294 lines
7.7 KiB
Terraform
294 lines
7.7 KiB
Terraform
|
/**
|
||
|
* Copyright 2022 Google LLC
|
||
|
*
|
||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
* you may not use this file except in compliance with the License.
|
||
|
* You may obtain a copy of the License at
|
||
|
*
|
||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
*
|
||
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
* See the License for the specific language governing permissions and
|
||
|
* limitations under the License.
|
||
|
*/
|
||
|
|
||
|
locals {
|
||
|
prefix = (var.prefix == null || var.prefix == "") ? "" : "${var.prefix}-"
|
||
|
}
|
||
|
|
||
|
module "project" {
|
||
|
source = "../../../modules/project"
|
||
|
billing_account = (var.project_create != null
|
||
|
? var.project_create.billing_account_id
|
||
|
: null
|
||
|
)
|
||
|
parent = (var.project_create != null
|
||
|
? var.project_create.parent
|
||
|
: null
|
||
|
)
|
||
|
prefix = var.project_create == null ? null : var.prefix
|
||
|
name = var.project_id
|
||
|
services = [
|
||
|
"compute.googleapis.com"
|
||
|
]
|
||
|
project_create = var.project_create != null
|
||
|
}
|
||
|
|
||
|
|
||
|
module "vpc" {
|
||
|
source = "../../../modules/net-vpc"
|
||
|
project_id = module.project.project_id
|
||
|
name = "${local.prefix}vpc"
|
||
|
subnets = [
|
||
|
{
|
||
|
ip_cidr_range = "10.0.1.0/24"
|
||
|
name = "subnet-ew1"
|
||
|
region = "europe-west1"
|
||
|
secondary_ip_range = null
|
||
|
},
|
||
|
{
|
||
|
ip_cidr_range = "10.0.2.0/24"
|
||
|
name = "subnet-ue1"
|
||
|
region = "us-east1"
|
||
|
secondary_ip_range = null
|
||
|
},
|
||
|
{
|
||
|
ip_cidr_range = "10.0.3.0/24"
|
||
|
name = "subnet-uw1"
|
||
|
region = "us-west1"
|
||
|
secondary_ip_range = null
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "firewall" {
|
||
|
source = "../../../modules/net-vpc-firewall"
|
||
|
project_id = module.project.project_id
|
||
|
network = module.vpc.name
|
||
|
}
|
||
|
|
||
|
module "nat_ew1" {
|
||
|
source = "../../../modules/net-cloudnat"
|
||
|
project_id = module.project.project_id
|
||
|
region = "europe-west1"
|
||
|
name = "${local.prefix}nat-eu1"
|
||
|
router_network = module.vpc.name
|
||
|
}
|
||
|
|
||
|
module "nat_ue1" {
|
||
|
source = "../../../modules/net-cloudnat"
|
||
|
project_id = module.project.project_id
|
||
|
region = "us-east1"
|
||
|
name = "${local.prefix}nat-ue1"
|
||
|
router_network = module.vpc.name
|
||
|
}
|
||
|
|
||
|
module "instance_template_ew1" {
|
||
|
source = "../../../modules/compute-vm"
|
||
|
project_id = module.project.project_id
|
||
|
zone = "europe-west1-b"
|
||
|
name = "${local.prefix}europe-west1-template"
|
||
|
instance_type = "n1-standard-2"
|
||
|
network_interfaces = [{
|
||
|
network = module.vpc.self_link
|
||
|
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-ew1"]
|
||
|
}]
|
||
|
boot_disk = {
|
||
|
image = "projects/debian-cloud/global/images/family/debian-11"
|
||
|
}
|
||
|
metadata = {
|
||
|
startup-script-url = "gs://cloud-training/gcpnet/httplb/startup.sh"
|
||
|
}
|
||
|
create_template = true
|
||
|
tags = [
|
||
|
"http-server"
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "instance_template_ue1" {
|
||
|
source = "../../../modules/compute-vm"
|
||
|
project_id = module.project.project_id
|
||
|
zone = "us-east1-b"
|
||
|
name = "${local.prefix}us-east1-template"
|
||
|
network_interfaces = [{
|
||
|
network = module.vpc.self_link
|
||
|
subnetwork = module.vpc.subnet_self_links["us-east1/subnet-ue1"]
|
||
|
}]
|
||
|
boot_disk = {
|
||
|
image = "projects/debian-cloud/global/images/family/debian-11"
|
||
|
}
|
||
|
metadata = {
|
||
|
startup-script-url = "gs://cloud-training/gcpnet/httplb/startup.sh"
|
||
|
}
|
||
|
create_template = true
|
||
|
tags = [
|
||
|
"http-server"
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "vm_siege" {
|
||
|
source = "../../../modules/compute-vm"
|
||
|
project_id = module.project.project_id
|
||
|
zone = "us-west1-c"
|
||
|
name = "siege-vm"
|
||
|
instance_type = "n1-standard-2"
