Merge branch 'main' into minor-fixes-from-ce-feedback

GoogleCloudPlatform · Jan 22, 2025 · fdd5780 · fdd5780
2 parents 4e49383 + e5cc320
commit fdd5780
Show file tree

Hide file tree

Showing 12 changed files with 103 additions and 8 deletions.
diff --git a/components/common-infra/terraform/vpc.tf b/components/common-infra/terraform/vpc.tf
@@ -78,6 +78,43 @@ resource "google_compute_network_firewall_policy_rule" "allow-google-apis" {
   }
 }
 
+resource "google_compute_network_firewall_policy_rule" "allow-psa-to-alloydb" {
+  count           = var.create_vpc_network ? 1 : 0
+  description     = "Allow egress to PSA reserved range used for AlloyDB"
+  action          = "allow"
+  direction       = "EGRESS"
+  enable_logging  = true
+  firewall_policy = google_compute_network_firewall_policy.policy[0].name
+  priority        = 1010
+  rule_name       = "allow-psa-to-alloydb"
+
+  match {
+    dest_ip_ranges = ["${var.psa_reserved_address}/24"]
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = ["5433"]
+    }
+  }
+}
+
+resource "google_compute_network_firewall_policy_rule" "default-deny" {
+  count           = var.create_vpc_network ? 1 : 0
+  description     = "Low priority rule to deny all egress not explicitly matched by other rules"
+  action          = "deny"
+  direction       = "EGRESS"
+  enable_logging  = true
+  firewall_policy = google_compute_network_firewall_policy.policy[0].name
+  priority        = 65535
+  rule_name       = "default-deny-all"
+
+  match {
+    dest_ip_ranges = ["0.0.0.0/0"]
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+}
+
 resource "google_compute_network_firewall_policy_rule" "allow-subnet-internal" {
   count           = var.create_vpc_network ? 1 : 0
   description     = "Allow internal traffic within the composer subnet"

diff --git a/components/doc-classifier/terraform/main.tf b/components/doc-classifier/terraform/main.tf
@@ -76,6 +76,13 @@ resource "google_cloud_run_v2_job" "docai-form-processor-job" {
   template {
     template {
       service_account = module.doc_classifier_account.email
+      vpc_access {
+        network_interfaces {
+          network    = var.vpc_network_name
+          subnetwork = var.serverless_connector_subnet
+        }
+        egress = "ALL_TRAFFIC"
+      }
       containers {
         image = local.image_name_and_tag
       }

diff --git a/components/doc-classifier/terraform/variables.tf b/components/doc-classifier/terraform/variables.tf
@@ -38,3 +38,13 @@ variable "cloud_build_service_account_email" {
   description = "the user-managed service account configured for Cloud Build"
   type        = string
 }
+
+variable "vpc_network_name" {
+  type        = string
+  description = "The name of the network where subnets will be created"
+}
+
+variable "serverless_connector_subnet" {
+  description = "Name of the VPC subnet to create"
+  type        = string
+}
diff --git a/components/doc-deletion/terraform/doc-deletion.tf b/components/doc-deletion/terraform/doc-deletion.tf
@@ -29,7 +29,7 @@ resource "google_cloud_run_v2_job" "doc_deletion_job" {
           network    = var.vpc_network_name
           subnetwork = var.serverless_connector_subnet
         }
-        egress = "PRIVATE_RANGES_ONLY"
+        egress = "ALL_TRAFFIC"
       }
       containers {
         image = local.image_name_and_tag

diff --git a/components/doc-registry/terraform/main.tf b/components/doc-registry/terraform/main.tf
@@ -77,6 +77,13 @@ resource "google_cloud_run_v2_job" "doc-registry-service-job" {
   template {
     template {
       service_account = module.doc_registry_service_account.email
+      vpc_access {
+        network_interfaces {
+          network    = var.vpc_network_name
+          subnetwork = var.serverless_connector_subnet
+        }
+        egress = "ALL_TRAFFIC"
+      }
       containers {
         image = local.image_name_and_tag
         env {

diff --git a/components/doc-registry/terraform/variables.tf b/components/doc-registry/terraform/variables.tf
@@ -50,3 +50,13 @@ variable "cloud_build_service_account_email" {
   description = "the user-managed service account configured for Cloud Build"
   type        = string
 }
+
+variable "vpc_network_name" {
+  type        = string
+  description = "The name of the network where subnets will be created"
+}
+
+variable "serverless_connector_subnet" {
+  description = "Name of the VPC subnet to create"
+  type        = string
+}
diff --git a/components/post-setup-config/terraform/alloydb-config.tf b/components/post-setup-config/terraform/alloydb-config.tf
@@ -29,7 +29,7 @@ resource "google_cloud_run_v2_job" "configure_db_schema_job" {
           network    = var.vpc_network_name
           subnetwork = var.serverless_connector_subnet
         }
-        egress = "PRIVATE_RANGES_ONLY"
+        egress = "ALL_TRAFFIC"
       }
       containers {
         image = local.image_name_and_tag

