Adjusting second region for on-prem-in-a-box for testing more use cases

This commit is contained in:
averbukh 2021-01-28 19:53:26 +01:00
parent 5baed553aa
commit 2c71835965
10 changed files with 288 additions and 77 deletions


@ -64,13 +64,13 @@ module "on-prem" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object&#40;&#123;&#10;peer_ip &#61; string&#10;shared_secret &#61; string&#10;type &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object&#40;&#123;&#10;peer_ip &#61; string&#10;shared_secret &#61; string&#10;type &#61; string&#10;peer_ip2 &#61; string&#10;shared_secret2 &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| *config_variables* | Additional variables used to render the cloud-config and CoreDNS templates. | <code title="map&#40;any&#41;">map(any)</code> | | <code title="">{}</code> |
| *coredns_config* | CoreDNS configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
| *local_ip_cidr_range* | IP CIDR range used for the Docker onprem network. | <code title="">string</code> | | <code title="">192.168.192.0/24</code> |
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10;project_id &#61; string&#10;zone &#61; string&#10;name &#61; string&#10;type &#61; string&#10;network &#61; string&#10;subnetwork &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10;disks &#61; map&#40;object&#40;&#123;&#10;read_only &#61; bool&#10;size &#61; number&#10;&#125;&#41;&#41;&#10;image &#61; string&#10;metadata &#61; map&#40;string&#41;&#10;nat &#61; bool&#10;service_account_roles &#61; list&#40;string&#41;&#10;tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;disks &#61; &#123;&#125;&#10;image &#61; null&#10;metadata &#61; &#123;&#125;&#10;nat &#61; false&#10;service_account_roles &#61; &#91;&#10;&#34;roles&#47;logging.logWriter&#34;,&#10;&#34;roles&#47;monitoring.metricWriter&#34;&#10;&#93;&#10;tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">...</code> |
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object&#40;&#123;&#10;local_bgp_asn &#61; number&#10;local_bgp_address &#61; string&#10;peer_bgp_asn &#61; number&#10;peer_bgp_address &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;local_bgp_asn &#61; 65002&#10;local_bgp_address &#61; &#34;169.254.0.2&#34;&#10;peer_bgp_asn &#61; 65001&#10;peer_bgp_address &#61; &#34;169.254.0.1&#34;&#10;&#125;">...</code> |
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object&#40;&#123;&#10;local_bgp_asn &#61; number&#10;local_bgp_address &#61; string&#10;peer_bgp_asn &#61; number&#10;peer_bgp_address &#61; string&#10;local_bgp_asn2 &#61; number&#10;local_bgp_address2 &#61; string&#10;peer_bgp_asn2 &#61; number&#10;peer_bgp_address2 &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;local_bgp_asn &#61; 64514&#10;local_bgp_address &#61; &#34;169.254.1.2&#34;&#10;peer_bgp_asn &#61; 64513&#10;peer_bgp_address &#61; &#34;169.254.1.1&#34;&#10;local_bgp_asn2 &#61; 64514&#10;local_bgp_address2 &#61; &#34;169.254.2.2&#34;&#10;peer_bgp_asn2 &#61; 64520&#10;peer_bgp_address2 &#61; &#34;169.254.2.1&#34;&#10;&#125;">...</code> |
| *vpn_static_ranges* | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">["10.0.0.0/8"]</code> |
## Outputs


@ -172,7 +172,8 @@ write_files:
owner: root:root
permissions: '0600'
content: |
: PSK "${vpn_config.shared_secret}"
${vpn_config.peer_ip} : PSK "${vpn_config.shared_secret}"
${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"
# IPSEC tunnel configuration
- path: /var/lib/docker-compose/onprem/ipsec/ipsec.conf
@ -216,7 +217,38 @@ write_files:
closeaction=restart
%{~ if vpn_config.type == "dynamic" ~}
mark=%unique
%{~ endif ~}
conn gcp2
%{~ if vpn_config.type == "dynamic" ~}
leftupdown="/var/lib/strongswan/ipsec-vti.sh 1 ${vpn_dynamic_config.peer_bgp_address2}/30 ${vpn_dynamic_config.local_bgp_address2}/30"
%{~ endif ~}
left=%any
leftid=%any
%{~ if vpn_config.type == "dynamic" ~}
leftsubnet=0.0.0.0/0
%{~ else ~}
leftsubnet=${ip_cidr_ranges.local}
%{~ endif ~}
leftauth=psk
right=${vpn_config.peer_ip_wildcard2}
rightid=${vpn_config.peer_ip2}
%{~ if vpn_config.type == "dynamic" ~}
rightsubnet=0.0.0.0/0
%{~ else ~}
rightsubnet=${ip_cidr_ranges.remote}
%{~ endif ~}
rightauth=psk
type=tunnel
auto=start
dpdaction=restart
closeaction=restart
%{~ if vpn_config.type == "dynamic" ~}
mark=%unique
%{~ endif ~}
%{~ if vpn_config.type == "dynamic" ~}
# Charon configuration
- path: /var/lib/docker-compose/onprem/ipsec/vti.conf
owner: root:root
@ -292,6 +324,10 @@ write_files:
local ${vpn_dynamic_config.local_bgp_address} as ${vpn_dynamic_config.local_bgp_asn};
neighbor ${vpn_dynamic_config.peer_bgp_address} as ${vpn_dynamic_config.peer_bgp_asn};
}
protocol bgp gcp_vpc_a_tun2 from gcp_vpc_a {
local ${vpn_dynamic_config.local_bgp_address2} as ${vpn_dynamic_config.local_bgp_asn2};
neighbor ${vpn_dynamic_config.peer_bgp_address2} as ${vpn_dynamic_config.peer_bgp_asn2};
}
%{~ endif ~}
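Review bot: The new `conn gcp2` block (L42–68) repeats `conn gcp` line for line apart from the VTI index in `leftupdown` and the `2`-suffixed variables, so the four `%{~ if vpn_config.type == "dynamic" ~}` guards and the `leftsubnet`/`rightsubnet` selection now exist twice; a template `for` over a list of tunnel objects would keep both connections and the two `ipsec.secrets` lines (L33–34) in step. Those secrets lines also replace the previous wildcard `: PSK` entry with one entry keyed by peer IP, which is what lets each tunnel carry its own PSK given `rightid=${vpn_config.peer_ip2}`; a comment above them such as `# one PSK per tunnel, selected by the peer's IKE identity (rightid)` would make that dependency explicit. L44 and L54 dereference `vpn_dynamic_config.*2` and `vpn_config.peer_ip_wildcard2` unconditionally, so a caller that configures only one tunnel presumably fails to render rather than getting a single-tunnel config — confirm against the variable definitions, which are outside this file. Both `write_files` entries start and end outside the hunks.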


@ -38,6 +38,7 @@ locals {
dns = cidrhost(var.local_ip_cidr_range, 3)
www = cidrhost(var.local_ip_cidr_range, 4)
shell = cidrhost(var.local_ip_cidr_range, 5)
vpn2 = cidrhost(var.local_ip_cidr_range, 6)
}
netblocks = local.netblocks
vpn_config = local.vpn_config
@ -49,7 +50,8 @@ locals {
data.google_netblock_ip_ranges.restricted-googleapis.cidr_blocks_ipv4
)
vpn_config = merge(var.vpn_config, {
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
peer_ip_wildcard2 = "%${var.vpn_config.peer_ip2}"
})
}


@ -35,25 +35,35 @@ variable "local_ip_cidr_range" {
variable "vpn_config" {
description = "VPN configuration, type must be one of 'dynamic' or 'static'."
type = object({
peer_ip = string
shared_secret = string
type = string
peer_ip = string
shared_secret = string
type = string
peer_ip2 = string
shared_secret2 = string
})
}
variable "vpn_dynamic_config" {
description = "BGP configuration for dynamic VPN, ignored if VPN type is 'static'."
type = object({
local_bgp_asn = number
local_bgp_address = string
peer_bgp_asn = number
peer_bgp_address = string
local_bgp_asn = number
local_bgp_address = string
peer_bgp_asn = number
peer_bgp_address = string
local_bgp_asn2 = number
local_bgp_address2 = string
peer_bgp_asn2 = number
peer_bgp_address2 = string
})
default = {
local_bgp_asn = 65002
local_bgp_address = "169.254.0.2"
peer_bgp_asn = 65001
peer_bgp_address = "169.254.0.1"
local_bgp_asn = 64514
local_bgp_address = "169.254.1.2"
peer_bgp_asn = 64513
peer_bgp_address = "169.254.1.1"
local_bgp_asn2 = 64514
local_bgp_address2 = "169.254.2.2"
peer_bgp_asn2 = 64520
peer_bgp_address2 = "169.254.2.1"
}
}
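Review bot: `vpn_config` now requires `peer_ip2` and `shared_secret2` (L115–116) and `vpn_dynamic_config` the four `*2` attributes (L130–133); object types in the Terraform range this commit declares (`>= 0.12.6` in the new versions.tf) have no optional attributes, so every existing caller of the module with a single tunnel fails validation after this change. If one tunnel is still meant to work, callers could pass `null` for the second-tunnel attributes and the cloud-config template would need to guard the `gcp2` connection and its secrets line on `vpn_config.peer_ip2 != null`; otherwise the descriptions should state that two tunnels are mandatory, e.g. `description = "VPN configuration for two tunnels, type must be one of 'dynamic' or 'static'."`. The defaults at L144–147 reuse `local_bgp_asn2 = 64514`, the same ASN as the first session, which is consistent with one on-prem router peering with two Cloud Routers but reads like a copy-paste slip without a comment such as `# same on-prem ASN on both sessions; the GCP side uses a distinct ASN per region`.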


@ -14,13 +14,13 @@ The example has been purposefully kept simple to show how to use and wire the on
This sample creates several distinct groups of resources:
- one VPC
- one VPC with two regions
- one set of firewall rules
- one Cloud NAT configuration
- one test instance
- one service account for the test instance
- one Cloud NAT configuration per region
- one test instance on each region
- one service account for the test instances
- one service account for the onprem instance
- one dynamic VPN gateway with a single tunnel
- two dynamic VPN gateways in each of the regions with a single tunnel
- two DNS zones (private and forwarding) and a DNS inbound policy
- one emulated on-premises environment in a single GCP instance
@ -88,28 +88,84 @@ google.internal {
### Onprem to cloud
```bash
# check containers are running
sudo docker ps
# connect to the onprem instance
gcloud compute ssh onprem-1
# check that the BGP session works and the advertised routes are set
sudo docker exec -it onprem_bird_1 ip route |grep bird
10.0.0.0/24 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
35.199.192.0/19 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
199.36.153.4/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
199.36.153.8/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
# check that the VPN tunnels are up
sudo docker exec -it onprem_vpn_1 ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 5.4.0-1029-gcp, x86_64):
uptime: 6 minutes, since Nov 30 08:42:08 2020
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon aesni mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity counters
Listening IP addresses:
10.0.16.2
169.254.1.2
169.254.2.2
Connections:
gcp: %any...35.233.104.67,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
gcp: local: uses pre-shared key authentication
gcp: remote: [35.233.104.67] uses pre-shared key authentication
gcp: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
gcp2: %any...35.246.101.51,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
gcp2: local: uses pre-shared key authentication
gcp2: remote: [35.246.101.51] uses pre-shared key authentication
gcp2: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
gcp2[4]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.246.101.51[35.246.101.51]
gcp2[4]: IKEv2 SPIs: 227cb2c52085a743_i 13b18b0ad5d4de2b_r*, pre-shared key reauthentication in 9 hours
gcp2[4]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
gcp2{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cb6fdb84_i eea28dee_o
gcp2{4}: AES_GCM_16_256, 3298 bytes_i, 3051 bytes_o (48 pkts, 3s ago), rekeying in 2 hours
gcp2{4}: 0.0.0.0/0 === 0.0.0.0/0
gcp[3]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.233.104.67[35.233.104.67]
gcp[3]: IKEv2 SPIs: e2cffed5395b63dd_i 99f343468625507c_r*, pre-shared key reauthentication in 9 hours
gcp[3]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
gcp{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f09701_i 4e8cc8d5_o
gcp{3}: AES_GCM_16_256, 3438 bytes_i, 3135 bytes_o (49 pkts, 8s ago), rekeying in 2 hours
gcp{3}: 0.0.0.0/0 === 0.0.0.0/0
# check that the BGP sessions works and the advertised routes are set
sudo docker exec -it onprem_bird_1 ip route
default via 10.0.16.1 dev eth0
10.0.0.0/24 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
10.0.16.0/24 dev eth0 proto kernel scope link src 10.0.16.2
10.10.0.0/24 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
35.199.192.0/19 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
169.254.1.0/30 dev vti0 proto kernel scope link src 169.254.1.2
169.254.2.0/30 dev vti1 proto kernel scope link src 169.254.2.2
199.36.153.4/30 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
199.36.153.8/30 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
# get a shell on the toolbox container
sudo docker exec -it onprem_toolbox_1 sh
# test pinging the IP address of the test instance (check outputs for it)
# test pinging the IP address of the test instances (check outputs for it)
ping 10.0.0.3
ping 10.10.0.3
# note: if you are able to ping the IP but the DNS tests below do not work,
# refer to the sections above on configuring the DNS inbound fwd IP
# test forwarding from CoreDNS via the Cloud DNS inbound policy
dig test-1.gcp.example.org +short
dig test-1-1.gcp.example.org +short
10.0.0.3
dig test-2-1.gcp.example.org +short
10.10.0.3
# test that Private Access is configured correctly
dig compute.googleapis.com +short
@ -143,7 +199,7 @@ curl www.onprem.example.org -s |grep h1
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
The VPN used to connect to the on-premises environment does not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
<!-- BEGIN TFDOC -->
## Variables
@ -151,12 +207,12 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id for all resources. | <code title="">string</code> | ✓ | |
| *bgp_asn* | BGP ASNs. | <code title="map&#40;number&#41;">map(number)</code> | | <code title="&#123;&#10;gcp &#61; 64513&#10;onprem &#61; 64514&#10;&#125;">...</code> |
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;gcp &#61; &#34;169.254.1.0&#47;30&#34;&#10;&#125;">...</code> |
| *bgp_asn* | BGP ASNs. | <code title="map&#40;number&#41;">map(number)</code> | | <code title="&#123;&#10;gcp1 &#61; 64513&#10;gcp2 &#61; 64520&#10;onprem1 &#61; 64514&#10;onprem2 &#61; 64514&#10;&#125;">...</code> |
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;gcp1 &#61; &#34;169.254.1.0&#47;30&#34;&#10;gcp2 &#61; &#34;169.254.2.0&#47;30&#34;&#10;&#125;">...</code> |
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
| *forwarder_address* | GCP DNS inbound policy forwarder address. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
| *ip_ranges* | IP CIDR ranges. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;gcp &#61; &#34;10.0.0.0&#47;24&#34;&#10;onprem &#61; &#34;10.0.16.0&#47;24&#34;&#10;&#125;">...</code> |
| *region* | VPC region. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *ip_ranges* | IP CIDR ranges. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;gcp1 &#61; &#34;10.0.0.0&#47;24&#34;&#10;gcp2 &#61; &#34;10.10.0.0&#47;24&#34;&#10;onprem &#61; &#34;10.0.16.0&#47;24&#34;&#10;&#125;">...</code> |
| *region* | VPC region. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;gcp1 &#61; &#34;europe-west1&#34;&#10;gcp2 &#61; &#34;europe-west2&#34;&#10;&#125;">...</code> |
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
## Outputs
@ -164,5 +220,6 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | sensitive |
|---|---|:---:|
| onprem-instance | Onprem instance details. | |
| test-instance | Test instance details. | |
| test-instance1 | Test instance details. | |
| test-instance2 | Test instance details. | |
<!-- END TFDOC -->

Binary file not shown.



@ -15,8 +15,10 @@
*/
locals {
bgp_interface_gcp = "${cidrhost(var.bgp_interface_ranges.gcp, 1)}"
bgp_interface_onprem = "${cidrhost(var.bgp_interface_ranges.gcp, 2)}"
bgp_interface_gcp1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 1)}"
bgp_interface_onprem1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 2)}"
bgp_interface_gcp2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 1)}"
bgp_interface_onprem2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 2)}"
netblocks = {
dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
private = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
@ -54,9 +56,15 @@ module "vpc" {
name = "to-onprem"
subnets = [
{
ip_cidr_range = var.ip_ranges.gcp
name = "subnet"
region = var.region
ip_cidr_range = var.ip_ranges.gcp1
name = "subnet1"
region = var.region.gcp1
secondary_ip_range = {}
},
{
ip_cidr_range = var.ip_ranges.gcp2
name = "subnet2"
region = var.region.gcp2
secondary_ip_range = {}
}
]
@ -71,18 +79,18 @@ module "vpc-firewall" {
ssh_source_ranges = var.ssh_source_ranges
}
module "vpn" {
module "vpn1" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc.subnet_regions["${var.region}/subnet"]
region = var.region.gcp1
network = module.vpc.name
name = "to-onprem"
router_asn = var.bgp_asn.gcp
name = "to-onprem1"
router_asn = var.bgp_asn.gcp1
tunnels = {
onprem = {
bgp_peer = {
address = local.bgp_interface_onprem
asn = var.bgp_asn.onprem
address = local.bgp_interface_onprem1
asn = var.bgp_asn.onprem1
}
bgp_peer_options = {
advertise_groups = ["ALL_SUBNETS"]
@ -94,7 +102,7 @@ module "vpn" {
advertise_mode = "CUSTOM"
route_priority = 1000
}
bgp_session_range = "${local.bgp_interface_gcp}/30"
bgp_session_range = "${local.bgp_interface_gcp1}/30"
ike_version = 2
peer_ip = module.vm-onprem.external_ips.0
shared_secret = ""
@ -102,13 +110,52 @@ module "vpn" {
}
}
module "nat" {
module "vpn2" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = var.region.gcp2
network = module.vpc.name
name = "to-onprem2"
router_asn = var.bgp_asn.gcp2
tunnels = {
onprem = {
bgp_peer = {
address = local.bgp_interface_onprem2
asn = var.bgp_asn.onprem2
}
bgp_peer_options = {
advertise_groups = ["ALL_SUBNETS"]
advertise_ip_ranges = {
(local.netblocks.dns) = "DNS resolvers"
(local.netblocks.private) = "private.gooogleapis.com"
(local.netblocks.restricted) = "restricted.gooogleapis.com"
}
advertise_mode = "CUSTOM"
route_priority = 1000
}
bgp_session_range = "${local.bgp_interface_gcp2}/30"
ike_version = 2
peer_ip = module.vm-onprem.external_ips.0
shared_secret = ""
}
}
}
module "nat1" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = var.region
region = var.region.gcp1
name = "default"
router_create = false
router_name = module.vpn.router_name
router_name = module.vpn1.router_name
}
module "nat2" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = var.region.gcp2
name = "default"
router_create = false
router_name = module.vpn2.router_name
}
################################################################################
@ -125,7 +172,11 @@ module "dns-gcp" {
recordsets = concat(
[{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
[
for name, ip in zipmap(module.vm-test.names, module.vm-test.internal_ips) :
for name, ip in zipmap(module.vm-test1.names, module.vm-test1.internal_ips) :
{ name = name, type = "A", ttl = 300, records = [ip] }
],
[
for name, ip in zipmap(module.vm-test2.names, module.vm-test2.internal_ips) :
{ name = name, type = "A", ttl = 300, records = [ip] }
]
)
@ -152,7 +203,7 @@ module "dns-onprem" {
name = "onprem-example"
domain = "onprem.example.org."
client_networks = [module.vpc.self_link]
forwarders = { cidrhost(var.ip_ranges.onprem, 3) = null }
forwarders = [cidrhost(var.ip_ranges.onprem, 3)]
}
resource "google_dns_policy" "inbound" {
@ -170,9 +221,9 @@ resource "google_dns_policy" "inbound" {
################################################################################
module "service-account-gce" {
source = "../../modules/iam-service-account"
source = "../../modules/iam-service-accounts"
project_id = var.project_id
name = "gce-test"
names = ["gce-test"]
iam_project_roles = {
(var.project_id) = [
"roles/logging.logWriter",
@ -181,14 +232,32 @@ module "service-account-gce" {
}
}
module "vm-test" {
module "vm-test1" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region
name = "test"
region = var.region.gcp1
name = "test-1"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
nat = false
addresses = null
alias_ips = null
}]
metadata = { startup-script = local.vm-startup-script }
service_account = module.service-account-gce.email
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
tags = ["ssh"]
}
module "vm-test2" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region.gcp2
name = "test-2"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region.gcp2}/subnet2"]
nat = false
addresses = null
alias_ips = null
@ -209,22 +278,28 @@ module "config-onprem" {
coredns_config = "${path.module}/assets/Corefile"
local_ip_cidr_range = var.ip_ranges.onprem
vpn_config = {
peer_ip = module.vpn.address
shared_secret = module.vpn.random_secret
type = "dynamic"
peer_ip = module.vpn1.address
peer_ip2 = module.vpn2.address
shared_secret = module.vpn1.random_secret
shared_secret2 = module.vpn2.random_secret
type = "dynamic"
}
vpn_dynamic_config = {
local_bgp_asn = var.bgp_asn.onprem
local_bgp_address = local.bgp_interface_onprem
peer_bgp_asn = var.bgp_asn.gcp
peer_bgp_address = local.bgp_interface_gcp
local_bgp_asn = var.bgp_asn.onprem1
local_bgp_address = local.bgp_interface_onprem1
peer_bgp_asn = var.bgp_asn.gcp1
peer_bgp_address = local.bgp_interface_gcp1
local_bgp_asn2 = var.bgp_asn.onprem2
local_bgp_address2 = local.bgp_interface_onprem2
peer_bgp_asn2 = var.bgp_asn.gcp2
peer_bgp_address2 = local.bgp_interface_gcp2
}
}
module "service-account-onprem" {
source = "../../modules/iam-service-account"
source = "../../modules/iam-service-accounts"
project_id = var.project_id
name = "gce-onprem"
names = ["gce-onprem"]
iam_project_roles = {
(var.project_id) = [
"roles/compute.viewer",
@ -237,7 +312,7 @@ module "service-account-onprem" {
module "vm-onprem" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region
region = var.region.gcp1
instance_type = "f1-micro"
name = "onprem"
boot_disk = {
@ -250,7 +325,7 @@ module "vm-onprem" {
}
network_interfaces = [{
network = module.vpc.name
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
nat = true
addresses = null
alias_ips = null
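Review bot: The copied `advertise_ip_ranges` descriptions in `module "vpn2"` read `private.gooogleapis.com` and `restricted.gooogleapis.com` (L379–380); they should be `private.googleapis.com` and `restricted.googleapis.com`, and since the equivalent lines of `vpn1` are outside the hunk it is worth checking whether the typo was copied from there. `vpn1`/`vpn2`, `nat1`/`nat2` and `vm-test1`/`vm-test2` are otherwise identical apart from the `gcp1`/`gcp2` key; module `for_each` would collapse them but needs Terraform 0.13, beyond the `>= 0.12.6` pinned in the new versions.tf, so if the duplication is deliberate a comment saying so on `module "vpn2"` would stop the next reader from refactoring it. The `iam-service-account` → `iam-service-accounts` renames (L436, L508) and the `forwarders` map-to-list change (L429) alter module interfaces unrelated to the second region; if they come from a rebase onto an older module set they should be confirmed against the current modules or split into their own commit. `shared_secret = ""` on both tunnels (L357, L388) presumably makes the module generate `random_secret`, which is then rendered into the onprem cloud-config (L487–488) and so lands in instance metadata readable by anyone with get permission on that instance — existing behavior for the first tunnel and acceptable for a test example, but it now applies to two secrets and deserves a one-line comment where the secrets are passed.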


@ -23,10 +23,17 @@ output "onprem-instance" {
}
}
output "test-instance" {
output "test-instance1" {
description = "Test instance details."
value = join(" ", [
module.vm-test.names[0],
module.vm-test.internal_ips[0]
module.vm-test1.names[0],
module.vm-test1.internal_ips[0]
])
}
output "test-instance2" {
description = "Test instance details."
value = join(" ", [
module.vm-test2.names[0],
module.vm-test2.internal_ips[0]
])
}
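Review bot: Both outputs carry the same description `Test instance details.` (L541, L550), and because the README table is generated from these descriptions the two rows at L278–279 are indistinguishable except by name; `description = "Test instance details (region gcp1)."` and `description = "Test instance details (region gcp2)."` would tie each output to the region it belongs to.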


@ -18,8 +18,10 @@ variable "bgp_asn" {
description = "BGP ASNs."
type = map(number)
default = {
gcp = 64513
onprem = 64514
gcp1 = 64513
gcp2 = 64520
onprem1 = 64514
onprem2 = 64514
}
}
@ -27,7 +29,8 @@ variable "bgp_interface_ranges" {
description = "BGP interface IP CIDR ranges."
type = map(string)
default = {
gcp = "169.254.1.0/30"
gcp1 = "169.254.1.0/30"
gcp2 = "169.254.2.0/30"
}
}
@ -41,7 +44,8 @@ variable "ip_ranges" {
description = "IP CIDR ranges."
type = map(string)
default = {
gcp = "10.0.0.0/24"
gcp1 = "10.0.0.0/24"
gcp2 = "10.10.0.0/24"
onprem = "10.0.16.0/24"
}
}
@ -53,8 +57,11 @@ variable "project_id" {
variable "region" {
description = "VPC region."
type = string
default = "europe-west1"
type = map(string)
default = {
gcp1 = "europe-west1"
gcp2 = "europe-west2"
}
}
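Review bot: `region` becomes `map(string)` (L595) while its description stays `VPC region.` (L592), and a map type does not guarantee the `gcp1`/`gcp2` keys that main.tf dereferences directly (`var.region.gcp1`); an `object({ gcp1 = string, gcp2 = string })` type — and likewise for `bgp_asn`, `bgp_interface_ranges` and `ip_ranges` — would turn a missing key into a variable validation error instead of a failure inside a module argument at plan time. At minimum the description should read `description = "VPC regions, one per key (gcp1, gcp2)."`. The type change also breaks anyone passing `-var region=europe-west1` on the command line, which the commit message does not mention.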
variable "forwarder_address" {


@ -0,0 +1,17 @@
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
terraform {
required_version = ">= 0.12.6"
}