cloud-foundation-fabric/infrastructure/shared-vpc
Ludovico Magnocavallo b278c4eae4
infrastructure/shared-vpc: update module versions, fixes #34 (#36)
2020-02-18 20:56:47 +01:00
.terraform.tfstate.lock.info infrastructure/shared-vpc: update module versions, fixes #34 (#36) 2020-02-18 20:56:47 +01:00
README.md Update docs using tfdoc format (#28) 2020-01-10 13:44:54 +01:00
backend.tf.sample Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
diagram.gcpdraw Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
diagram.png Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
locals.tf Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
main.tf infrastructure/shared-vpc: update module versions, fixes #34 (#36) 2020-02-18 20:56:47 +01:00
outputs.tf Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
test-resources.tf Shared VPC example (#13) 2019-10-20 08:17:32 +02:00
variables.tf Update docs using tfdoc format (#28) 2020-01-10 13:44:54 +01:00
versions.tf Shared VPC example (#13) 2019-10-20 08:17:32 +02:00

README.md

Shared VPC sample

This sample creates a basic Shared VPC infrastructure: two service projects are each attached to their own subnet, and the host project exposes Cloud DNS and Cloud KMS as centralized services. The two service projects are deliberately slightly different, to illustrate the IAM-level differences that need to be taken into account when sharing subnets with GCE on the one hand and GKE on the other (GKE's service agents need bindings in the host project that a plain GCE project does not).

The purpose of this sample is to show how to wire different Cloud Foundation Fabric modules together into a Shared VPC infrastructure, and as such it is meant for prototyping or for experimenting with networking configurations. Additional best practices and security considerations need to be taken into account for real-world usage (e.g. removal of the default service accounts, disabling external IPs, a proper firewall design, etc.).

High-level diagram

Managed resources and services

This sample creates several distinct groups of resources:

  • three projects (Shared VPC host and two service projects)
  • VPC-level resources (VPC, subnets, firewall rules, etc.) in the host project
  • one internal Cloud DNS zone in the host project
  • one Cloud KMS keyring with one key in the host project
  • IAM roles to wire all the above resource together
  • one test instance in each project, with their associated DNS records
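The IAM-level difference between the GCE and GKE service projects mentioned above, written out as plain Terraform resources rather than the Fabric modules this sample wires together. This is an added example, not code from the sample or from the Cloud Foundation Fabric modules; the project ids, project numbers, region and CIDR ranges are placeholders, and it assumes Terraform 0.12.6 or later (resource `for_each`) and the `google` provider.

```hcl
# Added example (not part of the sample): minimal Shared VPC wiring with the
# IAM bindings each kind of service project needs. Project ids, project
# numbers, region and ranges are placeholders, replace them with your own.

locals {
  host_project_id    = "svpc-host"
  gce_project_id     = "svpc-gce"
  gce_project_number = "111111111111"
  gke_project_id     = "svpc-gke"
  gke_project_number = "222222222222"
  region             = "europe-west1"
}

resource "google_compute_network" "vpc" {
  project                 = local.host_project_id
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gce" {
  project                  = local.host_project_id
  name                     = "gce"
  region                   = local.region
  network                  = google_compute_network.vpc.self_link
  ip_cidr_range            = "10.0.16.0/24"
  private_ip_google_access = true
}

# GKE (VPC-native) needs secondary ranges for pods and services on its subnet.
resource "google_compute_subnetwork" "gke" {
  project                  = local.host_project_id
  name                     = "gke"
  region                   = local.region
  network                  = google_compute_network.vpc.self_link
  ip_cidr_range            = "10.0.32.0/24"
  private_ip_google_access = true
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.128.0.0/18"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "172.16.0.0/24"
  }
}

resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project_id
}

resource "google_compute_shared_vpc_service_project" "gce" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.gce_project_id
}

resource "google_compute_shared_vpc_service_project" "gke" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.gke_project_id
}

# GCE service project: the identity that creates instances needs
# compute.networkUser, granted on its own subnet only rather than on the whole
# host project (least privilege). Here that is the project's Compute Engine
# default service account.
resource "google_compute_subnetwork_iam_member" "gce_network_user" {
  project    = local.host_project_id
  region     = local.region
  subnetwork = google_compute_subnetwork.gce.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${local.gce_project_number}-compute@developer.gserviceaccount.com"
}

# GKE service project: node VMs are created by the GKE service agent and the
# Google APIs service agent of the service project, so both need
# compute.networkUser on the GKE subnet...
resource "google_compute_subnetwork_iam_member" "gke_network_user" {
  for_each = toset([
    "serviceAccount:service-${local.gke_project_number}@container-engine-robot.iam.gserviceaccount.com",
    "serviceAccount:${local.gke_project_number}@cloudservices.gserviceaccount.com",
  ])
  project    = local.host_project_id
  region     = local.region
  subnetwork = google_compute_subnetwork.gke.name
  role       = "roles/compute.networkUser"
  member     = each.value
}

# ...and the GKE service agent additionally needs hostServiceAgentUser on the
# host project, so it can manage the cluster's firewall rules and routes there.
resource "google_project_iam_member" "gke_host_service_agent" {
  project = local.host_project_id
  role    = "roles/container.hostServiceAgentUser"
  member  = "serviceAccount:service-${local.gke_project_number}@container-engine-robot.iam.gserviceaccount.com"
}
```

Keeping `networkUser` at subnet level, as above, is what lets each service project see only its own subnet; a binding on the host project instead would let either service project attach instances to any shared subnet.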

Test resources

A set of test resources are included for convenience, as they facilitate experimenting with different networking configurations (firewall rules, external connectivity via VPN, etc.). They are encapsulated in the test-resources.tf file, and can be safely removed as a single unit.

SSH access to instances is configured via OS Login, except for the GKE project instance, since GKE nodes do not support OS Login. To access the GKE instance, use an SSH key set at the project or instance level. External access is allowed via the default SSH rule created by the firewall module, matched by the corresponding ssh tags on the instances; check the source ranges that rule allows before relying on it outside of a test setup.

The GCE instance is somewhat special, as it is configured to run a containerized MySQL server using the cos-mysql module. It shows a practical example of using that module with its secret encrypted via KMS, and demonstrates how to define a custom firewall rule in the firewall module.

The networking and GKE instances have dig and the mysql client installed via startup scripts, so that tests can be run as soon as they are created.

Destroying

There is a minor glitch that can surface when running terraform destroy, with a simple workaround. The glitch is due to a delay between the API reporting the removal of the service projects from the Shared VPC as successful (the google_compute_shared_vpc_service_project resources are destroyed) and the Shared VPC host resource catching up with that event. This results in an error that prevents disabling the Shared VPC host feature: Error disabling Shared VPC Host [...] Cannot disable project as a shared VPC host because it has active service projects. The workaround is to run terraform destroy again after a few seconds, giving the Shared VPC host resource time to get in sync with the service project removal.

Variables

| name | description | type | required | default |
|---|---|---|:---:|:---:|
| billing_account_id | Billing account id used as default for new projects. | string | ✓ | |
| prefix | Prefix used for resources that need unique names. | string | ✓ | |
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | string | ✓ | |
| kms_keyring_location | Location used for the KMS keyring. | string | | europe |
| kms_keyring_name | Name used for the KMS keyring. | string | | svpc-example |
| oslogin_admins_gce | GCE project OS Login admin members, in IAM format. | list(string) | | [] |
| oslogin_users_gce | GCE project OS Login user members, in IAM format. | list(string) | | [] |
| owners_gce | GCE project owners, in IAM format. | list(string) | | [] |
| owners_gke | GKE project owners, in IAM format. | list(string) | | [] |
| owners_host | Host project owners, in IAM format. | list(string) | | [] |
| project_services | Service APIs enabled by default in new projects. | list(string) | | ... |
| subnet_secondary_ranges | Shared VPC subnets secondary range definitions. | map(list(object({...}))) | | ... |
| subnets | Shared VPC subnet definitions. | list(object({...})) | | ... |

Outputs

| name | description | sensitive |
|---|---|:---:|
| host_project_id | VPC host project id. | |
| service_project_ids | Service project ids. | |
| vpc_name | Shared VPC name. | |
| vpc_subnets | Shared VPC subnets. | |