feat: initial attempt at terraforming

.gitignore

@@ -6,3 +6,10 @@ cvds
 pyenv
 config.json
 .vscode
+
+# Terraform
+*.tfstate
+*.tfstate.backup
+*.tfstate.lock.info
+*.tfplan
+.terraform

cloudrun-malware-scanner/.gcloudignore

@@ -3,3 +3,4 @@ pyenv
 node_modules
 .gcloudignore
 .eslintrc.js
+config.json.tmpl

cloudrun-malware-scanner/cloudbuild.yaml

@@ -0,0 +1,28 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+  - name: "gcr.io/cloud-builders/docker"
+    args:
+      [
+        "build",
+        "--tag=$REGION-docker.pkg.dev/$PROJECT_ID/malware-scanner/malware-scanner:latest",
+        "-f",
+        "Dockerfile",
+        ".",
+      ]
+images:
+  - "$REGION-docker.pkg.dev/$PROJECT_ID/malware-scanner/malware-scanner:latest"
+options:
+  logging: "CLOUD_LOGGING_ONLY"

terraform/infra/apis/main.tf

@@ -0,0 +1,36 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Enable APIs
+
+# Requires that the following APIs are already enabled:
+#  cloudresourcemanager.googleapis.com
+#  serviceusage.googleapis.com
+
+locals {
+  apis = [
+    "artifactregistry.googleapis.com",
+    "run.googleapis.com",
+    "eventarc.googleapis.com",
+    "logging.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "cloudscheduler.googleapis.com",
+    "pubsub.googleapis.com",
+  ]
+}
+resource "google_project_service" "apis" {
+  for_each = toset(local.apis)
+  service  = each.key
+}
+

terraform/infra/demo_buckets/main.tf

@@ -0,0 +1,44 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+variable "projectId" {
+}
+variable "service_account_email" {
+}
+variable "location" {
+}
+variable "uniform_bucket_level_access" {
+}
+
+locals {
+  buckets = toset(["unscanned", "quarantined", "clean"])
+}
+
+
+resource "google_storage_bucket" "demo_buckets" {
+  for_each                    = local.buckets
+  name                        = "${each.key}-${var.projectId}"
+  location                    = var.location
+  uniform_bucket_level_access = var.uniform_bucket_level_access
+}
+
+resource "google_storage_bucket_iam_binding" "demo_buckets_sa_binding" {
+  for_each = google_storage_bucket.demo_buckets
+  bucket   = each.value.name
+  role     = "roles/storage.admin"
+  members = [
+    "serviceAccount:${var.service_account_email}",
+  ]
+}

