feat: implement Cloud Armor security policies and configure CDN for Cloud Run deployment

Author: max-ostapenko

terraform/modules/cdn-glb/cloud_armor.tf

@@ -0,0 +1,87 @@
+# Cloud Armor Security Policy
+resource "google_compute_security_policy" "security_policy" {
+  name        = "${var.name_prefix}-backend-security-policy"
+  project     = var.project
+  description = "Backend security policy for ${var.name_prefix}"
+  type        = "CLOUD_ARMOR"
+}
+
+# Deny non-GET methods - priority 2147483625
+resource "google_compute_security_policy_rule" "deny_non_get" {
+  security_policy = google_compute_security_policy.security_policy.name
+  project         = var.project
+  action          = "deny(403)"
+  priority        = 2147483625
+  preview         = false
+  description     = "Deny non-GET methods"
+
+  match {
+    expr {
+      expression = "request.method.upper() != 'GET'"
+    }
+  }
+}
+
+# Block requests except whitelisted hosts - priority 2147483635
+resource "google_compute_security_policy_rule" "block_non_whitelisted_hosts" {
+  security_policy = google_compute_security_policy.security_policy.name
+  project         = var.project
+  action          = "deny(403)"
+  priority        = 2147483635
+  preview         = false
+  description     = "Block requests except whitelisted hosts"
+
+  match {
+    expr {
+      expression = "request.headers['host'].lower() != '${var.domain}'"
+    }
+  }
+}
+
+# Blacklisted user-agents - priority 2147483640
+resource "google_compute_security_policy_rule" "block_user_agents" {
+  security_policy = google_compute_security_policy.security_policy.name
+  project         = var.project
+  action          = "deny(403)"
+  priority        = 2147483640
+  preview         = false
+  description     = "Black-listed user-agents"
+
+  match {
+    expr {
+      expression = <<-EOT
+        has(request.headers['user-agent']) && (
+            request.headers['user-agent'].contains('GenomeCrawler') ||
+            request.headers['user-agent'].contains('AhrefsBot')
+        )
+      EOT
+    }
+  }
+}
+
+# Default rate limiting rule - priority 2147483646
+resource "google_compute_security_policy_rule" "rate_limit" {
+  security_policy = google_compute_security_policy.security_policy.name
+  project         = var.project
+  action          = "throttle"
+  priority        = 2147483646
+  preview         = false
+  description     = "Default rate limiting rule"
+
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+
+  rate_limit_options {
+    conform_action = "allow"
+    exceed_action  = "deny(403)"
+    enforce_on_key = "IP"
+    rate_limit_threshold {
+      count        = 500
+      interval_sec = 60
+    }
+  }
+}

