
title bug

Open alixander opened this issue 4 months ago • 1 comment

Where is "Fetcher" in the title? Shouldn't be cut off since the diagram has enough width.

(image: rendered diagram)
title: {
  shape: text
  label: |md
    # Cloud Run Egress Architecture — Backend / Exporter / Autolayout / Fetcher
  |
  near: top-center
}

Cloud_Run_Services: {
  label: "Cloud Run Services"
  style: {
    fill: "#fbfbfd"
  }

  Backend: {
    label: "Backend\n(tag: egress-web)\nDirect VPC egress: ALL_TRAFFIC"
    style: {fill: "#e8f0fe"}
  }

  Exporter: {
    label: "Exporter\n(tag: egress-sentry)\nDirect VPC egress: ALL_TRAFFIC"
    style: {fill: "#e7f8ef"}
  }

  Autolayout: {
    label: "Autolayout\n(tag: egress-none)\nDirect VPC egress: ALL_TRAFFIC"
    style: {fill: "#fdeee8"}
  }

  Fetcher: {
    label: "Fetcher\n(tag: egress-fetcher)\nDirect VPC egress: ALL_TRAFFIC"
    style: {fill: "#fff7cc"}
  }
}

VPC: {
  label: "Your VPC (firewall / routes apply here)"
  style: {
    fill: "#f4f6fb"
  }

  FW: {
    shape: page
    label: |md
      ## Egress Firewall Policies

      - Allow DNS (UDP/TCP 53) → 169.254.169.254
      - Deny Metadata (TCP 80/443) → 169.254.169.254
      - Allow → SWP VIP:80,443 (for tags: egress-web, egress-sentry, egress-fetcher)
      - Allow private RFC1918/required backends (optional)
      - Deny-All catch-all (per tag; e.g., egress-none)
    |
  }

  SWP: {
    label: "Secure Web Proxy (SWP)\nExplicit HTTP/HTTPS proxy\n(domain/URL policy, logs)"
    shape: cylinder
  }

  NAT: {
    label: "Cloud NAT\nEgress IPs to Internet"
    shape: cylinder
  }
}

Internet: {
  shape: cloud
  label: "Internet"
}

Sentry: {
  label: "sentry.io"
}

ImageHosts: {
  label: "Any image hosts"
}

# Ingress constraints to Autolayout (IAM-based)
Cloud_Run_Services.Backend -> Cloud_Run_Services.Autolayout: {
  label: "ingress (Run Invoker SA)"
  style: {stroke-dash: 3}
}

Cloud_Run_Services.Exporter -> Cloud_Run_Services.Autolayout: {
  label: "ingress (Run Invoker SA)"
  style: {stroke-dash: 3}
}

# Backend calls Fetcher for arbitrary image fetching
Cloud_Run_Services.Backend -> Cloud_Run_Services.Fetcher: {
  label: "HTTPS (OIDC) call for image fetching"
  style: {stroke-dash: 3}
}

# Service egress paths into VPC and through SWP
Cloud_Run_Services.Backend -> VPC.SWP: "via VPC FW → SWP"
Cloud_Run_Services.Exporter -> VPC.SWP: "via VPC FW → SWP"
Cloud_Run_Services.Fetcher -> VPC.SWP: "via VPC FW → SWP"

# Autolayout egress explicitly denied
Cloud_Run_Services.Autolayout -> VPC.FW: {
  label: "egress denied"
  style: {stroke-dash: 3; stroke: "#cc0000"}
}

# SWP to NAT to Internet
VPC.SWP -> VPC.NAT: ""
VPC.NAT -> Internet: ""

# Internet to SaaS destinations
Internet -> Sentry: ""
Internet -> ImageHosts: ""

# SWP policy notes
PolicyNotes: {
  shape: page
  label: |md
    ## SWP Policy Examples

    - Source = Exporter SA → allow *.sentry.io only
    - Source = Backend SA → allow broader HTTPS (still block RFC1918/link-local)
    - Source = Fetcher SA (optional) → general web allow with deny lists
  |
}

VPC.FW -> PolicyNotes: {style: {stroke-dash: 3}}

https://play.d2lang.com/?script=vFbNbuM2EL7rKQbyRS7inzTeXa8XLaA6MdZANhUib4wCAQJKGtlEGFIl6SRCY6CnPkDRJ9wnKUiJtiUkDTaHXhJrODPfcH6-oaaa4QT-8ADUmhQ4AY2P2gNgJEE2gae7zAMA6MCUiU0GlxsOZyuJSkEo0zXVmOqNRPj25z_wC0lvkWcwgLPHQkiNEgYQbrRgpBQbDQOYoU7XKD2AJw-AI5ET0KLopcg1Sm_reRbl5nLDb2KU9zRFVQVXh-Pvo3Dnvgldl-4WADllRrOTJ3mSZ-Z463ngonNazmEtvuaBJqsJoL1b7wGT7jU_pRJTDVfRtJZPIDw_v1lchrPZfOpbPw7aoeI4H-bobx2sS0Ub18lbwAq5luVbsT_kY8z32Pvct9H3Jy18Lji-ET3PEHG8R6-L3YauxS3cvJK-FTrPP6RpDb31vKto2myb38RGWpdBTiU-EMZgAFJsNCogRcFKWKPE7su9NMrf58mul2ZLp1APTUFWeHhLNzYAnY6bl5lDjgSjKUXl1So9CBkTD3B6EUPw9TQaLKYRvDvpwre__obj9x_7P74b9ev_O5NT5CV8QU0yogkExmQ8HIxGr5hVSEYjXkZwNY8m4-HRaHQCQS4kaLJShzNw1GzLo3a1Wm4LSe-JRricTY8_Ho8HEn_fUIkZJNWQKQhEoanghHUbF-mFjEFKdLrumQQFBdpYPgH2V_2jRm9auydXiHgZtfsrxtQQ0hITiKR4LCGIl1H3mp89FibtGj4vFtHA_ImhMArXPMjEHaF88PXyHApTnPIImFiprn9Y47RklGeWvSz2RbhoY1fsdBEurnld9HmkQAuYG37jqF92uPU8p9Sg49S4POjkvaet58W2LM1Wr0rVp8JqzO_ICj8LpVs8GvISqDmDtTm0uh2Y8yrqVHClJaFc2-gPODyYh196CVGYdZ_h6r5bAb2f4ZnTNh-5YGgNGxhen_N7cYsS4rAxjkpLcYu9jKj1BE62z--K_m7x_C8BdHYrLyWMKcd4YEaJyIRqSaRLsx0Zylffn7UGj7qIq_4Nfp2fTrsW3YI2oV6Nvoao5wsKotcKKNfCUiXhGei1FJvV2szZK4FfRdO-nUb_nhJrP1s6nvFfK9V3G7tMv2rrdQ67t74o1lTASsiQU8y8_-wVh-JY39Wg9la5eDnZn6D6NnskTYfD4dB3-V9GZrwuwsUhR3j1jRys5Rnf9-rfRrxnCt-v5rb6Nm5iQmLIUGnKieFateMVY-kYw_cb4kOaqFyaACouBC40Ks9urfLC_G4QVL362u_FykNlBGeP5K5gbuP1IBYbmSL8tH8oxqGtGbF75If-jsRAcFa2rVzbNYwSKUiGEurJUJoyBgkT6e1uHzHKb3tMpG79HLh0DRWHBzvKel8hR0kYPGBSIz1QvTZVL4FRpZV9zVaPjv5sabLZTNULI7j1_g0AAP__&layout=dagre&

alixander avatar Sep 08 '25 18:09 alixander
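The FW node in the script above lists a priority-ordered egress policy (DNS to the metadata address allowed, metadata on 80/443 denied, the SWP VIP allowed for the web tags, optional RFC1918 backends, deny-all catch-all). The following is an added example, not d2's code and not the issue author's: a first-match model of that rule order, run over constructed flows so each edge in the diagram can be checked against the policy. The SWP VIP address (10.10.0.5), the sample destinations and the tag scoping of the RFC1918 rule are assumptions; the diagram describes the catch-all as per tag, and this model applies it to every tag so that unproxied Internet egress from any service is denied.

```python
"""First-match model of the egress firewall policy in the diagram's FW node.

Added example; not part of d2 or of the issue. Rules are evaluated top to
bottom, as a priority-ordered VPC firewall policy is. The SWP VIP, the
sample flows and the tag scoping of the RFC1918 rule are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

METADATA = "169.254.169.254"
SWP_VIP = "10.10.0.5"  # assumed address of the Secure Web Proxy forwarding rule

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_TAGS = frozenset({"egress-web", "egress-sentry", "egress-fetcher"})


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    tags: Optional[frozenset]       # None = applies to every tag
    proto: Optional[str]            # None = any protocol
    ports: Optional[frozenset]      # None = any port
    dst: Optional[str]              # exact address, "rfc1918", or None = any

    def matches(self, tag: str, proto: str, port: int, dst: str) -> bool:
        if self.tags is not None and tag not in self.tags:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        if self.dst == "rfc1918":
            return any(ip_address(dst) in net for net in RFC1918)
        if self.dst is not None and dst != self.dst:
            return False
        return True


# Same order as the FW node's bullet list. The RFC1918 allow is scoped to the
# web tags on purpose (an assumption): the SWP VIP is itself an RFC1918
# address, so a global RFC1918 allow would let egress-none reach the proxy
# before the catch-all deny is ever consulted.
POLICY = [
    Rule("allow", None, None, frozenset({53}), METADATA),           # DNS resolver
    Rule("deny", None, "tcp", frozenset({80, 443}), METADATA),      # metadata server
    Rule("allow", WEB_TAGS, "tcp", frozenset({80, 443}), SWP_VIP),  # explicit proxy
    Rule("allow", WEB_TAGS, "tcp", None, "rfc1918"),                # private backends
    Rule("deny", None, None, None, None),                           # catch-all
]


def evaluate(tag: str, proto: str, port: int, dst: str, policy=POLICY):
    """Return (action, index_of_first_matching_rule)."""
    for i, rule in enumerate(policy):
        if rule.matches(tag, proto, port, dst):
            return rule.action, i
    raise RuntimeError("policy has no catch-all rule")


# Constructed flows, one per edge in the diagram plus two negative cases.
SAMPLE_FLOWS = {
    "backend dns":            ("egress-web", "udp", 53, METADATA),
    "backend metadata":       ("egress-web", "tcp", 443, METADATA),
    "backend via swp":        ("egress-web", "tcp", 443, SWP_VIP),
    "backend direct internet": ("egress-web", "tcp", 443, "203.0.113.10"),
    "exporter private db":    ("egress-sentry", "tcp", 5432, "10.20.0.8"),
    "autolayout via swp":     ("egress-none", "tcp", 443, SWP_VIP),
}


def check_samples() -> dict:
    """Map each sample flow name to the action the policy takes."""
    return {name: evaluate(*flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, action in check_samples().items():
        print(f"{name:26s} {action}")
```

Run it directly to print the verdict for every sample flow. The two cases worth watching are "backend direct internet" and "autolayout via swp": both must land on the catch-all deny, which is what forces the web-tagged services through the SWP and keeps the egress-none service off the network entirely.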