cloudsql and vpn

.github/workflows/codeql-analysis.yml

@@ -48,11 +48,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +61,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

src/files_gcp.go

@@ -39,3 +39,18 @@ var googleStorageBucketAcl []byte
 
 //go:embed  mapping/gcp/resource/storage/google_storage_bucket_iam_binding.json
 var googleStorageBucketIamBinding []byte
+
+//go:embed  mapping/gcp/resource/cloudsql/google_sql_database_instance.json
+var googleSqlDatabaseInstance []byte
+
+//go:embed  mapping/gcp/resource/cloudsql/google_sql_database.json
+var googleSqlDatabase []byte
+
+//go:embed  mapping/gcp/resource/cloudsql/google_sql_user.json
+var googleSqlUser []byte
+
+//go:embed  mapping/gcp/resource/servicenetworking/google_service_networking_connection.json
+var googleServiceNetworkingConnection []byte
+
+//go:embed  mapping/gcp/resource/compute/google_compute_global_address.json
+var googleComputeGlobalAddress []byte

src/gcp.go

@@ -19,18 +19,23 @@ func GetGCPPermissions(result ResourceV2) []string {
 // GetGCPResourcePermissions looks up permissions required for resources
 func GetGCPResourcePermissions(result ResourceV2) []string {
 	TFLookup := map[string]interface{}{
-		"google_compute_instance":           googleComputeInstance,
-		"google_storage_bucket":             googleStorageBucket,
-		"google_storage_bucket_object":      googleStorageBucketObject,
-		"google_compute_network":            googleComputeNetwork,
-		"google_compute_address":            googleComputeAddress,
-		"google_compute_firewall":           googleComputeFirewall,
-		"google_project_iam_custom_role":    googleProjectIamCustomRole,
-		"google_service_account":            googleServiceAccount,
-		"google_kms_crypto_key":             googleKmsCryptoKey,
-		"google_kms_key_ring":               googleKmsKeyRing,
-		"google_storage_bucket_acl":         googleStorageBucketAcl,
-		"google_storage_bucket_iam_binding": googleStorageBucketIamBinding,
+		"google_compute_instance":              googleComputeInstance,
+		"google_storage_bucket":                googleStorageBucket,
+		"google_storage_bucket_object":         googleStorageBucketObject,
+		"google_compute_network":               googleComputeNetwork,
+		"google_compute_address":               googleComputeAddress,
+		"google_compute_firewall":              googleComputeFirewall,
+		"google_project_iam_custom_role":       googleProjectIamCustomRole,
+		"google_service_account":               googleServiceAccount,
+		"google_kms_crypto_key":                googleKmsCryptoKey,
+		"google_kms_key_ring":                  googleKmsKeyRing,
+		"google_storage_bucket_acl":            googleStorageBucketAcl,
+		"google_storage_bucket_iam_binding":    googleStorageBucketIamBinding,
+		"google_sql_database_instance":         googleSqlDatabaseInstance,
+		"google_sql_database":                  googleSqlDatabase,
+		"google_sql_user":                      googleSqlUser,
+		"google_compute_global_address":        googleComputeGlobalAddress,
+		"google_service_networking_connection": googleServiceNetworkingConnection,
 	}
 
 	var Permissions []string

src/mapping/gcp/resource/cloudsql/google_sql_database.json

@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "cloudsql.databases.create",
+      "cloudsql.databases.delete",
+      "cloudsql.databases.get",
+      "cloudsql.databases.update"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "cloudsql.databases.delete"
+    ],
+    "modify": [
+      "cloudsql.databases.update"
+    ],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/cloudsql/google_sql_database_instance.json

@@ -0,0 +1,22 @@
+[
+  {
+    "apply": [
+      "cloudsql.instances.create",
+      "cloudsql.instances.get",
+      "cloudsql.instances.delete",
+      "cloudsql.instances.update",
+      "cloudsql.users.list",
+      "cloudsql.users.delete"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "cloudsql.instances.delete"
+    ],
+    "modify": [
+      "cloudsql.instances.update"
+    ],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/cloudsql/google_sql_user.json

@@ -0,0 +1,19 @@
+[
+  {
+    "apply": [
+      "cloudsql.users.list",
+      "cloudsql.users.delete",
+      "cloudsql.users.create"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "cloudsql.users.delete"
+    ],
+    "modify": [
+      "cloudsql.users.update"
+    ],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/compute/google_compute_global_address.json

