separate cdn domain variables, add configurable cloudrun ingress, and improve docs with module READMEs

.github/workflows/test.yml

@@ -0,0 +1,68 @@
+name: "Test"
+
+on:
+  pull_request:
+    paths:
+      - "**/*.tf"
+      - "**/*.tfvars"
+      - ".github/workflows/test.yml"
+  workflow_dispatch:
+
+jobs:
+  terraform-test:
+    name: Test Terraform
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~1.8.0"
+
+      - name: Install TFLint
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: latest
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run all tests
+        run: make test
+
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Terraform Lint Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Modules Checked" >> $GITHUB_STEP_SUMMARY
+          modules=$(find . -name "*.tf" -type f | xargs dirname | sort -u)
+          echo "The following Terraform modules were validated:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          for module in $modules; do
+            echo "- \`$module\`" >> $GITHUB_STEP_SUMMARY
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Checks Performed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Terraform Format Check" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Terraform Validation" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ TFLint Analysis" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Security Scan (Trivy)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Local Development" >> $GITHUB_STEP_SUMMARY
+          echo "Run the same checks locally with:" >> $GITHUB_STEP_SUMMARY
+          echo '```bash' >> $GITHUB_STEP_SUMMARY
+          echo "make test          # Run all tests" >> $GITHUB_STEP_SUMMARY
+          echo "make format        # Auto-format files" >> $GITHUB_STEP_SUMMARY
+          echo "make scan          # Run security scan" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -11,6 +11,9 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+.terraform/
+.terraform.lock.hcl
+
 # Dependency directories (remove the comment below to include it)
 # vendor/
 

.tflint.hcl

@@ -0,0 +1,64 @@
+config {
+  # Set minimum Terraform version to support provider functions
+  terraform_version = "~> 1.8.0"
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+  version = "0.9.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+}
+
+plugin "google" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = false  # Disable to allow provider function syntax
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_unused_required_providers" {
+  enabled = true
+}

.trivyignore

@@ -0,0 +1,12 @@
+# Trivy ignore file for Suga GCP Plugins
+# https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+
+# Example: Ignore specific checks that may not apply to plugin modules
+# AVD-GCP-0011  # Uncomment to ignore specific GCP checks
+# AVD-GCP-0001  # Uncomment to ignore public access warnings if intentional
+
+# Ignore directories
+.git/
+.terraform/
+node_modules/
+security-reports/

DEVELOPERS.md

@@ -0,0 +1,16 @@
+# Developer Guide
+
+## Prerequisites
+
+- [Terraform](https://www.terraform.io/downloads) >= 1.5.0
+- [Docker](https://www.docker.com/get-started) (for tflint and trivy)
+
+## Usage
+
+```bash
+make format    # Format all Terraform files
+make test      # Run all tests (format-check, validate, lint, scan)
+make clean     # Clean up temp files
+```
+
+Tools run in Docker containers - no local installation needed.

Makefile

@@ -0,0 +1,47 @@
+.PHONY: help format lint clean
+.DEFAULT_GOAL := help
+
+## TODO: include MEDIUM severity in security scanning.
+TRIVY_SEVERITY := HIGH,CRITICAL
+
+help: ## Show available commands
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  %-10s %s\n", $$1, $$2}'
+
+trivy-severity: ## Output the Trivy severity levels for use in scripts
+	@echo $(TRIVY_SEVERITY)
+
+format: ## Format all Terraform files
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | xargs -I {} terraform fmt {}
+
+format-check: ## Check formatting of all Terraform files
+	@echo "Checking format..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		terraform fmt -check=true -diff=true "$$dir" || exit 1; \
+	done
+
+validate: ## Validate all Terraform files
+	@echo "Validating..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		echo "  $$dir"; \
+		cd "$$dir" && terraform init -backend=false -get=false -upgrade=false >/dev/null && terraform validate && cd - >/dev/null || exit 1; \
+	done
+
+lint: ## Lint using tflint
+	@echo "Running tflint..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		echo "  $$dir"; \
+		docker run --rm -v "$$(pwd)/$$dir:/data" -t ghcr.io/terraform-linters/tflint --format=compact --minimum-failure-severity=error; \
+	done
+
+scan: ## Run security scan using Trivy
+	@echo "Running security scan..."
+	@docker run --rm -v "$$(pwd):/work" -w /work ghcr.io/aquasecurity/trivy:latest config . --format=table --quiet --exit-code 1 --severity $(TRIVY_SEVERITY)
+
+test: format-check validate lint scan ## Run all tests: format-check, validate, lint, and scan
+	@echo "All tests passed!"
+
+clean: ## Clean up .terraform directories and temp files
+	@find . -type d -name ".terraform" -exec rm -rf {} + 2>/dev/null || true
+	@find . -name "*.tfplan" -delete 2>/dev/null || true
+	@find . -name "*.tfstate*" -delete 2>/dev/null || true
+	@find . -name ".terraform.lock.hcl" -delete 2>/dev/null || true

