# The resources in this file are only created
# when var.enable_private_endpoint is true
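# Subnet that hosts the IAP proxy VM. Created only when the cluster endpoint is
# private (var.enable_private_endpoint); otherwise no in-VPC hop is needed.
resource "google_compute_subnetwork" "iap" {
  count = var.enable_private_endpoint ? 1 : 0

  name          = "${var.gke_cluster_name}-iap-subnet"
  region        = var.region
  network       = google_compute_network.k8s.id
  ip_cidr_range = var.iap_proxy_ip_cidr

  # The proxy VM's network_interface carries no access_config (no external IP),
  # so Private Google Access is what lets workloads in this subnet reach Google
  # APIs over internal routing. Native bool rather than the string "true": the
  # provider coerces the string, but the attribute is typed bool.
  private_ip_google_access = true
}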
# Ingress rule allowing Google's IAP TCP-forwarding front ends to reach any VM
# tagged "iap" on SSH and the tinyproxy port. Created only alongside the other
# private-endpoint resources.
resource "google_compute_firewall" "iap_tcp_forwarding" {
  count = var.enable_private_endpoint ? 1 : 0

  name      = "allow-ingress-from-iap"
  network   = google_compute_network.k8s.name
  direction = "INGRESS"

  # Only the published IAP forwarder netblocks are permitted as sources — the
  # rule never exposes these ports to 0.0.0.0/0.
  # https://cloud.google.com/iap/docs/using-tcp-forwarding
  source_ranges = data.google_netblock_ip_ranges.iap-forwarders.cidr_blocks_ipv4

  # Scope is every instance carrying the "iap" network tag, not just the proxy VM.
  target_tags = ["iap"]

  allow {
    protocol = "tcp"
    ports = [
      "22",   # SSH through the IAP tunnel
      "8888", # tinyproxy port
    ]
  }
}
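# Small proxy VM inside the IAP subnet. Its network_interface has no
# access_config, so it has no external IP: inbound traffic arrives only through
# IAP TCP forwarding (firewall rule above), outbound egress goes via Cloud NAT.
resource "google_compute_instance" "iap-proxy" {
  count = var.enable_private_endpoint ? 1 : 0

  name         = "gke-iap-proxy"
  machine_type = "e2-micro"
  zone         = var.zone

  # Must match target_tags on google_compute_firewall.iap_tcp_forwarding.
  tags = ["iap"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  # Shielded VM: verified boot, vTPM and integrity monitoring, so tampering with
  # the proxy's boot chain is detectable from the platform side.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
  # Changing the shielded config on an existing instance requires it to be
  # stopped rather than recreated; let Terraform do that.
  allow_stopping_for_update = true

  # The subnet is created with count, so it must be indexed here as well.
  network_interface {
    network    = google_compute_network.k8s.id
    subnetwork = google_compute_subnetwork.iap[count.index].name
    # No access_config on purpose: keeps the VM without a public IP.
  }

  # Resolve the script relative to this module rather than the working
  # directory, so the file is found regardless of where terraform is invoked.
  metadata_startup_script = file("${path.module}/scripts/startup.sh")

  # NOTE(review): no service_account block, so the VM runs as the project's
  # default Compute Engine service account with the provider's default scopes.
  # A dedicated least-privilege service account is preferable — confirm what
  # scripts/startup.sh actually needs before changing it.

  # The startup script presumably needs outbound internet access (package
  # installation); make sure Cloud NAT exists before the VM boots.
  depends_on = [
    google_compute_router_nat.k8s_vpc
  ]
}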