diff --git a/components/common-infra/terraform/vpc.tf b/components/common-infra/terraform/vpc.tf index 27779c96..690b435c 100644 --- a/components/common-infra/terraform/vpc.tf +++ b/components/common-infra/terraform/vpc.tf @@ -78,6 +78,43 @@ resource "google_compute_network_firewall_policy_rule" "allow-google-apis" { } } +resource "google_compute_network_firewall_policy_rule" "allow-psa-to-alloydb" { + count = var.create_vpc_network ? 1 : 0 + description = "Allow egress to PSA reserved range used for AlloyDB" + action = "allow" + direction = "EGRESS" + enable_logging = true + firewall_policy = google_compute_network_firewall_policy.policy[0].name + priority = 1010 + rule_name = "allow-psa-to-alloydb" + + match { + dest_ip_ranges = ["${var.psa_reserved_address}/24"] + layer4_configs { + ip_protocol = "tcp" + ports = ["5433"] + } + } +} + +resource "google_compute_network_firewall_policy_rule" "default-deny" { + count = var.create_vpc_network ? 1 : 0 + description = "Low priority rule to deny all egress not explicitly matched by other rules" + action = "deny" + direction = "EGRESS" + enable_logging = true + firewall_policy = google_compute_network_firewall_policy.policy[0].name + priority = 65535 + rule_name = "default-deny-all" + + match { + dest_ip_ranges = ["0.0.0.0/0"] + layer4_configs { + ip_protocol = "all" + } + } +} + resource "google_compute_network_firewall_policy_rule" "allow-subnet-internal" { count = var.create_vpc_network ? 1 : 0 description = "Allow internal traffic within the composer subnet" diff --git a/components/doc-classifier/terraform/main.tf b/components/doc-classifier/terraform/main.tf index 117889fe..dbcc8aeb 100644 --- a/components/doc-classifier/terraform/main.tf +++ b/components/doc-classifier/terraform/main.tf 
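Review bot: `allow-psa-to-alloydb` carries no `target_service_accounts`, so every workload attached to this VPC — including the webui service that this same change connects to the connector subnet — may open TCP/5433 towards the PSA range, not only the jobs that actually use the database; scoping the rule with `target_service_accounts` to the service accounts of the DB-consuming jobs keeps the new `default-deny-all` meaningful per workload. The destination is also built as `"${var.psa_reserved_address}/24"` with a hard-coded prefix length, so if the PSA reservation is allocated with a different `prefix_length` (not visible here) part of the range silently falls through to the deny rule; derive the CIDR from whatever sizes the reservation instead. Finally `default-deny-all` only matches `0.0.0.0/0`; if this network ever carries IPv6, add `"::/0"` to `dest_ip_ranges` so the deny covers both address families.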
@@ -76,6 +76,13 @@ resource "google_cloud_run_v2_job" "docai-form-processor-job" { template { template { service_account = module.doc_classifier_account.email + vpc_access { + network_interfaces { + network = var.vpc_network_name + subnetwork = var.serverless_connector_subnet + } + egress = "ALL_TRAFFIC" + } containers { image = local.image_name_and_tag } diff --git a/components/doc-classifier/terraform/variables.tf b/components/doc-classifier/terraform/variables.tf index 69a319c2..c089bc01 100644 --- a/components/doc-classifier/terraform/variables.tf +++ b/components/doc-classifier/terraform/variables.tf @@ -38,3 +38,13 @@ variable "cloud_build_service_account_email" { description = "the user-managed service account configured for Cloud Build" type = string } + +variable "vpc_network_name" { + type = string + description = "The name of the network where subnets will be created" +} + +variable "serverless_connector_subnet" { + description = "Name of the VPC subnet to create" + type = string +} diff --git a/components/doc-deletion/terraform/doc-deletion.tf b/components/doc-deletion/terraform/doc-deletion.tf index 81995dbd..7c3bd2a9 100644 --- a/components/doc-deletion/terraform/doc-deletion.tf +++ b/components/doc-deletion/terraform/doc-deletion.tf @@ -29,7 +29,7 @@ resource "google_cloud_run_v2_job" "doc_deletion_job" { network = var.vpc_network_name subnetwork = var.serverless_connector_subnet } - egress = "PRIVATE_RANGES_ONLY" + egress = "ALL_TRAFFIC" } containers { image = local.image_name_and_tag diff --git a/components/doc-registry/terraform/main.tf b/components/doc-registry/terraform/main.tf index 5f807c42..cb2da761 100644 --- a/components/doc-registry/terraform/main.tf +++ b/components/doc-registry/terraform/main.tf 
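Review bot: With `egress = "ALL_TRAFFIC"` every outbound call this job makes, including its (presumably Document AI and Cloud Storage) API calls, now leaves through `var.serverless_connector_subnet` and is filtered by the network firewall policy, yet nothing in this hunk shows that the subnet has Private Google Access enabled or that an egress allow rule covers the Google API ranges; confirm both, otherwise the job stops reaching its APIs once a default-deny egress rule is active. A one-line comment would record the intent for the next reader, e.g. `# All egress via the VPC so the firewall-policy default-deny governs this job; requires Private Google Access on the subnet.` The enclosing `google_cloud_run_v2_job` resource starts and ends outside the hunk.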
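Review bot: The descriptions of the two new variables are wrong for this module: `vpc_network_name` says "where subnets will be created" and `serverless_connector_subnet` says "subnet to create", but the module creates neither — it only attaches the job to them (`network = var.vpc_network_name`, `subnetwork = var.serverless_connector_subnet`). Suggest `description = "Name of the existing VPC network the Cloud Run job attaches to"` and `description = "Name of the existing subnet used for the job's direct VPC egress"`. The same copied text appears in the doc-registry, webui and specialized-parser variables in this change.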
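Review bot: Switching from `PRIVATE_RANGES_ONLY` to `ALL_TRAFFIC` moves this job's Google API traffic into the VPC as well: before, only RFC1918 destinations used the subnet, now every call is routed through `var.serverless_connector_subnet` and filtered by the firewall policy, so the job now depends on Private Google Access (or a Private Service Connect endpoint) on that subnet plus an egress allow rule for the API ranges. Neither is visible in this file; please confirm or the deletion job will fail once the default-deny egress rule is in place. Recording the reason inline avoids someone reverting it as a hardening regression, e.g. `egress = "ALL_TRAFFIC" # route all egress via the VPC so the firewall-policy default-deny applies`. The `google_cloud_run_v2_job` block starts and ends outside the hunk.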
@@ -77,6 +77,13 @@ resource "google_cloud_run_v2_job" "doc-registry-service-job" { template { template { service_account = module.doc_registry_service_account.email + vpc_access { + network_interfaces { + network = var.vpc_network_name + subnetwork = var.serverless_connector_subnet + } + egress = "ALL_TRAFFIC" + } containers { image = local.image_name_and_tag env { diff --git a/components/doc-registry/terraform/variables.tf b/components/doc-registry/terraform/variables.tf index f1a9035d..cbe6d334 100644 --- a/components/doc-registry/terraform/variables.tf +++ b/components/doc-registry/terraform/variables.tf @@ -50,3 +50,13 @@ variable "cloud_build_service_account_email" { description = "the user-managed service account configured for Cloud Build" type = string } + +variable "vpc_network_name" { + type = string + description = "The name of the network where subnets will be created" +} + +variable "serverless_connector_subnet" { + description = "Name of the VPC subnet to create" + type = string +} diff --git a/components/post-setup-config/terraform/alloydb-config.tf b/components/post-setup-config/terraform/alloydb-config.tf index c6c90235..a799c98d 100644 --- a/components/post-setup-config/terraform/alloydb-config.tf +++ b/components/post-setup-config/terraform/alloydb-config.tf @@ -29,7 +29,7 @@ resource "google_cloud_run_v2_job" "configure_db_schema_job" { network = var.vpc_network_name subnetwork = var.serverless_connector_subnet } - egress = "PRIVATE_RANGES_ONLY" + egress = "ALL_TRAFFIC" } containers { image = local.image_name_and_tag diff --git a/components/specialized-parser/terraform/main.tf b/components/specialized-parser/terraform/main.tf index 6d26caa1..99582915 100644 --- a/components/specialized-parser/terraform/main.tf +++ b/components/specialized-parser/terraform/main.tf 
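Review bot: Same caveat as for the classifier job: `egress = "ALL_TRAFFIC"` sends this job's Google API calls through `var.serverless_connector_subnet`, so the subnet needs Private Google Access and the firewall policy needs an allow rule for the API ranges before the default-deny egress rule is enabled; neither is shown here, so confirm. Consider a comment such as `# All egress via the VPC so the firewall-policy default-deny governs this job.` The enclosing `google_cloud_run_v2_job` resource starts and ends outside the hunk.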
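Review bot: The variable descriptions do not match what this module does: it does not create a network or a subnet, it attaches the registry job to existing ones. Replace them with `description = "Name of the existing VPC network the Cloud Run job attaches to"` and `description = "Name of the existing subnet used for the job's direct VPC egress"`.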
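Review bot: The `PRIVATE_RANGES_ONLY` to `ALL_TRAFFIC` switch on `configure_db_schema_job` means its non-private traffic (Google API calls) is now routed through the VPC and subject to the network firewall policy; the job only needs AlloyDB on the PSA range, which `PRIVATE_RANGES_ONLY` already covered, so the change is only correct if Private Google Access is on for `var.serverless_connector_subnet` and an egress allow rule exists for the API ranges. Neither is visible in this hunk, so confirm, and note the intent inline: `egress = "ALL_TRAFFIC" # all egress via VPC so the firewall-policy default-deny applies`. The `google_cloud_run_v2_job` block starts and ends outside the hunk.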
@@ -100,7 +100,7 @@ resource "google_cloud_run_v2_job" "specialized_parser_processor_job" { service_account = module.specialized_parser_account.email vpc_access { network_interfaces { - network = var.network + network = var.vpc_network_name subnetwork = var.serverless_connector_subnet } egress = "ALL_TRAFFIC" diff --git a/components/specialized-parser/terraform/variables.tf b/components/specialized-parser/terraform/variables.tf index 5d98446c..21b9f5b6 100644 --- a/components/specialized-parser/terraform/variables.tf +++ b/components/specialized-parser/terraform/variables.tf @@ -60,14 +60,14 @@ variable "processors_location" { default = "us" } -variable "network" { - description = "Name of the VPC network to use" +variable "serverless_connector_subnet" { + description = "Name of the VPC subnet to create" type = string } -variable "serverless_connector_subnet" { - description = "Name of the VPC subnet to create" +variable "vpc_network_name" { type = string + description = "The name of the network where subnets will be created" } variable "cloud_build_service_account_email" { diff --git a/components/webui/terraform/cloudrun.tf b/components/webui/terraform/cloudrun.tf index b0dae2be..92a7c1c0 100644 --- a/components/webui/terraform/cloudrun.tf +++ b/components/webui/terraform/cloudrun.tf @@ -74,6 +74,13 @@ resource "google_cloud_run_v2_service" "eks_webui" { } } service_account = module.cloud_run_web_account.email + vpc_access { + network_interfaces { + network = var.vpc_network_name + subnetwork = var.serverless_connector_subnet + } + egress = "ALL_TRAFFIC" + } } lifecycle { replace_triggered_by = [null_resource.deployment_trigger] diff --git a/components/webui/terraform/variables.tf b/components/webui/terraform/variables.tf index 5f3be72b..905db4e1 100644 --- a/components/webui/terraform/variables.tf +++ b/components/webui/terraform/variables.tf 
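Review bot: Renaming `network` to `vpc_network_name` regresses its description: the old text "Name of the VPC network to use" was accurate, while the new "The name of the network where subnets will be created" is not — this module creates no subnets, and `serverless_connector_subnet` likewise says "subnet to create" although it is consumed as-is by the job's `vpc_access` block. Keep the rename but restore accurate wording, e.g. `description = "Name of the existing VPC network the Cloud Run job attaches to"` and `description = "Name of the existing subnet used for the job's direct VPC egress"`.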
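Review bot: Attaching `eks_webui` — presumably the internet-facing component, since it is fronted by a load balancer with custom domains — to the connector subnet with `egress = "ALL_TRAFFIC"` gives it the same reach inside the VPC as the batch jobs, because the firewall policy's `allow-subnet-internal` and AlloyDB egress rules are not scoped to service accounts. If the UI only calls Discovery Engine / Agent Builder APIs and needs no private-range destination, the VPC attachment is unnecessary and widens what a compromised UI can reach; if it does need it, say so in a comment on the block and scope the relevant firewall rules to `module.cloud_run_web_account.email`. Either way the service now relies on Private Google Access on the subnet for its API calls. The `google_cloud_run_v2_service` block starts and ends outside the hunk.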
@@ -62,3 +62,13 @@ variable "lb_ssl_certificate_domains" { description = "Custom domain pointing to the WebUI app, DNS configured" type = list(string) } + +variable "vpc_network_name" { + type = string + description = "The name of the network where subnets will be created" +} + +variable "serverless_connector_subnet" { + description = "Name of the VPC subnet to create" + type = string +} diff --git a/sample-deployments/composer-orchestrated-process/main.tf b/sample-deployments/composer-orchestrated-process/main.tf index 79cce7e4..68c92613 100644 --- a/sample-deployments/composer-orchestrated-process/main.tf +++ b/sample-deployments/composer-orchestrated-process/main.tf @@ -99,6 +99,8 @@ module "doc_classifier_job" { artifact_repo = module.common_infra.artifact_repo.name cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email classifier_cloud_run_job_name = local.classifier_cloud_run_job_name + vpc_network_name = module.common_infra.vpc_network_name + serverless_connector_subnet = module.common_infra.serverless_connector_subnet } module "specialized_parser_job" { @@ -110,7 +112,7 @@ module "specialized_parser_job" { bigquery_dataset_id = module.common_infra.bq_store_dataset_id alloydb_instance = module.common_infra.alloydb_primary_instance alloydb_cluster = module.common_infra.alloydb_cluster_name - network = module.common_infra.vpc_network_name + vpc_network_name = module.common_infra.vpc_network_name serverless_connector_subnet = module.common_infra.serverless_connector_subnet alloydb_cluster_ready = module.common_infra.alloydb_cluster_ready cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email 
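Review bot: The new variable descriptions claim the module creates a network/subnet ("where subnets will be created", "subnet to create"); the webui module only references them from `vpc_access`. Use `description = "Name of the existing VPC network the Cloud Run service attaches to"` and `description = "Name of the existing subnet used for the service's direct VPC egress"`.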
@@ -151,6 +153,9 @@ module "dpu_ui" { agent_builder_data_store_id = google_discovery_engine_data_store.dpu_ds.data_store_id agent_builder_search_id = google_discovery_engine_search_engine.basic.engine_id lb_ssl_certificate_domains = var.webui_domains + vpc_network_name = module.common_infra.vpc_network_name + serverless_connector_subnet = module.common_infra.serverless_connector_subnet + } # Depends on: input bucket, artefactory (registury_url), and docprocessor service account @@ -192,6 +197,8 @@ module "doc_registry" { region = var.region artifact_repo = module.common_infra.artifact_repo.name cloud_build_service_account_email = module.common_infra.cloud_build_service_account.email + vpc_network_name = module.common_infra.vpc_network_name + serverless_connector_subnet = module.common_infra.serverless_connector_subnet } module "doc-deletion" {
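Review bot: The empty `+` line added after `serverless_connector_subnet = module.common_infra.serverless_connector_subnet` leaves a stray blank line before the closing `}` of `module "dpu_ui"`, unlike every other module block in this file, and `terraform fmt` is unlikely to remove it. Drop that blank line so the block closes directly after its last argument.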