[pull] main from GoogleCloudPlatform:main

README.md

@@ -143,6 +143,7 @@ them to fit your particular use case.
 *   [Certificate Authority Service Hierarchy](examples/certificate-authority-service-hierarchy) - Root and Subordinate Certificate Authority Service CA Pools and CAs with examples for domain ownership validation and sample load test script.
 *   [Cloud Run to BQ](examples/cloudrun-to-bq) - Solution to accept events/data
     on HTTP REST Endpoint and insert into BQ.
+*   [Cloud Run CRL Monitor](examples/cloudrun-crl-monitor) - Cloud Run based solution for continuous monitoring of CRL distribution endpoints including CRL validity verification and alerting.
 *   [Cloud SQL Custom Metric](examples/cloud-sql-custom-metric) - An example of
     creating a Stackdriver custom metric monitoring Cloud SQL Private Services
     IP consumption.

examples/cloud-composer-examples/requirements.txt

@@ -1,5 +1,5 @@
 apache-airflow[gcp,crypto]==1.10.3
 apache-beam[gcp]==2.19.0
-werkzeug==3.0.6
+werkzeug==3.1.4
 tzlocal>=1.5.1
 pyspark==3.3.2

examples/cloudrun-crl-monitor/.gitignore

@@ -0,0 +1,50 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+*.tf.bak
+*.terraform.lock.hcl
+*.zip
+.DS_Store
+
+# Crash log files
+crash.log
+
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+*.tfvars.json
+!terraform.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+*-providers.tf
+/.idea/
+/data/*
+/venv/
+
+2-apigee-providers.tf
+!2-apigee-providers_override.tf
+!identity-providers.tf

examples/cloudrun-crl-monitor/README.md

@@ -0,0 +1,80 @@
+# Cloud Run CRL Monitoring
+
+This project deploys a serverless solution to monitor Certificate Revocation Lists (CRLs) using Google Cloud Run, Cloud Scheduler, and Cloud Monitoring.
+
+It validates that CRLs are:
+1.  **Accessible**: Can be downloaded via HTTP/HTTPS.
+2.  **Valid**: Are in valid DER or PEM format.
+3.  **Fresh**: Have not expired (based on `Next Update` field).
+
+## Architecture
+
+The solution consists of:
+*   **Cloud Run Job**: Executes a script to download and validate the CRL.
+*   **Cloud Scheduler**: Triggers the Cloud Run Job on a schedule (default: every minute).
+*   **Uptime Check**: Monitors the CRL URL availability from the public internet.
+*   **Cloud Monitoring**:
+    *   **Custom Metric**: `custom.googleapis.com/crl_validation/success` (1 = Success, 0 = Failure).
+    *   **Alert Policy**: Triggers if validation fails for a configurable duration.
+
+## Usage
+
+1.  **Configure Variables**: Update `terraform.tfvars` with your project details and CRL monitors.
+
+    ```hcl
+    project_id = "your-project-id"
+
+    crl_monitors = [
+      {
+        name                     = "example-ca"
+        region                   = "europe-west3"
+        target_url               = "http://crl.example.com/ca.crl"
+        schedule                 = "* * * * *"
+        crl_expiration_buffer    = "3600s" # Alert 1 hour before actual expiration
+      }
+    ]
+
+    alert_duration_threshold = "60s"
+    ```
+
+2.  **Deploy**:
+
+    ```bash
+    terraform init
+    terraform apply
+    ```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| `project_id` | The Google Cloud project ID. | `string` | n/a | Yes |
+| `crl_monitors` | List of CRL monitors to configure. | `list(object)` | n/a | Yes |
+| `alert_duration_threshold` | Duration of failure before triggering an alert (e.g., "60s", "300s"). | `string` | n/a | Yes |
+| `alert_autoclose` | Duration after which an open alert closes automatically. | `string` | `"1800s"` | No |
+
+### `crl_monitors` Object
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `name` | Unique name for the monitor resources. | `string` | n/a |
+| `region` | Cloud Run region (e.g., "europe-west3"). | `string` | n/a |
+| `target_url` | URL of the CRL to monitor. | `string` | n/a |
+| `schedule` | Cron schedule for the job. | `string` | `"* * * * *"` |
+| `crl_expiration_buffer` | Time buffer before expiration to consider as failure. | `string` | `"3600s"` |
+
+## Requirements
+
+*   Terraform >= 1.0
+*   Google Cloud SDK (gcloud) installed and authenticated.
+*   APIs enabled:
+    *   `run.googleapis.com`
+    *   `cloudscheduler.googleapis.com`
+    *   `monitoring.googleapis.com`
+
+## Files
+
+*   `main.tf`: Root module configuration, iterates over `crl_monitors`.
+*   `variables.tf`: Input variable definitions.
+*   `alerts.tf`: Cloud Monitoring Alert Policy definition.
+*   `crl-monitor/`: Reusable module for individual CRL monitors.

examples/cloudrun-crl-monitor/alerts.tf

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_monitoring_alert_policy" "crl_validation_failure" {
+  display_name = "CRL Validation"
+  combiner     = "OR"
+  project      = var.project_id
+
+  conditions {
+    display_name = "CRL Validation Failed"
+    condition_threshold {
+      filter          = "metric.type=\"custom.googleapis.com/crl_validation/success\" AND resource.type=\"generic_task\""
+      duration        = var.alert_duration_threshold
+      comparison      = "COMPARISON_LT"
+      threshold_value = 1
+
+      aggregations {
+        alignment_period     = "60s"
+        per_series_aligner   = "ALIGN_NEXT_OLDER"
+        cross_series_reducer = "REDUCE_MAX"
+        group_by_fields      = ["resource.label.job"]
+      }
+
+      trigger {
+        count = 1
+      }
+    }
+  }
+
+  alert_strategy {
+    auto_close = var.alert_autoclose
+  }
+}