terraform/modules/cdn-glb/main.tf

@@ -0,0 +1,124 @@
+# Serverless Network Endpoint Group (NEG) for Cloud Run
+resource "google_compute_region_network_endpoint_group" "serverless_neg" {
+  name                  = coalesce(var.neg_name, "${var.name_prefix}-${var.environment}")
+  region                = var.region
+  project               = var.project
+  network_endpoint_type = "SERVERLESS"
+
+  cloud_run {
+    service = "tech-report-api-prod" # var.cloud_run_service_name
+  }
+}
+
+# Backend Service with CDN
+resource "google_compute_backend_service" "backend" {
+  name                            = coalesce(var.backend_service_name, var.name_prefix)
+  project                         = var.project
+  compression_mode                = "AUTOMATIC"
+  protocol                        = "HTTPS"
+  load_balancing_scheme           = "EXTERNAL_MANAGED"
+  timeout_sec                     = 30
+  connection_draining_timeout_sec = 0
+  locality_lb_policy              = "ROUND_ROBIN"
+  security_policy                 = google_compute_security_policy.security_policy.id
+
+  enable_cdn = var.enable_cdn
+
+  dynamic "cdn_policy" {
+    for_each = var.enable_cdn ? [1] : []
+    content {
+      cache_mode                   = var.cdn_cache_mode
+      default_ttl                  = var.cdn_default_ttl
+      max_ttl                      = var.cdn_max_ttl
+      client_ttl                   = var.cdn_client_ttl
+      serve_while_stale            = var.cdn_serve_while_stale
+      negative_caching             = var.cdn_negative_caching
+      signed_url_cache_max_age_sec = 0
+
+      cache_key_policy {
+        include_host         = false
+        include_protocol     = false
+        include_query_string = true
+      }
+    }
+  }
+
+  backend {
+    group                        = google_compute_region_network_endpoint_group.serverless_neg.id
+    balancing_mode               = "UTILIZATION"
+    capacity_scaler              = 1
+    max_connections              = 0
+    max_connections_per_endpoint = 0
+    max_connections_per_instance = 0
+    max_rate                     = 0
+    max_rate_per_endpoint        = 0
+    max_rate_per_instance        = 0
+    max_utilization              = 0
+  }
+
+  log_config {
+    enable      = true
+    sample_rate = 1
+  }
+}
+
+# URL Map (Load Balancer)
+resource "google_compute_url_map" "url_map" {
+  name            = var.load_balancer_name
+  project         = var.project
+  default_service = google_compute_backend_service.backend.id
+}
+
+# Google-managed SSL Certificate
+resource "google_compute_managed_ssl_certificate" "ssl_cert" {
+  name    = coalesce(var.ssl_cert_name, "${var.name_prefix}-ssl-cert")
+  project = var.project
+
+  managed {
+    domains = [var.domain]
+  }
+}
+
+# HTTPS Target Proxy
+resource "google_compute_target_https_proxy" "https_proxy" {
+  name             = coalesce(var.https_proxy_name, "${var.load_balancer_name}-target-proxy")
+  project          = var.project
+  url_map          = google_compute_url_map.url_map.id
+  ssl_certificates = [google_compute_managed_ssl_certificate.ssl_cert.id]
+}
+
+# HTTP Target Proxy (for HTTP to HTTPS redirect)
+resource "google_compute_target_http_proxy" "http_proxy" {
+  name    = coalesce(var.http_proxy_name, "${var.load_balancer_name}-http-proxy")
+  project = var.project
+  url_map = google_compute_url_map.url_map.id
+}
+
+# Global Forwarding Rule for HTTPS
+resource "google_compute_global_forwarding_rule" "https_forwarding_rule" {
+  name                                                         = coalesce(var.https_forwarding_rule_name, "${var.load_balancer_name}-https-forwarding-rule")
+  project                                                      = var.project
+  target                                                       = google_compute_target_https_proxy.https_proxy.id
+  port_range                                                   = "443-443"
+  ip_protocol                                                  = "TCP"
+  ip_address                                                   = "35.190.12.254"
+  ip_version                                                   = "IPV4"
+  source_ip_ranges                                             = []
+  load_balancing_scheme                                        = "EXTERNAL_MANAGED"
+  external_managed_backend_bucket_migration_testing_percentage = 0
+  network_tier                                                 = "PREMIUM"
+}
+
+# Global Forwarding Rule for HTTP
+resource "google_compute_global_forwarding_rule" "http_forwarding_rule" {
+  name                                                         = coalesce(var.http_forwarding_rule_name, "${var.load_balancer_name}-http-forwarding-rule")
+  project                                                      = var.project
+  target                                                       = google_compute_target_http_proxy.http_proxy.id
+  port_range                                                   = "80-80"
+  ip_protocol                                                  = "TCP"
+  ip_address                                                   = "35.190.48.74"
+  ip_version                                                   = "IPV4"
+  load_balancing_scheme                                        = "EXTERNAL_MANAGED"
+  external_managed_backend_bucket_migration_testing_percentage = 0
+  network_tier                                                 = "PREMIUM"
+}

terraform/modules/cdn-glb/outputs.tf

@@ -0,0 +1,34 @@
+output "load_balancer_ip_http" {
+  description = "The IP address of the HTTP load balancer"
+  value       = google_compute_global_forwarding_rule.http_forwarding_rule.ip_address
+}
+
+output "load_balancer_ip_https" {
+  description = "The IP address of the HTTPS load balancer"
+  value       = google_compute_global_forwarding_rule.https_forwarding_rule.ip_address
+}
+
+output "backend_service_id" {
+  description = "The ID of the backend service"
+  value       = google_compute_backend_service.backend.id
+}
+
+output "url_map_id" {
+  description = "The ID of the URL map"
+  value       = google_compute_url_map.url_map.id
+}
+
+output "ssl_certificate_id" {
+  description = "The ID of the SSL certificate"
+  value       = google_compute_managed_ssl_certificate.ssl_cert.id
+}
+
+output "neg_id" {
+  description = "The ID of the serverless NEG"
+  value       = google_compute_region_network_endpoint_group.serverless_neg.id
+}
+
+output "security_policy_id" {
+  description = "The ID of the Cloud Armor security policy"
+  value       = google_compute_security_policy.security_policy.id
+}

