# Copyright © 2021-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Looks up an already-existing external address when the operator names one in
# var.nat_address_name; evaluated zero times when that variable is empty.
# NOTE(review): nothing in this file references data.google_compute_address.nat_address,
# and module.cloud_nat below is only created when nat_address_name is empty — confirm
# that a NAT using the supplied address is wired up elsewhere in the configuration.
data "google_compute_address" "nat_address" {
  count   = length(var.nat_address_name) > 0 ? 1 : 0
  project = var.project
  region  = local.region
  name    = var.nat_address_name
}
# Reserves a new external IP for Cloud NAT when no existing address name was
# supplied; mutually exclusive with the data source above.
# The registry module is constrained with ~> (new 4.1.x patch releases are accepted);
# module sources are not recorded in .terraform.lock.hcl the way providers are.
module "nat_address" {
  count        = length(var.nat_address_name) > 0 ? 0 : 1
  source       = "terraform-google-modules/address/google"
  version      = "~> 4.1.0"
  project_id   = var.project
  region       = local.region
  address_type = "EXTERNAL"
  names        = ["${var.prefix}-nat-address"]
}
# Cloud NAT for outbound traffic from the VPC, using the address reserved by
# module.nat_address. Created only when this configuration reserved that address
# (same count condition as module.nat_address, so the [0] index below is valid).
module "cloud_nat" {
  count      = length(var.nat_address_name) > 0 ? 0 : 1
  source     = "terraform-google-modules/cloud-nat/google"
  version    = "~> 5.3.0"
  project_id = var.project
  region     = local.region
  network    = module.vpc.network_self_link
  name       = "${var.prefix}-cloud-nat"

  # the module creates the router itself; `router` is the name it receives
  create_router = true
  router        = "${var.prefix}-router"

  nat_ips = module.nat_address[0].self_links

  # this was disabled by default in v5.0.0, setting to true to retain previous behavior
  enable_endpoint_independent_mapping = true
}
# The VPC and its subnets, built by the local network module.
module "vpc" {
  source = "./modules/network"

  prefix   = var.prefix
  region   = local.region
  vpc_name = trimspace(var.vpc_name)

  # subnets are created only when the caller did not name existing ones
  subnet_names   = local.subnet_names
  create_subnets = length(var.subnet_names) == 0

  gke_subnet_cidr         = var.gke_subnet_cidr
  misc_subnet_cidr        = var.misc_subnet_cidr
  gke_pod_subnet_cidr     = var.gke_pod_subnet_cidr
  gke_service_subnet_cidr = var.gke_service_subnet_cidr
}
# How to use "private IP" to give GKE access to Cloud SQL:
# https://cloud.google.com/sql/docs/postgres/private-ip
# Internal range reserved for VPC peering with the Cloud SQL service network.
# Only created when at least one postgres server is requested.
resource "google_compute_global_address" "private_ip_address" {
  # nested conditional so length() is never applied to a null postgres_servers value
  count = var.postgres_servers == null ? 0 : (length(var.postgres_servers) == 0 ? 0 : 1)

  name         = "${var.prefix}-private-ip-address"
  purpose      = "VPC_PEERING"
  address_type = "INTERNAL"
  network      = module.vpc.network_self_link

  # "a.b.c.d/n" -> address a.b.c.d, prefix length n
  address       = split("/", var.database_subnet_cidr)[0]
  prefix_length = split("/", var.database_subnet_cidr)[1]
}
# Peering between the VPC and the Service Networking service, using the range
# reserved above. Same count condition as google_compute_global_address.private_ip_address,
# so the [0] index below is valid whenever this resource exists.
resource "google_service_networking_connection" "private_vpc_connection" {
  count = var.postgres_servers == null ? 0 : (length(var.postgres_servers) == 0 ? 0 : 1)

  network                 = module.vpc.network_name
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address[0].name]

  # required as of hashicorp/google v5.12.0 when using google_service_networking_connection in
  # conjunction with CloudSQL instances in order to cleanly delete resources
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection
  deletion_policy = "ABANDON"
}
# Intra-VPC access to the NFS server from the GKE nodes/pods and the jump server.
# NOTE(review): every tcp and udp port is opened to the sources below; if the NFS
# stack runs on fixed ports, narrowing the `allow` blocks to them would reduce exposure.
resource "google_compute_firewall" "nfs_vm_cluster_firewall" {
  count   = var.storage_type == "standard" ? 1 : 0
  name    = "${var.prefix}-nfs-server-cluster-firewall"
  network = module.vpc.network_name

  # applies only to instances carrying the nfs server tag
  target_tags = ["${var.prefix}-nfs-server"]

  # the node group vms are tagged with the cluster name; the jump server with its own tag
  source_tags = ["${var.prefix}-gke", "${var.prefix}-jump-server"]
  # the pod and node subnets, so pod traffic (which carries no tag) is allowed too
  source_ranges = distinct([local.gke_pod_subnet_cidr, local.gke_subnet_cidr])

  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
}
# SSH to the NFS server from the operator-supplied public access CIDRs. Created only
# when the NFS server gets a public IP and the CIDR list is non-empty, so an empty
# list never yields a rule without sources.
# NOTE(review): exposure is governed entirely by local.vm_public_access_cidrs — confirm
# where that value is validated, since a 0.0.0.0/0 entry would expose port 22 broadly.
resource "google_compute_firewall" "nfs_vm_firewall" {
  count   = var.storage_type == "standard" && var.create_nfs_public_ip && length(local.vm_public_access_cidrs) > 0 ? 1 : 0
  name    = "${var.prefix}-nfs-server-firewall"
  network = module.vpc.network_name

  # matches the tag on the nfs server
  target_tags   = ["${var.prefix}-nfs-server"]
  source_ranges = local.vm_public_access_cidrs

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
# SSH to the jump server from the operator-supplied public access CIDRs. Created only
# when the jump VM exists, gets a public IP, and the CIDR list is non-empty.
# NOTE(review): as with nfs_vm_firewall, the reach of this rule is set by
# local.vm_public_access_cidrs — confirm that value is validated where it is defined.
resource "google_compute_firewall" "jump_vm_firewall" {
  count   = var.create_jump_public_ip && var.create_jump_vm && length(local.vm_public_access_cidrs) > 0 ? 1 : 0
  name    = "${var.prefix}-jump-server-firewall"
  network = module.vpc.network_name

  # matches the tag on the jump server
  target_tags   = ["${var.prefix}-jump-server"]
  source_ranges = local.vm_public_access_cidrs

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}