diff --git a/components/specialized-parser/terraform/main.tf b/components/specialized-parser/terraform/main.tf
@@ -100,7 +100,7 @@ resource "google_cloud_run_v2_job" "specialized_parser_processor_job" {
       service_account = module.specialized_parser_account.email
       vpc_access {
         network_interfaces {
-          network    = var.network
+          network    = var.vpc_network_name
           subnetwork = var.serverless_connector_subnet
         }
         egress = "ALL_TRAFFIC"

diff --git a/components/specialized-parser/terraform/variables.tf b/components/specialized-parser/terraform/variables.tf
@@ -60,14 +60,14 @@ variable "processors_location" {
   default     = "us"
 }
 
-variable "network" {
-  description = "Name of the VPC network to use"
+variable "serverless_connector_subnet" {
+  description = "Name of the VPC subnet to create"
   type        = string
 }
 
-variable "serverless_connector_subnet" {
-  description = "Name of the VPC subnet to create"
+variable "vpc_network_name" {
   type        = string
+  description = "The name of the network where subnets will be created"
 }
 
 variable "cloud_build_service_account_email" {

diff --git a/components/webui/terraform/cloudrun.tf b/components/webui/terraform/cloudrun.tf
@@ -74,6 +74,13 @@ resource "google_cloud_run_v2_service" "eks_webui" {
       }
     }
     service_account = module.cloud_run_web_account.email
+    vpc_access {
+      network_interfaces {
+        network    = var.vpc_network_name
+        subnetwork = var.serverless_connector_subnet
+      }
+      egress = "ALL_TRAFFIC"
+    }
   }
   lifecycle {
     replace_triggered_by = [null_resource.deployment_trigger]

diff --git a/components/webui/terraform/variables.tf b/components/webui/terraform/variables.tf
@@ -62,3 +62,13 @@ variable "lb_ssl_certificate_domains" {
   description = "Custom domain pointing to the WebUI app, DNS configured"
   type        = list(string)
 }
+
+variable "vpc_network_name" {
+  type        = string
+  description = "The name of the network where subnets will be created"
+}
+
+variable "serverless_connector_subnet" {
+  description = "Name of the VPC subnet to create"
+  type        = string
+}
diff --git a/sample-deployments/composer-orchestrated-process/main.tf b/sample-deployments/composer-orchestrated-process/main.tf
@@ -99,6 +99,8 @@ module "doc_classifier_job" {
   artifact_repo                     = module.common_infra.artifact_repo.name
   cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email
   classifier_cloud_run_job_name     = local.classifier_cloud_run_job_name
+  vpc_network_name                  = module.common_infra.vpc_network_name
+  serverless_connector_subnet       = module.common_infra.serverless_connector_subnet
 }
 
 module "specialized_parser_job" {
@@ -110,7 +112,7 @@ module "specialized_parser_job" {
   bigquery_dataset_id               = module.common_infra.bq_store_dataset_id
   alloydb_instance                  = module.common_infra.alloydb_primary_instance
   alloydb_cluster                   = module.common_infra.alloydb_cluster_name
-  network                           = module.common_infra.vpc_network_name
+  vpc_network_name                  = module.common_infra.vpc_network_name
   serverless_connector_subnet       = module.common_infra.serverless_connector_subnet
   alloydb_cluster_ready             = module.common_infra.alloydb_cluster_ready
   cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email
@@ -151,6 +153,9 @@ module "dpu_ui" {
   agent_builder_data_store_id       = google_discovery_engine_data_store.dpu_ds.data_store_id
   agent_builder_search_id           = google_discovery_engine_search_engine.basic.engine_id
   lb_ssl_certificate_domains        = var.webui_domains
+  vpc_network_name                  = module.common_infra.vpc_network_name
+  serverless_connector_subnet       = module.common_infra.serverless_connector_subnet
+
 }
 
 # Depends on: input bucket, artefactory (registury_url), and docprocessor service account
@@ -192,6 +197,8 @@ module "doc_registry" {
   region                            = var.region
   artifact_repo                     = module.common_infra.artifact_repo.name
   cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email
+  vpc_network_name                  = module.common_infra.vpc_network_name
+  serverless_connector_subnet       = module.common_infra.serverless_connector_subnet
 }
 
 module "doc-deletion" {