🔥 bugfix: Security Upgrade blocks allUsers need to add tag to suppo…

…rt allowing access publically (#372) * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change * 💽 incremental change
joggrdocs · Mar 13, 2024 · 1306e37 · 1306e37
1 parent 17c346e
commit 1306e37
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ jobs:
 
 | Field | Required | Description | Default |
 | ----- | -------- | ----------- | ------- |
-| name | yes | The name of the service (must be unique) to be deployed. | - |
+| name | yes | The name of the service (must be unique) to be deployed. This cannot exceed 24 characters | - |
 | gcp_service_account_key | yes | The Service Account JSON Key used to push images to the GCP Artifact Registry. | - |
 | gcp_artifact_repository | yes | The Artifact Registry name, you can override for custom names (i.e. the 'acme' in us-docker.pkg.dev/able-sailor-21423/acme) | - |
 | github_token | yes | Github Token, pass in the `secrets.GITHUB_TOKEN`. | - |
@@ -65,6 +65,7 @@ jobs:
 | flags | no | List of flags that will be injected during runtime. | - |
 | gcp_region | no | The GCP Region where the service will be deployed. | us-central1 |
 | gcp_project_id | no | The GCP Project ID where the service will be deployed. | - |
+| gcp_tag | no | A tag to be applied to the Cloud Run service, used for ingress or other permissions. | - |
 | docker_file_name | no | The Dockerfile name, you can override for custom names (i.e. DevDockerfile) | Dockerfile |
 | docker_directory | no | Directory where the DockerFile is located. | . |
 | docker_build_args | no | Comma separated list of arguments that will be injected during the build, each on a new line. | - |

diff --git a/action.yaml b/action.yaml
@@ -10,7 +10,7 @@ inputs:
   #------------------
 
   name:
-    description: "The name of the service (must be unique) to be deployed."
+    description: "The name of the service (must be unique) to be deployed. This cannot exceed 24 characters"
     required: true
   port:
     description: "The port that the application will run on in the container."
@@ -39,6 +39,10 @@ inputs:
   gcp_artifact_repository:
     description: "The Artifact Registry name, you can override for custom names (i.e. the 'acme' in us-docker.pkg.dev/able-sailor-21423/acme)"
     required: true
+  gcp_tag:
+    description: "A tag to be applied to the Cloud Run service, used for ingress or other permissions."
+    required: false
+    default: "tagValues/281479867842234"
 
   #------------------
   # Pull Request Integration
@@ -138,6 +142,19 @@ runs:
           service=${{ inputs.name }}
           pull_request=pr${{ steps.pr-number.outputs.result }}
 
+    - name: '🏷️ Tag Cloud Run Service for Ingress'
+      uses: actions/github-script@v7
+      env:
+        GCP_TAG: '${{ inputs.gcp_tag }}'
+        GCP_PROJECT_ID: '${{ inputs.gcp_project_id }}'
+        GCP_REGION: '${{ inputs.gcp_region }}' 
+        SERVICE_NAME: 'pvw-${{ inputs.gcp_artifact_repository }}-${{ inputs.name }}-pr${{ steps.pr-number.outputs.result }}'
+      with:
+        github-token: ${{ inputs.github_token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/gcp-resource-tag.js');
+          await script({ github, context, core, exec, env: process.env });
+    
     - name: '💬 Add Deployment URL to Pull Request'
       uses: actions/github-script@v7
       env: 

diff --git a/scripts/build-docs.mjs b/scripts/build-docs.mjs
@@ -25,7 +25,7 @@ const run = () => {
     const outputs = [];
 
     for (const [key, value] of Object.entries(parsedActionYaml.inputs)) {
-      const def = key !== 'gcp_project_id' ? value.default : '-';
+      const def = key !== 'gcp_project_id' && key !== 'gcp_tag' ? value.default : '-';
       inputs.push([key, value.required ? 'yes' : 'no', value.description ?? 'no description provided', def ?? '-']);
     }
 

diff --git a/scripts/gcp-resource-tag.js b/scripts/gcp-resource-tag.js
@@ -0,0 +1,47 @@
+/**
+ * Get input from the environment
+ * 
+ * @param {Node.env} env 
+ * @param {string} name 
+ * @returns 
+ */
+function getInput(env, name) {
+  return env[name];
+}
+
+/**
+ * Tag the new Service with the GCP_TAG
+ * 
+ * @param {object} payload
+ * @param {object} payload.env
+ */
+module.exports = async ({ exec, env }) => {
+  const gcpProjectId = getInput(env, 'GCP_PROJECT_ID');
+  const gcpRegion = getInput(env, 'GCP_REGION');
+  const serviceName = getInput(env, 'SERVICE_NAME');
+  const gcpTag = getInput(env, 'GCP_TAG');
+
+  try {
+    await exec.exec('gcloud', [
+      'resource-manager',
+      'tags',
+      'bindings',
+      'create',
+      `--tag-value=${gcpTag}`,
+      `--parent=//run.googleapis.com/projects/${gcpProjectId}/locations/${gcpRegion}/services/${serviceName}`
+      `--location=${gcpRegion}`,
+    ]);
+  } catch (error) {
+    console.warn('WARNING: Failed to create resource tag. This may be due to the tag already existing.');
+  }
+
+  await exec.exec('gcloud', [
+    'run',
+    'services',
+    'add-iam-policy-binding',
+    serviceName,
+    `--member=allUsers`,
+    `--role=roles/run.invoker`,
+    `--region=${gcpRegion}`,
+  ]);
+}