# Settings shared by the resources in this file.
locals {
  # GCP project that owns the service account, bucket and Cloud Run service.
  project = "larkworthy-tester"
  # Multi-region used for the config bucket.
  location = "EU"
  # Region used by the google provider and the Cloud Run service.
  region = "europe-west1"
  # Oathkeeper container image. NOTE(review): this is a mutable tag; pinning
  # the image by digest (oryd/oathkeeper@sha256:...) would make the deployed
  # image reproducible and not silently changeable by a re-push of the tag.
  base_image_name = "oryd/oathkeeper"
  base_image_tag  = "v0.37.1" # previously "v0.36.0-beta.4"
}
# Remote state lives in a GCS bucket.
# NOTE(review): no provider or Terraform version constraint is declared in
# this file, so `terraform init` resolves whatever google provider is newest
# at the time; add a required_providers version pin for reproducible applies.
terraform {
  backend "gcs" {
    bucket = "terraform-larkworthy"
    prefix = "ORY_Oathkeeper/state"
  }
}
# Default project/region for every google_* resource below.
provider "google" {
  region  = local.region
  project = local.project
}
# Runtime identity for the Cloud Run service. No IAM role is bound to this
# account anywhere in this file, so the container runs with no GCP
# permissions of its own (the config-bucket read grant below is given to
# allUsers instead of to this account).
resource "google_service_account" "oathkeeper" {
  display_name = "oathkeeper"
  account_id   = "oathkeeper"
}
# IAM policy document granting the Cloud Run invoker role to everyone on the
# internet. Oathkeeper is meant to be the public edge, so unauthenticated
# invocation is intended here; authorization happens inside Oathkeeper via
# its access rules, not at the Cloud Run layer.
data "google_iam_policy" "noauth" {
  binding {
    members = ["allUsers"]
    role    = "roles/run.invoker"
  }
}
# Attach the public-invoker policy to the Oathkeeper service. The *_iam_policy
# resource sets the service's entire IAM policy (it is authoritative), so any
# invoker binding added outside Terraform is removed on the next apply.
resource "google_cloud_run_service_iam_policy" "noauth" {
  policy_data = data.google_iam_policy.noauth.policy_data
  service     = google_cloud_run_service.oathkeeper.name
  project     = google_cloud_run_service.oathkeeper.project
  location    = google_cloud_run_service.oathkeeper.location
}
# Bucket holding the rendered Oathkeeper access rules. The name is derived
# from project and region, so it is predictable to anyone who knows the
# project id.
resource "google_storage_bucket" "config" {
  name     = format("%s_%s_oathkeeper", local.project, local.region)
  location = local.location
  # Disable per-object ACLs so bucket-level IAM is the only access control.
  # (Older provider argument name; newer providers call this
  # uniform_bucket_level_access.)
  bucket_policy_only = true
}
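# Rendered access rules for the service.
# Render the template once so that the object name and its content always
# agree: the previous version hashed the *template file*, so changing a
# template variable below (e.g. camunda_url) rewrote the object in place
# under the same name and nothing downstream noticed the change.
locals {
  oathkeeper_rules = templatefile(
    "${path.module}/rules.template.yml", {
      // camunda_url = "https://camunda-flxotk3pnq-ew.a.run.app"
      camunda_url = "https://camunda-secure-flxotk3pnq-ew.a.run.app"
      # Note Cloud Run terminates HTTPS, so the container is reached over
      # plain HTTP only.
      oathkeeper_url = "http://oathkeeper-flxotk3pnq-ew.a.run.app"
    }
  )
}
resource "google_storage_bucket_object" "rules" {
  # Content-addressed name: any change to the rendered rules yields a new
  # object (and a new URL), so consumers referencing the name re-deploy.
  name    = "rules_${sha256(local.oathkeeper_rules)}.yml"
  content = local.oathkeeper_rules
  bucket  = google_storage_bucket.config.name
  # NOTE(review): this bucket is world-readable (see the allUsers grant
  # below), so nothing secret may go into the rules template.
}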
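# Let Oathkeeper fetch the rules object over plain HTTPS.
# SECURITY: the grant goes to allUsers because Oathkeeper cannot yet
# authenticate to GCS itself (https://github.com/ory/oathkeeper/issues/425),
# so the rendered access rules — including the upstream URLs they contain —
# are readable by anyone who knows the object URL. Until the service account
# can be used, keep the grant as narrow as possible: legacyObjectReader only
# grants storage.objects.get, whereas objectViewer also grants
# storage.objects.list and lets anyone enumerate the bucket. Fetching
# https://storage.googleapis.com/<bucket>/<object> needs only get.
resource "google_storage_bucket_iam_member" "oathkeeper-viewer" {
  bucket = google_storage_bucket.config.name
  role   = "roles/storage.legacyObjectReader"
  # member = "serviceAccount:${google_service_account.oathkeeper.email}"
  member = "allUsers" # work around until we can use the cloud API https://github.com/ory/oathkeeper/issues/425
}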
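# Cloud Run ORY Oathkeeper.
# The service references the rules object's name and hash below, which gives
# Terraform the ordering dependency implicitly; the old explicit depends_on
# was redundant and has been dropped.
resource "google_cloud_run_service" "oathkeeper" {
  name     = "oathkeeper"
  location = local.region
  template {
    spec {
      # Use the locked-down service account (no roles bound to it in this
      # file).
      service_account_name = google_service_account.oathkeeper.email
      containers {
        image = null_resource.oathkeeper_image.triggers.image
        args  = ["--config", "/config.yaml"]
        env {
          # Force a new revision whenever the *uploaded* rules change. The
          # previous value hashed the template file, so a change to only the
          # template variables (upstream URL) produced no new revision and
          # running instances kept the old rules.
          name  = "nonce"
          value = google_storage_bucket_object.rules.md5hash
        }
        env {
          name = "ACCESS_RULES_REPOSITORIES"
          # The storage.cloud.google.com domain serves content via redirects,
          # which does not work at the moment:
          # https://github.com/ory/oathkeeper/issues/425
          value = "https://storage.googleapis.com/${google_storage_bucket.config.name}/${google_storage_bucket_object.rules.name}"
        }
        env {
          # NOTE(review): debug logging is very verbose and may include
          # request details; lower this to "info" outside of testing.
          name  = "LOG_LEVEL"
          value = "debug"
        }
      }
    }
  }
  traffic {
    percent         = 100
    latest_revision = true
  }
}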