phpipam

Serverless phpIPAM on Cloud Run

phpIPAM is an open-source IP address management (IPAM) system that can be used to manage IP addresses in both on-premises and cloud environments. It is a powerful tool that can help businesses to automate IP address management, proactively identify and resolve IP address conflicts, and plan for future IP address needs.

This repository aims to speed up deployment of phpIPAM software on Google Cloud Platform Cloud Run serverless product. The web application can be exposed either publicly via Global Application Load Balancer or internally via Internal Application Load Balancer. More information on the architecture section.

Architecture

The main components that are deployed in this architecture are the following ( you can learn about them by following the hyperlinks):

• Cloud Run: serverless PaaS offering to host containers for web-oriented applications, while offering security, scalability and easy versioning
• Cloud SQL: Managed solution for SQL databases
• VPC Serverless Connector: Solution to access the CloudSQL VPC from Cloud Run, using only internal IP addresses
• Global Application Load Balancer (*): An external Application Load Balancer is a proxy-based Layer 7 load balancer that enables you to run and scale your services behind a single external IP address.
• Cloud Armor (*): Help protect your applications and websites against denial of service and web attacks.
• Identity Aware Proxy (*): IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
• Regional Internal Application Load Balancer (*): A Google Cloud internal Application Load Balancer is a regional proxy-based layer 7 load balancer that enables you expose your services behind a single internal IP address.

(*) Product deployment depends on input variables

Setup

Prerequisites

Setting up the project for the deployment

This example will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the project_create variable, the project will be created as part of the deployment.

If project_create is left to null, the identity performing the deployment needs the owner role on the project defined by the project_id variable. Otherwise, the identity performing the deployment needs resourcemanager.projectCreator on the resource hierarchy node specified by project_create.parent and billing.user on the billing account specified by project_create.billing_account_id.

Deployment

Step 0: Cloning the repository

If you want to deploy from your Cloud Shell, click on the image below, sign in if required and when the prompt appears, click on “confirm”.

Otherwise, in your console of choice:

git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric

Before you deploy the architecture, you will need at least the following information (for more precise configuration see the Variables section):

• The project ID.

Step 2: Prepare the variables

Once you have the required information, head back to your cloned repository. Make sure you’re in the directory of this tutorial (where this README is in).

Configure the Terraform variables in your terraform.tfvars file. See terraform.tfvars.sample as starting point - just copy it to terraform.tfvars and edit the latter. See the variables documentation below.

Notes:

1. If you have the domain restriction org. policy on your organization, you have to edit the cloud_run_invoker variable and give it a value that will be accepted in accordance to your policy.
2. By default, the application will be exposed externally through Global Application Load Balancer, for restricting access to specific identities please check IAP configuration or deploy the application internally via the ILB
3. Setting the phpipam_exposure variable to "INTERNAL" will deploy an Internal Application Load Balancer on the same VPC. This might be the preferred option for enterprises since it prevents exposing the application publicly still allowing internal access through private network (via either VPN and/or Interconnect)

Step 3: Deploy resources

Initialize your Terraform environment and deploy the resources:

terraform init
terraform apply

Step 4: Use the created resources

Upon completion, you will see the output with the values for the Cloud Run service and the user and password to access the application. You can also view it later with:

terraform output
# or for the concrete variable:
terraform output cloud_run_service

Please be aware that the password created in the script is not yet configured in the application, you will be prompted to insert that during phpIPAM installation process at first login. To access the newly deployed application follow these instructions:

1. Get the default phpIPAM url from the terraform output in the form {IP_ADDRESS}.nip.io
2. Open your browser at that URL and you will see your phpIPAM installation page like the following one:

3. Click on "New phpipam installation". On the next page click "Automatic database installation", you will be prompted to the following form:

4. Insert "admin" as the MySQL username and the password available on the terraform output of this command below (without quotes). Untick the "Create new database" otherwise you'll get an error during installation, leave all the other values as default and then click on " Install phpipam database"

terraform output cloudsql_password

5. After some time a "Database installed successfully!" message should pop up. Then click "continue" and you'll be prompted to the last form for configuring admin credentials:

6. Insert the phpipam password available in the output of the following command and choose a site title. Then insert the site url and click "Save settings". "A Settings updated, installation complete!" message should pop up and clicking "Proceed to login." will redirect you to the login page. Be aware this is just a convenient way to have a backup admin password in terraform, you could use whatever password you prefer.

terraform output phpipam_password

7. Insert "admin" as username and the password configured on the previous step and after login you'll finally get to the phpIPAM homepage.

Cleaning up your environment

The easiest way to remove all the deployed resources is to run the following command in Cloud Shell:

terraform destroy

The above command will delete the associated resources so there will be no billable charges made afterwards.

Variables

name	description	type	required	default
prefix	Prefix used for resource names.	string	✓
project_id	Project id, references existing project if project_create is null.	string	✓
admin_principals	Users, groups and/or service accounts that are assigned roles, in IAM format (group:[email protected]).	list(string)		[]
cloud_run_invoker	IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone).	string		"allUsers"
cloudsql_password	CloudSQL password (will be randomly generated by default).	string		null
connector	Existing VPC serverless connector to use if not creating a new one.	string		null
create_connector	Should a VPC serverless connector be created or not.	bool		true
custom_domain	Cloud Run service custom domain for GLB.	string		null
deletion_protection	Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail.	bool		false
iap	Identity-Aware Proxy for Cloud Run in the LB.	object({…})		{}
ip_ranges	CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC.	object({…})		{…}
phpipam_config	PHPIpam configuration.	object({…})		{…}
phpipam_exposure	Whether to expose the application publicly via GLB or internally via ILB, default GLB.	string		"EXTERNAL"
phpipam_password	Password for the phpipam user (will be randomly generated by default).	string		null
project_create	Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format.	object({…})		null
region	Region for the created resources.	string		"europe-west4"
security_policy	Security policy (Cloud Armor) to enforce in the LB.	object({…})		{}
vpc_config	VPC Network and subnetwork self links for internal LB setup.	object({…})		null

Outputs

name	description	sensitive
cloud_run_service	CloudRun service URL.	✓
cloudsql_password	CloudSQL password.	✓
phpipam_ip_address	PHPIPAM IP Address either external or internal according to app exposure.
phpipam_password	PHPIPAM user password.	✓
phpipam_url	PHPIPAM website url.
phpipam_user	PHPIPAM username.

Test

module "test" {
  source           = "./fabric/blueprints/third-party-solutions/phpipam"
  admin_principals = ["group:[email protected]"]
  prefix           = "test"
  project_create = {
    billing_account_id = "1234-ABCD-1234"
    parent             = "folders/1234563"
  }
  project_id = "test-prj"
}
# tftest modules=7 resources=43