@mvanholsteijn
Created May 24, 2021 13:08
A Cloud Run deployment of PrivateBin
# Region used for the Cloud Run service, the paste bucket and the provider defaults.
variable "region" {
  description = "GCP region in which the PrivateBin service and its bucket are created"
  default     = "europe-west4"
  type        = string
}
# Target project; it has no default and must be supplied by the caller.
# The value is also interpolated into the bucket name.
variable "project" {
  description = "GCP project id to deploy PrivateBin into"
  type        = string
}
# Container image run by the Cloud Run service.
# The default uses the mutable `:latest` tag, so every new revision may pull a
# different image; pinning to an immutable digest (`image@sha256:...`) makes
# deployments reproducible and auditable.
variable "image" {
  description = "PrivateBin container image deployed to Cloud Run"
  default     = "eu.gcr.io/binx-io-public/privatebin:latest"
  type        = string
}
# Default (GA) provider, used by every resource that does not select a provider explicitly.
provider "google" {
  region  = var.region
  project = var.project
}
# Beta provider, selected explicitly by the Cloud Run service.
# No required_providers / version constraint is visible in this file, so provider
# upgrades are unconstrained unless another file of the configuration pins them;
# a version constraint is advisable because resource schemas change between majors.
provider "google-beta" {
  region  = var.region
  project = var.project
}
# Cloud Run service running PrivateBin.
# The application configuration (conf.php) is not baked into the image: it is stored in
# Secret Manager and mounted into the container as a file under /cloudcfg.
resource "google_cloud_run_service" "privatebin" {
name = "privatebin"
location = var.region
# Beta provider; together with the BETA launch-stage annotation below this is presumably
# what enabled secret volume mounts at the time of writing — confirm against current docs.
provider = google-beta
template {
spec {
# Dedicated runtime identity instead of the project default compute service account.
# Its permissions are limited to the IAM bindings declared elsewhere in this file.
service_account_name = google_service_account.privatebin.email
containers {
image = var.image # PrivateBin container image (see variable "image")
# The config secret is exposed as a directory; CONFIG_PATH below points PrivateBin at it.
volume_mounts {
name = "config"
mount_path = "/cloudcfg"
}
env {
name = "CONFIG_PATH"
value = "/cloudcfg"
}
}
volumes {
name = "config"
secret {
# Secret and version resources expose full resource names
# (projects/<p>/secrets/<id>[/versions/<n>]); the volume needs only the last path element.
secret_name = element(reverse(split("/", google_secret_manager_secret.privatebin.name)), 0)
items {
key = element(reverse(split("/", google_secret_manager_secret_version.privatebin.name)), 0)
# File name the secret payload appears under inside /cloudcfg.
path = "conf.php"
}
}
}
}
}
metadata {
annotations = {
# Opts the service into beta Cloud Run features.
"run.googleapis.com/launch-stage" = "BETA"
}
}
# Route all traffic to the newest revision.
traffic {
percent = 100
latest_revision = true
}
}
# Object store for the pastes. PrivateBin's GoogleCloudStorage model writes here; the
# bucket name is interpolated into conf.php in the secret version resource.
resource "google_storage_bucket" "privatebin" {
  name     = "private-bin-${var.project}"
  location = var.region

  # `terraform destroy` removes the bucket together with every stored paste.
  force_destroy = true

  # Hard 30-day cap on object age. The PrivateBin configuration also offers 1year and
  # never as expiry options, which this rule silently overrides — confirm that the cap
  # is the intended retention policy.
  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      age = 30
    }
  }

  # Not set here: uniform_bucket_level_access = true would make the IAM binding the
  # only access path to objects (no per-object ACLs); worth considering.
}
# Runtime identity of the Cloud Run service. It carries no project-level roles; its
# access is granted per resource (bucket, secret) by the IAM binding resources.
resource "google_service_account" "privatebin" {
  display_name = "PrivateBin"
  account_id   = "privatebin"
}
# Grants the runtime service account object access on the paste bucket only.
# objectAdmin (rather than objectCreator + objectViewer) is needed because the [purge]
# settings in conf.php imply that PrivateBin deletes expired objects itself.
# The binding is authoritative for this role on the bucket: members granted
# roles/storage.objectAdmin outside Terraform are removed on apply.
resource "google_storage_bucket_iam_binding" "privatebin_object_admin" {
  bucket  = google_storage_bucket.privatebin.name
  role    = "roles/storage.objectAdmin"
  members = ["serviceAccount:${google_service_account.privatebin.email}"]
}
# Makes the service reachable without authentication: allUsers on roles/run.invoker is
# what turns this into a public pastebin, so the application itself is the only access
# control in front of the data. The binding is authoritative for the role, so any other
# run.invoker member on the service is removed on apply. Organizations that restrict
# public members through the iam.allowedPolicyMemberDomains constraint will reject it.
resource "google_cloud_run_service_iam_binding" "run_invoker" {
  service  = google_cloud_run_service.privatebin.name
  location = google_cloud_run_service.privatebin.location
  project  = google_cloud_run_service.privatebin.project
  role     = "roles/run.invoker"
  members  = ["allUsers"]
}
# Secret Manager entry holding PrivateBin's conf.php. Secret Manager is used here as the
# delivery mechanism for a configuration file mounted by the Cloud Run service; the
# payload lives in the secret version resource.
resource "google_secret_manager_secret" "privatebin" {
  replication {
    automatic = true
  }

  secret_id = "privatebin-configuration"
}
# Lets the runtime service account read the configuration secret that Cloud Run mounts
# into the container. Scoped to this one secret, not to Secret Manager project-wide.
# Authoritative for roles/secretmanager.secretAccessor on the secret.
resource "google_secret_manager_secret_iam_binding" "privatebin_accessor" {
  secret_id = google_secret_manager_secret.privatebin.id
  project   = google_secret_manager_secret.privatebin.project
  role      = "roles/secretmanager.secretAccessor"
  members   = ["serviceAccount:${google_service_account.privatebin.email}"]
}
# Payload of the configuration secret: PrivateBin's conf.php, rendered by Terraform.
# Because it is a secret version, any edit to the heredoc creates a new version, and the
# Cloud Run service references the version name to pick the right one.
# NOTE(review): the [expire_options] include 1year and never, while the bucket
# lifecycle rule deletes objects after 30 days — confirm which retention is intended.
resource "google_secret_manager_secret_version" "privatebin" {
secret = google_secret_manager_secret.privatebin.id
# The heredoc is delivered verbatim (including the leading-column layout); the only
# Terraform interpolation is the bucket name under [model_options]. Do not add
# comments inside it — they would become part of the secret payload.
secret_data = <<EOF
[main]
name = "My Serverless PrivateBin"
discussion = true
opendiscussion = false
password = true
fileupload = false
burnafterreadingselected = false
defaultformatter = "plaintext"
sizelimit = 10485760
template = "bootstrap"
languageselection = false
[expire]
default = "1day"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
1month = 2592000
1year = 31536000
never = 0
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 10
[purge]
limit = 300
batchsize = 10
[model]
class = GoogleCloudStorage
[model_options]
bucket = "${google_storage_bucket.privatebin.name}"
EOF
}
# HTTPS endpoint assigned to the service by Cloud Run once it is deployed.
output "privatebin_url" {
  value       = google_cloud_run_service.privatebin.status[0].url
  description = "url of the privatebin service"
}