GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → ahmetb → cloud-run-iap-terraform-demo

ahmetb / cloud-run-iap-terraform-demo

Licence: other
Deploy an IAP-secured application to Cloud Run using Terraform (e.g. an admin portal or internal company app)

Programming Languages

HCL
1544 projects

Labels

terraformiapgoogle-cloud-runcloud-iap

Projects that are alternatives of or similar to cloud-run-iap-terraform-demo

DYFStoreKit
([Swift] https://github.com/chenxing640/DYFStore) A lightweight and easy-to-use iOS library for In-App Purchases (Objective-C). DYFStoreKit uses blocks and notifications to wrap StoreKit, provides receipt verification and transaction persistence and doesn't require any external dependencies.
Stars: ✭ 52 (+1.96%)
Mutual labels:  iap
cloud-run-node-16
Latest Node.js on Cloud Run
Stars: ✭ 14 (-72.55%)
Mutual labels:  google-cloud-run
deploy-cloudrun
This action deploys your container image to Cloud Run.
Stars: ✭ 238 (+366.67%)
Mutual labels:  google-cloud-run
laravel6-on-google-cloud-run
Laravel 6 on Google cloud run for a demo
Stars: ✭ 25 (-50.98%)
Mutual labels:  google-cloud-run
cordova-plugin-purchases
Cordova in-app purchases and subscriptions made easy.
Stars: ✭ 52 (+1.96%)
Mutual labels:  iap
token-cli
Command line utility for interacting with OAuth2 infrastructure to generate tokens
Stars: ✭ 19 (-62.75%)
Mutual labels:  iap
cloudrun-tutorial
A tutorial showing some of the features of Cloud Run
Stars: ✭ 79 (+54.9%)
Mutual labels:  google-cloud-run
Swiftystorekit
Lightweight In App Purchases Swift framework for iOS 8.0+, tvOS 9.0+ and macOS 10.10+ ⛺
Stars: ✭ 5,796 (+11264.71%)
Mutual labels:  iap
gcp-iap-auth
A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)
Stars: ✭ 75 (+47.06%)
Mutual labels:  iap
purchases-unity
Unity in-app purchases and subscriptions made easy.
Stars: ✭ 48 (-5.88%)
Mutual labels:  iap
Google-IAP
Android Library for easing Google Play Billing to your apps with support for Subscriptions, In-App Purchases and Consumables with a beautiful sample app.
Stars: ✭ 129 (+152.94%)
Mutual labels:  iap
Cloud Run Faq
Unofficial FAQ and everything you've been wondering about Google Cloud Run.
Stars: ✭ 1,921 (+3666.67%)
Mutual labels:  google-cloud-run
cloud-run-wordpress
Deploy a Wordpress site on Google Cloud Run
Stars: ✭ 25 (-50.98%)
Mutual labels:  google-cloud-run
activejob-google cloud tasks-http
Active Job adapter for Google Cloud Tasks HTTP targets
Stars: ✭ 16 (-68.63%)
Mutual labels:  google-cloud-run
cloud-run-hello
Demo container for Google Cloud Run
Stars: ✭ 54 (+5.88%)
Mutual labels:  google-cloud-run
serverless-url-redirect
Simple click-to-deploy serverless URL redirect service
Stars: ✭ 39 (-23.53%)
Mutual labels:  google-cloud-run
cloudrun-fastapi
FastAPI on Google Cloud Run
Stars: ✭ 112 (+119.61%)
Mutual labels:  google-cloud-run
souls
SOULs 🔥 Build Serverless Apps faster like Rails. Powered by Ruby GraphQL, RBS/Steep, Active Record, RSpec, RuboCop, and Google Cloud.
Stars: ✭ 327 (+541.18%)
Mutual labels:  google-cloud-run

IAP Terraform Sample for Cloud Run

This sample deploys a Cloud Run service with VPC ingress controls that only allows traffic from Cloud HTTPS load balancer that has IAP (Identity Aware Proxy) enabled.

IAP authenticates users with a Google account (or other external IdP) and checks if the user is allowed to access the deployed service.

Prerequisites

You must have a domain name registered, for which you can modify certain DNS settings. You can use a subdomain as well.

Deploy

Create a project

Create a new project, if you don't want to re-use an existing project. For example:

gcloud projects create cloud-run-iap-terraform-demo-1 --name="IAP Cloud Run Demo" --set-as-default

If this project isn't set as your current default project, use:

gcloud config set project cloud-run-iap-terraform-demo-1

Enable billing

Enable billing, if you haven't done this yet, for the project. First get your billing account ID:

gcloud beta billing accounts list

This returns something like:

ACCOUNT_ID            NAME                OPEN  MASTER_ACCOUNT_ID
0X0X0X-0X0X0X-0X0X0X  My Billing Account  True

Now enable billing for your new project:

gcloud beta billing projects link cloud-run-iap-terraform-demo-1 --billing-account 0X0X0X-0X0X0X-0X0X0X

Enable APIs

Enable the following APIs in your (currently selected) project:

gcloud services enable \
    run.googleapis.com \
    containerregistry.googleapis.com \
    compute.googleapis.com \
    iap.googleapis.com \
    vpcaccess.googleapis.com

It might take a minute to complete. Optionally verify that these services are enabled for your current project:

gcloud services list

Create an OAuth2 web application

Create OAuth2 web application (and note its client_id and client_secret) from https://console.cloud.google.com/apis/credentials.