terraform/modules/cdn-glb/variables.tf

@@ -0,0 +1,121 @@
+variable "project" {
+  description = "The GCP project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region for the Cloud Run service"
+  type        = string
+  default     = "us-central1"
+}
+variable "environment" {
+  description = "The 'Environment' that is being created/deployed. Applied as a suffix to many resources."
+  type        = string
+}
+
+variable "cloud_run_service_name" {
+  description = "The name of the Cloud Run service to route traffic to"
+  type        = string
+}
+
+variable "domain" {
+  description = "The domain name for the SSL certificate"
+  type        = string
+}
+
+variable "name_prefix" {
+  description = "Prefix for naming resources"
+  type        = string
+  default     = "report-api"
+}
+
+variable "load_balancer_name" {
+  description = "Name for the load balancer (URL map)"
+  type        = string
+}
+
+# CDN Configuration
+variable "enable_cdn" {
+  description = "Whether to enable CDN for the backend service"
+  type        = bool
+  default     = true
+}
+
+variable "cdn_cache_mode" {
+  description = "CDN cache mode (CACHE_ALL_STATIC, USE_ORIGIN_HEADERS, FORCE_CACHE_ALL)"
+  type        = string
+  default     = "CACHE_ALL_STATIC"
+}
+
+variable "cdn_default_ttl" {
+  description = "Default TTL for cached content in seconds"
+  type        = number
+  default     = 2592000 # 30 days
+}
+
+variable "cdn_max_ttl" {
+  description = "Maximum TTL for cached content in seconds"
+  type        = number
+  default     = 2592000 # 30 days
+}
+
+variable "cdn_client_ttl" {
+  description = "Client TTL for cached content in seconds (browser cache)"
+  type        = number
+  default     = 28800 # 8 hours
+}
+
+variable "cdn_serve_while_stale" {
+  description = "Time to serve stale content while revalidating in seconds"
+  type        = number
+  default     = 0
+}
+
+variable "cdn_negative_caching" {
+  description = "Whether to enable negative caching"
+  type        = bool
+  default     = false
+}
+
+# Resource naming overrides (for importing existing resources)
+variable "neg_name" {
+  description = "Name for the serverless NEG (overrides name_prefix-neg)"
+  type        = string
+  default     = null
+}
+
+variable "backend_service_name" {
+  description = "Name for the backend service (overrides name_prefix)"
+  type        = string
+  default     = null
+}
+
+variable "ssl_cert_name" {
+  description = "Name for the SSL certificate (overrides name_prefix-ssl-cert)"
+  type        = string
+  default     = null
+}
+
+variable "https_proxy_name" {
+  description = "Name for the HTTPS proxy (overrides load_balancer_name-target-proxy)"
+  type        = string
+  default     = null
+}
+
+variable "http_proxy_name" {
+  description = "Name for the HTTP proxy"
+  type        = string
+  default     = null
+}
+
+variable "https_forwarding_rule_name" {
+  description = "Name for the HTTPS forwarding rule"
+  type        = string
+  default     = null
+}
+
+variable "http_forwarding_rule_name" {
+  description = "Name for the HTTP forwarding rule"
+  type        = string
+  default     = null
+}

terraform/modules/run-service/main.tf

@@ -134,10 +134,13 @@ resource "google_cloud_run_v2_service" "service" {
 
   template {
     service_account = var.service_account_email
+    timeout                          = var.timeout
+    max_instance_request_concurrency = var.max_instance_request_concurrency
 
     containers {
       image = docker_registry_image.registry_image.name
       resources {
+        cpu_idle = var.environment == "prod" ? false : true
         limits = {
           cpu    = var.available_cpu
           memory = var.available_memory
@@ -151,10 +154,9 @@ resource "google_cloud_run_v2_service" "service" {
         }
       }
     }
-    timeout                          = var.timeout
-    max_instance_request_concurrency = var.max_instance_request_concurrency
   }
   scaling {
+    scaling_mode       = "AUTOMATIC"
     min_instance_count = var.min_instances
   }
   traffic {