Ensure firestore databases deployed correctly.

cloud/gcp/deploytf/.nitric/modules/service/main.tf

@@ -78,6 +78,8 @@ resource "google_cloud_run_v2_service" "service" {
   launch_stage        = "GA"
   deletion_protection = false
 
+  ingress = var.internal_ingress == true ? "INGRESS_TRAFFIC_INTERNAL_ONLY" : "INGRESS_TRAFFIC_ALL"
+
   template {
     scaling {
       min_instance_count = var.min_instances
@@ -86,7 +88,10 @@ resource "google_cloud_run_v2_service" "service" {
 
     dynamic "vpc_access" {
       for_each = var.vpc != null ? [1] : []
+
+
       content {
+        egress = var.vpc.all_traffic ? "ALL_TRAFFIC" : "PRIVATE_RANGES_ONLY"
         network_interfaces {
           network    = var.vpc.network
           subnetwork = var.vpc.subnet

cloud/gcp/deploytf/.nitric/modules/service/variables.tf

@@ -82,6 +82,12 @@ variable "artifact_registry_repository" {
   type        = string
 }
 
+variable "internal_ingress" {
+  description = "Whether to restrict ingress to internal traffic only"
+  type        = bool
+  default     = false
+}
+
 variable "kms_key" {
   description = "The name of the KMS key to use"
   type        = string
@@ -93,6 +99,7 @@ variable "vpc" {
   nullable = true
   default = null
   type = object({
+    all_traffic = bool
     network = string
     subnet = string
     network_tags = list(string)

cloud/gcp/deploytf/.nitric/modules/stack/main.tf

@@ -168,3 +168,20 @@ resource "google_kms_crypto_key_iam_binding" "cmek_key_binding" {
   members       = toset(local.kms_reader_service_accounts)
   depends_on    = [google_project_service.required_services, google_project_service_identity.secret_manager_sa[0]]
 }
+
+# Ensure firestore default db exists
+resource "google_firestore_database" "database" {
+  count = var.firestore_enabled ? 1 : 0
+
+  project     = data.google_project.project.project_id
+  name        = "${random_id.stack_id.hex}-kv"
+  location_id = var.location
+  type        = "FIRESTORE_NATIVE"
+
+  dynamic "cmek_config" {
+    for_each = var.cmek_enabled ? [1] : []
+    content {
+      kms_key_name = var.cmek_enabled ? google_kms_crypto_key.cmek_key[0].id : null
+    }
+  }
+}

cloud/gcp/deploytf/.nitric/modules/stack/outputs.tf

@@ -31,4 +31,9 @@ output "cmek_key" {
 output "kms_key_iam_binding" {
   value = length(google_kms_crypto_key.cmek_key) > 0 ? google_kms_crypto_key_iam_binding.cmek_key_binding[0] : null
   description = "The IAM binding for the KMS key"
+}
+
+output "firestore_database_id" {
+  value = google_firestore_database.database[0] != null ? google_firestore_database.database[0].name : "(default)"
+  description = "Firestore database for stack"
 }

cloud/gcp/deploytf/.nitric/modules/stack/variables.tf

@@ -8,6 +8,11 @@ variable "cmek_enabled" {
   type        = bool
 }
 
+variable "firestore_enabled" {
+  description = "Enable Firestore"
+  type        = bool
+}
+
 variable "location" {
   description = "The location to deploy the stack"
   type        = string

cloud/gcp/deploytf/deploy.go

@@ -39,6 +39,7 @@ import (
 	"github.com/nitrictech/nitric/cloud/gcp/deploytf/generated/topic"
 	"github.com/nitrictech/nitric/cloud/gcp/deploytf/generated/websocket"
 	deploymentspb "github.com/nitrictech/nitric/core/pkg/proto/deployments/v1"
+	resourcespb "github.com/nitrictech/nitric/core/pkg/proto/resources/v1"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -47,12 +48,16 @@ type VpcConfig struct {
 	Network     string   `mapstructure:"network" json:"network"`
 	Subnet      string   `mapstructure:"subnet" json:"subnet"`
 	NetworkTags []string `mapstructure:"network-tags" json:"network_tags"`
+	AllTraffic  bool     `mapstructure:"all-traffic" json:"all_traffic"`
 }
 
 type NitricGcpTerraformProvider struct {
 	*deploy.CommonStackDetails
 	Stack tfstack.Stack
 
+	serviceIngress  bool
+	requiresKvStore bool
+
 	// CmekEnabled - Enable Customer Managed Encryption Keys
 	cmekEnabled bool
 	vpcConfig   *VpcConfig
@@ -102,6 +107,11 @@ func (a *NitricGcpTerraformProvider) Init(attributes map[string]interface{}) err
 		mapstructure.Decode(vpcConfig, a.vpcConfig)
 	}
 
+	serviceIngress, ok := a.RawAttributes["service_ingress"].(bool)
+	if ok {
+		a.serviceIngress = serviceIngress
+	}
+
 	return nil
 }
 