|
||
|
network_interfaces = [{
|
||
|
network = module.vpc.self_link
|
||
|
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-uw1"]
|
||
|
nat = true
|
||
|
}]
|
||
|
boot_disk = {
|
||
|
image = "projects/debian-cloud/global/images/family/debian-11"
|
||
|
}
|
||
|
metadata = {
|
||
|
startup-script = <<EOT
|
||
|
#!/bin/bash
|
||
|
|
||
|
apt update -y
|
||
|
apt install -y siege
|
||
|
EOT
|
||
|
}
|
||
|
tags = [
|
||
|
"ssh"
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "mig_ew1" {
|
||
|
source = "../../../modules/compute-mig"
|
||
|
project_id = module.project.project_id
|
||
|
location = "europe-west1"
|
||
|
name = "${local.prefix}europe-west1-mig"
|
||
|
regional = true
|
||
|
default_version = {
|
||
|
instance_template = module.instance_template_ew1.template.self_link
|
||
|
name = "default"
|
||
|
}
|
||
|
autoscaler_config = {
|
||
|
max_replicas = 5
|
||
|
min_replicas = 1
|
||
|
cooldown_period = 45
|
||
|
cpu_utilization_target = 0.8
|
||
|
load_balancing_utilization_target = null
|
||
|
metric = null
|
||
|
}
|
||
|
named_ports = {
|
||
|
http = 80
|
||
|
}
|
||
|
depends_on = [
|
||
|
module.nat_ew1
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "mig_ue1" {
|
||
|
source = "../../../modules/compute-mig"
|
||
|
project_id = module.project.project_id
|
||
|
location = "us-east1"
|
||
|
name = "${local.prefix}us-east1-mig"
|
||
|
regional = true
|
||
|
default_version = {
|
||
|
instance_template = module.instance_template_ue1.template.self_link
|
||
|
name = "default"
|
||
|
}
|
||
|
autoscaler_config = {
|
||
|
max_replicas = 5
|
||
|
min_replicas = 1
|
||
|
cooldown_period = 45
|
||
|
cpu_utilization_target = 0.8
|
||
|
load_balancing_utilization_target = null
|
||
|
metric = null
|
||
|
}
|
||
|
named_ports = {
|
||
|
http = 80
|
||
|
}
|
||
|
depends_on = [
|
||
|
module.nat_ue1
|
||
|
]
|
||
|
}
|
||
|
|
||
|
module "glb" {
|
||
|
source = "../../../modules/net-glb"
|
||
|
name = "${local.prefix}http-lb"
|
||
|
project_id = module.project.project_id
|
||
|
backend_services_config = {
|
||
|
http-backend = {
|
||
|
bucket_config = null
|
||
|
enable_cdn = false
|
||
|
cdn_config = null
|
||
|
group_config = {
|
||
|
backends = [
|
||
|
{
|
||
|
group = module.mig_ew1.group_manager.instance_group
|
||
|
options = null
|
||
|
},
|
||
|
{
|
||
|
group = module.mig_ue1.group_manager.instance_group
|
||
|
options = null
|
||
|
}
|
||
|
],
|
||
|
health_checks = ["hc"]
|
||
|
log_config = {
|
||
|
enable = true
|
||
|
sample_rate = 1
|
||
|
}
|
||
|
options = {
|
||
|
affinity_cookie_ttl_sec = null
|
||
|
custom_request_headers = null
|
||
|
custom_response_headers = null
|
||
|
connection_draining_timeout_sec = null
|
||
|
load_balancing_scheme = null
|
||
|
locality_lb_policy = null
|
||
|
port_name = "http"
|
||
|
security_policy = try(google_compute_security_policy.policy[0].name, null)
|
||
|
session_affinity = null
|
||
|
timeout_sec = null
|
||
|
circuits_breakers = null
|
||
|
consistent_hash = null
|
||
|
iap = null
|
||
|
protocol = "HTTP"
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
health_checks_config = {
|
||
|
hc = {
|
||
|
type = "http"
|
||
|
logging = true
|
||
|
options = null
|
||
|
check = {
|
||
|
port_name = "http"
|
||
|
port_specification = "USE_NAMED_PORT"
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
resource "google_compute_security_policy" "policy" {
|
||
|
count = var.enforce_security_policy ? 1 : 0
|
||
|
name = "${local.prefix}denylist-siege"
|
||
|
project = module.project.project_id
|
||
|
rule {
|
||
|
action = "deny(403)"
|
||
|
priority = "1000"
|
||
|
match {
|
||
|
versioned_expr = "SRC_IPS_V1"
|
||
|
config {
|
||
|
src_ip_ranges = [module.vm_siege.external_ip]
|
||
|
}
|
||
|
}
|
||
|
description = "Deny access to siege VM IP"
|
||
|
}
|
||
|
rule {
|
||
|
action = "allow"
|
||
|
priority = "2147483647"
|
||
|
match {
|
||
|
versioned_expr = "SRC_IPS_V1"
|
||
|
config {
|
||
|
src_ip_ranges = ["*"]
|
||
|
}
|
||
|
}
|
||
|
description = "default rule"
|
||
|
}
|
||
|
}
|