the bucket for the static website"
  type        = string
}
# Globally unique name of the video-assets bucket.
variable "gcp_bucket_assets" {
  description = "The id of the bucket for the assets"
  type        = string
}
# Name of the Cloud Run service hosting the API.
variable "gcp_cloud_run_api" {
  description = "The id of the Cloud Run Service"
  type        = string
}
# Fully qualified image reference deployed to Cloud Run. Pinning it by digest
# rather than a mutable tag makes a deploy reproducible and tamper-evident.
variable "gcp_cloud_run_api_image" {
  description = "The name of the docker image for the API"
  type        = string
}
# Path to the service-account key that is uploaded to Secret Manager and mounted
# into the API container. Its contents end up in Terraform state — see the
# secret-version resource above.
variable "gcp_api_key_file" {
  description = "GCP authentication file for accessing buckets from the API"
  type        = string
}