If it asks you to Configure a consent screen first, then do so:

  • Choose 'External' for User Type
  • Fill in 'App name', e.g. IAP Cloud Run Demo
  • Select your email address from the dropdown, for 'User support email'
  • You can leave the 'App domain' section blank
  • Fill in your email address at the 'Developer contact information'
  • Click on 'save and continue' on the next screens and then the 'Credentials' menu link in the left menu bar

Execute Terraform

First initialize the Terraform:

terraform init

(Optional) preview what resources will be created:

terraform apply -var project_id=<project-id> \
    -var region=<region> \
    -var domain=<domain> \
    -var lb_name=<lb_name> \
    -var iap_client_id=<client_id> \
    -var iap_client_secret=<client_secret>

Deploy using Terraform, this will take several minutes to complete:

terraform apply -var project_id=<project-id> \
    -var region=<region> \
    -var domain=<domain> \
    -var lb_name=<lb_name> \
    -var iap_client_id=<client_id> \
    -var iap_client_secret=<client_secret> \
    -auto-approve

In this command fill in:

  • project-id: the project id, e.g. cloud-run-iap-terraform-demo-1
  • region: the region, this is optional, will default to us-central1
  • domain: the domain name you want to use, e.g. corpapp.ahmet.dev
  • lb_name: name for the load balancer, this is optional, will default to iap-lb
  • iap_client_id: the client id for the oAuth client you created earlier
  • iap_client_secret: the client secret for the oAuth client you created earlier. You can view it by editing the oAuth client.

Troubleshooting errors

Note: if you get an error saying Output refers to sensitive values, add sensitive = true to backend_services in .terraform/modules/lb-http/modules/serverless_negs/outputs.tf.

If you get an error like Error: Error creating Connector: googleapi: Error 403: The caller does not have permission, it means the account which is used to execute the terraform, does not have enough permissions. You can fix this by running:

gcloud auth application-default login

If that still doesn't solve the issue, you can view the service account of your project in the GCP console under IAM & Admin -> 'Service Accounts' named e.g. Default compute service account. From there you can troubleshoot which permissions might be missing.

Post-deployment steps

After the deployment is complete:

  1. Configure DNS records of the used domain name with the given IP address. In other words, add a record named www or your subdomain name, of type A pointing to your ipv4 IP address, which was the output of your terraform command. It will take 10-30 minutes until the load balancer starts functioning.
  2. Go back to Credentials page and add a the oauth2_redirect_uri output to the Authorized Redirect URIs of the web application you created here.

Now, you should be able to authenticate to your web application based on the users/group specified in main.tf by visiting your domain.

Cleanup

⚠️ Do not lose the .tfstate file created in this directory.

Run the previous terraform apply command as terraform destroy to clean up the created resources.

Infrastructure

The following diagram shows the infrastructure created. diagram

Serverless VPC Access Connector

The Serverless VPC Access is the connection between your Cloud Run service and resources inside your VPC.

Cloud Run Service

The Cloud Run Service is a compute service which actually runs your website. In this example a simple hello world Docker container.

Serverless Network Endpoint Group

The Serverless Network Endpoint Group is the connection between your Load Balancer and your Cloud Run service. It allows requests to the load balancer, to be routed to the serverless app backend.

HTTP/S Load Balancer

The HTTP/S Load Balancer listens to incoming traffic on an IP address and directs this to a backend service. A terraform module is used which creates several resources, such as:

  • Global Address
  • HTTP Proxy
  • Forwarding rules
  • Managed SSL certificate
  • Serverless NEG as backend

In this case the load balancer doesn't act traditionally, where the load is balanced between a group of backend services, rather, all load is forwarded to the configured backend.

IAM Policy

The IAM Policy defines which members will be granted the role iap.httpsResourceAccessor. With it, you manage who will have access to your website and who doesn't.

IAM Policy for Identity-Aware Proxy WebBackendService

The IAM Policy for Identity-Aware Proxy WebBackendService configures the Identity-Aware Proxy, and binds the IAM Policy you defined to the Load Balancer. From here you can select the HTTPS resource, click on the info panel and add or remove members from the IAP-secured Web App User role.

External resources

This is not an official tutorial and can go out of date. Please read the documentation for more up-to-date info.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].