chainguard-dev / terraform-infra-common

A repository containing a collection of "glue" modules for encapsulating common Cloud Run patterns.
Apache License 2.0
4 stars 22 forks

Add optional IAP support to Cloud Run services. #422

Closed. wlynch closed this 2 months ago

wlynch commented 2 months ago

cc @jonjohnsonjr @imjasonh

imjasonh commented 2 months ago

Do you have an example of how this is used, both from the IAP config side, and from the app side to get the currently IAP'ed user's identity and/or token?

wlynch commented 2 months ago

https://cloud.google.com/iap/docs/enabling-cloud-run has good documentation on this.

This bit of terraform is really configuring the GCLB with an oauth app's creds so IAP knows how to auth. Presumably you could also tf gen this and pass it through.

There is an extra step where you need to grant the IAP SA cloud run invoker, but this can't easily be done within these modules:

# Enable the IAP API in the project; the service identity below cannot be created until it is on.
resource "google_project_service" "iap" {
  project = var.project_id
  service = "iap.googleapis.com"

  timeouts {
    create = "30m"
    update = "40m"
  }

  disable_on_destroy = false
}

# Project-level service agent that IAP uses when it forwards requests to the backend.
# google_project_service_identity is only available in the google-beta provider.
resource "google_project_service_identity" "iap_sa" {
  provider = google-beta

  project = var.project_id
  service = "iap.googleapis.com"
}

# Grant the IAP service agent roles/run.invoker on the service in every region the
# networking module deploys to, so requests forwarded by IAP are authorized to invoke it.
resource "google_cloud_run_service_iam_member" "invoker" {
  for_each   = module.networking.regional-networks
  depends_on = [google_project_service.iap]
  project    = var.project_id
  location   = each.key
  service    = var.name
  role       = "roles/run.invoker"
  member     = "serviceAccount:${google_project_service_identity.iap_sa.email}"
}

From there you can grant access by granting users access to the IAP via https://cloud.google.com/iap/docs/managing-access#add_access
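The question earlier in the thread also asked how the app behind IAP gets the authenticated user's identity. The following is an added example, not code from this PR or from the terraform-infra-common modules: a Go verifier for the `x-goog-iap-jwt-assertion` header that IAP attaches to forwarded requests. It checks the ES256 signature against a kid-keyed public key map, pins the algorithm, and checks issuer, audience and expiry before trusting the `email` claim. The key set, the `example-kid` key ID, the audience string with project number 123456789 and backend service 987654321, and the `mintToken` helper that plays the role of IAP are all constructed for the example; a real service fetches IAP's JWKS from https://www.gstatic.com/iap/verify/public_key-jwk and uses its own backend service's audience.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// iapIssuer is the issuer IAP sets in the x-goog-iap-jwt-assertion JWT.
const iapIssuer = "https://cloud.google.com/iap"

// iapClaims are the claims this example checks (IAP sets others, e.g. sub, hd).
type iapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// segment decodes one base64url JWT segment into v.
func segment(s string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// verifyIAPAssertion validates an ES256 JWT from the x-goog-iap-jwt-assertion header
// against a kid->public key map and the expected audience (for a GCLB backend:
// "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID"). Only claims from the
// verified token are returned; the plain x-goog-authenticated-user-email header is never consulted.
func verifyIAPAssertion(token, wantAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*iapClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := segment(parts[0], &hdr); err != nil {
		return nil, err
	}
	pub := keys[hdr.Kid]
	if hdr.Alg != "ES256" || pub == nil { // pin the algorithm; never let the token pick it
		return nil, fmt.Errorf("unexpected alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is raw r||s, 32 bytes each
		return nil, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c iapClaims
	if err := segment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iapIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case c.Email == "":
		return nil, fmt.Errorf("missing email claim")
	}
	return &c, nil
}

// newFakeIAPSigner makes a throwaway P-256 key standing in for IAP's signing key (constructed
// for this example only; a real service caches the JWKS from https://www.gstatic.com/iap/verify/public_key-jwk).
func newFakeIAPSigner(kid string) (*ecdsa.PrivateKey, map[string]*ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // test helper: error ignored
	return priv, map[string]*ecdsa.PublicKey{kid: &priv.PublicKey}
}

// mintToken signs claims the way IAP does (ES256, raw r||s signature). It exists only to
// build test tokens for this example; an application never mints these itself.
func mintToken(priv *ecdsa.PrivateKey, kid string, c iapClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // test helper: error ignored
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

The reason to verify the JWT rather than read `x-goog-authenticated-user-email` directly is that the plain headers are only trustworthy when every request provably came through the load balancer and IAP; the signed assertion stays checkable on its own. Pinning `alg` to ES256 and looking the key up by `kid` closes the usual algorithm-confusion and key-substitution mistakes, and the audience check stops a token minted for another backend service from being replayed against this one.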

wlynch commented 2 months ago

On the app side, there are a bunch of headers that IAP provides. A few useful ones: