Merge development branch (#44)
* VPN-HA module initial commit

* Added readme for net-vpn-ha module

* Update readme, add simple description

* Merge new modules list and environments foundation example (#30)

* gke-cluster

* net-vpc module and tests

* add TODO to net-vpc module

* add minimal README files with input/output variables to gke and net-vpc modules

* BigQuery Module (#24)

* Bigquery Module

* Added README file

* Added type hints

* gke-cluster

* net-vpc module and tests

* add TODO to net-vpc module

* add minimal README files with input/output variables to gke and net-vpc modules

* BigQuery Module (#24)

* Bigquery Module

* Added README file

* Added type hints

* GCS module

* net vpc module: improve secondary range outputs

* net vpc module: add serve project registration

* project module

* move bigquery module to not-ready folder

* folders module

* rename project module's iam variables

* slight tweak to folder module outputs

* gcs module

* simplify net-vpc module variables

* fix module tests configurations, fix net-vpc module tests

* add pydoc utility

* add/update module READMEs

* add/update module READMEs

* add/update module READMEs

* improve variable type summary generation in tfdoc

* tfdoc: add support for replacing doc in README.md files

* improve module READMEs

* net-vpc-firewall module

* add support for sensitive output attribute in tfdoc

* remove empty function from tfdoc

* render variable type as code in tfdoc

* update module READMEs

* net address module

* net cloudnat module

* remove redundant variable from net-cloudnat module

* vpc module: add support for peering, use network name as subnet name prefix

* net-vpn-static module

* net-vpn-static module README

* net-vpn-static module README

* tfdoc: fix error on undeclared variable type

* dns module

* set version for all modules

* kms module (untested)

* change kms key self links output to map, fix gcs and kms iam variable descriptions

* fix kms module

* update kms module readme

* simplify local iam pairs in modules

* service accounts module (unfinished)

* work on service accounts module

* project module: add gcr service account

* project module: update outputs in README

* first working version of the iam service accounts module

* iam service accounts module: extra checks in locals

* modules/net-cloudnat: reorder variables

* modules/net-vpn-dynamic: initial import (untested)

* modules/net-vpn-dynamic: first working version

* modules/net-vpn-dynamic: add outputs for auto-created router

* modules/net-vpn-dynamic: update README

* modules/net-[vpn,cloudnat]: clean up variables, remove prefix

* modules/net-vpn-dynamic: add advertisement configuration to tunnel bgp peer, refactor variables

* tfdoc: add tooltips for variable types and defaults

* modules: update README variables and outputs

* tfdoc: improve variable default rendering

* modules: update README variables and outputs

* modules/net-vpc: minimal output refactoring

* modules/vm-cos: initial import, base resources working, no outputs

* modules/vm-cos: add variable descriptions

* tfdoc: fix parsing in type and default blocks

* modules/vm-cos: fix README

* tfdoc: fix parsing in type and default blocks

* modules/vm-cos: fix README

* modules/compute-vm: initial working import (not fully tested)

* modules/vm-cos: move to not-ready

* tfdoc: fix variable defaults formatting

* modules: update README files with tfdoc fixes

* modules: add initial examples

* gke-nodepool: initial import, untested

* gke nodepool: add README, fix location variable, set node count default to 1

* gke cluster: fix private cluster variables

* gke nodepool: fix README title

* gke cluster: add output for cluster location

* gke nodepool: add missing variables for project id and cluster name, remove default from location variable, fix gke version assignment

* gke nodepool: update README

* net-cloudnat: fix router name when creating default router

* fix variables used for address and router optional creation

* vpn dynamic: fix README

* modules/net-vpn-dynamic: fix router name output

* modules/compute-vm: remove unused variable

* modules/compute-vm-cos-coredns: initial import

* Update foundations modules versions (#26)

* update foundations modules versions

* update Terraform version to v0.12.19 in CI test configuration

* backport tfdoc from Ludo's branch (#27)

* Update docs using tfdoc format (#28)

* update README files

* set all types on variables

* foundations/environments: move log filter to a variable, use org for xpn by default

* foundations/environments: do not use liens by default

* modules/ntp-vpc: better shared_vpc_host variable description

* modules/logging-sinks: initial version

* modules/logging-sinks: streamline options in sinks variable

* modules/compute-vm-cos-coredns: add support for additional files

* modules/folders: rename from 'folder'

* modules/logging-sinks: fix circular dependencies and improve variables

* modules/project: remove extra variable

* modules/bigquery: new module with dataset support only

* foundations/environments: refactor using local modules

* modules/bigquery: better variables, README description and example

* modules: fix a few READMEs

Co-authored-by: Julio Castillo <[email protected]>

* modules/net-vpc: README description and examples

* modules/net-vpc: tweak README description and examples

* modules/net-vpc: tweak README description and examples

* modules/net-vpc-firewall: change tag-based rule default ranges, improve README examples and description

* modules/compute-vm: README changes

* modules/compute-vm: use an object for the service account variable, update README

* modules/compute-vm: update README variables table

* modules/compute-vm: add TODO list to README

* modules/compute-vm: add TODO list to README

* modules/compute-vm: add outputs for service account

* modules/net-cloudnat: README

* modules/net-cloudnat: README

* modules/net-cloudnat: add router_create variable

* modules/compute-vm: simplify service account variables

* modules/net-vpn-dynamic: fix README example, use local secret for both empty string and null

* modules/net-vpn-dynamic: improve README example

* modules/gke-cluster: minimal README tweaks

* modules/kms: fix ephemeral keys resource name

* modules/iam-service-accounts: add storage roles

* modules/gke-nodepool: fix node default scopes

* New project variable to prevent deletion of default network (#32)

* New project variable to prevent deletion of default network

This is a workaround to fix #31 while the GCP terraform provider is fixed

* Add TODOs to remove workarounds in the project module

* Fix Cloud Build files

* modules/gke-nodepool: add monitoring scope to defaults

* modules/iam-service-accounts: add support for IAM bindings on the service accounts

* playground module in sandbox, remove not ready modules

* Fix ci configurations in development branch (#33)

* try fixing ci configurations

* add exclusion match to ci boilerplate check

* add skip boilerplate comment to compute-vm-cos-coredns template fragment

* modules/gke-cluster: fix boilerplate in outputs

* Simplify tests, re-enable CI

* add instance group support to compute-vm, start tests refactoring

* modules/compute-vm: group fixes, tests

* modules/compute-vm: minimal test beautification

* simplify top-level pytest fixture

* modules/dns: tests and minor tweaks

* fix missing boilerplate in tests

* re-add requirements file to tests folder

* re-enable tests in ci build configuration

* Folder module tests and fixes (#38)

* folder tests wip

* modules/folders: tests and tweaks

* update folders and compute-vm README files

* modules/gcs: tests and minor tweaks

* Create README.md

* Update README.md

* Update README.md

* Update README.md

* Added docker image for strongSwan

* Add support for routes and tests to net-vpc module (#39)

* modules/net-vpc: add routes (untested)

* initial tests

* modules/net-vpc: add test for flow logs

* modules/net-vpc: split tests into two separate files

* modules/net-vpc: routes test

* modules/net-vpc: test routes

* Add support for Terraform plugin cache in ci test build file (#40)

* add Terraform plugin caching to test ci build configuration

* fix mkdir in test build configuration

* trigger test check

* Refactor dynamic vpn configuration for on-prem-in-a-box module

* Fix dynamic vpn for onprem-in-a-box module

* Migrate Shared VPC example to local modules (#41)

* wip

* wip

* validated, untested

* modules/compute-vm: make service account email in locals resilient to destroy

* modules/project: make project id output depend on iam roles

* fixes

* shared-vpc tweaks

* update diagram

* update README input output tables

* modules/compute-vm: add service account IAM email output

* move GKE service account roles at the project level, add GCE service account roles

* update diagram and README

* modules/project: add extra output for IAM-dependent project id

* update modules READMEs

* minor tweaks

* modules/compute-vm: fix service account output

* remove static address from NAT

* fix container service agent binding dependency

* rename shared vpc

* Update README.md

* Update README.md

* Add static vpn gw to on-prem-in-a-box module

* Refactor hub and spoke to use new modules (#42)

* modules/compute-vm: saner defaults for service account scopes

* hub and spoke refactor, docs still missing

* complete hub and spoke

* Update README.md

* Add toolbox docker container, fix gw routing to the internet

* Add DNS Hybrid connectivity parameters

* Fix onprem dns zone for the static vpn configuration

* Added readme.md for on-prem module

* Add new line at the end of the files

* Add boilerplate for cloudbuild config files

* fix boilerplate in strongswan shell script

* Update README.md

* include missing file to fix merge conflict

* remove missing file to fix merge conflict

* include missing file to fix merge conflict (again)

* remove content from spurious file used to avoid merge conflicts

* Add net-vpc-peering module

* Initial commit for hub-and-spoke-peering infrastructure example

* Fix typos in infrastructure/ READMEs

* remove stale file

* use larger resolution version of hub and spoke diagram

* Update README.md

* Update hub-and-spoke-peerings example to use internal modules

* Add initial project tests (#46)

* modules/project: make prefix optional

* initial project module tests

* modules/project: use null for unset parent

* modules/dns: backport PR6 from the CFT dns module

* Add testing resources including on-prem-in-a-box to hub-and-spoke-peerings example

* Fix firewall rules to allow connectivity, switch to custom route advertisement for onprem -> spokes connectivity

* Move locals out of main.tf

* remove ssh tag from compute-vm variable default

* Add ssh tag to the test vms

* Update README.md

* Update README.md

* Update README.md

* Hub and spoke peering changes (#48)

* rename hub-and-spoke-vpn

* add ssh tag to shared-vpc-gke instance

* rename and rework hub and spoke peering

* fix test requirements

* align hub and spoke peering with module contents

* diagram

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* minimal fixes to onprem examples variable files

* onprem example stub, missing DNS zones and private.googleapis records onprem

* add missing boilerplate

* Update README.md

* Update README.md

* infra/onprem: add test instance and minimal outputs

* add DNS modules and resource

* infra/onprem: diagram and initial README

* minor changes to onprem module and example (#49)

* update toolbox image

* infra/onprem: add zone for private access, add metadata domain to onprem dns

* infra/onprem: onprem service account, add testing procedure in README

* Update README.md

* infra/onprem: remove extra variable

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* infra/onprem: rename forwarder address variable

* Update README:

Added explicit --tunnel-through-iap for gcloud compute ssh commands

* Update top-level and section READMEs (#50)

* top-level README WIP

* rewrite top-level README

* change top-level README title

* remove initial quote in top-level README

* Update README.md

* Update README.md

* Update README.md

* foundations README

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* add experimental scheduled cloud function module

* scheduled cloud function module: allow disabling schedule

* business-units foundation example (#52)

* Added folder-units module.

* Business units example update (WIP)

* Update all BU modules to internal ones

* Refactoring business-units example, add billing and org IAM handling

* update projects tests for new iam additive naming

* update project README for new iam additive naming

* streamline bu example and module (#53)

Co-authored-by: Ludovico Magnocavallo <[email protected]>

* align net-vpn-ha interface with the other vpn modules

* update module README files

* Update README.md

* Update README.md

* Create CHANGELOG.md

* Refactor COS module to be generic (#51)

* Create generic COS module and update CoreDNS module to use it

* Update compute-vm-cos README

* Fix COS README

* Update COS example

* Skip boilerplate check for COS file template

* Make COS module more generic and provide preset configurations

* Update COS module documentation

* tfdoc: add support for multiple variables files

* compute-vm: split boot disk in separate variable file for cos module support

* Streamline cos modules (#54)

* tfdoc: fix bug in last commit

* compute-vm: add support for user-data

* compute-vm: restore noncos variable split

* remove compute-vm-cos-coredns

* compute-vm: revert to original state

* cos-container/coredns

* fix variables mess

* cos/coredns fixes

* cos/mysql

* remove stale compute-vm-cos module

* add test instance to cos modules

* tfdoc: add support for multiple output files

* cos: add initial READMEs

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* add test apply fixture

* cos-coredns: tested

* Update README.md

* Fix typo

* cos-coredns: refactor README

* Update README.md

* test yaml validity in cos modules tests

* cos mysql tests

* cos mysql: refactor and test (disk tests missing)

* onprem: fix Coredns

* cos mysql: additional disk working

* cos modules: fix instance disks for no instance

* update some modules READMEs

* update some modules READMEs

* Update README.md

* Update README.md

* add simple tests for foundations/environments

* change default for org id in foundations/environments to avoid errors when none is specified

* fix null/empty organization id in foundations/environments

* fix errors when destroying on empty state in foundations/environments

* foundations/bu: fix errors when destroying with empty state

* modules/gcs: make outputs resilient on destroy with empty state

* modules/folders: make outputs resilient on destroy with empty state

* switch organization_id variable to long form in foundations/bu and modules/folders-unit

* Update README.md

* infra/shared-vpc: remove duplicate tag attribute from bastion

Co-authored-by: Aleksandr Averbukh <[email protected]>
Co-authored-by: Julio Castillo <[email protected]>
Co-authored-by: Julio Castillo <[email protected]>
4 people authored Apr 3, 2020
1 parent b278c4e commit c486bfc
Showing 282 changed files with 14,289 additions and 2,752 deletions.
1 change: 1 addition & 0 deletions .ci/.terraformrc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
plugin_cache_dir = "/workspace/.terraform.d/plugin-cache"
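Review bot: `plugin_cache_dir` points inside `/workspace`, which Cloud Build creates fresh for every run, so the cache only de-duplicates provider downloads between test directories within one build and is never reused across builds; if cross-build caching is the goal, a step that restores and saves the directory (for example to a GCS bucket) is still needed.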
12 changes: 6 additions & 6 deletions .ci/cloudbuild.lint.yaml
Expand Up @@ -14,12 +14,12 @@


steps:
- name: "python:3-alpine"
id: "boilerplate"
- name: python:3-alpine
id: boilerplate
args: ["/workspace/.ci/scripts/check_boilerplate.py", "/workspace"]
- name: "wata727/tflint"
id: "lint"
- name: wata727/tflint
id: lint
args: ["/workspace"]
tags:
- "ci"
- "lint"
- ci
- lint
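Review bot: the builder images `python:3-alpine` and `wata727/tflint` are referenced by floating tag with no version or digest, so the lint step runs whatever those tags point to at build time; pin them (`wata727/tflint:<version>` or an `@sha256:` digest) so results are reproducible and an upstream tag move cannot silently change what executes over the repository. The quote removal itself is cosmetic and fine.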
21 changes: 7 additions & 14 deletions .ci/cloudbuild.test.yaml
Expand Up @@ -23,28 +23,21 @@ steps:
wget https://releases.hashicorp.com/terraform/${_TERRAFORM_VERSION}/terraform_${_TERRAFORM_VERSION}_linux_amd64.zip &&
unzip terraform_${_TERRAFORM_VERSION}_linux_amd64.zip -d /builder/home/.local/bin &&
rm terraform_${_TERRAFORM_VERSION}_linux_amd64.zip &&
chmod 755 /builder/home/.local/bin/terraform
# TODO(ludoo): split into two triggers with different filters
chmod 755 /builder/home/.local/bin/terraform &&
mkdir -p /workspace/.terraform.d/plugin-cache
# TODO(ludoo): add a step that detects change files and sets tests to run
- name: python:3-alpine
id: test-foundations
id: test-modules
entrypoint: pytest
args:
- -v
- tests/foundations
- tests/modules
env:
- PATH=/usr/local/bin:/usr/bin:/bin:/builder/home/.local/bin
- name: python:3-alpine
id: test-infrastructure
entrypoint: pytest
args:
- -v
- tests/infrastructure
env:
- PATH=/usr/local/bin:/usr/bin:/bin:/builder/home/.local/bin
- PYTHONDONTWRITEBYTECODE=true
- TF_CLI_CONFIG_FILE=/workspace/.ci/.terraformrc

substitutions:
_TERRAFORM_VERSION: 0.12.19
_TERRAFORM_VERSION: 0.12.20

tags:
- "ci"
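Review bot: the terraform archive fetched with `wget` at the top of the hunk is unzipped and made executable without being checked against the `terraform_${_TERRAFORM_VERSION}_SHA256SUMS` file HashiCorp publishes beside it; add a `sha256sum -c` between download and `unzip` so a tampered or truncated download fails the build instead of being installed. Also note that the `test-foundations` and `test-infrastructure` steps are replaced by a single `test-modules` step running only `tests/modules`, while the commit list says foundations tests were added in this same merge; those tests will not run in CI unless a second step (or the changed-files detection the TODO mentions) is added.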
6 changes: 5 additions & 1 deletion .ci/scripts/check_boilerplate.py
Expand Up @@ -21,6 +21,7 @@


_EXCLUDE_DIRS = ('.git', '.terraform')
_EXCLUDE_RE = re.compile(r'# skip boilerplate check')
_MATCH_FILES = (
'Dockerfile', '.py', '.sh', '.tf', '.yaml', '.yml'
)
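Review bot: `_EXCLUDE_RE` matches the literal comment anywhere in a file, so any checked file can opt out of the license check by containing that string at any position; if the intent is only to exempt template fragments, consider anchoring the match to the first few lines or keeping an explicit list of exempt paths next to `_EXCLUDE_DIRS`, and document the marker in the script docstring.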
Expand All @@ -40,8 +41,11 @@ def main(dir):
for fname in files:
if fname in _MATCH_FILES or os.path.splitext(fname)[1] in _MATCH_FILES:
fpath = os.path.abspath(os.path.join(root, fname))
content = open(fpath).read()
if _EXCLUDE_RE.search(content):
continue
try:
if not _MATCH_RE.search(open(fpath).read()):
if not _MATCH_RE.search(content):
errors.append(fpath)
except (IOError, OSError):
warnings.append(fpath)
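Review bot: `content = open(fpath).read()` now executes before the `try`, so an `IOError`/`OSError` while reading aborts the whole script instead of landing in `warnings` as it did when the read was inside the `try`; move the read back under `try:` and use `with open(fpath) as f: content = f.read()` so the handle is also closed.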
13 changes: 13 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,13 @@
# Changelog

All notable changes to this project will be documented in this file.

## [Unreleased]

## [1.0.0] - 2020-03-27

- merge development branch with suite of new modules and end-to-end examples


[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.0.0...HEAD
[1.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v0.1...v1.0
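Review bot: the `[1.0.0]` compare link uses tags `v0.1...v1.0`, while the heading and the `[Unreleased]` link use `v1.0.0`; align the tag names in the two links with the tag that will actually be pushed so the compare URL resolves.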
42 changes: 33 additions & 9 deletions README.md
@@ -1,17 +1,41 @@
# Cloud Foundation Toolkit - Fabric
# Terraform Examples and Modules for Google Cloud

Cloud Foundation Fabric provides end-to-end Terraform code examples on GCP, which are meant for prototyping and as minimal samples to aid in designing real-world infrastructures. As such, these samples are meant to be adapted and updated for your different use cases, and often do not implement GCP security best practices for production use.
This repository provides **end-to-end examples** and a **suite of Terraform modules** for Google Cloud, which support different use cases:

All the examples leverage composition, combining different Cloud Foundation Toolkit modules to realize an integrated design. Additional modules can be combined in to tailor the examples to specific needs, and to implement additional best practices. You can check the [full list of Cloud Foundation Toolkit modules here](https://github.com/terraform-google-modules).
- starter kits used to bootstrap real-word cloud foundations and infrastructure
- reference examples used to deep dive on network patterns or product features
- composable modules that support quick prototyping and testing
- a comprehensive source of lean modules that lend themselves well to changes

The examples are organized into two main sections: GCP foundational design, and infrastructure design
The whole repository is meant to be cloned as a single unit, and then forked into separate owned repositories to seed production usage, or used as-is and periodically updated as a complete toolkit for prototyping.

## Foundational examples
Both the examples and modules require some measure of Terraform skills to be used effectively. If you are looking for a feature-rich black box to manage project or product creation with minimal specific skills, you might be better served by the [Cloud Foundation Toolkit](https://registry.terraform.io/modules/terraform-google-modules) suite of modules.

Foundational examples deal with organization-level management of GCP resources, and take care of folder hierarchy, initial automation requirements (service accounts, GCS buckets), and high level best practices like audit log exports and organization policies.
## End-to-end examples

They are simplified versions of real-life use cases, and put a particular emphasis on separation of duties at the environment or tenant level, and decoupling high level permissions from the day to day running of infrastructure automation. More details and the actual examples are available in the [foundations folder](foundations).
The examples in this repository are split in two main sections: **foundational examples** that bootstrap the organizational hierarchy and automation prerequisites, and **infrastructure scenarios** that implement core networking patterns or features.

## Infrastructure examples
Currently available examples:

Infrastructure examples showcase typical networking configurations on GCP, and are meant to illustrate how to automate them with Terraform, and to offer an easy way of testing different scenarios. Like the foundational examples, they are simplified versions of real-life use cases. More details and the actual examples are available in the [infrastructure folder](infrastructure).
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
- **infrastructure** - [hub and spoke via peering](./infrastructure/hub-and-spoke-peering/), [hub and spoke via VPN](./infrastructure/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./infrastructure/onprem-google-access-dns/), [Shared VPC with GKE support](./infrastructure/shared-vpc-gke/)

For more information see the README files in the [foundations](./foundations/) and [infrastructure](./infrastructure/) folders.

## Modules

The suite of modules in this repository are designed for rapid composition and reuse, and to be reasonably simple and readable so that they can be forked and changed where use of third party code and sources is not allowed.

All modules share a similar interface where each module tries to stay close to the underlying provider resources, support IAM together with resource creation and modification, offer the option of creating multiple resources where it makes sense (eg not for projects), and be completely free of side-effects (eg no external commands).

The current list of modules supports most of the core foundational and networking components used to design end-to-end infrastructure, with more modules in active development for specialized compute, security, and data scenarios.

Currently available modules:

- **foundational** - [folders](./modules/folders), [log sinks](./modules/logging-sinks), [project](./modules/project), [service accounts](./modules/iam-service-accounts)
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), VPN ([static](./modules/net-vpn-static), [dynamic](./modules/net-vpn-dynamic), [HA](./modules/net-vpn-ha)), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns)
- **compute** - [VM/VM group](./modules/compute-vm), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/compute-vm-cos-coredns)
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery)
- **other** - [KMS](./modules/kms), [on-premises in Docker](./modules/on-prem-in-a-box)

For more information and usage examples see each module's README file.
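Review bot: the **compute** entry links `COS container` to `./modules/compute-vm-cos-coredns`, but this same merge removes that module (the commit list has `remove compute-vm-cos-coredns` and introduces `cos-container/coredns` and `cos/mysql`), so the link is dead on arrival; point it at the new module path. Typos in the added text: `real-word` should be `real-world` in the starter kits bullet, and `split in two` reads better as `split into two`.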
34 changes: 34 additions & 0 deletions docker-images/strongswan/Dockerfile
@@ -0,0 +1,34 @@
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

FROM alpine:latest

RUN set -xe \
&& apk add --no-cache strongswan bash sudo

COPY entrypoint.sh /entrypoint.sh
RUN chmod 0755 /entrypoint.sh

COPY ipsec-vti.sh /var/lib/strongswan/ipsec-vti.sh
RUN chmod 0755 /var/lib/strongswan/ipsec-vti.sh

RUN echo 'ipsec ALL=NOPASSWD:SETENV:/usr/sbin/ipsec,/sbin/ip,/sbin/sysctl' > /etc/sudoers.d/ipsec
RUN chmod 0440 /etc/sudoers.d/ipsec

ENV VPN_DEVICE=eth0
ENV LAN_NETWORKS=192.168.0.0/24

EXPOSE 500/udp 4500/udp

ENTRYPOINT ["/entrypoint.sh"]
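Review bot: `FROM alpine:latest` together with an unversioned `apk add strongswan` means every rebuild can pull a different base and strongSwan version; pin the base image tag (or digest) so the VPN gateway image is reproducible. The sudoers entry grants the `ipsec` user passwordless `SETENV` on `/sbin/ip` and `/sbin/sysctl` with no argument restriction, which is wider than the `ip link/addr/tunnel` and `net.ipv4.conf.*` calls in `ipsec-vti.sh` need; listing those argument patterns in the rule would keep the hook working with less privilege.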
44 changes: 44 additions & 0 deletions docker-images/strongswan/README.md
@@ -0,0 +1,44 @@

# StrongSwan docker container

### [strongSwan](https://www.strongswan.org/) is an OpenSource IPsec-based VPN Solution

### Docker compose example
```yaml
version: "3"
services:
vpn:
image: gcr.io/pso-cft-fabric/strongswan:latest
networks:
default:
ipv4_address: 192.168.0.2
cap_add:
- NET_ADMIN
ports:
- "500:500/udp"
- "4500:4500/udp"
- "179:179/tcp"
privileged: true
volumes:
- "/lib/modules:/lib/modules:ro"
- "/etc/localtime:/etc/localtime:ro"
- "/var/lib/docker-compose/onprem/ipsec/ipsec.conf:/etc/ipsec.conf:ro"
- "/var/lib/docker-compose/onprem/ipsec/ipsec.secrets:/etc/ipsec.secrets:ro"
- "/var/lib/docker-compose/onprem/ipsec/vti.conf:/etc/strongswan.d/vti.conf:ro"
bird:
image: pierky/bird
network_mode: service:vpn
cap_add:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
privileged: true
volumes:
- "/var/lib/docker-compose/onprem/bird/bird.conf:/etc/bird/bird.conf:ro"

```

### Build
```bash
gcloud builds submit . --config=cloudbuild.yaml
```
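Review bot: both services set `privileged: true` in addition to `cap_add`, which grants every capability and full device access and makes the `NET_ADMIN`/`NET_BROADCAST`/`NET_RAW` entries redundant; drop `privileged` and keep only the listed capabilities unless the example really needs more (the read-only `/lib/modules` mount suggests kernel module loading may be expected, in which case say so in the README). The example image `gcr.io/pso-cft-fabric/strongswan:latest` also floats on `latest`; a versioned tag would make the compose file reproducible.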
Original file line number Diff line number Diff line change
@@ -1,27 +1,30 @@
# Copyright 2019 Google LLC

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"Plan fixture."

import os

import pytest


_TFDIR = os.path.sep.join(os.path.abspath(__file__).split(os.path.sep)[-3:-1])

# In this directory, run the following command to build this builder.
# $ gcloud builds submit . --config=cloudbuild.yaml

@pytest.fixture(scope='package')
def plan(plan):
return plan(_TFDIR)
steps:
- name: 'gcr.io/cloud-builders/docker'
args:
- build
- --tag=gcr.io/$PROJECT_ID/strongswan
- --tag=gcr.io/$PROJECT_ID/strongswan:latest
- .

images:
- 'gcr.io/$PROJECT_ID/strongswan:latest'

timeout: 1200s
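Review bot: this hunk shows a pytest plan fixture on the removed side and the new `cloudbuild.yaml` on the added side with no file header, so git's rename detection paired two unrelated files on the strength of their license headers; the diff is harmless, but it hides that a test fixture file was deleted, which is worth confirming was intended. In the build step, `--tag=gcr.io/$PROJECT_ID/strongswan` and `--tag=gcr.io/$PROJECT_ID/strongswan:latest` name the same reference (an untagged image name defaults to `latest`), so one is redundant; a versioned tag alongside `latest` would be more useful.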
35 changes: 35 additions & 0 deletions docker-images/strongswan/entrypoint.sh
@@ -0,0 +1,35 @@
#!/bin/sh -e

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1

# Stop ipsec when terminating
_stop_ipsec() {
echo "Shutting down strongSwan/ipsec..."
ipsec stop
}
trap _stop_ipsec SIGTERM

# Making the containter to work as a default gateway for LAN_NETWORKS
iptables -t nat -A POSTROUTING -s ${LAN_NETWORKS} -o ${VPN_DEVICE} -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s ${LAN_NETWORKS} -o ${VPN_DEVICE} -j MASQUERADE

# Start ipsec
echo "Starting up strongSwan/ipsec..."
ipsec start --nofork "$@" &
child=$!
wait "$child"
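Review bot: the script calls `iptables`, but the Dockerfile in this same change installs only `strongswan bash sudo` on alpine, so the two `POSTROUTING` rules will fail and, with `#!/bin/sh -e`, abort the container before `ipsec start` unless `iptables` is added to the `apk add` line. Separately, the `-m policy --dir out --pol ipsec -j ACCEPT` rule must stay ahead of the `MASQUERADE` rule as it is here, otherwise traffic destined for the tunnel would be NATed; a comment stating that ordering requirement would help. Typo: `containter`.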
66 changes: 66 additions & 0 deletions docker-images/strongswan/ipsec-vti.sh
@@ -0,0 +1,66 @@
#!/bin/bash

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# originally published at
# https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan

set -o nounset
set -o errexit

IP=$(which ip)

PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })

VTI_TUNNEL_ID=${1}
VTI_REMOTE=${2}
VTI_LOCAL=${3}

LOCAL_IF="${PLUTO_INTERFACE}"
VTI_IF="vti${VTI_TUNNEL_ID}"
# GCP's MTU is 1460
GCP_MTU="1460"
# ipsec overhead is 73 bytes, we need to compute new mtu.
VTI_MTU=$((GCP_MTU-73))

case "${PLUTO_VERB}" in
up-client)
sudo ${IP} link add ${VTI_IF} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
sudo ${IP} addr add ${VTI_LOCAL} remote ${VTI_REMOTE} dev "${VTI_IF}"
sudo ${IP} link set ${VTI_IF} up mtu ${VTI_MTU}

# Disable IPSEC Policy
sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.disable_policy=1

# Enable loosy source validation, if possible. Otherwise disable validation.
sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=0

# If you would like to use VTI for policy-based you shoud take care of routing by yourselv, e.x.
if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
${IP} r add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
fi
;;
down-client)
sudo ${IP} tunnel del "${VTI_IF}"
;;
esac

# Enable IPv4 forwarding
sudo /sbin/sysctl -w net.ipv4.ip_forward=1

# Disable IPSEC Encryption on local net
sudo /sbin/sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1
sudo /sbin/sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_policy=1
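Review bot: the fallback after `||` on the `rp_filter` line drops `sudo` (`sysctl -w ... rp_filter=0`), as does the `${IP} r add` route in the policy-based branch, so when the hook runs as the unprivileged `ipsec` user (which the sudoers entry in the Dockerfile anticipates) the fallback and the route fail and `errexit` aborts the updown script; prefix both with `sudo`. `IP=$(which ip)` should also be checked against the sudoers rule, which only permits `/sbin/ip`; using that absolute path directly avoids a mismatch. Typos in the comments: `loosy` (loose), `shoud`, `yourselv`, `e.x.` (e.g.).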