Update hub-and-spoke example to use only external cft modules, update the code to HCL2

This commit is contained in:
Aleksandr Averbukh 2019-10-07 18:06:07 +02:00
parent c427fd47a4
commit e6e7fa8840
6 changed files with 279 additions and 210 deletions


@ -13,11 +13,11 @@
# limitations under the License.
resource "google_compute_instance" "hub" {
count = "${length(var.hub_subnet_names)}"
project = "${var.project_id}"
name = "${var.prefix}-hub-${element(var.hub_subnet_names, count.index)}"
count = length(var.hub_subnets)
project = var.hub_project_id
name = "${var.prefix}-hub-${element(var.hub_subnets, count.index)["subnet_name"]}"
machine_type = "f1-micro"
zone = "${element(var.hub_subnet_regions, count.index)}-b"
zone = "${element(local.hub_subnet_regions, count.index)}-b"
tags = ["ssh"]
boot_disk {
initialize_params {
@ -25,16 +25,17 @@ resource "google_compute_instance" "hub" {
}
}
network_interface {
subnetwork = "${lookup(module.vpc-hub.subnet_self_links, element(var.hub_subnet_names, count.index))}"
access_config = {}
subnetwork = element(module.vpc-hub.subnets_self_links, count.index)
access_config {}
}
}
resource "google_compute_instance" "spoke-1" {
count = "${length(var.spoke_1_subnet_names)}"
project = "${var.project_id}"
name = "${var.prefix}-spoke-1-${element(var.spoke_1_subnet_names, count.index)}"
count = length(var.spoke_1_subnets)
project = var.spoke_1_project_id
name = "${var.prefix}-spoke-1-${element(var.spoke_1_subnets, count.index)["subnet_name"]}"
machine_type = "f1-micro"
zone = "${element(var.spoke_1_subnet_regions, count.index)}-b"
zone = "${element(local.spoke_1_subnet_regions, count.index)}-b"
tags = ["ssh"]
boot_disk {
initialize_params {
@ -42,16 +43,17 @@ resource "google_compute_instance" "spoke-1" {
}
}
network_interface {
subnetwork = "${lookup(module.vpc-spoke-1.subnet_self_links, element(var.spoke_1_subnet_names, count.index))}"
access_config = {}
subnetwork = element(module.vpc-spoke-1.subnets_self_links, count.index)
access_config {}
}
}
resource "google_compute_instance" "spoke-2" {
count = "${length(var.spoke_2_subnet_names)}"
project = "${var.project_id}"
name = "${var.prefix}-spoke-2-${element(var.spoke_2_subnet_names, count.index)}"
count = length(var.spoke_2_subnets)
project = var.spoke_2_project_id
name = "${var.prefix}-spoke-2-${element(var.spoke_2_subnets, count.index)["subnet_name"]}"
machine_type = "f1-micro"
zone = "${element(var.spoke_2_subnet_regions, count.index)}-b"
zone = "${element(local.spoke_2_subnet_regions, count.index)}-b"
tags = ["ssh"]
boot_disk {
initialize_params {
@ -59,7 +61,7 @@ resource "google_compute_instance" "spoke-2" {
}
}
network_interface {
subnetwork = "${lookup(module.vpc-spoke-2.subnet_self_links, element(var.spoke_2_subnet_names, count.index))}"
access_config = {}
subnetwork = element(module.vpc-spoke-2.subnets_self_links, count.index)
access_config {}
}
}
}
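Review bot: The `access_config {}` block kept on all three instances (`hub`, `spoke-1`, `spoke-2`) gives each VM an ephemeral external IP, and the same VMs carry the `ssh` tag that the firewall modules in main.tf act on; if the fabric-net-firewall module's SSH source range is left at its default, these test instances are reachable from the internet rather than only over the VPN mesh the example is about. Consider dropping `access_config {}` and reaching the VMs through IAP TCP forwarding or the tunnels, or set an explicit `ssh_source_ranges` on the firewall modules, and record the choice in a comment such as `# external IP is only for connectivity tests; restrict ssh_source_ranges in the firewall modules`. The `zone = "${element(local.hub_subnet_regions, count.index)}-b"` lines also assume a `-b` zone exists in every region passed in, which holds for the defaults but is worth a one-line comment.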


@ -14,19 +14,13 @@
# limitations under the License.
locals {
all_subnets = ["${concat(
var.hub_subnet_cidr_ranges,
var.spoke_1_subnet_cidr_ranges,
var.spoke_2_subnet_cidr_ranges
)}"]
hub_to_spoke_1_router = "${
var.hub_custom_route_advertisement
? element(concat(google_compute_router.hub-to-spoke-1-custom.*.name, list("")), 0)
: element(concat(google_compute_router.hub-to-spoke-1-default.*.name, list("")), 0)
}"
hub_to_spoke_2_router = "${
var.hub_custom_route_advertisement
? element(concat(google_compute_router.hub-to-spoke-2-custom.*.name, list("")), 0)
: element(concat(google_compute_router.hub-to-spoke-2-default.*.name, list("")), 0)
}"
}
hub_subnet_regions = [for subnet in var.hub_subnets : subnet["subnet_region"]]
spoke_1_subnet_regions = [for subnet in var.spoke_1_subnets : subnet["subnet_region"]]
spoke_2_subnet_regions = [for subnet in var.spoke_2_subnets : subnet["subnet_region"]]
hub_subnet_cidr_ranges = [for subnet in var.hub_subnets : subnet["subnet_ip"]]
spoke_1_subnet_cidr_ranges = [for subnet in var.spoke_1_subnets : subnet["subnet_ip"]]
spoke_2_subnet_cidr_ranges = [for subnet in var.spoke_2_subnets : subnet["subnet_ip"]]
all_subnet_cidrs = concat(local.hub_subnet_cidr_ranges, local.spoke_1_subnet_cidr_ranges, local.spoke_2_subnet_cidr_ranges)
hub_to_spoke_1_router = var.hub_custom_route_advertisement ? element(concat(google_compute_router.hub-to-spoke-1-custom.*.name, list("")), 0) : element(concat(google_compute_router.hub-to-spoke-1-default.*.name, list("")), 0)
hub_to_spoke_2_router = var.hub_custom_route_advertisement ? element(concat(google_compute_router.hub-to-spoke-2-custom.*.name, list("")), 0) : element(concat(google_compute_router.hub-to-spoke-2-default.*.name, list("")), 0)
}
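Review bot: `list("")` on the `hub_to_spoke_1_router` and `hub_to_spoke_2_router` lines is a legacy 0.11 function kept inside otherwise HCL2 code; the native form is `[""]`, e.g. `element(concat(google_compute_router.hub-to-spoke-1-custom.*.name, [""]), 0)`. Both one-line ternaries are long enough that the trick they rely on deserves a comment: `# exactly one of the -custom/-default routers exists (count on var.hub_custom_route_advertisement); pad with "" so element() never fails on the empty list`.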


@ -11,101 +11,126 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module "vpc-hub" {
source = "../../modules/net-vpc-simple"
prefix = "${var.prefix}-hub"
project_id = "${var.project_id}"
subnet_names = ["${var.hub_subnet_names}"]
subnet_regions = ["${var.hub_subnet_regions}"]
subnet_ip_cidr_ranges = ["${var.hub_subnet_cidr_ranges}"]
routing_mode = "GLOBAL"
source = "terraform-google-modules/network/google"
version = "~> 1.2.0"
project_id = var.hub_project_id
network_name = "${var.prefix}-hub"
subnets = var.hub_subnets
routing_mode = "GLOBAL"
}
module "vpc-spoke-1" {
source = "../../modules/net-vpc-simple"
prefix = "${var.prefix}-spoke-1"
project_id = "${var.project_id}"
subnet_names = ["${var.spoke_1_subnet_names}"]
subnet_regions = ["${var.spoke_1_subnet_regions}"]
subnet_ip_cidr_ranges = ["${var.spoke_1_subnet_cidr_ranges}"]
routing_mode = "GLOBAL"
source = "terraform-google-modules/network/google"
version = "~> 1.2.0"
project_id = var.spoke_1_project_id
network_name = "${var.prefix}-spoke-1"
subnets = var.spoke_1_subnets
routing_mode = "GLOBAL"
}
module "vpc-spoke-2" {
source = "../../modules/net-vpc-simple"
prefix = "${var.prefix}-spoke-2"
project_id = "${var.project_id}"
subnet_names = ["${var.spoke_2_subnet_names}"]
subnet_regions = ["${var.spoke_2_subnet_regions}"]
subnet_ip_cidr_ranges = ["${var.spoke_2_subnet_cidr_ranges}"]
routing_mode = "GLOBAL"
source = "terraform-google-modules/network/google"
version = "~> 1.2.0"
project_id = var.spoke_2_project_id
network_name = "${var.prefix}-spoke-2"
subnets = var.spoke_2_subnets
routing_mode = "GLOBAL"
}
module "firewall-hub" {
source = "../../modules/net-firewall"
project_id = "${var.project_id}"
network = "${module.vpc-hub.name}"
source = "terraform-google-modules/network/google//modules/fabric-net-firewall"
version = "~> 1.2.0"
project_id = var.hub_project_id
network = module.vpc-hub.network_name
admin_ranges_enabled = true
admin_ranges = ["${local.all_subnets}"]
admin_ranges = local.all_subnet_cidrs
}
module "firewall-spoke-1" {
source = "../../modules/net-firewall"
project_id = "${var.project_id}"
network = "${module.vpc-spoke-1.name}"
source = "terraform-google-modules/network/google//modules/fabric-net-firewall"
version = "~> 1.2.0"
project_id = var.spoke_1_project_id
network = module.vpc-spoke-1.network_name
admin_ranges_enabled = true
admin_ranges = ["${local.all_subnets}"]
admin_ranges = local.all_subnet_cidrs
}
module "firewall-spoke-2" {
source = "../../modules/net-firewall"
project_id = "${var.project_id}"
network = "${module.vpc-spoke-2.name}"
source = "terraform-google-modules/network/google//modules/fabric-net-firewall"
version = "~> 1.2.0"
project_id = var.spoke_2_project_id
network = module.vpc-spoke-2.network_name
admin_ranges_enabled = true
admin_ranges = ["${local.all_subnets}"]
admin_ranges = local.all_subnet_cidrs
}
module "vpn-hub-to-spoke-1" {
source = "../../modules/net-vpn-dynamic"
project_id = "${var.project_id}"
network = "${module.vpc-hub.name}"
region = "${element(var.hub_subnet_regions, 0)}"
prefix = "hub-to-spoke-1"
peer_ip = "${module.vpn-spoke-1-to-hub.gateway_address}"
bgp_cr_session_range = "169.254.0.1/30"
bgp_remote_session_range = "169.254.0.2"
peer_asn = "${var.spoke_1_bgp_asn}"
router = "${local.hub_to_spoke_1_router}"
source = "terraform-google-modules/vpn/google"
version = "~> 1.1.0"
project_id = var.hub_project_id
network = module.vpc-hub.network_name
region = element(local.hub_subnet_regions, 0)
tunnel_name_prefix = "hub-to-spoke-1"
peer_ips = [module.vpn-spoke-1-to-hub.gateway_ip]
bgp_cr_session_range = ["169.254.0.1/30"]
bgp_remote_session_range = ["169.254.0.2"]
peer_asn = [var.spoke_1_bgp_asn]
cr_name = local.hub_to_spoke_1_router
}
module "vpn-hub-to-spoke-2" {
source = "../../modules/net-vpn-dynamic"
project_id = "${var.project_id}"
network = "${module.vpc-hub.name}"
region = "${element(var.hub_subnet_regions, 1)}"
prefix = "hub-to-spoke-2"
peer_ip = "${module.vpn-spoke-2-to-hub.gateway_address}"
bgp_cr_session_range = "169.254.1.1/30"
bgp_remote_session_range = "169.254.1.2"
peer_asn = "${var.spoke_2_bgp_asn}"
router = "${local.hub_to_spoke_2_router}"
source = "terraform-google-modules/vpn/google"
version = "~> 1.1.0"
project_id = var.hub_project_id
network = module.vpc-hub.network_name
region = element(local.hub_subnet_regions, 1)
tunnel_name_prefix = "hub-to-spoke-2"
peer_ips = [module.vpn-spoke-2-to-hub.gateway_ip]
bgp_cr_session_range = ["169.254.1.1/30"]
bgp_remote_session_range = ["169.254.1.2"]
peer_asn = [var.spoke_2_bgp_asn]
cr_name = local.hub_to_spoke_2_router
}
module "vpn-spoke-1-to-hub" {
source = "../../modules/net-vpn-dynamic"
project_id = "${var.project_id}"
network = "${module.vpc-spoke-1.name}"
region = "${element(var.spoke_1_subnet_regions, 0)}"
prefix = "spoke-1-to-hub"
shared_secret = "${module.vpn-hub-to-spoke-1.shared_secret}"
peer_ip = "${module.vpn-hub-to-spoke-1.gateway_address}"
bgp_cr_session_range = "169.254.0.2/30"
bgp_remote_session_range = "169.254.0.1"
peer_asn = "${var.hub_bgp_asn}"
router = "${google_compute_router.spoke-1.name}"
source = "terraform-google-modules/vpn/google"
version = "~> 1.1.0"
project_id = var.spoke_1_project_id
network = module.vpc-spoke-1.network_name
region = element(local.spoke_1_subnet_regions, 0)
tunnel_name_prefix = "spoke-1-to-hub"
shared_secret = module.vpn-hub-to-spoke-1.ipsec_secret-dynamic[0]
peer_ips = [module.vpn-hub-to-spoke-1.gateway_ip]
bgp_cr_session_range = ["169.254.0.2/30"]
bgp_remote_session_range = ["169.254.0.1"]
peer_asn = [var.hub_bgp_asn]
cr_name = google_compute_router.spoke-1.name
}
module "vpn-spoke-2-to-hub" {
source = "../../modules/net-vpn-dynamic"
project_id = "${var.project_id}"
network = "${module.vpc-spoke-2.name}"
region = "${element(var.spoke_2_subnet_regions, 0)}"
prefix = "spoke-2-to-hub"
shared_secret = "${module.vpn-hub-to-spoke-2.shared_secret}"
peer_ip = "${module.vpn-hub-to-spoke-2.gateway_address}"
bgp_cr_session_range = "169.254.1.2/30"
bgp_remote_session_range = "169.254.1.1"
peer_asn = "${var.hub_bgp_asn}"
router = "${google_compute_router.spoke-2.name}"
}
source = "terraform-google-modules/vpn/google"
version = "~> 1.1.0"
project_id = var.spoke_2_project_id
network = module.vpc-spoke-2.network_name
region = element(local.spoke_2_subnet_regions, 0)
tunnel_name_prefix = "spoke-2-to-hub"
shared_secret = module.vpn-hub-to-spoke-2.ipsec_secret-dynamic[0]
peer_ips = [module.vpn-hub-to-spoke-2.gateway_ip]
bgp_cr_session_range = ["169.254.1.2/30"]
bgp_remote_session_range = ["169.254.1.1"]
peer_asn = [var.hub_bgp_asn]
cr_name = google_compute_router.spoke-2.name
}
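Review bot: `shared_secret = module.vpn-hub-to-spoke-1.ipsec_secret-dynamic[0]` (and the spoke-2 equivalent) means the IPsec pre-shared key is generated inside the hub VPN module and read back through a module output, so it is stored in plaintext in the Terraform state; the example should say so and point at an access-restricted, encrypted remote backend, e.g. `# PSK is generated by the hub VPN module and read back here; it is stored in state, keep the backend restricted`. Separately, `admin_ranges = local.all_subnet_cidrs` with `admin_ranges_enabled = true` on all three firewall modules permits ingress on all protocols from every hub and spoke subnet into each VPC; that is reasonable for a connectivity example, but a comment on those blocks stating this is the intent and should be narrowed in real deployments would prevent copy-paste into production.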


@ -11,42 +11,44 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
output "hub" {
value = {
name = "${module.vpc-hub.name}"
subnets = "${zipmap(
values(module.vpc-hub.subnet_names),
values(module.vpc-hub.subnet_ranges)
)}"
instances = "${zipmap(
name = module.vpc-hub.network_name
subnets = zipmap(
module.vpc-hub.subnets_names,
module.vpc-hub.subnets_ips
)
instances = zipmap(
google_compute_instance.hub.*.name,
google_compute_instance.hub.*.zone
)}"
)
}
}
output "spoke-1" {
value = {
name = "${module.vpc-spoke-1.name}"
subnets = "${zipmap(
values(module.vpc-spoke-1.subnet_names),
values(module.vpc-spoke-1.subnet_ranges)
)}"
instances = "${zipmap(
name = module.vpc-spoke-1.network_name
subnets = zipmap(
module.vpc-spoke-1.subnets_names,
module.vpc-spoke-1.subnets_ips
)
instances = zipmap(
google_compute_instance.spoke-1.*.name,
google_compute_instance.spoke-1.*.zone
)}"
)
}
}
output "spoke-2" {
value = {
name = "${module.vpc-spoke-2.name}"
subnets = "${zipmap(
values(module.vpc-spoke-2.subnet_names),
values(module.vpc-spoke-2.subnet_ranges)
)}"
instances = "${zipmap(
name = module.vpc-spoke-2.network_name
subnets = zipmap(
module.vpc-spoke-2.subnets_names,
module.vpc-spoke-2.subnets_ips
)
instances = zipmap(
google_compute_instance.spoke-2.*.name,
google_compute_instance.spoke-2.*.zone
)}"
)
}
}
}
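Review bot: The three rewritten outputs (`hub`, `spoke-1`, `spoke-2`) carry no `description`, and the shape of the nested map (`name`, `subnets` keyed by subnet name, `instances` keyed by instance name) is only discoverable by reading the `zipmap` calls; add one per output, e.g. `description = "Hub VPC name, subnet name to CIDR map, and instance name to zone map."`. Since the values are consumed by whoever runs the example, a stable documented shape matters more here than in internal modules.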


@ -13,79 +13,99 @@
# limitations under the License.
resource "null_resource" "spoke-1-ranges-to-advertise" {
count = "${length(var.spoke_1_subnet_names)}"
count = length(local.spoke_1_subnet_cidr_ranges)
triggers = {
range = "${element(var.spoke_1_subnet_cidr_ranges, count.index)}"
range = element(local.spoke_1_subnet_cidr_ranges, count.index)
}
}
resource "null_resource" "spoke-2-ranges-to-advertise" {
count = "${length(var.spoke_2_subnet_names)}"
count = length(local.spoke_2_subnet_cidr_ranges)
triggers = {
range = "${element(var.spoke_2_subnet_cidr_ranges, count.index)}"
range = element(local.spoke_2_subnet_cidr_ranges, count.index)
}
}
resource "google_compute_router" "hub-to-spoke-1-custom" {
count = "${var.hub_custom_route_advertisement ? 1 : 0}"
count = var.hub_custom_route_advertisement ? 1 : 0
name = "hub-to-spoke-1-custom"
region = "${element(var.hub_subnet_regions, 0)}"
network = "${module.vpc-hub.name}"
project = "${var.project_id}"
region = element(local.hub_subnet_regions, 0)
network = module.vpc-hub.network_name
project = var.hub_project_id
bgp {
asn = "${var.hub_bgp_asn}"
asn = var.hub_bgp_asn
advertise_mode = "CUSTOM"
advertised_groups = ["ALL_SUBNETS"]
advertised_ip_ranges = ["${null_resource.spoke-2-ranges-to-advertise.*.triggers}"]
dynamic "advertised_ip_ranges" {
for_each = [for trigger in null_resource.spoke-1-ranges-to-advertise.*.triggers: {
range = trigger["range"]
}]
content {
range = advertised_ip_ranges.value.range
}
}
}
}
resource "google_compute_router" "hub-to-spoke-2-custom" {
count = "${var.hub_custom_route_advertisement ? 1 : 0}"
count = var.hub_custom_route_advertisement ? 1 : 0
name = "hub-to-spoke-2-custom"
region = "${element(var.hub_subnet_regions, 1)}"
network = "${module.vpc-hub.name}"
project = "${var.project_id}"
region = element(local.hub_subnet_regions, 1)
network = module.vpc-hub.network_name
project = var.hub_project_id
bgp {
asn = "${var.hub_bgp_asn}"
asn = var.hub_bgp_asn
advertise_mode = "CUSTOM"
advertised_groups = ["ALL_SUBNETS"]
advertised_ip_ranges = ["${null_resource.spoke-1-ranges-to-advertise.*.triggers}"]
dynamic "advertised_ip_ranges" {
for_each = [for trigger in null_resource.spoke-2-ranges-to-advertise.*.triggers: {
range = trigger["range"]
}]
content {
range = advertised_ip_ranges.value.range
}
}
}
}
resource "google_compute_router" "hub-to-spoke-1-default" {
count = "${var.hub_custom_route_advertisement ? 0 : 1}"
count = var.hub_custom_route_advertisement ? 0 : 1
name = "hub-to-spoke-1-default"
region = "${element(var.hub_subnet_regions, 0)}"
network = "${module.vpc-hub.name}"
project = "${var.project_id}"
region = element(local.hub_subnet_regions, 0)
network = module.vpc-hub.network_name
project = var.hub_project_id
bgp {
asn = "${var.hub_bgp_asn}"
asn = var.hub_bgp_asn
}
}
resource "google_compute_router" "hub-to-spoke-2-default" {
count = "${var.hub_custom_route_advertisement ? 0 : 1}"
count = var.hub_custom_route_advertisement ? 0 : 1
name = "hub-to-spoke-2-default"
region = "${element(var.hub_subnet_regions, 1)}"
network = "${module.vpc-hub.name}"
project = "${var.project_id}"
region = element(local.hub_subnet_regions, 1)
network = module.vpc-hub.network_name
project = var.hub_project_id
bgp {
asn = "${var.hub_bgp_asn}"
asn = var.hub_bgp_asn
}
}
resource "google_compute_router" "spoke-1" {
name = "spoke-1"
region = "${element(var.spoke_1_subnet_regions, 0)}"
network = "${module.vpc-spoke-1.name}"
project = "${var.project_id}"
region = element(local.spoke_1_subnet_regions, 0)
network = module.vpc-spoke-1.network_name
project = var.spoke_1_project_id
bgp {
asn = "${var.spoke_1_bgp_asn}"
asn = var.spoke_1_bgp_asn
}
}
resource "google_compute_router" "spoke-2" {
name = "spoke-2"
region = "${element(var.spoke_2_subnet_regions, 0)}"
network = "${module.vpc-spoke-2.name}"
project = "${var.project_id}"
region = element(local.spoke_2_subnet_regions, 0)
network = module.vpc-spoke-2.network_name
project = var.spoke_2_project_id
bgp {
asn = "${var.spoke_2_bgp_asn}"
asn = var.spoke_2_bgp_asn
}
}
}
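Review bot: The custom hub routers appear to have had their advertised ranges swapped: `hub-to-spoke-1-custom` now iterates `null_resource.spoke-1-ranges-to-advertise.*.triggers` where the removed line advertised spoke 2's ranges, and `hub-to-spoke-2-custom` likewise now advertises spoke 2's own ranges. The router peering with spoke 1 needs to announce spoke 2's CIDRs for spoke-to-spoke transit through the hub (the hub's own subnets are already covered by `advertised_groups = ["ALL_SUBNETS"]`), so announcing a spoke's own ranges back to it breaks the transit the `hub_custom_route_advertisement` variable describes. Unless the swap is intentional, the lines should read `for_each = [for trigger in null_resource.spoke-2-ranges-to-advertise.*.triggers: {` in `hub-to-spoke-1-custom` and `null_resource.spoke-1-ranges-to-advertise` in `hub-to-spoke-2-custom`. With HCL2 the `null_resource` indirection is also unnecessary: `for_each = local.spoke_2_subnet_cidr_ranges` with `range = advertised_ip_ranges.value` yields the same blocks and lets both `null_resource` definitions be removed.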


@ -11,62 +11,88 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
variable "project_id" {
description = "Project id to use for resources."
variable "hub_project_id" {
description = "Hub Project id."
}
variable "spoke_1_project_id" {
description = "Spoke 1 Project id."
}
variable "spoke_2_project_id" {
description = "Spoke 2 Project id."
}
variable "prefix" {
description = "Prefix for VPC names."
}
variable "hub_subnet_names" {
description = "Hub VPC subnet names."
default = ["a", "b"]
}
variable "hub_subnet_regions" {
description = "Hub subnet regions."
default = ["europe-west1", "europe-west2"]
}
variable "hub_subnet_cidr_ranges" {
description = "Hub subnet IP CIDR ranges."
default = ["10.10.10.0/24", "10.10.20.0/24"]
}
variable "hub_bgp_asn" {
description = "Hub BGP ASN."
default = 64515
}
variable "hub_custom_route_advertisement" {
description = "Use custom route advertisement in hub routers to advertise all spoke subnets."
default = true
}
variable "spoke_1_subnet_names" {
description = "Spoke 1 VPC subnet names."
default = ["a", "b"]
}
variable "spoke_1_subnet_regions" {
description = "Spoke 1 subnet regions."
default = ["asia-east1", "asia-northeast1"]
}
variable "spoke_1_subnet_cidr_ranges" {
description = "Spoke 1 subnet IP CIDR ranges."
default = ["10.20.10.0/24", "10.20.20.0/24"]
variable "hub_bgp_asn" {
description = "Hub BGP ASN."
default = 64515
}
variable "spoke_1_bgp_asn" {
description = "Spoke 1 BGP ASN."
default = 64516
}
variable "spoke_2_subnet_names" {
description = "Spoke 2 VPC subnet names."
default = ["a", "b"]
}
variable "spoke_2_subnet_regions" {
description = "Spoke 2 subnet regions."
default = ["us-west1", "us-west2"]
}
variable "spoke_2_subnet_cidr_ranges" {
description = "Spoke 2 subnet IP CIDR ranges."
default = ["10.30.10.0/24", "10.30.20.0/24"]
}
variable "spoke_2_bgp_asn" {
description = "Spoke 2 BGP ASN."
default = 64517
}
}
variable "hub_subnets" {
description = "Hub VPC subnets configuration."
default = [{
subnet_name = "subnet-a"
subnet_ip = "10.10.10.0/24"
subnet_region = "europe-west1"
},
{
subnet_name = "subnet-b"
subnet_ip = "10.10.20.0/24"
subnet_region = "europe-west2"
},
]
}
variable "spoke_1_subnets" {
description = "Spoke 1 VPC subnets configuration."
default = [{
subnet_name = "subnet-a"
subnet_ip = "10.20.10.0/24"
subnet_region = "asia-east1"
},
{
subnet_name = "subnet-b"
subnet_ip = "10.20.20.0/24"
subnet_region = "asia-northeast1"
},
]
}
variable "spoke_2_subnets" {
description = "Spoke 2 VPC subnets configuration."
default = [{
subnet_name = "subnet-a"
subnet_ip = "10.30.10.0/24"
subnet_region = "us-west1"
},
{
subnet_name = "subnet-b"
subnet_ip = "10.30.20.0/24"
subnet_region = "us-west2"
},
]
}
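Review bot: None of the new variables declare a `type`; `hub_project_id`, `spoke_1_project_id`, `spoke_2_project_id` and `prefix` should carry `type = string`, the ASNs `type = number`, and the three `*_subnets` variables `type = list(map(string))`, so the `subnet["subnet_region"]` and `subnet["subnet_ip"]` lookups in locals fail at plan time on a malformed entry rather than partway through an apply. The `*_subnets` descriptions could also name the keys the rest of the example depends on, e.g. `description = "Hub VPC subnets configuration; each entry needs subnet_name, subnet_ip and subnet_region."`.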