diff --git a/blueprints/serverless/cloud-run-corporate/main.tf b/blueprints/serverless/cloud-run-corporate/main.tf index 5e16a9a1..2644ea81 100644 --- a/blueprints/serverless/cloud-run-corporate/main.tf +++ b/blueprints/serverless/cloud-run-corporate/main.tf @@ -41,6 +41,20 @@ module "project_host" { ] } +# Simulated onprem environment +module "project_onprem" { + source = "../../../modules/project" + count = var.prj_onprem_id != null ? 1 : 0 + name = var.prj_onprem_id + project_create = var.prj_onprem_create != null + billing_account = try(var.prj_onprem_create.billing_account_id, null) + parent = try(var.prj_onprem_create.parent, null) + services = [ + "compute.googleapis.com", + "dns.googleapis.com" + ] +} + ############################################################################### # Cloud Run # ############################################################################### @@ -75,7 +89,7 @@ module "vpc_host" { name = "vpc-host" subnets = [ { - ip_cidr_range = var.ip_ranges_host.subnet + ip_cidr_range = var.ip_ranges["host"].subnet name = "subnet-host" region = var.region enable_private_access = true # PGA enabled @@ -83,7 +97,7 @@ module "vpc_host" { ] } -# VPC Firewall with default config, IAP for SSH enabled +# Host VPC Firewall with default config, IAP for SSH enabled module "firewall_host" { source = "../../../modules/net-vpc-firewall" project_id = module.project_host.project_id @@ -94,16 +108,44 @@ module "firewall_host" { } } +# VPC in simulated onprem environment +module "vpc_onprem" { + source = "../../../modules/net-vpc" + count = length(module.project_onprem) + project_id = module.project_onprem[0].project_id + name = "vpc-onprem" + subnets = [ + { + ip_cidr_range = var.ip_ranges["onprem"].subnet + name = "subnet-onprem" + region = var.region + } + ] +} + +# Onprem VPC Firewall with default config, IAP for SSH enabled +module "firewall_onprem" { + source = "../../../modules/net-vpc-firewall" + count = length(module.project_onprem) + project_id = module.project_onprem[0].project_id + network = module.vpc_onprem[0].name + default_rules_config = { + http_ranges = [] + https_ranges = [] + } +} + ############################################################################### # PSC # ############################################################################### +# PSC configured in the host module "psc_addr_host" { source = "../../../modules/net-address" project_id = module.project_host.project_id psc_addresses = { psc-addr-host = { - address = var.ip_ranges_host.psc_addr + address = var.ip_ranges["host"].psc_addr network = module.vpc_host.self_link } } @@ -125,6 +167,7 @@ resource "google_compute_global_forwarding_rule" "psc_endpoint_host" { module "vm_test_host" { source = "../../../modules/compute-vm" + count = 1 - length(module.project_onprem) project_id = module.project_host.project_id zone = "${var.region}-b" name = "vm-test-host" @@ -136,12 +179,27 @@ module "vm_test_host" { tags = ["ssh"] } +module "vm_test_onprem" { + source = "../../../modules/compute-vm" + count = length(module.project_onprem) + project_id = module.project_onprem[0].project_id + zone = "${var.region}-b" + name = "vm-test-onprem" + instance_type = "e2-micro" + network_interfaces = [{ + network = module.vpc_onprem[0].self_link + subnetwork = module.vpc_onprem[0].subnet_self_links["${var.region}/subnet-onprem"] + }] + tags = ["ssh"] +} + ############################################################################### # DNS # ############################################################################### module "private_dns_host" { source = "../../../modules/dns" + count = 1 - length(module.project_onprem) project_id = module.project_host.project_id type = "private" name = "dns-host" @@ -151,3 +209,89 @@ module "private_dns_host" { "A " = { records = [module.psc_addr_host.psc_addresses["psc-addr-host"].address] } } } + +module "private_dns_onprem" { + source = "../../../modules/dns" + count = length(module.project_onprem) + project_id = module.project_onprem[0].project_id + type = "private" + name = "dns-onprem" + client_networks = [module.vpc_onprem[0].self_link] + domain = local.domain_cr_host + recordsets = { + "A " = { records = [module.psc_addr_host.psc_addresses["psc-addr-host"].address] } + } +} + +############################################################################### +# VPN # +############################################################################### + +# VPN between main project and "onprem" environment +module "vpn_host" { + source = "../../../modules/net-vpn-ha" + count = length(module.project_onprem) + project_id = module.project_host.project_id + region = var.region + network = module.vpc_host.self_link + name = "vpn-host-to-onprem" + peer_gateway = { gcp = module.vpn_onprem[0].self_link } + router_config = { + asn = 65001 + custom_advertise = { + all_subnets = true + ip_ranges = { + (var.ip_ranges["host"].psc_addr) = "to-psc-endpoint" + } + } + } + tunnels = { + tunnel-0 = { + bgp_peer = { + address = "169.254.0.2" + asn = 65002 + } + bgp_session_range = "169.254.0.1/30" + vpn_gateway_interface = 0 + } + tunnel-1 = { + bgp_peer = { + address = "169.254.1.2" + asn = 65002 + } + bgp_session_range = "169.254.1.1/30" + vpn_gateway_interface = 1 + } + } +} + +module "vpn_onprem" { + source = "../../../modules/net-vpn-ha" + count = length(module.project_onprem) + project_id = module.project_onprem[0].project_id + region = var.region + network = module.vpc_onprem[0].self_link + name = "vpn-onprem-to-host" + peer_gateway = { gcp = module.vpn_host[0].self_link } + router_config = { asn = 65002 } + tunnels = { + tunnel-0 = { + bgp_peer = { + address = "169.254.0.1" + asn = 65001 + } + bgp_session_range = "169.254.0.2/30" + vpn_gateway_interface = 0 + shared_secret = module.vpn_host[0].random_secret + } + tunnel-1 = { + bgp_peer = { + address = "169.254.1.1" + asn = 65001 + } + bgp_session_range = "169.254.1.2/30" + vpn_gateway_interface = 1 + shared_secret = module.vpn_host[0].random_secret + } + } +} diff --git a/blueprints/serverless/cloud-run-corporate/variables.tf b/blueprints/serverless/cloud-run-corporate/variables.tf index 540a764f..422e3506 100644 --- a/blueprints/serverless/cloud-run-corporate/variables.tf +++ b/blueprints/serverless/cloud-run-corporate/variables.tf @@ -26,15 +26,17 @@ variable "ingress_settings" { default = "all" } -variable "ip_ranges_host" { +variable "ip_ranges" { description = "IPs or IP ranges used by VPCs" - type = object({ - subnet = string - psc_addr = string - }) + type = map(map(string)) default = { - subnet = "10.0.1.0/24" - psc_addr = "10.0.0.100" + host = { + subnet = "10.0.1.0/24" + psc_addr = "10.0.0.100" + } + onprem = { + subnet = "172.16.1.0/24" + } } } @@ -52,6 +54,21 @@ variable "prj_host_id" { type = string } +variable "prj_onprem_create" { + description = "Parameters for the creation of an 'onprem' project." + type = object({ + billing_account_id = string + parent = string + }) + default = null +} + +variable "prj_onprem_id" { + description = "Host Project ID." + type = string + default = null +} + variable "region" { description = "Cloud region where resource will be deployed." type = string