@@ -178,10 +188,19 @@ func (a *NitricGcpTerraformProvider) Pre(stack cdktf.TerraformStack, resources [
 		RegistryAuth: registryAuths,
 	})
 
+	// if resources has any kv stores, make sure kv is enabled for the stack
+	for _, resource := range resources {
+		if resource.Id.GetType() == resourcespb.ResourceType_KeyValueStore {
+			a.requiresKvStore = true
+			break
+		}
+	}
+
 	a.Stack = tfstack.NewStack(stack, jsii.String("stack"), &tfstack.StackConfig{
-		Location:    jsii.String(a.Region),
-		StackName:   jsii.String(a.StackName),
-		CmekEnabled: jsii.Bool(a.cmekEnabled),
+		Location:         jsii.String(a.Region),
+		StackName:        jsii.String(a.StackName),
+		CmekEnabled:      jsii.Bool(a.cmekEnabled),
+		FirestoreEnabled: jsii.Bool(a.requiresKvStore),
 	})
 
 	return nil

cloud/gcp/deploytf/generated/service/Service.go

@@ -45,6 +45,8 @@ type Service interface {
 	SetGpus(val *float64)
 	Image() *string
 	SetImage(val *string)
+	InternalIngress() *bool
+	SetInternalIngress(val *bool)
 	InvokerServiceAccountEmailOutput() *string
 	KmsKey() *string
 	SetKmsKey(val *string)
@@ -252,6 +254,16 @@ func (j *jsiiProxy_Service) Image() *string {
 	return returns
 }
 
+func (j *jsiiProxy_Service) InternalIngress() *bool {
+	var returns *bool
+	_jsii_.Get(
+		j,
+		"internalIngress",
+		&returns,
+	)
+	return returns
+}
+
 func (j *jsiiProxy_Service) InvokerServiceAccountEmailOutput() *string {
 	var returns *string
 	_jsii_.Get(
@@ -564,6 +576,14 @@ func (j *jsiiProxy_Service)SetImage(val *string) {
 	)
 }
 
+func (j *jsiiProxy_Service)SetInternalIngress(val *bool) {
+	_jsii_.Set(
+		j,
+		"internalIngress",
+		val,
+	)
+}
+
 func (j *jsiiProxy_Service)SetKmsKey(val *string) {
 	_jsii_.Set(
 		j,

cloud/gcp/deploytf/generated/service/ServiceConfig.go

@@ -35,6 +35,8 @@ type ServiceConfig struct {
 	Cpus *float64 `field:"optional" json:"cpus" yaml:"cpus"`
 	// The amount of gpus to allocate to the CloudRun service.
 	Gpus *float64 `field:"optional" json:"gpus" yaml:"gpus"`
+	// Whether to restrict ingress to internal traffic only.
+	InternalIngress *bool `field:"optional" json:"internalIngress" yaml:"internalIngress"`
 	// The name of the KMS key to use.
 	KmsKey *string `field:"optional" json:"kmsKey" yaml:"kmsKey"`
 	// The maximum number of instances to run 10.

cloud/gcp/deploytf/generated/service/main.go

@@ -29,6 +29,7 @@ func init() {
 			_jsii_.MemberMethod{JsiiMethod: "getString", GoMethod: "GetString"},
 			_jsii_.MemberProperty{JsiiProperty: "gpus", GoGetter: "Gpus"},
 			_jsii_.MemberProperty{JsiiProperty: "image", GoGetter: "Image"},
+			_jsii_.MemberProperty{JsiiProperty: "internalIngress", GoGetter: "InternalIngress"},
 			_jsii_.MemberMethod{JsiiMethod: "interpolationForOutput", GoMethod: "InterpolationForOutput"},
 			_jsii_.MemberProperty{JsiiProperty: "invokerServiceAccountEmailOutput", GoGetter: "InvokerServiceAccountEmailOutput"},
 			_jsii_.MemberProperty{JsiiProperty: "kmsKey", GoGetter: "KmsKey"},

cloud/gcp/deploytf/generated/stack/Stack.go

@@ -28,6 +28,9 @@ type Stack interface {
 	DependsOn() *[]*string
 	// Experimental.
 	SetDependsOn(val *[]*string)
+	FirestoreDatabaseIdOutput() *string
+	FirestoreEnabled() *bool
+	SetFirestoreEnabled(val *bool)
 	// Experimental.
 	ForEach() cdktf.ITerraformIterator
 	// Experimental.
@@ -166,6 +169,26 @@ func (j *jsiiProxy_Stack) DependsOn() *[]*string {
 	return returns
 }
 
+func (j *jsiiProxy_Stack) FirestoreDatabaseIdOutput() *string {
+	var returns *string
+	_jsii_.Get(
+		j,
+		"firestoreDatabaseIdOutput",
+		&returns,
+	)
+	return returns
+}
+
+func (j *jsiiProxy_Stack) FirestoreEnabled() *bool {
+	var returns *bool
+	_jsii_.Get(
+		j,
+		"firestoreEnabled",
+		&returns,
+	)
+	return returns
+}
+
 func (j *jsiiProxy_Stack) ForEach() cdktf.ITerraformIterator {
 	var returns cdktf.ITerraformIterator
 	_jsii_.Get(
@@ -353,6 +376,17 @@ func (j *jsiiProxy_Stack)SetDependsOn(val *[]*string) {
 	)
 }
 
