/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

locals {
  # Attached disks keyed by disk name. A disk that carries no options of
  # its own inherits var.attached_disk_defaults.
  attached_disks = {
    for disk in var.attached_disks : disk.name => merge(disk, {
      options = disk.options != null ? disk.options : var.attached_disk_defaults
    })
  }

  # A disk is regional when its options name a replica zone; try() keeps
  # option objects that lack the attribute altogether from failing.
  attached_disks_regional = {
    for disk_name, disk in local.attached_disks :
    disk_name => disk if try(disk.options.replica_zone, null) != null
  }
  attached_disks_zonal = {
    for disk_name, disk in local.attached_disks :
    disk_name => disk if try(disk.options.replica_zone, null) == null
  }

  # Preemptible and Confidential VMs cannot be live-migrated, so the host
  # maintenance policy is forced to TERMINATE for either of them.
  on_host_maintenance = (
    !(var.options.preemptible || var.confidential_compute)
    ? "MIGRATE"
    : "TERMINATE"
  )

  # Region derived from the zone by keeping its first two dash-separated
  # parts; a zone with fewer than two parts makes slice() fail.
  region = join("-", slice(split("-", var.zone), 0, 2))

  # Identity the VM runs as: the module-managed account when one is
  # created, otherwise whatever the caller supplied (null selects the
  # provider/default behaviour).
  service_account_email = (
    !var.service_account_create
    ? var.service_account
    : (
      length(google_service_account.service_account) == 0
      ? null
      : google_service_account.service_account[0].email
    )
  )

  # Access scopes. Caller-supplied scopes win. Without them, a
  # module-created account gets cloud-platform (broad: effective access is
  # then bounded only by the IAM roles granted to the account), while a
  # caller-supplied or default account gets the minimal logging/monitoring
  # set plus read-only storage.
  service_account_scopes = (
    length(var.service_account_scopes) == 0
    ? (
      var.service_account_create
      ? [
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/userinfo.email"
      ]
      : [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring.write"
      ]
    )
    : var.service_account_scopes
  )

  # Per-interface extras (alias ranges, NIC type), indexed like
  # var.network_interfaces and defaulted to "none" for every interface the
  # caller did not configure explicitly.
  network_interface_options = {
    for nic_index, nic in var.network_interfaces :
    nic_index => lookup(var.network_interface_options, nic_index, {
      alias_ips = null,
      nic_type  = null
    })
  }
}
# Zonal persistent disks created by this module. Disks the caller merely
# attaches (source_type == "attach") are not created here, and nothing is
# created at all in template mode.
resource "google_compute_disk" "disks" {
  for_each = (
    var.create_template
    ? {}
    : {
      for disk_name, disk in local.attached_disks_zonal :
      disk_name => disk if disk.source_type != "attach"
    }
  )
  project = var.project_id
  zone    = var.zone
  name    = "${var.name}-${each.key}"
  type    = each.value.options.type
  size    = each.value.size
  # image or snapshot is populated according to source_type; the other one
  # stays null (unset).
  image    = each.value.source_type != "image" ? null : each.value.source
  snapshot = each.value.source_type != "snapshot" ? null : each.value.source
  labels = merge(var.labels, {
    disk_name = each.value.name
    disk_type = each.value.options.type
  })
  # Disk encryption is configured only when the caller passes an
  # encryption object; both key attributes are forwarded as given and a
  # null one is simply left unset.
  dynamic "disk_encryption_key" {
    for_each = var.encryption == null ? [] : [""]
    content {
      raw_key           = var.encryption.disk_encryption_key_raw
      kms_key_self_link = var.encryption.kms_key_self_link
    }
  }
}
# Regional persistent disks, replicated between var.zone and the replica
# zone named in the disk options. Same creation rules as the zonal disks:
# "attach" disks are skipped and nothing is created in template mode.
resource "google_compute_region_disk" "disks" {
  provider = google-beta
  for_each = (
    var.create_template
    ? {}
    : {
      for disk_name, disk in local.attached_disks_regional :
      disk_name => disk if disk.source_type != "attach"
    }
  )
  project       = var.project_id
  region        = local.region
  replica_zones = [var.zone, each.value.options.replica_zone]
  name          = "${var.name}-${each.key}"
  type          = each.value.options.type
  size          = each.value.size
  # Regional disks are only seeded from snapshots here; an image source is
  # deliberately not wired up (see the commented line).
  # image = each.value.source_type == "image" ? each.value.source : null
  snapshot = each.value.source_type != "snapshot" ? null : each.value.source
  labels = merge(var.labels, {
    disk_name = each.value.name
    disk_type = each.value.options.type
  })
  # Encryption is configured only when an encryption object is passed.
  # Note the attribute name differs from the zonal disk (kms_key_name),
  # while the same self-link value is fed to it.
  dynamic "disk_encryption_key" {
    for_each = var.encryption == null ? [] : [""]
    content {
      raw_key = var.encryption.disk_encryption_key_raw
      # TODO: check if self link works here
      kms_key_name = var.encryption.kms_key_self_link
    }
  }
}
# The VM itself. Not created in template mode (count = 0).
resource "google_compute_instance" "default" {
  provider                  = google-beta
  count                     = var.create_template ? 0 : 1
  project                   = var.project_id
  zone                      = var.zone
  name                      = var.name
  hostname                  = var.hostname
  description               = var.description
  tags                      = var.tags
  machine_type              = var.instance_type
  min_cpu_platform          = var.min_cpu_platform
  can_ip_forward            = var.can_ip_forward
  allow_stopping_for_update = var.options.allow_stopping_for_update
  deletion_protection       = var.options.deletion_protection
  enable_display            = var.enable_display
  labels                    = var.labels
  # Forwarded verbatim: guest-facing settings (startup scripts, SSH keys,
  # OS Login flags and the like) are entirely the caller's responsibility.
  metadata = var.metadata

  # Zonal disks: either an existing disk named by the caller, or the one
  # created by google_compute_disk.disks under the same key.
  dynamic "attached_disk" {
    for_each = local.attached_disks_zonal
    iterator = config
    content {
      device_name = config.value.name
      mode        = config.value.options.mode
      source = (
        config.value.source_type != "attach"
        ? google_compute_disk.disks[config.key].name
        : config.value.source
      )
    }
  }

  # Regional disks, mirroring the zonal block above.
  dynamic "attached_disk" {
    for_each = local.attached_disks_regional
    iterator = config
    content {
      device_name = config.value.name
      mode        = config.value.options.mode
      source = (
        config.value.source_type != "attach"
        ? google_compute_region_disk.disks[config.key].name
        : config.value.source
      )
    }
  }

  boot_disk {
    auto_delete = var.boot_disk_delete
    initialize_params {
      type  = var.boot_disk.type
      image = var.boot_disk.image
      size  = var.boot_disk.size
    }
    # Boot disk encryption follows the attached disks: both key attributes
    # stay unset unless an encryption object is given.
    disk_encryption_key_raw = var.encryption == null ? null : var.encryption.disk_encryption_key_raw
    kms_key_self_link       = var.encryption == null ? null : var.encryption.kms_key_self_link
  }

  # Confidential VM; note local.on_host_maintenance forces TERMINATE when
  # this is enabled.
  dynamic "confidential_instance_config" {
    for_each = !var.confidential_compute ? [] : [""]
    content {
      enable_confidential_compute = true
    }
  }

  dynamic "network_interface" {
    for_each = var.network_interfaces
    iterator = config
    content {
      network    = config.value.network
      subnetwork = config.value.subnetwork
      network_ip = try(config.value.addresses.internal, null)
      # An access_config block is what gives the interface an external
      # address; with nat_ip null the provider allocates an ephemeral one.
      dynamic "access_config" {
        for_each = !config.value.nat ? [] : [""]
        content {
          nat_ip = try(config.value.addresses.external, null)
        }
      }
      # Alias IP ranges come from the per-interface options, keyed by
      # secondary range name.
      dynamic "alias_ip_range" {
        for_each = (
          local.network_interface_options[config.key].alias_ips == null
          ? {}
          : local.network_interface_options[config.key].alias_ips
        )
        iterator = config_alias
        content {
          subnetwork_range_name = config_alias.key
          ip_cidr_range         = config_alias.value
        }
      }
      nic_type = local.network_interface_options[config.key].nic_type
    }
  }

  scheduling {
    # Preemptible VMs cannot auto-restart.
    automatic_restart   = var.options.preemptible ? false : true
    on_host_maintenance = local.on_host_maintenance
    preemptible         = var.options.preemptible
  }

  # One local SSD per requested scratch disk, all on the same interface.
  dynamic "scratch_disk" {
    for_each = [
      for idx in range(var.scratch_disks.count) : var.scratch_disks.interface
    ]
    iterator = config
    content {
      interface = config.value
    }
  }

  service_account {
    email  = local.service_account_email
    scopes = local.service_account_scopes
  }

  # Shielded VM options (Secure Boot, vTPM, integrity monitoring) are only
  # set when the caller passes a shielded_config; otherwise the provider's
  # own defaults apply.
  dynamic "shielded_instance_config" {
    for_each = var.shielded_config == null ? [] : [var.shielded_config]
    iterator = config
    content {
      enable_secure_boot          = config.value.enable_secure_boot
      enable_vtpm                 = config.value.enable_vtpm
      enable_integrity_monitoring = config.value.enable_integrity_monitoring
    }
  }

  # guest_accelerator
}
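# Instance-level IAM bindings, one per role in var.iam. A *_iam_binding is
# authoritative for its role: members not listed for that role are removed
# on apply, so var.iam must hold the complete membership per role.
resource "google_compute_instance_iam_binding" "default" {
  # No instance exists in template mode, so no binding can be created
  # either; var.iam is only honoured when the VM itself is created.
  for_each      = var.create_template ? {} : var.iam
  project       = var.project_id
  zone          = var.zone
  instance_name = var.name
  role          = each.key
  members       = each.value
  depends_on    = [google_compute_instance.default]
}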
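# Instance template, created instead of a VM when var.create_template is
# set. name_prefix together with create_before_destroy lets a changed
# template be replaced without a gap for whatever references it.
resource "google_compute_instance_template" "default" {
  provider         = google-beta
  count            = var.create_template ? 1 : 0
  project          = var.project_id
  region           = local.region
  name_prefix      = "${var.name}-"
  description      = var.description
  tags             = var.tags
  machine_type     = var.instance_type
  min_cpu_platform = var.min_cpu_platform
  can_ip_forward   = var.can_ip_forward
  # Forwarded verbatim: guest-facing settings (startup scripts, SSH keys,
  # OS Login flags and the like) are entirely the caller's responsibility.
  metadata = var.metadata
  labels   = var.labels

  disk {
    auto_delete  = var.boot_disk_delete
    boot         = true
    disk_size_gb = var.boot_disk.size
    disk_type    = var.boot_disk.type
    source_image = var.boot_disk.image
    # Keep the template's boot disk consistent with the instance resource:
    # apply the caller's KMS key when one is given. Template disks only
    # take a KMS key, so a raw customer-supplied key cannot be forwarded
    # here and is ignored for templates.
    dynamic "disk_encryption_key" {
      for_each = try(var.encryption.kms_key_self_link, null) == null ? [] : [""]
      content {
        kms_key_self_link = var.encryption.kms_key_self_link
      }
    }
  }

  # Confidential VM; local.on_host_maintenance forces TERMINATE when set.
  dynamic "confidential_instance_config" {
    for_each = var.confidential_compute ? [""] : []
    content {
      enable_confidential_compute = true
    }
  }

  # Additional disks. Attaching an existing disk (source_type == "attach")
  # uses `source`, which cannot be combined with the size/type/name/image
  # fields, hence the alternation below.
  dynamic "disk" {
    for_each = local.attached_disks
    iterator = config
    content {
      # auto_delete = config.value.options.auto_delete
      device_name = config.value.name
      # Cannot use `source` with any of the fields in
      # [disk_size_gb disk_name disk_type source_image labels]
      disk_type = (
        config.value.source_type != "attach" ? config.value.options.type : null
      )
      disk_size_gb = (
        config.value.source_type != "attach" ? config.value.size : null
      )
      mode = config.value.options.mode
      source_image = (
        config.value.source_type == "image" ? config.value.source : null
      )
      source = (
        config.value.source_type == "attach" ? config.value.source : null
      )
      disk_name = (
        config.value.source_type != "attach" ? config.value.name : null
      )
      type = "PERSISTENT"
      # NOTE(review): additional disks created from this template receive
      # no disk_encryption_key, unlike google_compute_disk.disks; confirm
      # whether that is intended before relying on var.encryption here.
    }
  }

  dynamic "network_interface" {
    for_each = var.network_interfaces
    iterator = config
    content {
      network    = config.value.network
      subnetwork = config.value.subnetwork
      network_ip = try(config.value.addresses.internal, null)
      # An access_config block is what gives the interface an external
      # address; with nat_ip null the provider allocates an ephemeral one.
      dynamic "access_config" {
        for_each = config.value.nat ? [""] : []
        content {
          nat_ip = try(config.value.addresses.external, null)
        }
      }
      dynamic "alias_ip_range" {
        for_each = local.network_interface_options[config.key].alias_ips != null ? local.network_interface_options[config.key].alias_ips : {}
        iterator = config_alias
        content {
          subnetwork_range_name = config_alias.key
          ip_cidr_range         = config_alias.value
        }
      }
      nic_type = local.network_interface_options[config.key].nic_type
    }
  }

  scheduling {
    # Preemptible VMs cannot auto-restart.
    automatic_restart   = !var.options.preemptible
    on_host_maintenance = local.on_host_maintenance
    preemptible         = var.options.preemptible
  }

  service_account {
    email  = local.service_account_email
    scopes = local.service_account_scopes
  }

  lifecycle {
    create_before_destroy = true
  }
}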
# Optional unmanaged instance group wrapping the single VM, so it can be
# used as a load balancer backend. Only created when a group is requested
# and a VM (not a template) is being built.
resource "google_compute_instance_group" "unmanaged" {
  count   = var.group != null && !var.create_template ? 1 : 0
  project = var.project_id
  # The group's network is that of the first interface, or empty when the
  # VM has none.
  network = (
    length(var.network_interfaces) == 0
    ? ""
    : var.network_interfaces[0].network
  )
  zone        = var.zone
  name        = var.name
  description = var.description
  instances   = [google_compute_instance.default[0].self_link]
  # Named ports come straight from the group configuration, if any.
  dynamic "named_port" {
    for_each = var.group.named_ports == null ? {} : var.group.named_ports
    iterator = config
    content {
      name = config.key
      port = config.value
    }
  }
}
# Dedicated service account for the VM, created on request. No IAM roles
# are granted here: the account has whatever access the caller binds to it
# elsewhere, which is what keeps the cloud-platform scope default in
# local.service_account_scopes least-privilege in practice.
resource "google_service_account" "service_account" {
  count        = !var.service_account_create ? 0 : 1
  project      = var.project_id
  # NOTE(review): the account id is derived from var.name without
  # truncation; confirm callers keep it within the API's id length limits.
  account_id   = "tf-vm-${var.name}"
  display_name = "Terraform VM ${var.name}."
}