terraform/infra/main.tf

@@ -0,0 +1,113 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+provider "google" {
+  project = var.projectId
+  region  = var.region
+}
+
+locals {
+  repo_root = abspath("${path.module}/../..")
+  src_root  = abspath("${local.repo_root}/cloudrun-malware-scanner")
+}
+
+module "apis" {
+  source = "./apis"
+  count  = var.enable_apis ? 1 : 0
+}
+
+resource "google_service_account" "malware_scanner_sa" {
+  account_id   = var.service_name
+  display_name = "Service Account for malware scanner cloud run service"
+  depends_on   = [module.apis]
+}
+
+resource "google_project_iam_member" "malware_scanner_iam" {
+  for_each = toset(["roles/monitoring.metricWriter", "roles/run.invoker", "roles/eventarc.eventReceiver"])
+  project  = var.projectId
+  role     = each.value
+  member   = "serviceAccount:${google_service_account.malware_scanner_sa.email}"
+}
+
+data "google_storage_project_service_account" "gcs_account" {}
+
+resource "google_project_iam_binding" "gcs_sa_pubsub_publish" {
+  project = var.projectId
+  role    = "roles/pubsub.publisher"
+  members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+}
+
+resource "google_service_account" "build_service_account" {
+  account_id   = "${var.service_name}-build"
+  display_name = "Service Account for malware scanner cloud run service"
+  depends_on   = [module.apis]
+}
+
+resource "google_project_iam_binding" "build_iam" {
+  for_each = toset(["roles/storage.objectViewer", "roles/logging.logWriter", "roles/artifactregistry.writer"])
+  project  = var.projectId
+  role     = each.value
+  members  = ["serviceAccount:${google_service_account.build_service_account.email}"]
+}
+
+
+# Create demo buckets if specified
+module "demo_buckets" {
+  source                      = "./demo_buckets"
+  count                       = var.create_demo_buckets ? 1 : 0
+  projectId                   = var.projectId
+  location                    = var.bucket_location
+  service_account_email       = google_service_account.malware_scanner_sa.email
+  uniform_bucket_level_access = var.uniform_bucket_level_access
+  depends_on                  = [module.apis]
+}
+
+resource "google_artifact_registry_repository" "repo" {
+  location      = var.region
+  repository_id = var.service_name
+  description   = "Image registry for Malware Scanner"
+  format        = "DOCKER"
+  depends_on    = [module.apis]
+}
+
+resource "google_storage_bucket" "cvd_mirror_bucket" {
+  name                        = var.cvd_mirror_bucket
+  location                    = var.bucket_location
+  uniform_bucket_level_access = var.uniform_bucket_level_access
+  depends_on                  = [module.apis]
+}
+
+resource "google_storage_bucket_iam_binding" "cvd_mirror_bucket_sa_binding" {
+  bucket = google_storage_bucket.cvd_mirror_bucket.name
+  role   = "roles/storage.admin"
+  members = [
+    "serviceAccount:${google_service_account.malware_scanner_sa.email}",
+  ]
+}
+
+# perform an update/initial load of mirror bucket
+resource "null_resource" "populate_cvd_mirror" {
+  provisioner "local-exec" {
+    command = join(" ; ", [
+      "echo '\n\nPopulating CVD Mirror bucket\n\n'",
+      "python3 -m venv pyenv",
+      ". pyenv/bin/activate",
+      "pip3 install crcmod cvdupdate",
+      "./updateCvdMirror.sh '${var.cvd_mirror_bucket}'"
+    ])
+    interpreter = ["/bin/bash", "-x", "-e"]
+    working_dir = local.src_root
+  }
+  depends_on = [google_storage_bucket.cvd_mirror_bucket]
+}

terraform/infra/variables.tf

@@ -0,0 +1,52 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "projectId" {
+}
+
+variable "bucket_location" {
+  description = "Location to create Cloud Storage buckets"
+  default     = "US"
+}
+
+variable "region" {
+  description = "Region to create regional resources"
+  default     = "us-central1"
+}
+
+variable "service_name" {
+  default = "malware-scanner"
+}
+
+variable "enable_apis" {
+  description = "Automatically enable required APIs (requires that cloudresourcemanager.googleapis.com and serviceusage.googleapis.com are already enabled)"
+  default     = true
+  type        = bool
+}
+
+variable "create_demo_buckets" {
+  description = "Create unscanned-PROJECT_ID, clean-PROJECT_ID, and quarantined-PROJECT_ID buckets for demo purposes. "
+  default     = false
+  type        = bool
+}
+
+variable "cvd_mirror_bucket" {
+  description = "Name of the GCS bucket used for storing a mirror of the clamav CVD database (for example: cvd-mirror-$$PROJECT_ID)"
+}
+
+variable "uniform_bucket_level_access" {
+  description = "When creating cloud storage buckets, the parameter uniform_bucket_level_access is set to this value"
+  default     = true
+  type        = bool
+}

terraform/infra/versions.tf

@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.2.0"
+    }
+  }
+  required_version = ">= 1.7"
+
+  provider_meta "google" {
+    module_name = "cloud-solutions/gcs-malware-scanner-deploy-v3.1"
+  }
+}