cdn/README.md

@@ -0,0 +1,64 @@
+# GCP CDN Plugin
+
+Creates a Google Cloud CDN distribution with load balancing, SSL certificates, and DNS configuration for global content delivery.
+
+## Overview
+
+This plugin provisions a complete CDN solution using Google Cloud CDN with:
+
+- Global load balancing with Cloud Load Balancer
+- Automatic SSL certificate provisioning via Certificate Manager
+- DNS record management in Cloud DNS
+- Support for multiple origin types (Cloud Run, Cloud Storage, external)
+- Path-based routing capabilities
+
+## Required Inputs
+
+| Parameter       | Type   | Description                                                                                                                                     |
+| --------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| `project_id`    | string | Google Cloud Project ID (e.g. `my-project-123`)                                                                                                 |
+| `region`        | string | Google Cloud region (e.g. `us-central1`)                                                                                                        |
+| `domain_name`   | string | Domain name for the CDN (A records will be created)                                                                                             |
+| `dns_zone_name` | string | Name of the existing [Cloud DNS](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/dns_managed_zone#dns_name-2) |
+
+## Optional Inputs
+
+| Parameter    | Type   | Description                      | Default |
+| ------------ | ------ | -------------------------------- | ------- |
+| `domain_ttl` | number | TTL for DNS A records in seconds | `300`   |
+
+## Prerequisites
+
+- Existing Cloud DNS zone in your project
+- Enabled APIs: Certificate Manager, DNS, Compute Engine
+
+## Usage Example
+
+**Note:** This example shows platform file syntax. You can configure this plugin directly in the Suga Platform Builder UI without writing YAML.
+
+```yaml
+entrypoints:
+  default:
+    plugin: "gcp-cdn"
+    properties:
+      project_id: "my-project-123"
+      region: "us-central1"
+      domain_name: "cdn.example.com"
+      dns_zone_name: "example-com-zone"
+      domain_ttl: 300
+```
+
+## Features
+
+- **Global Distribution**: Leverages Google's global network for content delivery
+- **Automatic SSL**: Provisions and manages SSL certificates automatically
+- **Multi-Origin Support**: Routes traffic to Cloud Run services, Cloud Storage buckets, or external origins
+- **DNS Integration**: Automatically configures DNS records in your existing zone
+- **Load Balancing**: Built-in load balancing with health checking
+
+## References
+
+- [Cloud CDN Documentation](https://cloud.google.com/cdn/docs)
+- [Cloud Load Balancing Documentation](https://cloud.google.com/load-balancing/docs)
+- [Certificate Manager Documentation](https://cloud.google.com/certificate-manager/docs)
+- [Cloud DNS Documentation](https://cloud.google.com/dns/docs)

cdn/manifest.yaml

@@ -20,5 +20,16 @@ inputs:
     type: object
     required: true
     description: 'CDN domain configuration (e.g. `{"name": "cdn.example.com", "ssl": true}`)'
+  domain_name:
+    type: string
+    required: true
+    description: "New A records will be created in the hosted zone to establish this domain name for the CDN"
+  dns_zone_name:
+    type: string
+    required: true
+    description: "The name of the existing Cloud DNS zone that you would like your domain to be configured in"
+  domain_ttl:
+    type: number
+    description: "The time to live (TTL) for the A record created (in seconds). Defaults to 300 seconds"
 
 outputs: