From 4652db30ab3124cc19c8fbd2a31890dec95fbd1c Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Mon, 15 Jul 2024 14:47:58 +0100
Subject: [PATCH] fix(deploy): do not allow public access to prod
---
 .github/workflows/sub-cloudrun-deploy.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sub-cloudrun-deploy.yml b/.github/workflows/sub-cloudrun-deploy.yml
index b1b1c66..6805f65 100644
--- a/.github/workflows/sub-cloudrun-deploy.yml
+++ b/.github/workflows/sub-cloudrun-deploy.yml
@@ -118,10 +118,11 @@ jobs:
 --set-cloudsql-instances=${{ vars.CLOUDSQL_INSTANCE }}
 --add-volume=name=files,type=in-memory
 --add-volume-mount=volume=files,mount-path=/app/data
- --network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0
- --subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1
+ --network=${{ vars.GCP_NETWORK }}
+ --subnet=${{ vars.GCP_SUBNETWORK }}

 - name: Allow unauthenticated calls to the service
+ if: ${{ inputs.environment != 'prod' }}
 run: |
 gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
 --region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
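Review bot: The new guard on the "Allow unauthenticated calls to the service" step is a deny-list, so it fails open: any `inputs.environment` value other than the exact string `prod` (another production-like name, a typo, or an empty input) still receives the `allUsers` / `roles/run.invoker` binding. An allow-list of the environments that are meant to be public would fail closed, for example `if: ${{ inputs.environment == 'dev' }}` if that is the only public one. Skipping the step also leaves any `allUsers` binding that an earlier run already attached to a prod service in place. A prod-only step running `gcloud run services remove-iam-policy-binding` with the same `--member=allUsers --role=roles/run.invoker` arguments (tolerating the case where the binding is absent), or a one-off audit of existing prod services, would close that gap. The deploy step's remaining flags are outside this hunk, so whether it already passes `--no-allow-unauthenticated` cannot be confirmed from here.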