@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "compute.globalAddresses.create",
+      "compute.globalAddresses.delete",
+      "compute.globalAddresses.get",
+      "compute.networks.use"
+    ],
+    "attributes": {
+      "address_type": [
+        "compute.globalAddresses.deleteInternal",
+        "compute.globalAddresses.createInternal"
+      ],
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/google_cloudfunctions_function.json

@@ -0,0 +1,11 @@
+[
+  {
+    "apply": [],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/servicenetworking/google_service_networking_connection.json

@@ -0,0 +1,18 @@
+[
+  {
+    "apply": [
+      "resourcemanager.projects.get",
+      "servicenetworking.services.get",
+      "servicenetworking.services.addPeering",
+      "compute.networks.removePeering"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "compute.networks.removePeering"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]

terraform/gcp/backup/google_compute_global_address.private_ip_address.tf

@@ -0,0 +1,7 @@
+resource "google_compute_global_address" "private_ip_address" {
+  name          = "pike"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = "https://www.googleapis.com/compute/v1/projects/pike-361314/global/networks/default"
+}

terraform/gcp/backup/google_service_networking_connection.private_vpc_connection.tf

@@ -0,0 +1,5 @@
+resource "google_service_networking_connection" "private_vpc_connection" {
+  network                 = "https://www.googleapis.com/compute/v1/projects/pike-361314/global/networks/default"
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = ["pike"]
+}

terraform/gcp/backup/google_sql_database.tf

@@ -0,0 +1,4 @@
+resource "google_sql_database" "pike" {
+  name     = "pike"
+  instance = google_sql_database_instance.main.name
+}

terraform/gcp/backup/google_sql_database_instance.tf

@@ -0,0 +1,18 @@
+resource "random_id" "db_name_suffix" {
+  byte_length = 4
+}
+
+resource "google_sql_database_instance" "main" {
+
+  name             = "main-instance-${random_id.db_name_suffix.hex}"
+  database_version = "MYSQL_5_7"
+  region           = "europe-west1"
+  settings {
+    tier = "db-f1-micro"
+    user_labels = {
+      pike = "permissions"
+    }
+  }
+  //encryption_key_name = "projects/pike-361314/locations/europe-west1/keyRings/pike/cryptoKeys/pike-key-keep"
+  deletion_protection = false
+}

terraform/gcp/backup/google_sql_user.tf

@@ -0,0 +1,6 @@
+resource "google_sql_user" "users" {
+  name     = "me"
+  instance = google_sql_database_instance.main.name
+  // host     = "me.com"
+  password = "changemeagain"
+}

terraform/gcp/google_cloudfunctions_function.tf

@@ -0,0 +1 @@
+#resource "google_cloudfunctions_function" "pike" {}

terraform/gcp/google_cloudfunctions_function_iam_member.invoker.tf

@@ -0,0 +1,15 @@
+# IAM entry for all users to invoke the function
+#resource "google_cloudfunctions_function_iam_member" "invoker" {
+#  project        = google_cloudfunctions_function.lambda.project
+#  region         = google_cloudfunctions_function.lambda.region
+#  cloud_function = google_cloudfunctions_function.lambda.name
+#
+#  role   = "roles/cloudfunctions.invoker"
+#  member = var.invoker
+#}
+#
+#
+#variable "invoker" {
+#  description = "Set who can invoke the lambda"
+#  default="allUsers"
+#}

terraform/gcp/role/google_project_iam_custom_role.tf

@@ -4,9 +4,18 @@ resource "google_project_iam_custom_role" "pike" {
   title       = "pike terraform user"
   description = "A user with least privileges"
   permissions = [
-    "storage.buckets.get",
-    "storage.buckets.update",
-    "storage.buckets.getIamPolicy",
-    "storage.buckets.setIamPolicy"
+    "compute.networks.get",
+    "compute.networks.list",
+    "resourcemanager.projects.get",
+    "servicenetworking.services.get",
+    "servicenetworking.services.addPeering",
+    "compute.networks.removePeering",
+    "compute.serviceAttachments.get",
+    "compute.globalAddresses.create",
+    "compute.globalAddresses.delete",
+    "compute.globalAddresses.createInternal",
+    "compute.globalAddresses.deleteInternal",
+    "compute.networks.use",
+    "compute.globalAddresses.get"
   ]
 }