cloud-foundation-fabric/modules/cloud-config-container/simple-nva
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843)
Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-02-26 10:16:52 +00:00

README.md

Google Simple NVA Module

This module renders a cloud-config for Network Virtual Appliances (NVAs) as a stub for future appliance deployments: it creates no resources itself, and the rendered file (the cloud_config output) is passed to a VM as the user-data metadata key, as in the examples below.

These NVAs can be used to interconnect up to 8 VPCs, one per network interface; 8 is the maximum number of interfaces a Compute Engine VM supports, and the number actually available depends on the machine type's vCPU count.

The NVAs run Container-Optimized OS (COS), a Linux-based OS designed for running containers. By default its host firewall only allows SSH ingress; to see the exact configuration, run sudo iptables -L -v on the instance. Note that this is the instance's own iptables firewall, enforced in addition to (not instead of) VPC firewall rules, so a port must be allowed by both before traffic reaches a service on the NVA. More information is available in the official documentation.

To configure the host firewall, you can either

  • use the open_ports variable
  • for finer-grained control, pass a custom bash script with iptables commands to be run at startup (for example through the files variable, as in the commented-out block in the first example below)
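As an added example (not part of the module or this README), here is a firewall-rules.sh of the kind the files variable can install as /var/lib/cloud/scripts/per-boot/firewall-rules.sh, for cases where open_ports is too coarse. It opens the BGP port only to the neighbor from the sample frr.conf below (10.128.0.2) and the health check port only to Google's probe source ranges; the peer list and the probe port are assumptions parameterised through environment variables, not values the module defines. Rules are inserted at the head of INPUT and checked before insertion, so the script is safe to run on every boot; it deliberately does not touch the FORWARD chain or the nat table that transit traffic depends on.

```shell
#!/bin/bash
# firewall-rules.sh: extra host-firewall (iptables) rules for a simple-nva instance.
# Added example; not part of the module. Intended to be installed through the `files`
# variable as /var/lib/cloud/scripts/per-boot/firewall-rules.sh (mode 0700) so that
# cloud-init runs it on every boot. It only touches the INPUT chain (traffic addressed
# to the host itself) and leaves FORWARD and the nat table alone.
set -eu

# Assumed deployment values (override through the environment before calling fw_apply).
BGP_PEERS="${BGP_PEERS:-10.128.0.2}"        # space-separated BGP neighbors; 10.128.0.2 is the sample frr.conf peer
HC_PORT="${HC_PORT:-80}"                     # TCP port your load balancer health check probes (assumed 80)
HC_RANGES="35.191.0.0/16 130.211.0.0/22"     # Google Cloud health check probe source ranges

# fw_rules prints one INPUT rule specification per line (without the -A/-C/-I verb),
# so the same list can be reviewed, counted, and applied.
fw_rules() {
  for range in $HC_RANGES; do
    printf 'INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$range" "$HC_PORT"
  done
  for peer in $BGP_PEERS; do
    printf 'INPUT -s %s -p tcp --dport 179 -j ACCEPT\n' "$peer"
  done
}

# fw_rule_count returns how many rules fw_rules would apply.
fw_rule_count() { fw_rules | wc -l | tr -d ' '; }

# fw_apply inserts each rule at the head of INPUT (-I, so it takes effect whether COS
# ends the chain with a DROP policy or a trailing DROP rule) and skips rules that already
# exist (-C), which keeps the script idempotent across boots and manual re-runs.
fw_apply() {
  fw_rules | while IFS= read -r spec; do
    # word-splitting $spec into separate iptables arguments is intended
    iptables -C $spec 2>/dev/null || iptables -I $spec
  done
}

# Apply only when executed as the per-boot script, not when sourced for inspection.
case "${0##*/}" in
  firewall-rules.sh) fw_apply ;;
esac
```

Running `fw_rules` by hand (or sourcing the file) shows exactly what would be applied without touching the firewall, which is the check to run before shipping the script through the files variable.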

Examples

Simple example

locals {
  network_interfaces = [
    {
      addresses  = null
      name       = "dev"
      nat        = false
      network    = "dev_vpc_self_link"
      routes     = ["10.128.0.0/9"]
      subnetwork = "dev_vpc_nva_subnet_self_link"
    },
    {
      addresses  = null
      name       = "prod"
      nat        = false
      network    = "prod_vpc_self_link"
      routes     = ["10.0.0.0/9"]
      subnetwork = "prod_vpc_nva_subnet_self_link"
    }
  ]
}

module "cos-nva" {
  source               = "./fabric/modules/cloud-config-container/simple-nva"
  enable_health_checks = true
  network_interfaces   = local.network_interfaces
  # files = {
  #   "/var/lib/cloud/scripts/per-boot/firewall-rules.sh" = {
  #     content     = file("./your_path/to/firewall-rules.sh")
  #     owner       = "root"
  #     permissions = 0700
  #   }
  # }
}

module "vm" {
  source             = "./fabric/modules/compute-vm"
  project_id         = "my-project"
  zone               = "europe-west8-b"
  name               = "cos-nva"
  network_interfaces = local.network_interfaces
  can_ip_forward     = true
  metadata = {
    user-data              = module.cos-nva.cloud_config
    google-logging-enabled = true
  }
  boot_disk = {
    initialize_params = {
      image = "projects/cos-cloud/global/images/family/cos-stable"
      type  = "pd-ssd"
      size  = 10
    }
  }
  tags = ["nva", "ssh"]
}
# tftest modules=1 resources=1

Example with advanced routing capabilities (FRR)

The sample code below brings up an FRRouting (FRR) container on the NVA.

# tftest-file id=frr_conf path=./frr.conf
# Example frr.conf file

log syslog informational
no ipv6 forwarding
router bgp 65001
 neighbor 10.128.0.2 remote-as 65002
line vty

The following code assumes a file named frr.conf exists in the same folder as the Terraform configuration.

locals {
  network_interfaces = [
    {
      addresses           = null
      name                = "dev"
      nat                 = false
      network             = "dev_vpc_self_link"
      routes              = ["10.128.0.0/9"]
      subnetwork          = "dev_vpc_nva_subnet_self_link"
      enable_masquerading = true
      non_masq_cidrs      = ["10.0.0.0/8"]
    },
    {
      addresses  = null
      name       = "prod"
      nat        = false
      network    = "prod_vpc_self_link"
      routes     = ["10.0.0.0/9"]
      subnetwork = "prod_vpc_nva_subnet_self_link"
    }
  ]
}

module "cos-nva" {
  source               = "./fabric/modules/cloud-config-container/simple-nva"
  enable_health_checks = true
  network_interfaces   = local.network_interfaces
  frr_config           = { config_file = "./frr.conf", daemons_enabled = ["bgpd"] }
  run_cmds             = ["ls -l"]
}

module "vm" {
  source             = "./fabric/modules/compute-vm"
  project_id         = "my-project"
  zone               = "europe-west8-b"
  name               = "cos-nva"
  network_interfaces = local.network_interfaces
  can_ip_forward     = true
  metadata = {
    user-data              = module.cos-nva.cloud_config
    google-logging-enabled = true
  }
  boot_disk = {
    initialize_params = {
      image = "projects/cos-cloud/global/images/family/cos-stable"
      type  = "pd-ssd"
      size  = 10
    }
  }
  tags = ["nva", "ssh"]
}
# tftest modules=1 resources=1 files=frr_conf

The FRR container is managed as a systemd service. To interact with the service, use the standard systemd commands: sudo systemctl {start|stop|restart|status} frr.

To interact with the FRR CLI run:

# get the ID of the running FRR container (the module runs a single container, so the
# first running ID is the right one; -a would also list exited containers)
CONTAINER_ID=$(sudo docker ps -q | head -n 1)
sudo docker exec -it "$CONTAINER_ID" vtysh

Check the FRR running configuration with show running-config from vtysh. Always refer to the official documentation for more information on vtysh and its useful commands.

The sample frr.conf file is based on the documentation available here. It configures a BGP service with ASN 65001 on the FRR container, establishing a BGP session with a remote neighbor at IP address 10.128.0.2 with ASN 65002. Check the BGP status with show bgp summary from vtysh. For the session to come up, TCP port 179 must be allowed by the VPC firewall, and by the COS host firewall as well (via open_ports or a custom iptables script) if the neighbor may be the side initiating the session; the neighbor must also be reachable through one of the NVA's interfaces.
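As an added example (not part of the module or this README), the following script turns the show bgp summary check above into something that can run unattended on the instance: it parses the State/PfxRcd column FRR prints for each neighbor and fails when any session is not Established, which is the first thing to look at when routes expected from the NVA do not appear. The frr_bgp_summary helper locates the container the same way as above and assumes FRR is the only running container on the instance; the embedded FRR output is constructed for the README's ASN 65001 / 10.128.0.2 setup, not captured from a real instance.

```shell
#!/bin/bash
# bgp-check.sh: verify that the NVA's FRR BGP sessions are Established.
# Added example; not part of the module or this README. Meant to run on the simple-nva
# instance (from run_cmds, a cron entry, or by hand after a configuration change).
set -eu

# frr_bgp_summary prints `show bgp summary` from the FRR container. As in the README,
# the container is located with `docker ps`; this assumes FRR is the only running
# container on the instance (no module-specific container name is relied on).
frr_bgp_summary() {
  cid=$(sudo docker ps -q | head -n 1)
  [ -n "$cid" ] || { echo "no running container found; is the frr service up?" >&2; return 1; }
  sudo docker exec "$cid" vtysh -c 'show bgp summary'
}

# bgp_peers_down reads `show bgp summary` text on stdin and prints "<neighbor> <state>"
# for each neighbor whose session is not Established. FRR shows the number of received
# prefixes in the State/PfxRcd column (10th field) once a session is Established and the
# FSM state (Idle, Active, Connect, OpenSent, ...) otherwise, so a non-numeric value
# means the session is down. Neighbors are matched by IPv4/IPv6 address; interface
# (unnumbered) peers would need the address regex extended.
bgp_peers_down() {
  awk '
    /^Neighbor[[:space:]]/ { in_table = 1; next }
    in_table && NF >= 10 && $1 ~ /^[0-9a-fA-F.:]+$/ && $10 !~ /^[0-9]+$/ { print $1, $10 }
  '
}

# bgp_session_ok returns 0 when every neighbor on stdin is Established and 1 otherwise,
# listing the down peers on stderr; suitable as a health or post-change check.
bgp_session_ok() {
  down=$(bgp_peers_down)
  [ -z "$down" ] && return 0
  printf 'BGP peers not Established:\n%s\n' "$down" >&2
  return 1
}

# Constructed sample of FRR output for the README's ASN 65001 / neighbor 10.128.0.2 setup,
# with the session stuck in Active (as seen when TCP/179 is blocked by a firewall).
SAMPLE_DOWN='IPv4 Unicast Summary (VRF default):
BGP router identifier 10.128.0.10, local AS number 65001 vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 724 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.128.0.2      4      65002         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 1'

# Constructed sample of the same neighbor once Established: State/PfxRcd holds the
# received-prefix count.
SAMPLE_UP='Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.128.0.2      4      65002        12        14        0    0    0 00:05:31            3        2 N/A'

# Check the live instance when executed directly; sourcing only defines the functions.
case "${0##*/}" in
  bgp-check.sh) frr_bgp_summary | bgp_session_ok ;;
esac
```

To exercise the parser offline, pipe the constructed samples through it: printf '%s\n' "$SAMPLE_DOWN" | bgp_peers_down prints the Active neighbor, while the Established sample prints nothing and makes bgp_session_ok return 0.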

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| network_interfaces | Network interfaces configuration. | list(object({…})) | ✓ |  |
| cloud_config | Cloud config template path. If null default will be used. | string |  | null |
| enable_health_checks | Configures routing to enable responses to health check probes. | bool |  | false |
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) |  | {} |
| frr_config | FRR configuration for container running on the NVA. | object({…}) |  | null |
| open_ports | Optional firewall ports to open. | object({…}) |  | {…} |
| run_cmds | Optional cloud init run commands to execute. | list(string) |  | [] |

Outputs

| name | description | sensitive |
|---|---|---|
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. |  |