+func (j *jsiiProxy_Stack)SetFirestoreEnabled(val *bool) {
+	if err := j.validateSetFirestoreEnabledParameters(val); err != nil {
+		panic(err)
+	}
+	_jsii_.Set(
+		j,
+		"firestoreEnabled",
+		val,
+	)
+}
+
 func (j *jsiiProxy_Stack)SetForEach(val cdktf.ITerraformIterator) {
 	_jsii_.Set(
 		j,

cloud/gcp/deploytf/generated/stack/StackConfig.go

@@ -15,6 +15,8 @@ type StackConfig struct {
 	SkipAssetCreationFromLocalModules *bool `field:"optional" json:"skipAssetCreationFromLocalModules" yaml:"skipAssetCreationFromLocalModules"`
 	// Enable customer managed encryption keys.
 	CmekEnabled *bool `field:"required" json:"cmekEnabled" yaml:"cmekEnabled"`
+	// Enable Firestore.
+	FirestoreEnabled *bool `field:"required" json:"firestoreEnabled" yaml:"firestoreEnabled"`
 	// The location to deploy the stack.
 	Location *string `field:"required" json:"location" yaml:"location"`
 	// The name of the nitric stack.

cloud/gcp/deploytf/generated/stack/Stack__checks.go

@@ -98,6 +98,14 @@ func (j *jsiiProxy_Stack) validateSetCmekEnabledParameters(val *bool) error {
 	return nil
 }
 
+func (j *jsiiProxy_Stack) validateSetFirestoreEnabledParameters(val *bool) error {
+	if val == nil {
+		return fmt.Errorf("parameter val is required, but nil was provided")
+	}
+
+	return nil
+}
+
 func (j *jsiiProxy_Stack) validateSetLocationParameters(val *string) error {
 	if val == nil {
 		return fmt.Errorf("parameter val is required, but nil was provided")

cloud/gcp/deploytf/generated/stack/Stack__no_checks.go

@@ -36,6 +36,10 @@ func (j *jsiiProxy_Stack) validateSetCmekEnabledParameters(val *bool) error {
 	return nil
 }
 
+func (j *jsiiProxy_Stack) validateSetFirestoreEnabledParameters(val *bool) error {
+	return nil
+}
+
 func (j *jsiiProxy_Stack) validateSetLocationParameters(val *string) error {
 	return nil
 }

cloud/gcp/deploytf/generated/stack/main.go

@@ -22,6 +22,8 @@ func init() {
 			_jsii_.MemberProperty{JsiiProperty: "constructNodeMetadata", GoGetter: "ConstructNodeMetadata"},
 			_jsii_.MemberProperty{JsiiProperty: "containerRegistryUriOutput", GoGetter: "ContainerRegistryUriOutput"},
 			_jsii_.MemberProperty{JsiiProperty: "dependsOn", GoGetter: "DependsOn"},
+			_jsii_.MemberProperty{JsiiProperty: "firestoreDatabaseIdOutput", GoGetter: "FirestoreDatabaseIdOutput"},
+			_jsii_.MemberProperty{JsiiProperty: "firestoreEnabled", GoGetter: "FirestoreEnabled"},
 			_jsii_.MemberProperty{JsiiProperty: "forEach", GoGetter: "ForEach"},
 			_jsii_.MemberProperty{JsiiProperty: "fqn", GoGetter: "Fqn"},
 			_jsii_.MemberProperty{JsiiProperty: "friendlyUniqueId", GoGetter: "FriendlyUniqueId"},

cloud/gcp/deploytf/service.go

@@ -53,6 +53,11 @@ func (a *NitricGcpTerraformProvider) Service(stack cdktf.TerraformStack, name st
 		"MIN_WORKERS":            jsii.String(fmt.Sprint(config.Workers)),
 		"NITRIC_HTTP_PROXY_PORT": jsii.String(fmt.Sprint(3000)),
 	}
+
+	if a.requiresKvStore {
+		jsiiEnv["FIRESTORE_DATABASE_NAME"] = a.Stack.FirestoreDatabaseIdOutput()
+	}
+
 	for k, v := range config.GetEnv() {
 		jsiiEnv[k] = jsii.String(v)
 	}
@@ -73,6 +78,7 @@ func (a *NitricGcpTerraformProvider) Service(stack cdktf.TerraformStack, name st
 		MinInstances:               jsii.Number(typeConfig.CloudRun.MinInstances),
 		ContainerConcurrency:       jsii.Number(typeConfig.CloudRun.Concurrency),
 		ArtifactRegistryRepository: a.Stack.ContainerRegistryUriOutput(),
+		InternalIngress:            jsii.Bool(a.serviceIngress),
 		Vpc:                        a.vpcConfig,
 	}