From 3fa86e42ffeba43c29d3c602d09d1e98ab2c68cf Mon Sep 17 00:00:00 2001 
From: Horia Gunica <43091730+horiagunica@users.noreply.github.com> Date: Thu, 23 Nov 2023 18:52:17 +0200 Subject: [PATCH] refactor(modules/vpc)!: VPC module refactor (#227) Co-authored-by: michalbil <92343355+michalbil@users.noreply.github.com> Co-authored-by: Migara Ekanayake <2110772+migara@users.noreply.github.com> --- .github/workflows/pr_ci.yml | 2 +- examples/autoscale/README.md | 2 +- examples/autoscale/versions.tf | 2 +- examples/multi_nic_common/README.md | 232 +++++ examples/multi_nic_common/example.tfvars | 378 ++++++++ examples/multi_nic_common/main.tf | 213 +++++ examples/multi_nic_common/main_test.go | 65 ++ examples/multi_nic_common/outputs.tf | 24 + .../templates/bootstrap_common.tmpl | 826 ++++++++++++++++++ .../multi_nic_common/templates/init-cfg.tmpl | 12 + examples/multi_nic_common/variables.tf | 367 ++++++++ examples/multi_nic_common/versions.tf | 13 + examples/panorama_standalone/README.md | 6 +- examples/panorama_standalone/example.tfvars | 32 +- examples/panorama_standalone/main.tf | 19 +- examples/panorama_standalone/variables.tf | 31 +- examples/panorama_standalone/versions.tf | 2 +- .../README.md | 20 +- .../example.tfvars | 81 +- .../main.tf | 54 +- .../main_test.go | 2 +- .../outputs.tf | 10 +- .../variables.tf | 141 ++- .../versions.tf | 3 +- examples/vmseries_ha/README.md | 16 +- examples/vmseries_ha/example.tfvars | 226 +++-- examples/vmseries_ha/main.tf | 32 +- examples/vmseries_ha/variables.tf | 55 +- examples/vmseries_ha/versions.tf | 2 +- examples/vpc_peering_common/README.md | 16 +- examples/vpc_peering_common/example.tfvars | 186 ++-- examples/vpc_peering_common/main.tf | 32 +- examples/vpc_peering_common/variables.tf | 55 +- examples/vpc_peering_common/versions.tf | 2 +- .../README.md | 106 +-- .../example.tfvars | 332 ++++--- .../main.tf | 251 ++---- .../outputs.tf | 55 +- .../variables.tf | 445 ++-------- .../versions.tf | 2 +- examples/vpc_peering_dedicated/README.md | 14 +- examples/vpc_peering_dedicated/example.tfvars | 
209 +++-- examples/vpc_peering_dedicated/main.tf | 32 +- examples/vpc_peering_dedicated/variables.tf | 56 +- examples/vpc_peering_dedicated/versions.tf | 2 +- modules/autoscale/README.md | 2 +- modules/autoscale/versions.tf | 2 +- modules/bootstrap/README.md | 2 +- modules/bootstrap/versions.tf | 2 +- modules/iam_service_account/README.md | 2 +- modules/iam_service_account/versions.tf | 2 +- modules/lb_external/README.md | 2 +- modules/lb_external/versions.tf | 2 +- modules/lb_http_ext_global/README.md | 2 +- modules/lb_http_ext_global/versions.tf | 2 +- modules/lb_internal/README.md | 2 +- modules/lb_internal/versions.tf | 2 +- modules/panorama/README.md | 2 +- modules/panorama/versions.tf | 2 +- modules/vmseries/README.md | 2 +- modules/vmseries/versions.tf | 2 +- modules/vpc-peering/README.md | 2 +- modules/vpc-peering/versions.tf | 2 +- modules/vpc/README.md | 32 +- modules/vpc/main.tf | 82 +- modules/vpc/outputs.tf | 28 +- modules/vpc/variables.tf | 192 ++-- modules/vpc/versions.tf | 2 +- modules/vpn/README.md | 2 +- modules/vpn/versions.tf | 2 +- 70 files changed, 3661 insertions(+), 1378 deletions(-) create mode 100644 examples/multi_nic_common/README.md create mode 100644 examples/multi_nic_common/example.tfvars create mode 100644 examples/multi_nic_common/main.tf create mode 100644 examples/multi_nic_common/main_test.go create mode 100644 examples/multi_nic_common/outputs.tf create mode 100644 examples/multi_nic_common/templates/bootstrap_common.tmpl create mode 100644 examples/multi_nic_common/templates/init-cfg.tmpl create mode 100644 examples/multi_nic_common/variables.tf create mode 100644 examples/multi_nic_common/versions.tf diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml index acaa40cc..71b0fe44 100644 --- a/.github/workflows/pr_ci.yml +++ b/.github/workflows/pr_ci.yml 
@@ -23,7 +23,7 @@ jobs: secrets: inherit with: cloud: gcp - tf_version: 1.2 1.3 1.4 1.5 + tf_version: 1.3 1.4 1.5 validate_max_parallel: 20 test_max_parallel: 10 fail_fast: false diff --git a/examples/autoscale/README.md b/examples/autoscale/README.md index f923034b..1dc17374 100644 --- a/examples/autoscale/README.md +++ b/examples/autoscale/README.md @@ -238,7 +238,7 @@ hping3 -1 -i u10000 | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | | [google](#requirement\_google) | ~> 4.58 | ### Providers diff --git a/examples/autoscale/versions.tf b/examples/autoscale/versions.tf index 634d154b..b9f6089a 100644 --- a/examples/autoscale/versions.tf +++ b/examples/autoscale/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" required_providers { google = { version = "~> 4.58" } } diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md new file mode 100644 index 00000000..29be2eef --- /dev/null +++ b/examples/multi_nic_common/README.md 
@@ -0,0 +1,232 @@ +--- +show_in_hub: false +--- +# Common Option + +The common firewall option leverages a single set of VM-Series firewalls. The sole set of firewalls operates as a shared resource and may present scale limitations with all traffic flowing through a single set of firewalls due to the performance degradation that occurs when traffic crosses virtual routers. This option is suitable for proof-of-concepts and smaller scale deployments because the number of firewalls is low. However, the technical integration complexity is high. + +![VM-Series-Multi-NIC-Common-Firewall-Option](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/assets/43091730/ff652bc1-977c-4f83-aeb0-641b46f38c4c) + +The scope of this code is to deploy an example of the [VM-Series Common Firewall Option](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/gcp-architecture-guide#Design%20Model) but with a slight modification in the architecture - the VM-Series is directly connected to the spoke VPCs. There are some advantages to this architecture from a routing perspective but there is also a limitation related to the [maximum number of NICs on the VM-Series](https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#max-interfaces) within GCP. + +The example makes use of VM-Series full [bootstrap process](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-on-google) using XML templates to properly parametrize the initial Day 0 configuration. 
+ +With default variable values the topology consists of : + - 4 VPC networks : + - Management VPC + - Untrust (outside) VPC + - Spoke-1 (Trust 1) VPC + - Spoke-2 (Trust 2) VPC + - 2 VM-Series firewalls + - 2 Linux Ubuntu VMs (inside Spoke VPCs - for testing purposes) + - two internal network loadbalancers (for outbound/east-west traffic) - one per spoke VPC + - one external regional network loadbalancer (for inbound traffic) + +## Prerequisites + +The following steps should be followed before deploying the Terraform code presented here. + +1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) +2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) + +## Usage + +1. Access Google Cloud Shell or any other environment that has access to your GCP project + +2. Clone the repository: + +``` +git clone https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules +cd terraform-google-vmseries-modules/examples/multi_nic_common +``` + +3. Copy the `example.tfvars` to `terraform.tfvars`. + +`project`, `ssh_keys` and `source_ranges` should be modified for successful deployment and access to the instance. + +There are also a few variables that have some default values but which should also be changed as per deployment requirements + + - `region` + - `vmseries..bootstrap_options` + - `linux_vms..linux_disk_size` + +1. Apply the terraform code: + +``` +terraform init +terraform apply +``` + +4. Check the output plan and confirm the apply. + +5. Check the successful application and outputs of the resulting infrastructure: + +``` +Apply complete! Resources: 77 added, 0 changed, 0 destroyed. 
(Number of resources can vary based on how many instances you push through tfvars) + +Outputs: + +lbs_external_ips = { + "external-lb" = { + "all-ports" = "" + } +} +lbs_internal_ips = { + "internal-lb-spoke1" = "10.10.12.5" + "internal-lb-spoke2" = "10.10.13.5" +} +linux_vm_ips = { + "spoke1-vm" = "192.168.1.2" + "spoke2-vm" = "192.168.2.2" +} +vmseries_private_ips = { + "fw-vmseries-01" = { + "0" = "10.10.11.2" + "1" = "10.10.10.2" + "2" = "10.10.12.2" + "3" = "10.10.13.2" + } + "fw-vmseries-02" = { + "0" = "10.10.11.3" + "1" = "10.10.10.3" + "2" = "10.10.12.3" + "3" = "10.10.13.3" + } +} +vmseries_public_ips = { + "fw-vmseries-01" = { + "0" = "" + "1" = "" + } + "fw-vmseries-02" = { + "0" = "" + "1" = "" + } +} + +``` + + +## Post build + +Connect to the VM-Series instance(s) via SSH using your associated private key and check if the bootstrap process if finished successfuly and then set a password : + - Please allow for up to 10-15 minutes for the bootstrap process to finish + - The key output you should check for is "Auto-commit Successful" + +``` +ssh admin@x.x.x.x -i /PATH/TO/YOUR/KEY/id_rsa +Welcome admin. +admin@PA-VM> show system bootstrap status + +Bootstrap Phase Status Details +=============== ====== ======= +Media Detection Success Media detected successfully +Media Sanity Check Success Media sanity check successful +Parsing of Initial Config Successful +Auto-commit Successful + +admin@PA-VM> configure +Entering configuration mode +[edit] +admin@PA-VM# set mgt-config users admin password +Enter password : +Confirm password : + +[edit] +admin@PA-VM# commit +Configuration committed successfully +``` + +## Check access via web UI + +Use a web browser to access `https://` and login with admin and your previously configured password. 
+ +## Change the public Loopback public IP Address + +For the VM-Series that are backend instance group members of the public-facing loadbalancer - go to Network -> Interfaces -> Loopback and change the value of `1.1.1.1` with the value from the `EXTERNAL_LB_PUBLIC_IP` from the terraform outputs. + +## Check traffic from spoke VMs + +The firewalls are bootstrapped with a generic `allow any` policy just for demo purposes along with an outboud SNAT policy to allow Inernet access from spoke VMs. + +SSH to one of the spoke VMs using GCP IAP and gcloud command and test connectivity : + + +``` +gcloud compute ssh spoke1-vm +No zone specified. Using zone [us-east1-b] for instance: [spoke1-vm]. +External IP address was not found; defaulting to using IAP tunneling. +WARNING: + +To increase the performance of the tunnel, consider installing NumPy. For instructions, +please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth + +@spoke1-vm:~$ping 8.8.8.8 +@spoke1-vm:~$ping 192.168.2.2 +``` + +## Reference + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | + +### Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | n/a | +| [local](#provider\_local) | n/a | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [bootstrap](#module\_bootstrap) | ../../modules/bootstrap | n/a | +| [iam\_service\_account](#module\_iam\_service\_account) | ../../modules/iam_service_account | n/a | +| [lb\_external](#module\_lb\_external) | ../../modules/lb_external | n/a | +| [lb\_internal](#module\_lb\_internal) | ../../modules/lb_internal | n/a | +| [vmseries](#module\_vmseries) | ../../modules/vmseries | n/a | +| [vpc](#module\_vpc) | ../../modules/vpc | n/a | +| [vpc\_peering](#module\_vpc\_peering) | ../../modules/vpc-peering | n/a | + +### Resources + +| Name | Type | +|------|------| +| 
[google_compute_instance.linux_vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource | +| [google_compute_route.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource | +| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [local_file.init_cfg](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [google_compute_image.my_image](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source | + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.

Example of variable deployment:
bootstrap_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket_name_prefix = "bucket-01-"
location = "us"
service_account_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.

Example of variable deployment :
lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | +| [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | +| [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | +| [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | +| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | `{}` | no | +| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| [lbs\_external\_ips](#output\_lbs\_external\_ips) | Public IP addresses of external network loadbalancers. | +| [lbs\_internal\_ips](#output\_lbs\_internal\_ips) | Private IP addresses of internal network loadbalancers. | +| [linux\_vm\_ips](#output\_linux\_vm\_ips) | Private IP addresses of Linux VMs. | +| [vmseries\_private\_ips](#output\_vmseries\_private\_ips) | Private IP addresses of the vmseries instances. | +| [vmseries\_public\_ips](#output\_vmseries\_public\_ips) | Public IP addresses of the vmseries instances. | + diff --git a/examples/multi_nic_common/example.tfvars b/examples/multi_nic_common/example.tfvars new file mode 100644 index 00000000..690adcc0 --- /dev/null +++ b/examples/multi_nic_common/example.tfvars 
@@ -0,0 +1,378 @@ +# General +project = "" +region = "us-east1" # Modify this value as per deployment requirements +name_prefix = "" + +# Service accounts + +service_accounts = { + sa-vmseries-01 = { + service_account_id = "sa-vmseries-01" + display_name = "VM-Series SA" + roles = [ + "roles/compute.networkViewer", + "roles/logging.logWriter", + "roles/monitoring.metricWriter", + "roles/monitoring.viewer", + "roles/viewer" + ] + }, + sa-linux-01 = { + service_account_id = "sa-linux-01" + display_name = "Linux VMs SA" + roles = [ + "roles/compute.networkViewer", + "roles/logging.logWriter", + "roles/monitoring.metricWriter", + "roles/monitoring.viewer", + "roles/viewer" + ] + } +} + +bootstrap_buckets = { + vmseries-bootstrap-bucket-01 = { + bucket_name_prefix = "bucket-01-" + location = "us" + service_account_key = "sa-vmseries-01" + } +} + +# VPC + +networks = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" + create_network = true + delete_default_routes_on_create = false + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. 
+ priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + }, + fw-untrust-vpc = { + vpc_name = "fw-untrust-vpc" + create_network = true + delete_default_routes_on_create = false + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-untrust-sub = { + name = "fw-untrust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.11.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-untrust-ingress = { + name = "allow-untrust-vpc" + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + }, + fw-spoke1-vpc = { + vpc_name = "fw-spoke1-vpc" + create_network = true + delete_default_routes_on_create = true + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke1-inside-sub = { + name = "fw-spoke1-inside-sub" + create_subnetwork = true + ip_cidr_range = "10.10.12.0/28" + region = "us-east1" + }, + fw-spoke1-sub = { + name = "fw-spoke1-sub" + create_subnetwork = true + ip_cidr_range = "192.168.1.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke1-ingress = { + name = "allow-spoke1-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + }, + fw-spoke2-vpc = { + vpc_name = "fw-spoke2-vpc" + create_network = true + delete_default_routes_on_create = true + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke2-inside-sub = { + name = "fw-spoke2-inside-sub" + create_subnetwork = true + ip_cidr_range = "10.10.13.0/28" + region = "us-east1" + }, + fw-spoke2-sub = { + name = "fw-spoke2-sub" + create_subnetwork = true + ip_cidr_range = "192.168.2.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke2-ingress = { + name = "allow-spoke2-vpc" + source_ranges = 
["192.168.0.0/16", "35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + } +} + +# Static routes +routes = { + fw-default-spoke1 = { + name = "fw-default-spoke1" + destination_range = "0.0.0.0/0" + vpc_network_key = "fw-spoke1-vpc" + lb_internal_key = "internal-lb-spoke1" + }, + fw-default-spoke2 = { + name = "fw-default-spoke2" + destination_range = "0.0.0.0/0" + vpc_network_key = "fw-spoke2-vpc" + lb_internal_key = "internal-lb-spoke2" + } +} + +# VM-Series + +vmseries_common = { + ssh_keys = "admin:" + vmseries_image = "vmseries-flex-byol-1022h2" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + service_account_key = "sa-vmseries-01" + bootstrap_options = { + type = "dhcp-client" + mgmt-interface-swap = "enable" + } +} + +vmseries = { + fw-vmseries-01 = { + name = "fw-vmseries-01" + zone = "us-east1-b" + tags = ["vmseries"] + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" + bootstrap_options = { + panorama-server = "1.1.1.1" # Modify this value as per deployment requirements + dns-primary = "8.8.8.8" # Modify this value as per deployment requirements + dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + } + bootstrap_template_map = { + spoke1_gcp_router_ip = "10.10.12.1" + spoke2_gcp_router_ip = "10.10.13.1" + untrust_gcp_router_ip = "10.10.11.1" + private_network_cidr = "192.168.0.0/16" + untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed + spoke1_loopback_ip = "10.10.12.5/32" + 
spoke2_loopback_ip = "10.10.13.5/32" + } + named_ports = [ + { + name = "http" + port = 80 + }, + { + name = "https" + port = 443 + } + ] + network_interfaces = [ + { + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" + private_ip = "10.10.11.2" + create_public_ip = true + }, + { + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" + private_ip = "10.10.10.2" + create_public_ip = true + }, + { + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-inside-sub" + private_ip = "10.10.12.2" + }, + { + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-inside-sub" + private_ip = "10.10.13.2" + } + ] + }, + fw-vmseries-02 = { + name = "fw-vmseries-02" + zone = "us-east1-c" + tags = ["vmseries"] + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" + bootstrap_options = { + panorama-server = "1.1.1.1" # Modify this value as per deployment requirements + dns-primary = "8.8.8.8" # Modify this value as per deployment requirements + dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + } + bootstrap_template_map = { + spoke1_gcp_router_ip = "10.10.12.1" + spoke2_gcp_router_ip = "10.10.13.1" + untrust_gcp_router_ip = "10.10.11.1" + private_network_cidr = "192.168.0.0/16" + untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed + spoke1_loopback_ip = "10.10.12.5/32" + spoke2_loopback_ip = "10.10.13.5/32" + } + named_ports = [ + { + name = "http" + port = 80 + }, + { + name = "https" + port = 443 + } + ] + network_interfaces = [ + { + vpc_network_key = "fw-untrust-vpc" + subnetwork_key 
= "fw-untrust-sub" + private_ip = "10.10.11.3" + create_public_ip = true + }, + { + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" + private_ip = "10.10.10.3" + create_public_ip = true + }, + { + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-inside-sub" + private_ip = "10.10.12.3" + }, + { + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-inside-sub" + private_ip = "10.10.13.3" + } + ] + } +} + +# Spoke Linux VMs +linux_vms = { + spoke1-vm = { + linux_machine_type = "n2-standard-4" + zone = "us-east1-b" + linux_disk_size = "50" # Modify this value as per deployment requirements + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" + private_ip = "192.168.1.2" + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + service_account_key = "sa-linux-01" + }, + spoke2-vm = { + linux_machine_type = "n2-standard-4" + zone = "us-east1-b" + linux_disk_size = "50" # Modify this value as per deployment requirements + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-sub" + private_ip = "192.168.2.2" + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + service_account_key = "sa-linux-01" + } +} + +# Internal Network Loadbalancer +lbs_internal = { + internal-lb-spoke1 = { + name = "internal-lb-spoke1" + health_check_port = "80" + backends = ["fw-vmseries-01", "fw-vmseries-02"] + ip_address = "10.10.12.5" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-inside-sub" + }, + internal-lb-spoke2 = { + 
name = "internal-lb-spoke2" + health_check_port = "80" + backends = ["fw-vmseries-01", "fw-vmseries-02"] + ip_address = "10.10.13.5" + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-inside-sub" + } +} + +# External Network Loadbalancer +lbs_external = { + external-lb = { + name = "external-lb" + backends = ["fw-vmseries-01", "fw-vmseries-02"] + rules = { + all-ports = { + ip_protocol = "L3_DEFAULT" + } + } + http_health_check_port = "80" + http_health_check_request_path = "/php/login.php" + } +} \ No newline at end of file diff --git a/examples/multi_nic_common/main.tf b/examples/multi_nic_common/main.tf new file mode 100644 index 00000000..5ee3d581 --- /dev/null +++ b/examples/multi_nic_common/main.tf 
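Review bot: The `allow-spoke2-ingress` rule under `fw-spoke2-vpc` lists `10.10.12.0/28` (the spoke1 inside subnet) in its `source_ranges`, while the spoke2 inside subnet defined a few lines above it is `10.10.13.0/28`; this looks like a copy of the spoke1 rule rather than a deliberate cross-spoke allowance. As written, traffic sourced from `fw-spoke2-inside-sub` (including the `internal-lb-spoke2` address `10.10.13.5`) is not matched by the rule, and spoke1's inside range is admitted into spoke2 without an apparent need. Unless the shared range is intended, change the line to `source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22", "10.10.13.0/28"]`. Since every rule in this file uses `allowed_protocol = "all"`, a one-line comment on the first such rule stating that the example ranges are intentionally broad for the demo and should be narrowed per deployment would save readers from copying them as-is.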
@@ -0,0 +1,213 @@ +module "iam_service_account" { + source = "../../modules/iam_service_account" + + for_each = var.service_accounts + + service_account_id = "${var.name_prefix}${each.value.service_account_id}" + display_name = "${var.name_prefix}${each.value.display_name}" + roles = each.value.roles + project_id = var.project +} + +resource "local_file" "bootstrap_xml" { + + for_each = { for k, v in var.vmseries : k => v + if can(v.bootstrap_template_map) + } + + filename = "files/${each.key}/config/bootstrap.xml" + content = templatefile("templates/bootstrap_common.tmpl", + { + spoke1_gcp_router_ip = each.value.bootstrap_template_map.spoke1_gcp_router_ip + spoke2_gcp_router_ip = each.value.bootstrap_template_map.spoke2_gcp_router_ip + private_network_cidr = each.value.bootstrap_template_map.private_network_cidr + untrust_gcp_router_ip = each.value.bootstrap_template_map.untrust_gcp_router_ip + spoke1_loopback_ip = each.value.bootstrap_template_map.spoke1_loopback_ip + spoke2_loopback_ip = each.value.bootstrap_template_map.spoke2_loopback_ip + untrust_loopback_ip = each.value.bootstrap_template_map.untrust_loopback_ip + } + ) +} + +resource "local_file" "init_cfg" { + + for_each = { for k, v in var.vmseries : k => v + if can(v.bootstrap_template_map) + } + + filename = "files/${each.key}/config/init-cfg.txt" + content = templatefile("templates/init-cfg.tmpl", + { + panorama-server = try(each.value.bootstrap_options.panorama-server, var.vmseries_common.bootstrap_options.panorama-server, "") + type = try(each.value.bootstrap_options.type, var.vmseries_common.bootstrap_options.type, "") + dns-primary = try(each.value.bootstrap_options.dns-primary, var.vmseries_common.bootstrap_options.dns-primary, "") + dns-secondary = try(each.value.bootstrap_options.dns-secondary, var.vmseries_common.bootstrap_options.dns-secondary, "") + }) +} + +module "bootstrap" { + source = "../../modules/bootstrap" + + for_each = var.bootstrap_buckets + + folders = keys(var.vmseries) + + 
name_prefix = "${var.name_prefix}${each.value.bucket_name_prefix}" + service_account = module.iam_service_account[each.value.service_account_key].email + location = each.value.location + files = merge( + { for k, v in var.vmseries : "files/${k}/config/bootstrap.xml" => "${k}/config/bootstrap.xml" }, + { for k, v in var.vmseries : "files/${k}/config/init-cfg.txt" => "${k}/config/init-cfg.txt" }, + ) +} + +module "vpc" { + source = "../../modules/vpc" + + for_each = var.networks + + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + } + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) +} + +resource "google_compute_route" "this" { + + for_each = var.routes + + name = "${var.name_prefix}${each.value.name}" + dest_range = each.value.destination_range + network = module.vpc[each.value.vpc_network_key].network.self_link + next_hop_ilb = module.lb_internal[each.value.lb_internal_key].forwarding_rule + priority = 100 +} + +module "vpc_peering" { + source = "../../modules/vpc-peering" + + for_each = var.vpc_peerings + + local_network = module.vpc[each.value.local_network_key].network.id + peer_network = module.vpc[each.value.peer_network_key].network.id + + local_export_custom_routes = each.value.local_export_custom_routes + local_import_custom_routes = each.value.local_import_custom_routes + local_export_subnet_routes_with_public_ip = each.value.local_export_subnet_routes_with_public_ip + local_import_subnet_routes_with_public_ip = each.value.local_import_subnet_routes_with_public_ip + + peer_export_custom_routes = each.value.peer_export_custom_routes + 
peer_import_custom_routes = each.value.peer_import_custom_routes + peer_export_subnet_routes_with_public_ip = each.value.peer_export_subnet_routes_with_public_ip + peer_import_subnet_routes_with_public_ip = each.value.peer_import_subnet_routes_with_public_ip +} + +module "vmseries" { + source = "../../modules/vmseries" + + for_each = var.vmseries + + name = "${var.name_prefix}${each.value.name}" + zone = each.value.zone + ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys) + vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image) + machine_type = try(each.value.machine_type, var.vmseries_common.machine_type) + min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake") + tags = try(each.value.tags, var.vmseries_common.tags, []) + service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email) + scopes = try(each.value.scopes, var.vmseries_common.scopes, []) + create_instance_group = true + + bootstrap_options = try( + merge( + { vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" }, + var.vmseries_common.bootstrap_options), + merge( + try(each.value.bootstrap_options, {}), + try(var.vmseries_common.bootstrap_options, {}) + )) + + named_ports = try(each.value.named_ports, []) + + network_interfaces = [for v in each.value.network_interfaces : + { + subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link + private_ip = v.private_ip + create_public_ip = try(v.create_public_ip, false) + }] +} + +data "google_compute_image" "my_image" { + family = "ubuntu-pro-2204-lts" + project = "ubuntu-os-pro-cloud" +} + +resource "google_compute_instance" "linux_vm" { + for_each = var.linux_vms + + name = "${var.name_prefix}${each.key}" + machine_type = each.value.linux_machine_type + zone = 
each.value.zone + + boot_disk { + initialize_params { + image = data.google_compute_image.my_image.id + size = each.value.linux_disk_size + } + } + + network_interface { + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link + network_ip = each.value.private_ip + } + + metadata = { + enable-oslogin = true + } + + + service_account { + email = module.iam_service_account[each.value.service_account_key].email + scopes = each.value.scopes + } +} + +module "lb_internal" { + source = "../../modules/lb_internal" + + for_each = var.lbs_internal + + name = "${var.name_prefix}${each.value.name}" + region = var.region + health_check_port = try(each.value.health_check_port, "80") + backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } + ip_address = each.value.ip_address + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link + all_ports = true +} + +module "lb_external" { + source = "../../modules/lb_external" + + for_each = var.lbs_external + + project = var.project + + name = "${var.name_prefix}${each.value.name}" + backend_instance_groups = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } + rules = each.value.rules + + health_check_http_port = each.value.http_health_check_port + health_check_http_request_path = try(each.value.http_health_check_request_path, "/php/login.php") +} \ No newline at end of file diff --git a/examples/multi_nic_common/main_test.go b/examples/multi_nic_common/main_test.go new file mode 100644 index 00000000..c482b1f3 --- /dev/null +++ b/examples/multi_nic_common/main_test.go 
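Review bot: The `files` map passed to `module "bootstrap"` enumerates every key of `var.vmseries`, while `local_file.bootstrap_xml` and `local_file.init_cfg` are only created for entries where `can(v.bootstrap_template_map)` holds, so a vmseries entry without `bootstrap_template_map` makes the bucket module reference `files/<key>/config/*` that were never rendered. Apply the same filter in both comprehensions, e.g. `{ for k, v in var.vmseries : "files/${k}/config/bootstrap.xml" => "${k}/config/bootstrap.xml" if can(v.bootstrap_template_map) }` and likewise for `init-cfg.txt`. Separately, `firewall_rules = try({ for k, v in each.value.firewall_rules : ... }, {})` in `module "vpc"` turns any error inside the comprehension (a rule missing `name`, a typo in an attribute) into an empty map, so a network silently ends up with no firewall rules; `firewall_rules = { for k, v in try(each.value.firewall_rules, {}) : k => merge(v, { name = "${var.name_prefix}${v.name}" }) }` keeps the optional-attribute fallback while letting a malformed rule fail at plan time. The same `try()` wrapping appears in the `module "vpc"` hunk of `examples/panorama_standalone/main.tf` in this commit.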
@@ -0,0 +1,65 @@ +package multi_nic_common + +import ( + "testing" + "log" + + "github.com/PaloAltoNetworks/terraform-modules-vmseries-tests-skeleton/pkg/testskeleton" + "github.com/gruntwork-io/terratest/modules/logger" + "github.com/gruntwork-io/terratest/modules/terraform" +) + +func CreateTerraformOptions(t *testing.T) *terraform.Options { + varsInfo, err := testskeleton.GenerateTerraformVarsInfo("gcp") + if err != nil { + // Handle the error + log.Fatalf("Error generating terraform vars info: %v", err) + } + + // define options for Terraform + terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ + TerraformDir: ".", + VarFiles: []string{"example.tfvars"}, + Vars: map[string]interface{}{ + "name_prefix": varsInfo.NamePrefix, + "project": varsInfo.GoogleProjectId, + }, + Logger: logger.Default, + Lock: true, + Upgrade: true, + SetVarsAfterVarFiles: true, + }) + + return terraformOptions +} + +func TestValidate(t *testing.T) { + testskeleton.ValidateCode(t, nil) +} + +func TestPlan(t *testing.T) { + // define options for Terraform + terraformOptions := CreateTerraformOptions(t) + // prepare list of items to check + assertList := []testskeleton.AssertExpression{} + // plan test infrastructure and verify outputs + testskeleton.PlanInfraCheckErrors(t, terraformOptions, assertList, "No errors are expected") +} + +func TestApply(t *testing.T) { + // define options for Terraform + terraformOptions := CreateTerraformOptions(t) + // prepare list of items to check + assertList := []testskeleton.AssertExpression{} + // deploy test infrastructure and verify outputs and check if there are no planned changes after deployment + testskeleton.DeployInfraCheckOutputs(t, terraformOptions, assertList) +} + +func TestIdempotence(t *testing.T) { + // define options for Terraform + terraformOptions := CreateTerraformOptions(t) + // prepare list of items to check + assertList := []testskeleton.AssertExpression{} + // deploy test infrastructure and verify 
outputs and check if there are no planned changes after deployment + testskeleton.DeployInfraCheckOutputsVerifyChanges(t, terraformOptions, assertList) +} \ No newline at end of file diff --git a/examples/multi_nic_common/outputs.tf b/examples/multi_nic_common/outputs.tf new file mode 100644 index 00000000..6d434f41 --- /dev/null +++ b/examples/multi_nic_common/outputs.tf @@ -0,0 +1,24 @@ +output "vmseries_private_ips" { + description = "Private IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.private_ips } +} + +output "vmseries_public_ips" { + description = "Public IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.public_ips } +} + +output "lbs_internal_ips" { + description = "Private IP addresses of internal network loadbalancers." + value = { for k, v in module.lb_internal : k => v.address } +} + +output "lbs_external_ips" { + description = "Public IP addresses of external network loadbalancers." + value = { for k, v in module.lb_external : k => v.ip_addresses } +} + +output "linux_vm_ips" { + description = "Private IP addresses of Linux VMs." + value = { for k, v in resource.google_compute_instance.linux_vm : k => v.network_interface[0].network_ip } +} diff --git a/examples/multi_nic_common/templates/bootstrap_common.tmpl b/examples/multi_nic_common/templates/bootstrap_common.tmpl new file mode 100644 index 00000000..47620e7b --- /dev/null +++ b/examples/multi_nic_common/templates/bootstrap_common.tmpl 
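Review bot: `log.Fatalf` in `CreateTerraformOptions` terminates the whole test binary through `os.Exit`, so deferred functions do not run and every other test in the package is skipped; since `t` is already a parameter, `t.Fatalf("Error generating terraform vars info: %v", err)` fails only this test and the `log` import can be dropped. The `// Handle the error` comment adds nothing once that is done. `TestApply` and `TestIdempotence` both deploy the full topology; if running two applies is intentional, a comment explaining why the idempotence check is not folded into `TestApply` would help the next reader.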
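Review bot: `linux_vm_ips` addresses the instance as `resource.google_compute_instance.linux_vm` while every other output in the file uses the bare reference form; the `resource.` prefix is valid but unusual and the inconsistency reads like an accident. `value = { for k, v in google_compute_instance.linux_vm : k => v.network_interface[0].network_ip }` matches the style of the other outputs.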
@@ -0,0 +1,826 @@ + + + + + + * + + + yes + + + + + + yes + 8 + + + + + + + + + + + + yes + 5 + + + yes + 5 + + + yes + 5 + + + yes + 10 + + + yes + 5 + + + + yes + + + + 10 + 10 + + 100 + 50 + + + + 10 + 10 + + 100 + 50 + + + + + + 100 + yes + + + + + + + + + + + + no + + + + no + + + no + + + no + + lb_health_check + + no + + + + + + + no + + + + no + + + no + + + no + + + no + + lb_health_check + + + + + + no + + + + no + + + no + + + no + + + no + + lb_health_check + + + + + + + + no + + + + + + + lb_health_check + + + + + + + + 3 + 5 + wait-recover + + + + + + + + + + + yes + + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + + 8 + + + + + aes-128-cbc + + + sha256 + + + group19 + + + 8 + + + + + aes-256-cbc + + + sha384 + + + group20 + + + 8 + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + 1 + + + + + + aes-128-gcm + + + none + + + group19 + + 1 + + + + + + aes-256-gcm + + + none + + + group20 + + 1 + + + + + + + aes-128-cbc + + + sha1 + + + + + + + + + + + + + real-time + + + high + + + high + + + medium + + + medium + + + low + + + low + + + low + + + + + + + + + + + + no + + + 1.25 + 0.5 + 900 + 300 + 900 + yes + + + + + yes + + + + + no + + + no + + + no + + + + ethernet1/1 + ethernet1/2 + ethernet1/3 + loopback.10 + + + + + + yes + yes + 4 + + + + + + + ${untrust_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 35.191.0.0/16 + + + + + + + ${spoke1_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/2 + 10 + 35.191.0.0/16 + + + + + + + ${spoke2_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/3 + 10 + 35.191.0.0/16 + + + + + + + ${untrust_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 209.85.152.0/22 + + + + + + + ${spoke1_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/2 + 10 + 209.85.152.0/22 + + + + + + + ${spoke2_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/3 + 10 + 209.85.152.0/22 + + + + + + + ${untrust_gcp_router_ip} + + + None + + + no + any 
+ 2 + + ethernet1/1 + 10 + 209.85.204.0/22 + + + + + + + ${spoke1_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/2 + 10 + 209.85.204.0/22 + + + + + + + ${spoke2_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/3 + 10 + 209.85.204.0/22 + + + + + + + ${untrust_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 130.211.0.0/22 + + + + + + + ${spoke1_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/2 + 10 + 130.211.0.0/22 + + + + + + + ${spoke2_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/3 + 10 + 130.211.0.0/22 + + + + + + + ${untrust_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 0.0.0.0/0 + + + + + + + ${spoke1_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/2 + 10 + ${private_network_cidr} + + + + + + + ${spoke2_gcp_router_ip} + + + None + + + no + any + 2 + + ethernet1/3 + 10 + ${private_network_cidr} + + + + + + + + + + + + + + + yes + no + no + no + + + updates.paloaltonetworks.com + + + + + wednesday + 01:02 + download-only + + + + + US/Pacific + + yes + yes + + + + 0.us.pool.ntp.org + + + + + + 1.us.pool.ntp.org + + + + + + + + + yes + + + FQDN + + panadmin + + + yes + no + no + no + + + + + + + + + + + + + + + ethernet1/1 + loopback.10 + + + + + + + ethernet1/2 + ethernet1/3 + + + + + + + + + + + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + allow + + + + + + + + + + ethernet1/1 + + + + + public + + + private + + + ${private_network_cidr} + + + any + + any + + + + + + + + ethernet1/1 + ethernet1/2 + ethernet1/3 + loopback.10 + + + + + + + + \ No newline at end of file diff --git a/examples/multi_nic_common/templates/init-cfg.tmpl b/examples/multi_nic_common/templates/init-cfg.tmpl new file mode 100644 index 00000000..a15be671 --- /dev/null +++ b/examples/multi_nic_common/templates/init-cfg.tmpl 
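Review bot: The security policy in this template (the rule whose match fields are all `any` with action `allow`) admits all traffic between the zones it spans, which is acceptable for a lab Day-0 configuration but deserves a comment in the template or the example README stating that it is a placeholder to be tightened after deployment; tags appear to have been stripped from this rendering, so the rule's from/to zones cannot be confirmed here. The crypto profiles listing `aes-128-cbc`/`3des` with `sha1` and `group2` look like PAN-OS factory defaults; if the example does not terminate VPNs a short note saying these are untouched defaults would save a reader from auditing them. `main.tf` passes `spoke1_loopback_ip`, `spoke2_loopback_ip` and `untrust_loopback_ip` to this template but none of them is visible in the rendered text — they may sit in stripped attributes, so it is worth confirming they are actually consumed, since `templatefile` does not flag unused variables.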
@@ -0,0 +1,12 @@
+%{ if panorama-server != "" ~}
+panorama-server=${panorama-server}
+%{ endif ~}
+%{ if type != "" ~}
+type=${type}
+%{ endif ~}
+%{ if dns-primary != "" ~}
+dns-primary=${dns-primary}
+%{ endif ~}
+%{ if dns-secondary != "" ~}
+dns-secondary=${dns-secondary}
+%{ endif ~}
\ No newline at end of file
diff --git a/examples/multi_nic_common/variables.tf b/examples/multi_nic_common/variables.tf
new file mode 100644
index 00000000..0cfce607
--- /dev/null
+++ b/examples/multi_nic_common/variables.tf
@@ -0,0 +1,367 @@ +# General +variable "project" { + description = "The project name to deploy the infrastructure in to." + type = string + default = null +} +variable "region" { + description = "The region into which to deploy the infrastructure in to." + type = string + default = "us-central1" +} +variable "name_prefix" { + description = "A string to prefix resource namings." + type = string + default = "example-" +} + +#Service Account + +variable "service_accounts" { + description = <<-EOF + A map containing each service account setting. + + Example of variable deployment : + ``` + service_accounts = { + "sa-vmseries-01" = { + service_account_id = "sa-vmseries-01" + display_name = "VM-Series SA" + roles = [ + "roles/compute.networkViewer", + "roles/logging.logWriter", + "roles/monitoring.metricWriter", + "roles/monitoring.viewer", + "roles/viewer" + ] + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs) + + Multiple keys can be added and will be deployed by the code. + + EOF + type = map(any) + default = {} +} + +#Bootstrap bucket + +variable "bootstrap_buckets" { + description = <<-EOF + A map containing each bootstrap bucket setting. + + Example of variable deployment: + + ``` + bootstrap_buckets = { + vmseries-bootstrap-bucket-01 = { + bucket_name_prefix = "bucket-01-" + location = "us" + service_account_key = "sa-vmseries-01" + } + } + ``` + + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs) + + Multiple keys can be added and will be deployed by the code. + + EOF + type = map(any) + default = {} +} + +#VPC + +variable "networks" { + description = <<-EOF + A map containing each network setting. 
+ + Example of variable deployment : + + ``` + networks = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" + create_network = true + delete_default_routes_on_create = false + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + } + } + ``` + + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks) + + Multiple keys can be added and will be deployed by the code. + EOF + type = any + default = {} +} + +variable "vpc_peerings" { + description = <<-EOF + A map containing each VPC peering setting. + + Example of variable deployment : + + ``` + vpc_peerings = { + "trust-to-spoke1" = { + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" + + local_export_custom_routes = true + local_import_custom_routes = true + local_export_subnet_routes_with_public_ip = true + local_import_subnet_routes_with_public_ip = true + + peer_export_custom_routes = true + peer_import_custom_routes = true + peer_export_subnet_routes_with_public_ip = true + peer_import_subnet_routes_with_public_ip = true + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs) + + Multiple keys can be added and will be deployed by the code. + EOF + type = map(any) + default = {} +} + +variable "routes" { + description = <<-EOF + A map containing each route setting. 
Note that you can only add routes using a next-hop type of internal load-balance rule. + + Example of variable deployment : + + ``` + routes = { + "default-route-trust" = { + name = "fw-default-trust" + destination_range = "0.0.0.0/0" + vpc_network_key = "fw-trust-vpc" + lb_internal_name = "internal-lb" + } + } + ``` + + Multiple keys can be added and will be deployed by the code. + EOF + type = map(any) + default = {} +} + +#vmseries + +variable "vmseries_common" { + description = <<-EOF + A map containing common vmseries setting. + + Example of variable deployment : + + ``` + vmseries_common = { + ssh_keys = "admin:AAAABBBB..." + vmseries_image = "vmseries-flex-byol-1022h2" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + service_account_key = "sa-vmseries-01" + bootstrap_options = { + type = "dhcp-client" + mgmt-interface-swap = "enable" + } + } + ``` + + Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). + EOF + type = any + default = {} +} +variable "vmseries" { + description = <<-EOF + A map containing each individual vmseries setting. 
+ + Example of variable deployment : + + ``` + vmseries = { + "fw-vmseries-01" = { + name = "fw-vmseries-01" + zone = "us-east1-b" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + tags = ["vmseries"] + service_account_key = "sa-vmseries-01" + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" + bootstrap_options = { + panorama-server = "1.1.1.1" + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" + } + bootstrap_template_map = { + trust_gcp_router_ip = "10.10.12.1" + untrust_gcp_router_ip = "10.10.11.1" + private_network_cidr = "192.168.0.0/16" + untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed + trust_loopback_ip = "10.10.12.5/32" + } + named_ports = [ + { + name = "http" + port = 80 + }, + { + name = "https" + port = 443 + } + ] + network_interfaces = [ + { + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" + private_ip = "10.10.11.2" + create_public_ip = true + }, + { + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" + private_ip = "10.10.10.2" + create_public_ip = true + }, + { + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + private_ip = "10.10.12.2" + }, + ] + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs) + + The bootstrap_template_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs. 
+ Multiple keys can be added and will be deployed by the code. + + EOF + type = any + default = {} +} + +#Load Balancers + +variable "lbs_internal" { + description = <<-EOF + A map containing each internal loadbalancer setting. + + Example of variable deployment : + + ``` + lbs_internal = { + "internal-lb" = { + name = "internal-lb" + health_check_port = "80" + backends = ["fw-vmseries-01", "fw-vmseries-02"] + ip_address = "10.10.12.5" + subnetwork_key = "fw-trust-sub" + vpc_network_key = "fw-trust-vpc" + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs) + + Multiple keys can be added and will be deployed by the code. + EOF + type = map(any) + default = {} +} +variable "lbs_external" { + description = <<-EOF + A map containing each external loadbalancer setting. + + Example of variable deployment : + + ``` + lbs_external = { + "external-lb" = { + name = "external-lb" + backends = ["fw-vmseries-01", "fw-vmseries-02"] + rules = { + "all-ports" = { + ip_protocol = "L3_DEFAULT" + } + } + http_health_check_port = "80" + http_health_check_request_path = "/php/login.php" + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs) + + Multiple keys can be added and will be deployed by the code. + EOF + type = map(any) + default = {} +} + +#Spoke VPCs Linux VMs + +variable "linux_vms" { + description = <<-EOF + A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes. 
+ + Example of varaible deployment: + + ``` + linux_vms = { + spoke1-vm = { + linux_machine_type = "n2-standard-4" + zone = "us-east1-b" + linux_disk_size = "50" # Modify this value as per deployment requirements + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" + private_ip = "192.168.1.2" + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + service_account_key = "sa-linux-01" + } + } + ``` + EOF + type = map(any) + default = {} +} \ No newline at end of file diff --git a/examples/multi_nic_common/versions.tf b/examples/multi_nic_common/versions.tf new file mode 100644 index 00000000..785e9269 --- /dev/null +++ b/examples/multi_nic_common/versions.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.3, < 2.0" +} + +provider "google" { + project = var.project + region = var.region +} + +provider "google-beta" { + project = var.project + region = var.region +} diff --git a/examples/panorama_standalone/README.md b/examples/panorama_standalone/README.md index d56c06ca..1ced5af5 100644 --- a/examples/panorama_standalone/README.md +++ b/examples/panorama_standalone/README.md 
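Review bot: The documented examples in this hunk do not match the attribute names `main.tf` actually reads: the `routes` example uses `lb_internal_name` while `google_compute_route.this` reads `each.value.lb_internal_key`, and the `vmseries` example's `bootstrap_template_map` uses `trust_gcp_router_ip`/`trust_loopback_ip` while `local_file.bootstrap_xml` reads `spoke1_gcp_router_ip`, `spoke2_gcp_router_ip`, `spoke1_loopback_ip` and `spoke2_loopback_ip`, so pasting either example into a tfvars file fails at plan time with an unsupported-attribute error. Aligning the examples with the names `main.tf` consumes fixes both. Typos in the descriptions: `souurce` in the `networks` example, `varaible` in `linux_vms`, `vmserie` in `vmseries_common`. Because every variable is typed `map(any)` or `any`, none of these key mismatches is caught by type checking; an `object({...})` type with `optional()` attributes (available from the `>= 1.3` this example requires) would surface them with a clearer error.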
@@ -27,7 +27,7 @@ The topology consists of : 1. Access Google Cloud Shell or any other environment which has access to your GCP project -2. Clone the repository and fill out any modifications to tfvars file (`example.tfvars` - at least `project`, `ssh_keys` and `allowed_sources` should be filled in for successful deployment and access to the instance after deployment) +2. Clone the repository and fill out any modifications to tfvars file (`example.tfvars` - at least `project`, `ssh_keys` and `source_ranges` should be filled in for successful deployment and access to the instance after deployment) ``` git clone https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules @@ -88,7 +88,7 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers @@ -110,7 +110,7 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
vpcs = {
"panorama-vpc" = {
vpc_name = "panorama-vpc"
subnet_name = "panorama-subnet"
cidr = "172.21.21.0/24"
allowed_sources = ["1.1.1.1/32" , "2.2.2.2/32"]
create_network = true
create_subnetwork = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"panorama-vpc" = {
vpc_name = "firewall-vpc"
create_network = true
delete_default_routes_on_create = "false"
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
"panorama-sub" = {
name = "panorama-subnet"
create_subnetwork = true
ip_cidr_range = "172.21.21.0/24"
region = "us-central1"
}
}
firewall_rules = {
"allow-panorama-ingress" = {
name = "panorama-mgmt"
source_ranges = ["1.1.1.1/32", "2.2.2.2/32"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | | [panoramas](#input\_panoramas) | A map containing each panorama setting.

Example of variable deployment :
panoramas = {
"panorama-01" = {
panorama_name = "panorama-01"
panorama_vpc = "panorama-vpc"
panorama_subnet = "panorama-subnet"
panorama_version = "panorama-byol-1000"
ssh_keys = "admin:PUBLIC-KEY"
attach_public_ip = true
private_static_ip = "172.21.21.2"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/panorama#inputs)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to | `string` | `"us-central1"` | no | diff --git a/examples/panorama_standalone/example.tfvars b/examples/panorama_standalone/example.tfvars index 9e86dc6f..85164ae8 100644 --- a/examples/panorama_standalone/example.tfvars +++ b/examples/panorama_standalone/example.tfvars @@ -7,12 +7,28 @@ name_prefix = "" networks = { "panorama-vpc" = { - create_network = true - create_subnetwork = true - name = "panorama-vpc" - subnetwork_name = "panorama-subnet" - ip_cidr_range = "172.21.21.0/24" - allowed_sources = ["1.1.1.1/32", "2.2.2.2/32"] + vpc_name = "firewall-vpc" + create_network = true + delete_default_routes_on_create = "false" + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + "panorama-sub" = { + name = "panorama-subnet" + create_subnetwork = true + ip_cidr_range = "172.21.21.0/24" + region = "us-central1" + } + } + firewall_rules = { + "allow-panorama-ingress" = { + name = "panorama-mgmt" + source_ranges = ["1.1.1.1/32", "2.2.2.2/32"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } @@ -22,8 +38,8 @@ panoramas = { "panorama-01" = { zone = "us-central1-a" panorama_name = "panorama-01" - panorama_vpc = "panorama-vpc" - panorama_subnet = "panorama-subnet" + vpc_network_key = "panorama-vpc" + subnetwork_key = "panorama-sub" panorama_version = "panorama-byol-1000" ssh_keys = "admin:" attach_public_ip = true diff --git a/examples/panorama_standalone/main.tf b/examples/panorama_standalone/main.tf index 1bbb2896..c8817953 100644 --- a/examples/panorama_standalone/main.tf +++ b/examples/panorama_standalone/main.tf 
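Review bot: `delete_default_routes_on_create = "false"` and `mtu = "1460"` in the new `networks` block are quoted strings where a boolean and a number are meant; Terraform coerces them if the module declares `bool`/`number` variables, but unquoted `false` and `1460` avoid relying on that and match the `create_network = true` style on the adjacent line. The VPC for the Panorama example is now named `vpc_name = "firewall-vpc"` under the key `"panorama-vpc"`, which reads like a copy-over from a firewall example; `vpc_name = "panorama-vpc"` keeps the resource name the removed `name = "panorama-vpc"` line produced. The same values are repeated in the example blocks of `examples/panorama_standalone/variables.tf` and its `README.md` in this commit.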
@@ -1,11 +1,22 @@ module "vpc" { source = "../../modules/vpc" - networks = { for k, v in var.networks : k => merge(v, { - name = "${var.name_prefix}${v.name}" - subnetwork_name = "${var.name_prefix}${v.subnetwork_name}" + for_each = var.networks + + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}" }) } + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) } module "panorama" { @@ -19,7 +30,7 @@ module "panorama" { zone = each.value.zone panorama_version = each.value.panorama_version ssh_keys = each.value.ssh_keys - subnet = module.vpc.subnetworks["${var.name_prefix}${each.value.panorama_subnet}"].self_link + subnet = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link private_static_ip = each.value.private_static_ip attach_public_ip = each.value.attach_public_ip log_disks = try(each.value.log_disks, []) diff --git a/examples/panorama_standalone/variables.tf b/examples/panorama_standalone/variables.tf index 9c50b62b..193f2a5f 100644 --- a/examples/panorama_standalone/variables.tf +++ b/examples/panorama_standalone/variables.tf 
@@ -23,16 +23,31 @@ variable "networks" { Example of variable deployment : ``` - vpcs = { + networks = { "panorama-vpc" = { - vpc_name = "panorama-vpc" - subnet_name = "panorama-subnet" - cidr = "172.21.21.0/24" - allowed_sources = ["1.1.1.1/32" , "2.2.2.2/32"] - create_network = true - create_subnetwork = true + vpc_name = "firewall-vpc" + create_network = true + delete_default_routes_on_create = "false" + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + "panorama-sub" = { + name = "panorama-subnet" + create_subnetwork = true + ip_cidr_range = "172.21.21.0/24" + region = "us-central1" + } + } + firewall_rules = { + "allow-panorama-ingress" = { + name = "panorama-mgmt" + source_ranges = ["1.1.1.1/32", "2.2.2.2/32"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } - } ``` For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks) diff --git a/examples/panorama_standalone/versions.tf b/examples/panorama_standalone/versions.tf index 5d83db04..cac47ea0 100644 --- a/examples/panorama_standalone/versions.tf +++ b/examples/panorama_standalone/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" } provider "google" { diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/README.md b/examples/standalone_vmseries_with_metadata_bootstrap/README.md index 3e2b6978..f163554a 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/README.md +++ b/examples/standalone_vmseries_with_metadata_bootstrap/README.md @@ -13,7 +13,7 @@ This example can be used to familarize oneself with both the VM-Series NGFW and | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers 
@@ -23,8 +23,8 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [management\_vpc](#module\_management\_vpc) | ../../modules/vpc | n/a | | [vmseries](#module\_vmseries) | ../../modules/vmseries | n/a | +| [vpc](#module\_vpc) | ../../modules/vpc | n/a | ### Resources @@ -34,18 +34,16 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allowed\_sources](#input\_allowed\_sources) | n/a | `any` | n/a | yes | -| [bootstrap\_options](#input\_bootstrap\_options) | n/a | `any` | n/a | yes | -| [name](#input\_name) | n/a | `any` | n/a | yes | -| [project](#input\_project) | n/a | `any` | n/a | yes | -| [region](#input\_region) | n/a | `any` | n/a | yes | -| [ssh\_keys](#input\_ssh\_keys) | n/a | `any` | n/a | yes | -| [vmseries\_image](#input\_vmseries\_image) | n/a | `any` | n/a | yes | +| [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"vmseries-vpc" = {
vpc_name = "firewall-vpc"
create_network = true
delete_default_routes_on_create = "false"
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
"vmseries-sub" = {
name = "vmseries-subnet"
create_subnetwork = true
ip_cidr_range = "172.21.21.0/24"
region = "us-central1"
}
}
firewall_rules = {
"allow-vmseries-ingress" = {
name = "vmseries-mgmt"
source_ranges = ["1.1.1.1/32", "2.2.2.2/32"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | +| [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-central1-b"
vmseries_image = "vmseries-flex-byol-1022h2"
ssh_keys = "admin:"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "vmseries-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no | ### Outputs | Name | Description | |------|-------------| -| [vmseries\_address](#output\_vmseries\_address) | n/a | -| [vmseries\_ssh\_command](#output\_vmseries\_ssh\_command) | n/a | +| [vmseries\_private\_ips](#output\_vmseries\_private\_ips) | Private IP addresses of the vmseries instances. | +| [vmseries\_public\_ips](#output\_vmseries\_public\_ips) | Public IP addresses of the vmseries instances. | \ No newline at end of file diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars index deafc591..9619eaa0 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars +++ b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars 
@@ -1,12 +1,71 @@ -project = "example" -region = "us-central1" -name = "example-vmseries" -allowed_sources = ["1.1.1.1/32", "2.2.2.2/32"] # Replace these values with your own source CIDRs. -ssh_keys = "admin:" -vmseries_image = "vmseries-flex-byol-1020" -bootstrap_options = { - hostname = "vms01" - panorama-server = "10.1.2.3" - plugin-op-commands = "numa-perf-optimize:enable,set-dp-cores:2" - type = "dhcp-client" +project = "" +name_prefix = "" + +networks = { + "vmseries-vpc" = { + vpc_name = "firewall-vpc" + create_network = true + delete_default_routes_on_create = false + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + "vmseries-sub" = { + name = "vmseries-subnet" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/24" + region = "us-central1" + } + } + firewall_rules = { + "allow-vmseries-ingress" = { + name = "vmseries-mgmt" + source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + } } + +vmseries = { + "fw-vmseries-01" = { + name = "fw-vmseries-01" + zone = "us-central1-b" + vmseries_image = "vmseries-flex-byol-1022h2" + ssh_keys = "admin:" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + tags = ["vmseries"] + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + bootstrap_options = { + panorama-server = "1.1.1.1" # Modify this value as per deployment requirements + dns-primary = "8.8.8.8" # Modify this value as per deployment requirements + dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + } + named_ports = [ + { + name = "http" + port = 80 + }, + { + name = "https" + port = 443 + } + ] + network_interfaces = [ + 
{ + vpc_network_key = "vmseries-vpc" + subnetwork_key = "vmseries-sub" + private_ip = "10.10.10.2" + create_public_ip = true + } + ] + } +} \ No newline at end of file diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/main.tf b/examples/standalone_vmseries_with_metadata_bootstrap/main.tf index af771902..09b588a3 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/main.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/main.tf 
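Review bot: The placeholders in this tfvars are real, routable public IPs rather than documentation addresses: `source_ranges = ["1.1.1.1/32"]` admits Cloudflare's resolver to the management subnet on all protocols (`allowed_protocol = "all"`, `allowed_ports = []`), and `panorama-server = "1.1.1.1"` under `bootstrap_options` would make a firewall deployed unmodified try to register with that host. RFC 5737 ranges such as `192.0.2.0/24` are the conventional safe placeholder, and the management rule should be narrowed to `allowed_protocol = "tcp"` with `allowed_ports = ["22", "443"]` since the instance also gets `create_public_ip = true`. The inline comment on `source_ranges` has a typo (`souurce`) that is repeated in the vmseries_ha tfvars below. The `cloud.useraccounts.readonly` scope in `scopes` appears to be the legacy pre-OS-Login scope; worth confirming it is still needed before shipping it as the recommended set.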
@@ -1,31 +1,47 @@ -module "management_vpc" { +module "vpc" { source = "../../modules/vpc" - networks = [ - { - name = "example-mgmt" - subnetwork_name = "example-mgmt" - ip_cidr_range = "10.236.64.0/28" - allowed_sources = var.allowed_sources - } - ] + for_each = var.networks + + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + } + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) } module "vmseries" { source = "../../modules/vmseries" - name = "example-vmseries" - zone = "us-central1-a" + for_each = var.vmseries + + name = "${var.name_prefix}${each.value.name}" + zone = each.value.zone + ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys) + vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image) + machine_type = try(each.value.machine_type, var.vmseries_common.machine_type) + min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake") + tags = try(each.value.tags, var.vmseries_common.tags, []) + scopes = try(each.value.scopes, var.vmseries_common.scopes, []) + create_instance_group = true - ssh_keys = var.ssh_keys - vmseries_image = var.vmseries_image + bootstrap_options = try(each.value.bootstrap_options, {}) - bootstrap_options = var.bootstrap_options + named_ports = try(each.value.named_ports, []) - network_interfaces = [ + network_interfaces = [for v in each.value.network_interfaces : { - subnetwork = module.management_vpc.subnetworks["example-mgmt"].self_link - create_public_ip = true - }, - ] + subnetwork = 
module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link + private_ip = v.private_ip + create_public_ip = try(v.create_public_ip, false) + }] } \ No newline at end of file diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/main_test.go b/examples/standalone_vmseries_with_metadata_bootstrap/main_test.go index 5734fc9b..7c48a624 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/main_test.go +++ b/examples/standalone_vmseries_with_metadata_bootstrap/main_test.go @@ -21,7 +21,7 @@ func CreateTerraformOptions(t *testing.T) *terraform.Options { TerraformDir: ".", VarFiles: []string{"example.tfvars"}, Vars: map[string]interface{}{ - "name": varsInfo.NamePrefix, + "name_prefix": varsInfo.NamePrefix, "project": varsInfo.GoogleProjectId, }, Logger: logger.Default, diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/outputs.tf b/examples/standalone_vmseries_with_metadata_bootstrap/outputs.tf index f7a6dddd..78fd4100 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/outputs.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/outputs.tf @@ -1,7 +1,9 @@ -output "vmseries_address" { - value = module.vmseries.public_ips[0] +output "vmseries_private_ips" { + description = "Private IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.private_ips } } -output "vmseries_ssh_command" { - value = "ssh admin@${module.vmseries.public_ips[0]}" +output "vmseries_public_ips" { + description = "Public IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.public_ips } } \ No newline at end of file diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf index 59db966e..f56533ea 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf 
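Review bot: `bootstrap_options = try(each.value.bootstrap_options, {})` in module "vmseries" reads only the per-instance map, yet the `vmseries_common` description added in this same commit says bootstrap options "can be moved" into `vmseries_common`; anything placed there (the example shows `type = "dhcp-client"` and `mgmt-interface-swap = "enable"`) is silently dropped, and for a metadata-bootstrapped firewall that means it boots without the intended Day 0 settings. `bootstrap_options = merge(try(var.vmseries_common.bootstrap_options, {}), try(each.value.bootstrap_options, {}))` implements the documented behaviour with per-instance values winning, matching how `ssh_keys`, `vmseries_image` and `machine_type` already fall back to the common map two lines above. Similarly `service_account_key`, which the `vmseries_common` example lists, is not passed anywhere in this module block, so either wire it to the vmseries module's service-account argument or drop it from the example to avoid implying the instance runs under a dedicated account.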
@@ -1,7 +1,134 @@ -variable "project" {} -variable "region" {} -variable "name" {} -variable "allowed_sources" {} -variable "ssh_keys" {} -variable "vmseries_image" {} -variable "bootstrap_options" {} \ No newline at end of file +# General +variable "project" { + description = "The project name to deploy the infrastructure in to." + type = string + default = null +} +variable "name_prefix" { + description = "A string to prefix resource namings" + type = string + default = "" +} + +# VPC +variable "networks" { + description = <<-EOF + A map containing each network setting. + + Example of variable deployment : + + ``` + networks = { + "vmseries-vpc" = { + vpc_name = "firewall-vpc" + create_network = true + delete_default_routes_on_create = "false" + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + "vmseries-sub" = { + name = "vmseries-subnet" + create_subnetwork = true + ip_cidr_range = "172.21.21.0/24" + region = "us-central1" + } + } + firewall_rules = { + "allow-vmseries-ingress" = { + name = "vmseries-mgmt" + source_ranges = ["1.1.1.1/32", "2.2.2.2/32"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } + } + ``` + + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks) + + Multiple keys can be added and will be deployed by the code + EOF +} + +variable "vmseries" { + description = <<-EOF + A map containing each individual vmseries setting. 
+ + Example of variable deployment : + + ``` + vmseries = { + "fw-vmseries-01" = { + name = "fw-vmseries-01" + zone = "us-central1-b" + vmseries_image = "vmseries-flex-byol-1022h2" + ssh_keys = "admin:" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + tags = ["vmseries"] + scopes = [ + "https://www.googleapis.com/auth/compute.readonly", + "https://www.googleapis.com/auth/cloud.useraccounts.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + bootstrap_options = { + panorama-server = "1.1.1.1" # Modify this value as per deployment requirements + dns-primary = "8.8.8.8" # Modify this value as per deployment requirements + dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + } + named_ports = [ + { + name = "http" + port = 80 + }, + { + name = "https" + port = 443 + } + ] + network_interfaces = [ + { + vpc_network_key = "vmseries-vpc" + subnetwork_key = "fw-mgmt-sub" + private_ip = "10.10.10.2" + create_public_ip = true + } + ] + } + } + ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs) + + The bootstrap_template_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs. + Multiple keys can be added and will be deployed by the code. + + EOF +} + +variable "vmseries_common" { + description = <<-EOF + A map containing common vmseries setting. + + Example of variable deployment : + + ``` + vmseries_common = { + ssh_keys = "admin:AAAABBBB..." 
+ vmseries_image = "vmseries-flex-byol-1022h2" + machine_type = "n2-standard-4" + min_cpu_platform = "Intel Cascade Lake" + service_account_key = "sa-vmseries-01" + bootstrap_options = { + type = "dhcp-client" + mgmt-interface-swap = "enable" + } + } + ``` + + Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). + EOF + default = {} +} \ No newline at end of file diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/versions.tf b/examples/standalone_vmseries_with_metadata_bootstrap/versions.tf index 83568113..d861a9e9 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/versions.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/versions.tf @@ -1,8 +1,7 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" } provider "google" { project = var.project - region = var.region } diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md index a0d1ee87..924961cf 100644 --- a/examples/vmseries_ha/README.md +++ b/examples/vmseries_ha/README.md @@ -66,7 +66,7 @@ cd terraform-google-vmseries-modules/examples/vmseries_ha 3. Copy the `example.tfvars` to `terraform.tfvars`. -`project`, `ssh_keys` and `allowed_sources` should be modified for successful deployment and access to the instance. +`project`, `ssh_keys` and `source_ranges` should be modified for successful deployment and access to the instance. There are also a few variables that have some default values but which should also be changed as per deployment requirements @@ -223,7 +223,7 @@ Check the succesful inbound and outbound traffic fail-over to and from the spoke | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers 
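Review bot: The `vmseries` example in this variable description uses `subnetwork_key = "fw-mgmt-sub"`, but the `networks` example immediately above it defines only `vmseries-sub`, so anyone copying both snippets hits an unknown-key error on `module.vpc[...].subnetworks[...]`; the tfvars in this commit uses `subnetwork_key = "vmseries-sub"` and the description should match it. The paragraph beginning "The bootstrap_template_map contains variables that will be applied to the bootstrap template" was carried over from the bucket-bootstrap examples and does not apply here, where bootstrap is via instance metadata and no template exists, so it should be removed. None of `networks`, `vmseries` or `vmseries_common` declares a `type`, so a misspelled attribute is only caught, if at all, at lookup or apply time; since the same commit raises `required_version` to `>= 1.3`, an `object(...)` type with `optional()` attributes is now available and would turn those into plan-time errors, which matters most for the firewall-rule and public-IP settings.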
@@ -260,17 +260,17 @@ Check the succesful inbound and outbound traffic fail-over to and from the spoke |------|-------------|------|---------|:--------:| | [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.

Example of variable deployment:
bootstrap_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket_name_prefix = "bucket-01-"
location = "us"
service_account_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.

Example of variable deployment :
lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `any` | `{}` | no | +| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `any` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"mgmt-network" = {
create_network = true
create_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork_name = "fw-mgmt-sub"
ip_cidr_range = "10.10.10.0/28"
allowed_sources = ["1.1.1.1/32"]
delete_default_routes_on_create = false
allowed_protocol = "all"
allowed_ports = []
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | -| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
network = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | -| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network = "fw-trust-vpc"
peer_network = "spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vmseries_ha/example.tfvars b/examples/vmseries_ha/example.tfvars index 0ad4e6db..31c7633f 100644 --- a/examples/vmseries_ha/example.tfvars +++ b/examples/vmseries_ha/example.tfvars 
@@ -41,71 +41,149 @@ bootstrap_buckets = { # VPC networks = { - mgmt = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - untrust = { + fw-untrust-vpc = { + vpc_name = "fw-untrust-vpc" create_network = true - create_subnetwork = true - name = "fw-untrust-vpc" - subnetwork_name = "fw-untrust-sub" - ip_cidr_range = "10.10.11.0/28" - allowed_sources = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-untrust-sub = { + name = "fw-untrust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.11.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-untrust-ingress = { + name = "allow-untrust-vpc" + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. 
+ priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - trust = { + fw-trust-vpc = { + vpc_name = "fw-trust-vpc" create_network = true - create_subnetwork = true - name = "fw-trust-vpc" - subnetwork_name = "fw-trust-sub" - ip_cidr_range = "10.10.12.0/28" - allowed_sources = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-trust-sub = { + name = "fw-trust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.12.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-trust-ingress = { + name = "allow-trust-vpc" + source_ranges = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - ha-2 = { + fw-ha2-vpc = { + vpc_name = "fw-ha2-vpc" create_network = true - create_subnetwork = true - name = "fw-ha2-vpc" - subnetwork_name = "fw-ha2-sub" - ip_cidr_range = "10.10.13.0/28" - allowed_sources = ["10.10.13.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-ha2-sub = { + name = "fw-ha2-sub" + create_subnetwork = true + ip_cidr_range = "10.10.13.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-ha2-ingress = { + name = "allow-ha2-vpc" + source_ranges = ["10.10.13.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - spoke1 = { + fw-spoke1-vpc = { + vpc_name = "fw-spoke1-vpc" create_network = true - create_subnetwork = true - name = "spoke1-vpc" - subnetwork_name = "spoke1-sub" - ip_cidr_range = "192.168.1.0/28" - allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke1-sub = { + 
name = "fw-spoke1-sub" + create_subnetwork = true + ip_cidr_range = "192.168.1.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke1-ingress = { + name = "allow-spoke1-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - spoke2 = { + fw-spoke2-vpc = { + vpc_name = "fw-spoke2-vpc" create_network = true - create_subnetwork = true - name = "spoke2-vpc" - subnetwork_name = "spoke2-sub" - ip_cidr_range = "192.168.2.0/28" - allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke2-sub = { + name = "fw-spoke2-sub" + create_subnetwork = true + ip_cidr_range = "192.168.2.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke2-ingress = { + name = "allow-spoke2-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } @@ -113,8 +191,8 @@ networks = { vpc_peerings = { trust-to-spoke1 = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -127,8 +205,8 @@ vpc_peerings = { peer_import_subnet_routes_with_public_ip = true }, trust-to-spoke2 = { - local_network = "fw-trust-vpc" - peer_network = "spoke2-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke2-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -147,7 +225,7 @@ routes = { fw-default-trust = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" lb_internal_key = "internal-lb" } } 
@@ -207,22 +285,26 @@ vmseries = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.2" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + private_ip = "10.10.12.2" }, { - subnetwork = "fw-ha2-sub" - private_ip = "10.10.13.2" + vpc_network_key = "fw-ha2-vpc" + subnetwork_key = "fw-ha2-sub" + private_ip = "10.10.13.2" } ] }, @@ -266,22 +348,26 @@ vmseries = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.3" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.3" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.3" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + private_ip = "10.10.12.3" }, { - subnetwork = "fw-ha2-sub" - private_ip = "10.10.13.3" + vpc_network_key = "fw-ha2-vpc" + subnetwork_key = "fw-ha2-sub" + private_ip = "10.10.13.3" } ] } @@ -293,7 +379,8 @@ linux_vms = { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", 
@@ -331,7 +418,8 @@ linux_vms = { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke2-sub" + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-sub" private_ip = "192.168.2.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", @@ -351,8 +439,8 @@ lbs_internal = { health_check_port = "80" backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" } } diff --git a/examples/vmseries_ha/main.tf b/examples/vmseries_ha/main.tf index ca5fc888..d1f1de4e 100644 --- a/examples/vmseries_ha/main.tf +++ b/examples/vmseries_ha/main.tf @@ -68,12 +68,22 @@ module "bootstrap" { module "vpc" { source = "../../modules/vpc" - networks = { for k, v in var.networks : k => merge(v, { - name = "${var.name_prefix}${v.name}" - subnetwork_name = "${var.name_prefix}${v.subnetwork_name}" + for_each = var.networks + + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}" }) } - + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) } resource "google_compute_route" "this" { 
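Review bot: In the `module "vpc"` hunk, wrapping the whole comprehension in `try({ for k, v in each.value.firewall_rules : ... }, {})` swallows every evaluation error inside it, not only a missing `firewall_rules` attribute; a rule with a typo in `name` makes the expression fail, `try` falls back to `{}`, and the VPC is created with no firewall rules at all and no error (GCP's default ingress is deny, so this surfaces later as unexplained blocked traffic rather than at plan time). Only the attribute lookup should be guarded, e.g. `firewall_rules = { for k, v in try(each.value.firewall_rules, {}) : k => merge(v, {`, which also matches how `subnetworks` on the lines above is handled without a guard. The same pattern appears in the `module "vpc"` hunk of examples/vpc_peering_common/main.tf further down in this patch.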
@@ -82,7 +92,7 @@ resource "google_compute_route" "this" { name = "${var.name_prefix}${each.value.name}" dest_range = each.value.destination_range - network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link next_hop_ilb = module.lb_internal[each.value.lb_internal_key].forwarding_rule priority = 100 } @@ -92,8 +102,8 @@ module "vpc_peering" { for_each = var.vpc_peerings - local_network = module.vpc.networks["${var.name_prefix}${each.value.local_network}"].id - peer_network = module.vpc.networks["${var.name_prefix}${each.value.peer_network}"].id + local_network = module.vpc[each.value.local_network_key].network.id + peer_network = module.vpc[each.value.peer_network_key].network.id local_export_custom_routes = each.value.local_export_custom_routes local_import_custom_routes = each.value.local_import_custom_routes @@ -135,7 +145,7 @@ module "vmseries" { network_interfaces = [for v in each.value.network_interfaces : { - subnetwork = module.vpc.subnetworks["${var.name_prefix}${v.subnetwork}"].self_link + subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link private_ip = v.private_ip create_public_ip = try(v.create_public_ip, false) }] @@ -161,7 +171,7 @@ resource "google_compute_instance" "linux_vm" { } network_interface { - subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link network_ip = each.value.private_ip } 
@@ -187,8 +197,8 @@ module "lb_internal" { health_check_port = try(each.value.health_check_port, "80") backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } ip_address = each.value.ip_address - subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link - network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link all_ports = true } diff --git a/examples/vmseries_ha/variables.tf b/examples/vmseries_ha/variables.tf index 6dd36bd2..1d391aaa 100644 --- a/examples/vmseries_ha/variables.tf +++ b/examples/vmseries_ha/variables.tf @@ -83,16 +83,29 @@ variable "networks" { ``` networks = { - "mgmt-network" = { - create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["1.1.1.1/32"] + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" + create_network = true delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } ``` @@ -112,8 +125,8 @@ variable "vpc_peerings" { ``` vpc_peerings = { "trust-to-spoke1" = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true 
@@ -146,7 +159,7 @@ variable "routes" { "default-route-trust" = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" lb_internal_name = "internal-lb" } } @@ -230,19 +243,22 @@ variable "vmseries" { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" private_ip = "10.10.12.2" - } + }, ] } } @@ -270,8 +286,8 @@ variable "lbs_internal" { health_check_port = "80" backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + vpc_network_key = "fw-trust-vpc" } } ``` @@ -325,7 +341,8 @@ variable "linux_vms" { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", diff --git a/examples/vmseries_ha/versions.tf b/examples/vmseries_ha/versions.tf index 671d80df..be4682a0 100644 --- a/examples/vmseries_ha/versions.tf +++ b/examples/vmseries_ha/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" } provider "google" { diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md index 800dbbec..2ebc164c 100644 --- a/examples/vpc_peering_common/README.md +++ b/examples/vpc_peering_common/README.md 
@@ -65,7 +65,7 @@ cd terraform-google-vmseries-modules/examples/vpc-peering-common 3. Copy the `example.tfvars` to `terraform.tfvars`. -`project`, `ssh_keys` and `allowed_sources` should be modified for successful deployment and access to the instance. +`project`, `ssh_keys` and `source_ranges` should be modified for successful deployment and access to the instance. There are also a few variables that have some default values but which should also be changed as per deployment requirements @@ -188,7 +188,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers @@ -225,17 +225,17 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the |------|-------------|------|---------|:--------:| | [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.

Example of variable deployment:
bootstrap_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket_name_prefix = "bucket-01-"
location = "us"
service_account_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.

Example of variable deployment :
lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | +| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"mgmt-network" = {
create_network = true
create_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork_name = "fw-mgmt-sub"
ip_cidr_range = "10.10.10.0/28"
allowed_sources = ["1.1.1.1/32"]
delete_default_routes_on_create = false
allowed_protocol = "all"
allowed_ports = []
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | -| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
network = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | -| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network = "fw-trust-vpc"
peer_network = "spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_common/example.tfvars b/examples/vpc_peering_common/example.tfvars index b4d514ff..23691dba 100644 --- a/examples/vpc_peering_common/example.tfvars +++ b/examples/vpc_peering_common/example.tfvars 
@@ -41,60 +41,125 @@ bootstrap_buckets = { # VPC networks = { - mgmt = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - untrust = { + fw-untrust-vpc = { + vpc_name = "fw-untrust-vpc" create_network = true - create_subnetwork = true - name = "fw-untrust-vpc" - subnetwork_name = "fw-untrust-sub" - ip_cidr_range = "10.10.11.0/28" - allowed_sources = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-untrust-sub = { + name = "fw-untrust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.11.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-untrust-ingress = { + name = "allow-untrust-vpc" + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. 
+ priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - trust = { + fw-trust-vpc = { + vpc_name = "fw-trust-vpc" create_network = true - create_subnetwork = true - name = "fw-trust-vpc" - subnetwork_name = "fw-trust-sub" - ip_cidr_range = "10.10.12.0/28" - allowed_sources = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-trust-sub = { + name = "fw-trust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.12.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-trust-ingress = { + name = "allow-trust-vpc" + source_ranges = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - spoke1 = { + fw-spoke1-vpc = { + vpc_name = "fw-spoke1-vpc" create_network = true - create_subnetwork = true - name = "spoke1-vpc" - subnetwork_name = "spoke1-sub" - ip_cidr_range = "192.168.1.0/28" - allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke1-sub = { + name = "fw-spoke1-sub" + create_subnetwork = true + ip_cidr_range = "192.168.1.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke1-ingress = { + name = "allow-spoke1-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - spoke2 = { + fw-spoke2-vpc = { + vpc_name = "fw-spoke2-vpc" create_network = true - create_subnetwork = true - name = "spoke2-vpc" - subnetwork_name = "spoke2-sub" - ip_cidr_range = "192.168.2.0/28" - allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - 
allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke2-sub = { + name = "fw-spoke2-sub" + create_subnetwork = true + ip_cidr_range = "192.168.2.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-spoke2-ingress = { + name = "allow-spoke2-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } @@ -102,8 +167,8 @@ networks = { vpc_peerings = { trust-to-spoke1 = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -116,8 +181,8 @@ vpc_peerings = { peer_import_subnet_routes_with_public_ip = true }, trust-to-spoke2 = { - local_network = "fw-trust-vpc" - peer_network = "spoke2-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke2-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -136,7 +201,7 @@ routes = { fw-default-trust = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" lb_internal_key = "internal-lb" } } @@ -192,18 +257,21 @@ vmseries = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.2" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + private_ip = "10.10.12.2" } ] }, 
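Review bot: The new `allow-untrust-ingress` rule adds `"1.1.1.1/32"` with the "for management purposes" comment to the untrust VPC, which the old side of this example did not allow, and in this example management appears to be reached via `fw-mgmt-vpc` rather than the untrust interface. Combined with `allowed_protocol = "all"`, this permits every protocol from that address on the internet-facing interface, and a deployer who does not replace the placeholder (a routable public address) grants that to an address they do not control. Unless the untrust path is meant for administration here, keep the untrust rule limited to the load-balancer and health-check ranges, `source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]`, and leave the admin source only on the mgmt rule.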
@@ -243,18 +311,21 @@ vmseries = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.3" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.3" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.3" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + private_ip = "10.10.12.3" } ] } @@ -266,7 +337,8 @@ linux_vms = { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", @@ -281,7 +353,8 @@ linux_vms = { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke2-sub" + vpc_network_key = "fw-spoke2-vpc" + subnetwork_key = "fw-spoke2-sub" private_ip = "192.168.2.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", @@ -302,7 +375,8 @@ lbs_internal = { backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" } } diff --git a/examples/vpc_peering_common/main.tf b/examples/vpc_peering_common/main.tf index df9dc42a..82a25ed7 100644 --- a/examples/vpc_peering_common/main.tf +++ b/examples/vpc_peering_common/main.tf 
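Review bot: In the `lbs_internal` hunk (`@@ -302,7 +375,8 @@`) the old `subnetwork = "fw-trust-sub"` line survives as context right above the new `subnetwork_key = "fw-trust-sub"`, while the sibling `network` line was correctly replaced by `vpc_network_key`. main.tf in this same commit now reads `each.value.subnetwork_key` for the lb_internal module, so the leftover `subnetwork` attribute is dead input; the variable's type is not visible here, but if it is `map(any)` Terraform will not flag the stray key, and the variables.tf example for `lbs_internal` in this commit already drops it. Remove the stale line so the example carries only `subnetwork_key = "fw-trust-sub"` and `vpc_network_key = "fw-trust-vpc"`.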
@@ -62,12 +62,22 @@ module "bootstrap" { module "vpc" { source = "../../modules/vpc" - networks = { for k, v in var.networks : k => merge(v, { - name = "${var.name_prefix}${v.name}" - subnetwork_name = "${var.name_prefix}${v.subnetwork_name}" + for_each = var.networks + + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}" }) } - + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) } resource "google_compute_route" "this" { @@ -76,7 +86,7 @@ resource "google_compute_route" "this" { name = "${var.name_prefix}${each.value.name}" dest_range = each.value.destination_range - network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link next_hop_ilb = module.lb_internal[each.value.lb_internal_key].forwarding_rule priority = 100 } @@ -86,8 +96,8 @@ module "vpc_peering" { for_each = var.vpc_peerings - local_network = module.vpc.networks["${var.name_prefix}${each.value.local_network}"].id - peer_network = module.vpc.networks["${var.name_prefix}${each.value.peer_network}"].id + local_network = module.vpc[each.value.local_network_key].network.id + peer_network = module.vpc[each.value.peer_network_key].network.id local_export_custom_routes = each.value.local_export_custom_routes local_import_custom_routes = each.value.local_import_custom_routes 
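Review bot: The `try()` wrapped around the whole `firewall_rules` for-expression in `module "vpc"` masks more than a missing attribute: a rule that lacks `name` (or is otherwise malformed) makes the entire expression fail, the `{}` fallback is taken, and the VPC is created with no firewall rules and no diagnostic. Narrow the fallback to the one attribute that may legitimately be absent: `firewall_rules = { for k, v in try(each.value.firewall_rules, {}) : k => merge(v, { name = "${var.name_prefix}${v.name}" }) }`. That keeps networks without a `firewall_rules` key working while a broken rule still fails at plan time, and it matches the `subnetworks` expression two lines above, which has no fallback at all.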
@@ -129,7 +139,7 @@ module "vmseries" { network_interfaces = [for v in each.value.network_interfaces : { - subnetwork = module.vpc.subnetworks["${var.name_prefix}${v.subnetwork}"].self_link + subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link private_ip = v.private_ip create_public_ip = try(v.create_public_ip, false) }] @@ -155,7 +165,7 @@ resource "google_compute_instance" "linux_vm" { } network_interface { - subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link network_ip = each.value.private_ip } @@ -180,8 +190,8 @@ module "lb_internal" { health_check_port = try(each.value.health_check_port, "80") backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } ip_address = each.value.ip_address - subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link - network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link all_ports = true } diff --git a/examples/vpc_peering_common/variables.tf b/examples/vpc_peering_common/variables.tf index b0e8dd23..fefef8ef 100644 --- a/examples/vpc_peering_common/variables.tf +++ b/examples/vpc_peering_common/variables.tf 
@@ -83,16 +83,29 @@ variable "networks" { ``` networks = { - "mgmt-network" = { - create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["1.1.1.1/32"] + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" + create_network = true delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } ``` @@ -112,8 +125,8 @@ variable "vpc_peerings" { ``` vpc_peerings = { "trust-to-spoke1" = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -146,7 +159,7 @@ variable "routes" { "default-route-trust" = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "fw-trust-vpc" + vpc_network_key = "fw-trust-vpc" lb_internal_name = "internal-lb" } } @@ -230,19 +243,22 @@ variable "vmseries" { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" private_ip = "10.10.12.2" - } + }, ] } } 
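Review bot: The added comment in the `networks` example misspells "source" (`# Replace 1.1.1.1/32 with your own souurce IP address ...`); since this string is copied verbatim into the README input table, the typo propagates to the generated documentation. Suggested text: `# Replace 1.1.1.1/32 with your own source IP address for management purposes.`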
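Review bot: The `routes` example (`@@ -146,7 +159,7 @@ variable "routes"`) renames `network` to `vpc_network_key` but keeps `lb_internal_name = "internal-lb"` as context, whereas main.tf in this commit resolves the next hop with `module.lb_internal[each.value.lb_internal_key]` and example.tfvars already uses `lb_internal_key = "internal-lb"`. A user who copies this documented example gets a plan-time error on the missing `lb_internal_key` attribute. Change the example line to `lb_internal_key = "internal-lb"` so the documentation matches the key the code actually reads.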
@@ -270,8 +286,8 @@ variable "lbs_internal" { health_check_port = "80" backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub" + vpc_network_key = "fw-trust-vpc" } } ``` @@ -325,7 +341,8 @@ variable "linux_vms" { linux_machine_type = "n2-standard-4" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", diff --git a/examples/vpc_peering_common/versions.tf b/examples/vpc_peering_common/versions.tf index 5f141c52..785e9269 100644 --- a/examples/vpc_peering_common/versions.tf +++ b/examples/vpc_peering_common/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" } provider "google" { diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md index bc67dcd7..9522645b 100644 --- a/examples/vpc_peering_common_with_network_tags/README.md +++ b/examples/vpc_peering_common_with_network_tags/README.md 
@@ -25,8 +25,7 @@ With default variable values the topology consists of : ### Traffic flows details -- Spoke Linux VM 1 will have the network tag value of the `var.region-1` variable thus inheriting the default route towards region-1 internal loadbalancer. -- Spoke Linux VM 2 will inherit the network tag value of the `var.region-2` variable thus sending traffic towards region-2 internal laodbalancer. +- Each Spoke VM will have the network tag value of the `each.value.region` iterated variable thus inheriting the default route towards local region internal loadbalancer . - In the bootstrap XML file there are two NAT policies configured : - One for outside traffic (trust to untrust). - One for east-west traffic (trust to trust) - this one is required for symmetric traffic flows for east-west traffic in case there are multiple spoke VPC networks. @@ -48,10 +47,7 @@ git clone https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules cd terraform-google-vmseries-modules/examples/vpc-peering-common-with-network-tags ``` -3. Fill out any modifications to `example.tfvars` file - at least `project`, `ssh_keys` and `allowed_sources` should be modified for successful deployment and access to the instance. There is also a few variables that have some default values but which should also be changed as per deployment requirements : - - General - - region_1 - - region_2 +3. Fill out any modifications to `example.tfvars` file - at least `project`, `ssh_keys` and `source_ranges` should be modified for successful deployment and access to the instance. There is also a few variables that have some default values but which should also be changed as per deployment requirements : - vmseries - bootstrap_options - panorama-server 
@@ -76,29 +72,23 @@ Apply complete! Resources: 115 added, 0 changed, 0 destroyed. (Number of resourc Outputs: -lbs_external_ips_region_1 = { - "external-lb" = { +lbs_external_ips = { + "external-lb-region-1" = { "all-ports-region-1" = "" } -} -lbs_external_ips_region_2 = { - "external-lb" = { + "external-lb-region-2" = { "all-ports-region-2" = "" } } -lbs_internal_ips_region_1 = { - "internal-lb" = "10.10.12.5" -} -lbs_internal_ips_region_2 = { - "internal-lb" = "10.20.12.5" +lbs_internal_ips = { + "internal-lb-region-1" = "10.10.12.5" + "internal-lb-region-2" = "10.20.12.5" } -linux_vm_ips_region_1 = { +linux_vm_ips = { "spoke1-vm" = "192.168.1.2" -} -linux_vm_ips_region_2 = { "spoke2-vm" = "192.168.2.2" } -vmseries_private_ips_region_1 = { +vmseries_private_ips = { "fw-vmseries-01" = { "0" = "10.10.11.2" "1" = "10.10.10.2" @@ -109,8 +99,6 @@ vmseries_private_ips_region_1 = { "1" = "10.10.10.3" "2" = "10.10.12.3" } -} -vmseries_private_ips_region_2 = { "fw-vmseries-03" = { "0" = "10.20.11.2" "1" = "10.20.10.2" @@ -122,17 +110,15 @@ vmseries_private_ips_region_2 = { "2" = "10.20.12.3" } } -vmseries_public_ips_region_1 = { +vmseries_public_ips = { "fw-vmseries-01" = { "0" = "" - "1" = "34.23.101.41" + "1" = "" } "fw-vmseries-02" = { "0" = "" "1" = "" } -} -vmseries_public_ips_region_2 = { "fw-vmseries-03" = { "0" = "" "1" = "" @@ -142,6 +128,7 @@ vmseries_public_ips_region_2 = { "1" = "" } } + ``` @@ -191,7 +178,7 @@ SSH to the spoke VMs using GCP IAP and gcloud command and test connectivity : ``` -gcloud compute ssh spoke1-vm +gcloud compute ssh spoke1-vm- No zone specified. Using zone [us-east1-b] for instance: [spoke1-vm]. External IP address was not found; defaulting to using IAP tunneling. WARNING: 
@@ -203,7 +190,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the ``` ``` -gcloud compute ssh spoke2-vm +gcloud compute ssh spoke2-vm- No zone specified. Using zone [us-west1-b] for instance: [spoke2-vm]. External IP address was not found; defaulting to using IAP tunneling. WARNING: @@ -220,7 +207,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers 
@@ -235,28 +222,20 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the |------|--------|---------| | [bootstrap](#module\_bootstrap) | ../../modules/bootstrap | n/a | | [iam\_service\_account](#module\_iam\_service\_account) | ../../modules/iam_service_account | n/a | -| [lb\_external\_region\_1](#module\_lb\_external\_region\_1) | ../../modules/lb_external | n/a | -| [lb\_external\_region\_2](#module\_lb\_external\_region\_2) | ../../modules/lb_external | n/a | -| [lb\_internal\_region\_1](#module\_lb\_internal\_region\_1) | ../../modules/lb_internal | n/a | -| [lb\_internal\_region\_2](#module\_lb\_internal\_region\_2) | ../../modules/lb_internal | n/a | -| [vmseries\_region\_1](#module\_vmseries\_region\_1) | ../../modules/vmseries | n/a | -| [vmseries\_region\_2](#module\_vmseries\_region\_2) | ../../modules/vmseries | n/a | +| [lb\_external](#module\_lb\_external) | ../../modules/lb_external | n/a | +| [lb\_internal](#module\_lb\_internal) | ../../modules/lb_internal | n/a | +| [vmseries](#module\_vmseries) | ../../modules/vmseries | n/a | +| [vpc](#module\_vpc) | ../../modules/vpc | n/a | | [vpc\_peering](#module\_vpc\_peering) | ../../modules/vpc-peering | n/a | -| [vpc\_region\_1](#module\_vpc\_region\_1) | ../../modules/vpc | n/a | -| [vpc\_region\_2](#module\_vpc\_region\_2) | ../../modules/vpc | n/a | ### Resources | Name | Type | |------|------| -| [google_compute_instance.linux_vm_region_1](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource | -| [google_compute_instance.linux_vm_region_2](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource | -| [google_compute_route.route_region_1](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource | -| 
[google_compute_route.route_region_2](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource | -| [local_file.bootstrap_xml_region_1](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.bootstrap_xml_region_2](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.init_cfg_region_1](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.init_cfg_region_2](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [google_compute_instance.linux_vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource | +| [google_compute_route.route](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource | +| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [local_file.init_cfg](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [google_compute_image.my_image](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source | ### Inputs @@ -264,38 +243,25 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.

Example of variable deployment:
bootstrap_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket_name_prefix = "bucket-01-"
location = "us"
service_account_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_external\_region\_1](#input\_lbs\_external\_region\_1) | A map containing each external loadbalancer setting for region\_1 instances.

Example of variable deployment :
lbs_external_region_1 = {
external-lb = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
all-ports-region_1 = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_external\_region\_2](#input\_lbs\_external\_region\_2) | A map containing each external loadbalancer setting for region\_2 instances.

Example of variable deployment :
lbs_external_region_2 = {
external-lb = {
name = "external-lb"
backends = ["fw-vmseries-03", "fw-vmseries-04"]
rules = {
all-ports-region_2 = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_internal\_region\_1](#input\_lbs\_internal\_region\_1) | A map containing each internal loadbalancer setting for region\_1 instances.

Example of variable deployment :
lbs_internal_region_1 = {
internal-lb = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_internal\_region\_2](#input\_lbs\_internal\_region\_2) | A map containing each internal loadbalancer setting for region\_2 instances.

Example of variable deployment :
lbs_internal_region_2 = {
internal-lb = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-03", "fw-vmseries-04"]
ip_address = "10.20.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [linux\_vms\_region\_1](#input\_linux\_vms\_region\_1) | A map containing each Linux VM configuration in region\_1 that will be placed in spoke VPC network for testing purposes.

Example of varaible deployment:
linux_vms_region_1 = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | -| [linux\_vms\_region\_2](#input\_linux\_vms\_region\_2) | A map containing each Linux VM configuration in region\_2 that will be placed in spoke VPC network for testing purposes.

Example of varaible deployment:
linux_vms_region_2 = {
spoke2-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-west1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.2.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | +| [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting .

Example of variable deployment :
lbs_external_region_1 = {
external-lb-region-1 = {
name = "external-lb"
region = "us-east1"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
all-ports-region-1 = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting .

Example of variable deployment :
lbs_internal = {
internal-lb-region-1 = {
name = "internal-lb"
region = "us-east1"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub-region-1"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration in region\_1 that will be placed in spoke VPC network for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
region = "us-east1"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub-region-1"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks\_region\_1](#input\_networks\_region\_1) | A map containing each network setting for region\_1.

This map also contains the VPC networks creation for the deployment.

Example of variable deployment :
networks_region_1 = {
mgmt = {
create_network = true
create_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork_name = "fw-mgmt-sub"
ip_cidr_range = "10.10.10.0/28"
allowed_sources = ["1.1.1.1/32"]
delete_default_routes_on_create = false
allowed_protocol = "all"
allowed_ports = []
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [networks\_region\_2](#input\_networks\_region\_2) | A map containing each network setting for region\_2.

In this map - only subnetworks are being created, while referencing previously created VPC networks.

Example of variable deployment :
networks_region_2 = {
mgmt = {
create_network = false
create_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork_name = "fw-mgmt-sub"
ip_cidr_range = "10.20.10.0/28"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | -| [region\_1](#input\_region\_1) | The first region into which to deploy the infrastructure in to. | `string` | `"us-east1"` | no | -| [region\_2](#input\_region\_2) | The second region into which to deploy the infrastructure in to. | `string` | `"us-west1"` | no | -| [routes\_region\_1](#input\_routes\_region\_1) | A map containing each route setting for region\_1. Note that you can only add routes using a next-hop type of internal load-balance rule.

The code automatically binds this route to an instance network tag that has the value of region\_1 variable.

Example of variable deployment :
routes-region_1 = {
fw-default-trust = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
network = "spoke1-vpc"
lb_internal_key = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [routes\_region\_2](#input\_routes\_region\_2) | A map containing each route setting for region\_2. Note that you can only add routes using a next-hop type of internal load-balance rule.

The code automatically binds this route to an instance network tag that has the value of region\_2 variable.

Example of variable deployment :
routes-region_2 = {
fw-default-trust = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
network = "spoke1-vpc"
lb_internal_key = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
fw-default-trust-region-1 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-1"
region = "us-east1"
tags = ["us-east1"]
},
fw-default-trust-region-2 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-2"
region = "us-west1"
tags = ["us-west1"]
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting for vmseries instances.

Example of variable deployment :
vmseries = {
fw-vmseries-01 = {
name = "fw-vmseries-01"
region = "us-east1"
zone = "us-east1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (Region-1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub-region-1"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub-region-1"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub-region-1"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | -| [vmseries\_region\_1](#input\_vmseries\_region\_1) | A map containing each individual vmseries setting for region\_1 instances.

Example of variable deployment :
vmseries_region_1 = {
fw-vmseries-01 = {
name = "fw-vmseries-01"
zone = "us-east1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.10.12.2"
}
]
},
fw-vmseries-02 = {
name = "fw-vmseries-02"
zone = "us-east1-c"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.10.11.3"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.10.10.3"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.10.12.3"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_region\_2](#input\_vmseries\_region\_2) | A map containing each individual vmseries setting for region\_2 instances.

Example of variable deployment :
vmseries_region_2 = {
fw-vmseries-03 = {
name = "fw-vmseries-03"
zone = "us-west1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.20.12.1"
untrust_gcp_router_ip = "10.20.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "2.2.2.2/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_2) after the infrastructure is deployed
trust_loopback_ip = "10.20.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.20.11.2"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.20.10.2"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.20.12.2"
}
]
},
fw-vmseries-04 = {
name = "fw-vmseries-04"
zone = "us-west1-c"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.20.12.1"
untrust_gcp_router_ip = "10.20.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "2.2.2.2/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_2) after the infrastructure is deployed
trust_loopback_ip = "10.20.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.20.11.3"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.20.10.3"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.20.12.3"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

This is done only once since it's being called at the network level and not at the subnetwork which is dependent on the region.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network = "fw-trust-vpc"
peer_network = "spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs | Name | Description | |------|-------------| -| [lbs\_external\_ips\_region\_1](#output\_lbs\_external\_ips\_region\_1) | Public IP addresses of external network loadbalancers in region-1. | -| [lbs\_external\_ips\_region\_2](#output\_lbs\_external\_ips\_region\_2) | Public IP addresses of external network loadbalancers in region-2. | -| [lbs\_internal\_ips\_region\_1](#output\_lbs\_internal\_ips\_region\_1) | Private IP addresses of internal network loadbalancers in region-1. | -| [lbs\_internal\_ips\_region\_2](#output\_lbs\_internal\_ips\_region\_2) | Private IP addresses of internal network loadbalancers in region-2. | -| [linux\_vm\_ips\_region\_1](#output\_linux\_vm\_ips\_region\_1) | Private IP addresses of Linux VMs in region-1. | -| [linux\_vm\_ips\_region\_2](#output\_linux\_vm\_ips\_region\_2) | Private IP addresses of Linux VMs in region-2. | -| [vmseries\_private\_ips\_region\_1](#output\_vmseries\_private\_ips\_region\_1) | Private IP addresses of the vmseries instances in region-1. | -| [vmseries\_private\_ips\_region\_2](#output\_vmseries\_private\_ips\_region\_2) | Private IP addresses of the vmseries instances in region-2. | -| [vmseries\_public\_ips\_region\_1](#output\_vmseries\_public\_ips\_region\_1) | Public IP addresses of the vmseries instances in region-1. | -| [vmseries\_public\_ips\_region\_2](#output\_vmseries\_public\_ips\_region\_2) | Public IP addresses of the vmseries instances in region-2. | +| [lbs\_external\_ips](#output\_lbs\_external\_ips) | Public IP addresses of external network loadbalancers. | +| [lbs\_internal\_ips](#output\_lbs\_internal\_ips) | Private IP addresses of internal network loadbalancers. | +| [linux\_vm\_ips](#output\_linux\_vm\_ips) | Private IP addresses of Linux VMs. | +| [vmseries\_private\_ips](#output\_vmseries\_private\_ips) | Private IP addresses of the vmseries instances. 
|
+| [vmseries\_public\_ips](#output\_vmseries\_public\_ips) | Public IP addresses of the vmseries instances. |
diff --git a/examples/vpc_peering_common_with_network_tags/example.tfvars b/examples/vpc_peering_common_with_network_tags/example.tfvars
index 869ec49d..9b1481e2 100644
--- a/examples/vpc_peering_common_with_network_tags/example.tfvars
+++ b/examples/vpc_peering_common_with_network_tags/example.tfvars
@@ -1,7 +1,5 @@
# General
project = ""
-region_1 = "us-east1" # Modify this value as per deployment requirements
-region_2 = "us-west1" # Modify this value as per deployment requirements
name_prefix = ""
# Service accounts
@@ -41,81 +39,126 @@ bootstrap_buckets = { # VPC -networks_region_1 = { - mgmt = { +networks = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub-region-1 = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + }, + fw-mgmt-sub-region-2 = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.20.10.0/28" + region = "us-west1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. 
+ priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - untrust = { + fw-untrust-vpc = { + vpc_name = "fw-untrust-vpc" create_network = true - create_subnetwork = true - name = "fw-untrust-vpc" - subnetwork_name = "fw-untrust-sub" - ip_cidr_range = "10.10.11.0/28" - allowed_sources = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-untrust-sub-region-1 = { + name = "fw-untrust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.11.0/28" + region = "us-east1" + }, + fw-untrust-sub-region-2 = { + name = "fw-untrust-sub" + create_subnetwork = true + ip_cidr_range = "10.20.11.0/28" + region = "us-west1" + } + } + firewall_rules = { + allow-untrust-ingress = { + name = "allow-untrust-vpc" + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - trust = { + fw-trust-vpc = { + vpc_name = "fw-trust-vpc" create_network = true - create_subnetwork = true - name = "fw-trust-vpc" - subnetwork_name = "fw-trust-sub" - ip_cidr_range = "10.10.12.0/28" - allowed_sources = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-trust-sub-region-1 = { + name = "fw-trust-sub" + create_subnetwork = true + ip_cidr_range = "10.10.12.0/28" + region = "us-east1" + }, + fw-trust-sub-region-2 = { + name = "fw-trust-sub" + create_subnetwork = true + ip_cidr_range = "10.20.12.0/28" + region = "us-west1" + } + } + firewall_rules = { + allow-trust-ingress = { + name = "allow-trust-vpc" + source_ranges = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } }, - spoke1 = { + fw-spoke1-vpc = 
{ + vpc_name = "fw-spoke1-vpc" create_network = true - create_subnetwork = true - name = "spoke1-vpc" - subnetwork_name = "spoke1-sub" - ip_cidr_range = "192.168.1.0/28" - allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28", "10.20.12.0/28"] delete_default_routes_on_create = true - allowed_protocol = "all" - allowed_ports = [] - } -} - -networks_region_2 = { - mgmt = { - create_network = false - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.20.10.0/28" - }, - untrust = { - create_network = false - create_subnetwork = true - name = "fw-untrust-vpc" - subnetwork_name = "fw-untrust-sub" - ip_cidr_range = "10.20.11.0/28" - }, - trust = { - create_network = false - create_subnetwork = true - name = "fw-trust-vpc" - subnetwork_name = "fw-trust-sub" - ip_cidr_range = "10.20.12.0/28" - } - spoke1 = { - create_network = false - create_subnetwork = true - name = "spoke1-vpc" - subnetwork_name = "spoke1-sub" - ip_cidr_range = "192.168.2.0/28" + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-spoke1-sub-region-1 = { + name = "fw-spoke1-sub" + create_subnetwork = true + ip_cidr_range = "192.168.1.0/28" + region = "us-east1" + }, + fw-spoke1-sub-region-2 = { + name = "fw-spoke1-sub" + create_subnetwork = true + ip_cidr_range = "192.168.2.0/28" + region = "us-west1" + } + } + firewall_rules = { + allow-spoke1-ingress = { + name = "allow-spoke1-vpc" + source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28", "10.20.12.0/28"] + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } @@ -123,8 +166,8 @@ networks_region_2 = { vpc_peerings = { trust-to-spoke1 = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true 
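Review bot: The new `allow-mgmt-ingress` rule keeps `allowed_protocol = "all"` with `allowed_ports = []`, so whatever ends up in `source_ranges` gets every protocol and port on the management VPC, and the shipped placeholder `1.1.1.1/32` is a routable public host rather than a documentation address. Because the management interfaces in this example also receive `create_public_ip = true` (see the `fw-mgmt-sub-region-*` NICs further down in this file), this rule is the only control in front of PAN-OS management, so I would narrow it to what the admin path needs, e.g. `allowed_protocol = "tcp"` and `allowed_ports = ["22", "443"]` (assuming the vpc module's `firewall_rules` takes a list of port strings the way the old `allowed_ports` did), and use an RFC 5737 address such as `192.0.2.1/32` for the placeholder so an unedited copy fails closed instead of admitting a real host. The comment on that line also misspells `souurce`.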
@@ -139,21 +182,22 @@ vpc_peerings = { } # Static routes -routes_region_1 = { - fw-default-trust = { +routes = { + fw-default-trust-region-1 = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "spoke1-vpc" - lb_internal_key = "internal-lb" - } -} - -routes_region_2 = { - fw-default-trust = { + vpc_network_key = "fw-spoke1-vpc" + lb_internal_key = "internal-lb-region-1" + region = "us-east1" + tags = ["us-east1"] + }, + fw-default-trust-region-2 = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "spoke1-vpc" - lb_internal_key = "internal-lb" + vpc_network_key = "fw-spoke1-vpc" + lb_internal_key = "internal-lb-region-2" + region = "us-west1" + tags = ["us-west1"] } } @@ -171,11 +215,12 @@ vmseries_common = { } } -vmseries_region_1 = { +vmseries = { fw-vmseries-01 = { - name = "fw-vmseries-01" - zone = "us-east1-b" - tags = ["vmseries"] + name = "fw-vmseries-01" + region = "us-east1" + zone = "us-east1-b" + tags = ["vmseries"] scopes = [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", @@ -208,25 +253,29 @@ vmseries_region_1 = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub-region-1" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub-region-1" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.2" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-1" + private_ip = "10.10.12.2" } ] }, fw-vmseries-02 = { - name = "fw-vmseries-02" - zone = "us-east1-c" - tags = ["vmseries"] + name = "fw-vmseries-02" + region = "us-east1" + zone = "us-east1-c" + tags = ["vmseries"] scopes = [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", 
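Review bot: The rewritten `routes` entries now choose which spoke VMs are steered through the firewall by a literal `tags = ["us-east1"]` / `tags = ["us-west1"]` instead of the former `[var.region_1]`, and nothing ties that value to the `tags` the `linux_vms` entries set further down in this file. If the two drift, the VM simply matches no route, and since `fw-spoke1-vpc` is created with `delete_default_routes_on_create = true` it then has no default route at all, so the failure is silent rather than a bypass. A comment on each route, `# must match linux_vms.<vm>.tags for this region; an untagged spoke VM gets no default route`, would make that coupling visible to whoever copies this example.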
@@ -259,28 +308,29 @@ vmseries_region_1 = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub-region-1" private_ip = "10.10.11.3" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub-region-1" private_ip = "10.10.10.3" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.3" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-1" + private_ip = "10.10.12.3" } ] - } -} - -vmseries_region_2 = { + }, fw-vmseries-03 = { - name = "fw-vmseries-03" - zone = "us-west1-b" - tags = ["vmseries"] + name = "fw-vmseries-03" + region = "us-west1" + zone = "us-west1-b" + tags = ["vmseries"] scopes = [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", @@ -313,25 +363,29 @@ vmseries_region_2 = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub-region-2" private_ip = "10.20.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub-region-2" private_ip = "10.20.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.20.12.2" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-2" + private_ip = "10.20.12.2" } ] }, fw-vmseries-04 = { - name = "fw-vmseries-04" - zone = "us-west1-c" - tags = ["vmseries"] + name = "fw-vmseries-04" + region = "us-west1" + zone = "us-west1-c" + tags = ["vmseries"] scopes = [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", 
@@ -364,30 +418,35 @@ vmseries_region_2 = { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub-region-2" private_ip = "10.20.11.3" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub-region-2" private_ip = "10.20.10.3" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.20.12.3" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-2" + private_ip = "10.20.12.3" } ] } } # Spoke Linux VMs -linux_vms_region_1 = { +linux_vms = { spoke1-vm = { linux_machine_type = "n2-standard-4" + region = "us-east1" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub-region-1" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", @@ -397,15 +456,15 @@ linux_vms_region_1 = { "https://www.googleapis.com/auth/monitoring.write", ] service_account_key = "sa-linux-01" - } -} - -linux_vms_region_2 = { + tags = ["us-east1"] + }, spoke2-vm = { linux_machine_type = "n2-standard-4" + region = "us-west1" zone = "us-west1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub-region-2" private_ip = "192.168.2.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", 
@@ -415,36 +474,37 @@ linux_vms_region_2 = { "https://www.googleapis.com/auth/monitoring.write", ] service_account_key = "sa-linux-01" + tags = ["us-west1"] } } # Internal Network Loadbalancer -lbs_internal_region_1 = { - internal-lb = { +lbs_internal = { + internal-lb-region-1 = { name = "internal-lb" + region = "us-east1" health_check_port = "80" backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" - } -} - -lbs_internal_region_2 = { - internal-lb = { + subnetwork_key = "fw-trust-sub-region-1" + vpc_network_key = "fw-trust-vpc" + }, + internal-lb-region-2 = { name = "internal-lb" + region = "us-west1" health_check_port = "80" backends = ["fw-vmseries-03", "fw-vmseries-04"] ip_address = "10.20.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-2" + vpc_network_key = "fw-trust-vpc" } } # External Network Loadbalancer -lbs_external_region_1 = { - external-lb = { +lbs_external = { + external-lb-region-1 = { name = "external-lb" + region = "us-east1" backends = ["fw-vmseries-01", "fw-vmseries-02"] rules = { all-ports-region-1 = { @@ -453,12 +513,10 @@ lbs_external_region_1 = { } http_health_check_port = "80" http_health_check_request_path = "/php/login.php" - } -} - -lbs_external_region_2 = { - external-lb = { + }, + external-lb-region-2 = { name = "external-lb" + region = "us-west1" backends = ["fw-vmseries-03", "fw-vmseries-04"] rules = { all-ports-region-2 = { diff --git a/examples/vpc_peering_common_with_network_tags/main.tf b/examples/vpc_peering_common_with_network_tags/main.tf index a1c93187..9949e157 100644 --- a/examples/vpc_peering_common_with_network_tags/main.tf +++ b/examples/vpc_peering_common_with_network_tags/main.tf 
@@ -9,9 +9,9 @@ module "iam_service_account" {
project_id = var.project
}
-resource "local_file" "bootstrap_xml_region_1" {
+resource "local_file" "bootstrap_xml" {
- for_each = { for k, v in var.vmseries_region_1 : k => v
+ for_each = { for k, v in var.vmseries : k => v
if can(v.bootstrap_template_map)
}
@@ -27,43 +27,9 @@ resource "local_file" "bootstrap_xml_region_1" {
)
}
-resource "local_file" "bootstrap_xml_region_2" {
+resource "local_file" "init_cfg" {
- for_each = { for k, v in var.vmseries_region_2 : k => v
- if can(v.bootstrap_template_map)
- }
-
- filename = "files/${each.key}/config/bootstrap.xml"
- content = templatefile("templates/bootstrap_common.tmpl",
- {
- trust_gcp_router_ip = each.value.bootstrap_template_map.trust_gcp_router_ip
- private_network_cidr = each.value.bootstrap_template_map.private_network_cidr
- untrust_gcp_router_ip = each.value.bootstrap_template_map.untrust_gcp_router_ip
- trust_loopback_ip = each.value.bootstrap_template_map.trust_loopback_ip
- untrust_loopback_ip = each.value.bootstrap_template_map.untrust_loopback_ip
- }
- )
-}
-
-resource "local_file" "init_cfg_region_1" {
-
- for_each = { for k, v in var.vmseries_region_1 : k => v
- if can(v.bootstrap_template_map)
- }
-
- filename = "files/${each.key}/config/init-cfg.txt"
- content = templatefile("templates/init-cfg.tmpl",
- {
- panorama-server = try(each.value.bootstrap_options.panorama-server, var.vmseries_common.bootstrap_options.panorama-server, "")
- type = try(each.value.bootstrap_options.type, var.vmseries_common.bootstrap_options.type, "")
- dns-primary = try(each.value.bootstrap_options.dns-primary, var.vmseries_common.bootstrap_options.dns-primary, "")
- dns-secondary = try(each.value.bootstrap_options.dns-secondary, var.vmseries_common.bootstrap_options.dns-secondary, "")
- })
-}
-
-resource "local_file" "init_cfg_region_2" {
-
- for_each = { for k, v in var.vmseries_region_2 : k => v
+ for_each = { for k, v in var.vmseries : k => v
if can(v.bootstrap_template_map)
}
@@ -82,65 +48,48 @@ module "bootstrap" { for_each = var.bootstrap_buckets - folders = keys(merge(var.vmseries_region_1, var.vmseries_region_2)) + folders = keys(var.vmseries) name_prefix = "${var.name_prefix}${each.value.bucket_name_prefix}" service_account = module.iam_service_account[each.value.service_account_key].email location = each.value.location files = merge( - { for k, v in var.vmseries_region_1 : "files/${k}/config/bootstrap.xml" => "${k}/config/bootstrap.xml" }, - { for k, v in var.vmseries_region_1 : "files/${k}/config/init-cfg.txt" => "${k}/config/init-cfg.txt" }, - { for k, v in var.vmseries_region_2 : "files/${k}/config/bootstrap.xml" => "${k}/config/bootstrap.xml" }, - { for k, v in var.vmseries_region_2 : "files/${k}/config/init-cfg.txt" => "${k}/config/init-cfg.txt" }, + { for k, v in var.vmseries : "files/${k}/config/bootstrap.xml" => "${k}/config/bootstrap.xml" }, + { for k, v in var.vmseries : "files/${k}/config/init-cfg.txt" => "${k}/config/init-cfg.txt" }, ) } -module "vpc_region_1" { +module "vpc" { source = "../../modules/vpc" - networks = { for k, v in var.networks_region_1 : k => merge(v, { - name = "${var.name_prefix}${v.name}" - subnetwork_name = "${var.name_prefix}${v.subnetwork_name}-${var.region_1}" - region = var.region_1 - }) - } - -} - -module "vpc_region_2" { - source = "../../modules/vpc" + for_each = var.networks - networks = { for k, v in var.networks_region_2 : k => merge(v, { - name = "${var.name_prefix}${v.name}" - subnetwork_name = "${var.name_prefix}${v.subnetwork_name}-${var.region_2}" - region = var.region_2 + project_id = var.project + name = "${var.name_prefix}${each.value.vpc_name}" + create_network = each.value.create_network + delete_default_routes_on_create = each.value.delete_default_routes_on_create + mtu = each.value.mtu + routing_mode = each.value.routing_mode + subnetworks = { for k, v in each.value.subnetworks : k => merge(v, { + name = "${var.name_prefix}${v.name}-${v.region}" }) } - depends_on = 
[module.vpc_region_1] -} - -resource "google_compute_route" "route_region_1" { - - for_each = var.routes_region_1 - - name = "${var.name_prefix}${each.value.name}-${var.region_1}" - dest_range = each.value.destination_range - network = module.vpc_region_1.networks["${var.name_prefix}${each.value.network}"].self_link - next_hop_ilb = module.lb_internal_region_1[each.value.lb_internal_key].address - priority = 100 - tags = [var.region_1] + firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { + name = "${var.name_prefix}${v.name}" + }) + }, {}) } -resource "google_compute_route" "route_region_2" { +resource "google_compute_route" "route" { - for_each = var.routes_region_2 + for_each = var.routes - name = "${var.name_prefix}${each.value.name}-${var.region_2}" + name = "${var.name_prefix}${each.value.name}-${each.value.region}" dest_range = each.value.destination_range - network = module.vpc_region_2.networks["${var.name_prefix}${each.value.network}"].self_link - next_hop_ilb = module.lb_internal_region_2[each.value.lb_internal_key].address + network = module.vpc[each.value.vpc_network_key].network.self_link + next_hop_ilb = module.lb_internal[each.value.lb_internal_key].address priority = 100 - tags = [var.region_2] + tags = each.value.tags } module "vpc_peering" { @@ -148,8 +97,8 @@ module "vpc_peering" { for_each = var.vpc_peerings - local_network = module.vpc_region_1.networks["${var.name_prefix}${each.value.local_network}"].id - peer_network = module.vpc_region_1.networks["${var.name_prefix}${each.value.peer_network}"].id + local_network = module.vpc[each.value.local_network_key].network.id + peer_network = module.vpc[each.value.peer_network_key].network.id local_export_custom_routes = each.value.local_export_custom_routes local_import_custom_routes = each.value.local_import_custom_routes 
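Review bot: In the new `module "vpc"` block, `firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, { ... }) }, {})` wraps the whole comprehension in `try`, so a single malformed rule — for instance one entry without a `name` — does not fail the plan but silently evaluates to `{}`, and that VPC is created with no firewall rules at all. In this example that means the health-check and management allow rules quietly disappear, which surfaces later as unhealthy load-balancer backends rather than as a configuration error at plan time. Narrow the `try` to the optional-attribute lookup so rule-level mistakes still error: `firewall_rules = { for k, v in try(each.value.firewall_rules, {}) : k => merge(v, { name = "${var.name_prefix}${v.name}" }) }`.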
@@ -162,47 +111,12 @@ module "vpc_peering" { peer_import_subnet_routes_with_public_ip = each.value.peer_import_subnet_routes_with_public_ip } -module "vmseries_region_1" { - source = "../../modules/vmseries" - - for_each = var.vmseries_region_1 - - name = "${var.name_prefix}${each.value.name}-${var.region_1}" - zone = each.value.zone - ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys) - vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image) - machine_type = try(each.value.machine_type, var.vmseries_common.machine_type) - min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake") - tags = try(each.value.tags, var.vmseries_common.tags, []) - service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email) - scopes = try(each.value.scopes, var.vmseries_common.scopes, []) - create_instance_group = true - - bootstrap_options = try( - merge( - { vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" }, - var.vmseries_common.bootstrap_options), - merge( - try(each.value.bootstrap_options, {}), - try(var.vmseries_common.bootstrap_options, {}) - )) - - named_ports = try(each.value.named_ports, []) - - network_interfaces = [for v in each.value.network_interfaces : - { - subnetwork = module.vpc_region_1.subnetworks["${var.name_prefix}${v.subnetwork}-${var.region_1}"].self_link - private_ip = v.private_ip - create_public_ip = try(v.create_public_ip, false) - }] -} - -module "vmseries_region_2" { +module "vmseries" { source = "../../modules/vmseries" - for_each = var.vmseries_region_2 + for_each = var.vmseries - name = "${var.name_prefix}${each.value.name}-${var.region_2}" + name = "${var.name_prefix}${each.value.name}-${each.value.region}" zone = each.value.zone ssh_keys = try(each.value.ssh_keys, 
var.vmseries_common.ssh_keys) vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image) @@ -226,7 +140,7 @@ module "vmseries_region_2" { network_interfaces = [for v in each.value.network_interfaces : { - subnetwork = module.vpc_region_2.subnetworks["${var.name_prefix}${v.subnetwork}-${var.region_2}"].self_link + subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link private_ip = v.private_ip create_public_ip = try(v.create_public_ip, false) }] @@ -237,10 +151,10 @@ data "google_compute_image" "my_image" { project = "ubuntu-os-pro-cloud" } -resource "google_compute_instance" "linux_vm_region_1" { - for_each = var.linux_vms_region_1 +resource "google_compute_instance" "linux_vm" { + for_each = var.linux_vms - name = "${var.name_prefix}${each.key}-${var.region_1}" + name = "${var.name_prefix}${each.key}-${each.value.region}" machine_type = each.value.linux_machine_type zone = each.value.zone @@ -252,11 +166,11 @@ resource "google_compute_instance" "linux_vm_region_1" { } network_interface { - subnetwork = module.vpc_region_1.subnetworks["${var.name_prefix}${each.value.subnetwork}-${var.region_1}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link network_ip = each.value.private_ip } - tags = [var.region_1] + tags = each.value.tags metadata = { enable-oslogin = true 
@@ -269,98 +183,33 @@ resource "google_compute_instance" "linux_vm_region_1" { } } -resource "google_compute_instance" "linux_vm_region_2" { - for_each = var.linux_vms_region_2 - - name = "${var.name_prefix}${each.key}-${var.region_2}" - machine_type = each.value.linux_machine_type - zone = each.value.zone - - boot_disk { - initialize_params { - image = data.google_compute_image.my_image.id - size = each.value.linux_disk_size - } - } - - network_interface { - subnetwork = module.vpc_region_2.subnetworks["${var.name_prefix}${each.value.subnetwork}-${var.region_2}"].self_link - network_ip = each.value.private_ip - } - - tags = [var.region_2] - - metadata = { - enable-oslogin = true - } - - - service_account { - email = module.iam_service_account[each.value.service_account_key].email - scopes = each.value.scopes - } -} - -module "lb_internal_region_1" { - source = "../../modules/lb_internal" - - for_each = var.lbs_internal_region_1 - - region = var.region_1 - - name = "${var.name_prefix}${each.value.name}-${var.region_1}" - health_check_port = try(each.value.health_check_port, "80") - backends = { for v in each.value.backends : v => module.vmseries_region_1[v].instance_group_self_link } - ip_address = each.value.ip_address - subnetwork = module.vpc_region_1.subnetworks["${var.name_prefix}${each.value.subnetwork}-${var.region_1}"].self_link - network = module.vpc_region_1.networks["${var.name_prefix}${each.value.network}"].self_link - all_ports = true -} - -module "lb_internal_region_2" { +module "lb_internal" { source = "../../modules/lb_internal" - for_each = var.lbs_internal_region_2 + for_each = var.lbs_internal - region = var.region_2 + region = each.value.region - name = "${var.name_prefix}${each.value.name}-${var.region_2}" + name = "${var.name_prefix}${each.value.name}-${each.value.region}" health_check_port = try(each.value.health_check_port, "80") - backends = { for v in each.value.backends : v => module.vmseries_region_2[v].instance_group_self_link } + 
backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } ip_address = each.value.ip_address - subnetwork = module.vpc_region_2.subnetworks["${var.name_prefix}${each.value.subnetwork}-${var.region_2}"].self_link - network = module.vpc_region_2.networks["${var.name_prefix}${each.value.network}"].self_link + subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link + network = module.vpc[each.value.vpc_network_key].network.self_link all_ports = true } -module "lb_external_region_1" { - source = "../../modules/lb_external" - - for_each = var.lbs_external_region_1 - - project = var.project - - region = var.region_1 - - name = "${var.name_prefix}${each.value.name}-${var.region_1}" - backend_instance_groups = { for v in each.value.backends : v => module.vmseries_region_1[v].instance_group_self_link } - rules = each.value.rules - - health_check_http_port = each.value.http_health_check_port - health_check_http_request_path = try(each.value.http_health_check_request_path, "/php/login.php") -} - -module "lb_external_region_2" { +module "lb_external" { source = "../../modules/lb_external" - for_each = var.lbs_external_region_2 + for_each = var.lbs_external project = var.project - region = var.region_2 + region = each.value.region - name = "${var.name_prefix}${each.value.name}-${var.region_2}" - backend_instance_groups = { for v in each.value.backends : v => module.vmseries_region_2[v].instance_group_self_link } + name = "${var.name_prefix}${each.value.name}-${each.value.region}" + backend_instance_groups = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link } rules = each.value.rules health_check_http_port = each.value.http_health_check_port diff --git a/examples/vpc_peering_common_with_network_tags/outputs.tf b/examples/vpc_peering_common_with_network_tags/outputs.tf index 7ef55294..7d183526 100644 --- a/examples/vpc_peering_common_with_network_tags/outputs.tf 
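Review bot: `backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link }` in `module "lb_internal"` (and `backend_instance_groups` in `module "lb_external"`) now accepts any key of the merged `var.vmseries` map, whereas the old `vmseries_region_1`/`vmseries_region_2` modules could only be pointed at instances of their own region. A backend whose zone lies outside `each.value.region` is, as far as I know, rejected by the GCP API only at apply time, and nothing in this example checks it earlier. At least the `lbs_internal`/`lbs_external` descriptions should say so, e.g. `Every key in backends must refer to a vmseries entry deployed in the same region as the load balancer.`; a plan-time guard is hard to express with the Terraform version this commit targets. Both module blocks continue past the end of this hunk.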
+++ b/examples/vpc_peering_common_with_network_tags/outputs.tf 
@@ -1,49 +1,24 @@ -output "vmseries_private_ips_region_1" { - description = "Private IP addresses of the vmseries instances in region-1." - value = { for k, v in module.vmseries_region_1 : k => v.private_ips } +output "vmseries_private_ips" { + description = "Private IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.private_ips } } -output "vmseries_private_ips_region_2" { - description = "Private IP addresses of the vmseries instances in region-2." - value = { for k, v in module.vmseries_region_2 : k => v.private_ips } +output "vmseries_public_ips" { + description = "Public IP addresses of the vmseries instances." + value = { for k, v in module.vmseries : k => v.public_ips } } -output "vmseries_public_ips_region_1" { - description = "Public IP addresses of the vmseries instances in region-1." - value = { for k, v in module.vmseries_region_1 : k => v.public_ips } +output "lbs_internal_ips" { + description = "Private IP addresses of internal network loadbalancers." + value = { for k, v in module.lb_internal : k => v.address } } -output "vmseries_public_ips_region_2" { - description = "Public IP addresses of the vmseries instances in region-2." - value = { for k, v in module.vmseries_region_2 : k => v.public_ips } +output "lbs_external_ips" { + description = "Public IP addresses of external network loadbalancers." + value = { for k, v in module.lb_external : k => v.ip_addresses } } -output "lbs_internal_ips_region_1" { - description = "Private IP addresses of internal network loadbalancers in region-1." - value = { for k, v in module.lb_internal_region_1 : k => v.address } -} - -output "lbs_internal_ips_region_2" { - description = "Private IP addresses of internal network loadbalancers in region-2." - value = { for k, v in module.lb_internal_region_2 : k => v.address } -} - -output "lbs_external_ips_region_1" { - description = "Public IP addresses of external network loadbalancers in region-1." 
- value = { for k, v in module.lb_external_region_1 : k => v.ip_addresses } -} - -output "lbs_external_ips_region_2" { - description = "Public IP addresses of external network loadbalancers in region-2." - value = { for k, v in module.lb_external_region_2 : k => v.ip_addresses } -} - -output "linux_vm_ips_region_1" { - description = "Private IP addresses of Linux VMs in region-1." - value = { for k, v in resource.google_compute_instance.linux_vm_region_1 : k => v.network_interface[0].network_ip } -} - -output "linux_vm_ips_region_2" { - description = "Private IP addresses of Linux VMs in region-2." - value = { for k, v in resource.google_compute_instance.linux_vm_region_2 : k => v.network_interface[0].network_ip } +output "linux_vm_ips" { + description = "Private IP addresses of Linux VMs." + value = { for k, v in resource.google_compute_instance.linux_vm : k => v.network_interface[0].network_ip } } \ No newline at end of file diff --git a/examples/vpc_peering_common_with_network_tags/variables.tf b/examples/vpc_peering_common_with_network_tags/variables.tf index 499b463d..646f1dce 100644 --- a/examples/vpc_peering_common_with_network_tags/variables.tf +++ b/examples/vpc_peering_common_with_network_tags/variables.tf @@ -4,16 +4,6 @@ variable "project" { type = string default = null } -variable "region_1" { - description = "The first region into which to deploy the infrastructure in to." - type = string - default = "us-east1" -} -variable "region_2" { - description = "The second region into which to deploy the infrastructure in to." - type = string - default = "us-west1" -} variable "name_prefix" { description = "A string to prefix resource namings." type = string 
@@ -80,52 +70,37 @@ variable "bootstrap_buckets" { #VPC -variable "networks_region_1" { +variable "networks" { description = <<-EOF - A map containing each network setting for region_1. - - This map also contains the VPC networks creation for the deployment. + A map containing each network setting. Example of variable deployment : ``` - networks_region_1 = { - mgmt = { - create_network = true - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.10.10.0/28" - allowed_sources = ["1.1.1.1/32"] + networks = { + fw-mgmt-vpc = { + vpc_name = "fw-mgmt-vpc" + create_network = true delete_default_routes_on_create = false - allowed_protocol = "all" - allowed_ports = [] - } - } - ``` - - For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks) - - Multiple keys can be added and will be deployed by the code. - EOF -} - -variable "networks_region_2" { - description = <<-EOF - A map containing each network setting for region_2. - - In this map - only subnetworks are being created, while referencing previously created VPC networks. - - Example of variable deployment : - - ``` - networks_region_2 = { - mgmt = { - create_network = false - create_subnetwork = true - name = "fw-mgmt-vpc" - subnetwork_name = "fw-mgmt-sub" - ip_cidr_range = "10.20.10.0/28" + mtu = "1460" + routing_mode = "REGIONAL" + subnetworks = { + fw-mgmt-sub = { + name = "fw-mgmt-sub" + create_subnetwork = true + ip_cidr_range = "10.10.10.0/28" + region = "us-east1" + } + } + firewall_rules = { + allow-mgmt-ingress = { + name = "allow-mgmt-vpc" + source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + priority = "1000" + allowed_protocol = "all" + allowed_ports = [] + } + } } } ``` 
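Review bot: The firewall rule in the new `networks` example permits `allowed_protocol = "all"` from `source_ranges = ["10.10.10.0/24", "1.1.1.1/32"]`, while the only subnet defined in the same example is `10.10.10.0/28`, and the trailing comment tells the reader to replace `1.1.1.1/32` only; the wider `/24` survives unremarked in any copied configuration. Aligning the range with the subnet, `source_ranges = ["10.10.10.0/28", "1.1.1.1/32"]`, or extending the comment to say what the first range is for would keep the example at the access it actually needs. The comment also misspells "source" as `souurce`; the same text recurs in the README section of this commit.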
@@ -140,15 +115,13 @@ variable "vpc_peerings" { description = <<-EOF A map containing each VPC peering setting. - This is done only once since it's being called at the network level and not at the subnetwork which is dependent on the region. - Example of variable deployment : ``` vpc_peerings = { "trust-to-spoke1" = { - local_network = "fw-trust-vpc" - peer_network = "spoke1-vpc" + local_network_key = "fw-trust-vpc" + peer_network_key = "fw-spoke1-vpc" local_export_custom_routes = true local_import_custom_routes = true @@ -162,6 +135,7 @@ variable "vpc_peerings" { } } ``` + For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs) Multiple keys can be added and will be deployed by the code. 
@@ -170,46 +144,29 @@ variable "vpc_peerings" { default = {} } -variable "routes_region_1" { +variable "routes" { description = <<-EOF - A map containing each route setting for region_1. Note that you can only add routes using a next-hop type of internal load-balance rule. - - The code automatically binds this route to an instance network tag that has the value of region_1 variable. + A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule. Example of variable deployment : ``` - routes-region_1 = { - fw-default-trust = { + routes = { + fw-default-trust-region-1 = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "spoke1-vpc" - lb_internal_key = "internal-lb" - } - } - ``` - - Multiple keys can be added and will be deployed by the code. - EOF - type = map(any) - default = {} -} - -variable "routes_region_2" { - description = <<-EOF - A map containing each route setting for region_2. Note that you can only add routes using a next-hop type of internal load-balance rule. - - The code automatically binds this route to an instance network tag that has the value of region_2 variable. - - Example of variable deployment : - - ``` - routes-region_2 = { - fw-default-trust = { + vpc_network_key = "fw-spoke1-vpc" + lb_internal_key = "internal-lb-region-1" + region = "us-east1" + tags = ["us-east1"] + }, + fw-default-trust-region-2 = { name = "fw-default-trust" destination_range = "0.0.0.0/0" - network = "spoke1-vpc" - lb_internal_key = "internal-lb" + vpc_network_key = "fw-spoke1-vpc" + lb_internal_key = "internal-lb-region-2" + region = "us-west1" + tags = ["us-west1"] } } ``` 
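Review bot: The sentence removed here ("The code automatically binds this route to an instance network tag ...") was the only explanation of how a route gets attached to instances, and the new `routes` description does not replace it even though `tags` is now a user-supplied key in the example. I would add after the first sentence: `The tags list selects the instances the route applies to and must match the tags set on the corresponding linux_vms entries; an empty list applies the route to every instance in the network.` The last clause reflects GCP route semantics and assumes the vpc module passes the list through unchanged.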
@@ -245,18 +202,19 @@ variable "vmseries_common" { Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). EOF } -variable "vmseries_region_1" { +variable "vmseries" { description = <<-EOF - A map containing each individual vmseries setting for region_1 instances. + A map containing each individual vmseries setting for vmseries instances. Example of variable deployment : ``` - vmseries_region_1 = { + vmseries = { fw-vmseries-01 = { - name = "fw-vmseries-01" - zone = "us-east1-b" - tags = ["vmseries"] + name = "fw-vmseries-01" + region = "us-east1" + zone = "us-east1-b" + tags = ["vmseries"] scopes = [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", @@ -266,15 +224,15 @@ variable "vmseries_region_1" { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" - dns-primary = "8.8.8.8" - dns-secondary = "8.8.4.4" + panorama-server = "1.1.1.1" # Modify this value as per deployment requirements + dns-primary = "8.8.8.8" # Modify this value as per deployment requirements + dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" untrust_gcp_router_ip = "10.10.11.1" private_network_cidr = "192.168.0.0/16" - untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_1) after the infrastructure is deployed + untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (Region-1) after the infrastructure is deployed trust_loopback_ip = "10.10.12.5/32" } named_ports = [ 
@@ -289,189 +247,21 @@ variable "vmseries_region_1" { ] network_interfaces = [ { - subnetwork = "fw-untrust-sub" + vpc_network_key = "fw-untrust-vpc" + subnetwork_key = "fw-untrust-sub-region-1" private_ip = "10.10.11.2" create_public_ip = true }, { - subnetwork = "fw-mgmt-sub" + vpc_network_key = "fw-mgmt-vpc" + subnetwork_key = "fw-mgmt-sub-region-1" private_ip = "10.10.10.2" create_public_ip = true }, { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.2" - } - ] - }, - fw-vmseries-02 = { - name = "fw-vmseries-02" - zone = "us-east1-c" - tags = ["vmseries"] - scopes = [ - "https://www.googleapis.com/auth/compute.readonly", - "https://www.googleapis.com/auth/cloud.useraccounts.readonly", - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ] - bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" - bootstrap_options = { - panorama-server = "1.1.1.1" - dns-primary = "8.8.8.8" - dns-secondary = "8.8.4.4" - } - bootstrap_template_map = { - trust_gcp_router_ip = "10.10.12.1" - untrust_gcp_router_ip = "10.10.11.1" - private_network_cidr = "192.168.0.0/16" - untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_1) after the infrastructure is deployed - trust_loopback_ip = "10.10.12.5/32" - } - named_ports = [ - { - name = "http" - port = 80 - }, - { - name = "https" - port = 443 - } - ] - network_interfaces = [ - { - subnetwork = "fw-untrust-sub" - private_ip = "10.10.11.3" - create_public_ip = true - }, - { - subnetwork = "fw-mgmt-sub" - private_ip = "10.10.10.3" - create_public_ip = true - }, - { - subnetwork = "fw-trust-sub" - private_ip = "10.10.12.3" - } - ] - } - } - ``` - For a full list of available configuration items - please refer to [module 
documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs) - - The bootstrap_template_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs. - Multiple keys can be added and will be deployed by the code. - - EOF -} - -variable "vmseries_region_2" { - description = <<-EOF - A map containing each individual vmseries setting for region_2 instances. - - Example of variable deployment : - - ``` - vmseries_region_2 = { - fw-vmseries-03 = { - name = "fw-vmseries-03" - zone = "us-west1-b" - tags = ["vmseries"] - scopes = [ - "https://www.googleapis.com/auth/compute.readonly", - "https://www.googleapis.com/auth/cloud.useraccounts.readonly", - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ] - bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" - bootstrap_options = { - panorama-server = "1.1.1.1" - dns-primary = "8.8.8.8" - dns-secondary = "8.8.4.4" - } - bootstrap_template_map = { - trust_gcp_router_ip = "10.20.12.1" - untrust_gcp_router_ip = "10.20.11.1" - private_network_cidr = "192.168.0.0/16" - untrust_loopback_ip = "2.2.2.2/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_2) after the infrastructure is deployed - trust_loopback_ip = "10.20.12.5/32" - } - named_ports = [ - { - name = "http" - port = 80 - }, - { - name = "https" - port = 443 - } - ] - network_interfaces = [ - { - subnetwork = "fw-untrust-sub" - private_ip = "10.20.11.2" - create_public_ip = true - }, - { - subnetwork = "fw-mgmt-sub" - private_ip = "10.20.10.2" - create_public_ip = true - }, - { - subnetwork = "fw-trust-sub" - private_ip = "10.20.12.2" - } - ] - }, - fw-vmseries-04 = { - name = "fw-vmseries-04" - zone = "us-west1-c" - tags = ["vmseries"] - scopes = [ - 
"https://www.googleapis.com/auth/compute.readonly", - "https://www.googleapis.com/auth/cloud.useraccounts.readonly", - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ] - bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" - bootstrap_options = { - panorama-server = "1.1.1.1" - dns-primary = "8.8.8.8" - dns-secondary = "8.8.4.4" - } - bootstrap_template_map = { - trust_gcp_router_ip = "10.20.12.1" - untrust_gcp_router_ip = "10.20.11.1" - private_network_cidr = "192.168.0.0/16" - untrust_loopback_ip = "2.2.2.2/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (region_2) after the infrastructure is deployed - trust_loopback_ip = "10.20.12.5/32" - } - named_ports = [ - { - name = "http" - port = 80 - }, - { - name = "https" - port = 443 - } - ] - network_interfaces = [ - { - subnetwork = "fw-untrust-sub" - private_ip = "10.20.11.3" - create_public_ip = true - }, - { - subnetwork = "fw-mgmt-sub" - private_ip = "10.20.10.3" - create_public_ip = true - }, - { - subnetwork = "fw-trust-sub" - private_ip = "10.20.12.3" + vpc_network_key = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-1" + private_ip = "10.10.12.2" } ] } 
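Review bot: The `vmseries` example is reduced to a single `fw-vmseries-01` entry, but the `lbs_internal` and `lbs_external` examples in the next two hunks still list `backends = ["fw-vmseries-01", "fw-vmseries-02"]`, so copying the examples as given produces a reference to `module.vmseries["fw-vmseries-02"]` that does not exist. Either keep a second entry in this example (the removed `fw-vmseries-02` block with `region = "us-east1"` and the new `vpc_network_key`/`subnetwork_key` pairs would do) or drop `fw-vmseries-02` from the load balancer examples. The enclosing `variable "vmseries"` description starts before this hunk.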
@@ -487,47 +277,22 @@ variable "vmseries_region_2" { #Load Balancers -variable "lbs_internal_region_1" { +variable "lbs_internal" { description = <<-EOF - A map containing each internal loadbalancer setting for region_1 instances. + A map containing each internal loadbalancer setting . Example of variable deployment : ``` - lbs_internal_region_1 = { - internal-lb = { + lbs_internal = { + internal-lb-region-1 = { name = "internal-lb" + region = "us-east1" health_check_port = "80" backends = ["fw-vmseries-01", "fw-vmseries-02"] ip_address = "10.10.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" - } - } - ``` - For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs) - - Multiple keys can be added and will be deployed by the code. - EOF - type = map(any) - default = {} -} - -variable "lbs_internal_region_2" { - description = <<-EOF - A map containing each internal loadbalancer setting for region_2 instances. - - Example of variable deployment : - - ``` - lbs_internal_region_2 = { - internal-lb = { - name = "internal-lb" - health_check_port = "80" - backends = ["fw-vmseries-03", "fw-vmseries-04"] - ip_address = "10.20.12.5" - subnetwork = "fw-trust-sub" - network = "fw-trust-vpc" + subnetwork_key = "fw-trust-sub-region-1" + vpc_network_key = "fw-trust-vpc" } } ``` 
@@ -539,48 +304,20 @@ variable "lbs_internal_region_2" { default = {} } -variable "lbs_external_region_1" { +variable "lbs_external" { description = <<-EOF - A map containing each external loadbalancer setting for region_1 instances. + A map containing each external loadbalancer setting . Example of variable deployment : ``` lbs_external_region_1 = { - external-lb = { + external-lb-region-1 = { name = "external-lb" + region = "us-east1" backends = ["fw-vmseries-01", "fw-vmseries-02"] rules = { - all-ports-region_1 = { - ip_protocol = "L3_DEFAULT" - } - } - http_health_check_port = "80" - http_health_check_request_path = "/php/login.php" - } - } - ``` - For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs) - - Multiple keys can be added and will be deployed by the code. - EOF - type = map(any) - default = {} -} - -variable "lbs_external_region_2" { - description = <<-EOF - A map containing each external loadbalancer setting for region_2 instances. - - Example of variable deployment : - - ``` - lbs_external_region_2 = { - external-lb = { - name = "external-lb" - backends = ["fw-vmseries-03", "fw-vmseries-04"] - rules = { - all-ports-region_2 = { + all-ports-region-1 = { ip_protocol = "L3_DEFAULT" } } 
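Review bot: The `lbs_external` example still opens with `lbs_external_region_1 = {` (an unchanged context line) although the variable is renamed to `lbs_external` in this hunk, so the example no longer matches the variable it documents; it should read `lbs_external = {`. The new description line `A map containing each external loadbalancer setting .` carries a stray space before the period, as does the `lbs_internal` description in the previous hunk. The enclosing `variable "lbs_external"` block continues past the end of this hunk.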
@@ -599,19 +336,21 @@ variable "lbs_external_region_2" { #Spoke VPCs Linux VMs -variable "linux_vms_region_1" { +variable "linux_vms" { description = <<-EOF A map containing each Linux VM configuration in region_1 that will be placed in spoke VPC network for testing purposes. Example of varaible deployment: ``` - linux_vms_region_1 = { + linux_vms = { spoke1-vm = { linux_machine_type = "n2-standard-4" + region = "us-east1" zone = "us-east1-b" linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" + vpc_network_key = "fw-spoke1-vpc" + subnetwork_key = "fw-spoke1-sub-region-1" private_ip = "192.168.1.2" scopes = [ "https://www.googleapis.com/auth/compute.readonly", @@ -627,34 +366,4 @@ variable "linux_vms_region_1" { EOF type = map(any) default = {} -} - -variable "linux_vms_region_2" { - description = <<-EOF - A map containing each Linux VM configuration in region_2 that will be placed in spoke VPC network for testing purposes. - - Example of varaible deployment: - - ``` - linux_vms_region_2 = { - spoke2-vm = { - linux_machine_type = "n2-standard-4" - zone = "us-west1-b" - linux_disk_size = "50" # Modify this value as per deployment requirements - subnetwork = "spoke1-sub" - private_ip = "192.168.2.2" - scopes = [ - "https://www.googleapis.com/auth/compute.readonly", - "https://www.googleapis.com/auth/cloud.useraccounts.readonly", - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ] - service_account_key = "sa-linux-01" - } - } - ``` - EOF - type = map(any) - default = {} } \ No newline at end of file diff --git a/examples/vpc_peering_common_with_network_tags/versions.tf b/examples/vpc_peering_common_with_network_tags/versions.tf index 13628661..8f1124b9 100644 --- a/examples/vpc_peering_common_with_network_tags/versions.tf +++ b/examples/vpc_peering_common_with_network_tags/versions.tf 
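Review bot: The `linux_vms` description still reads "each Linux VM configuration in region_1" although `variable "region_1"` is removed in this commit and each example entry now carries its own `region = "us-east1"`; the line is unchanged context, so the stale wording survives the rename. I would change it to `A map containing each Linux VM configuration that will be placed in a spoke VPC network for testing purposes.` and fix `varaible` on the following line while there. The example also shows no `tags` key in the part visible here, although main.tf now reads `each.value.tags` for these instances.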
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" } provider "google" { diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md index 4dce8f46..eb1e3033 100644 --- a/examples/vpc_peering_dedicated/README.md +++ b/examples/vpc_peering_dedicated/README.md @@ -62,7 +62,7 @@ cd terraform-google-vmseries-modules/examples/vpc-peering-dedicated 3. Copy the `example.tfvars` to `terraform.tfvars`. -`project`, `ssh_keys` and `allowed_sources` should be modified for successful deployment and access to the instance. +`project`, `ssh_keys` and `source_ranges` should be modified for successful deployment and access to the instance. There are also a few variables that have some default values but which should also be changed as per deployment requirements @@ -203,7 +203,7 @@ The GCP Global HTTP LB acts as a proxy and sends traffic to the VM-Series `Untru | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | ### Providers @@ -240,17 +240,17 @@ The GCP Global HTTP LB acts as a proxy and sends traffic to the VM-Series `Untru |------|-------------|------|---------|:--------:| | [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.

Example of variable deployment:
bootstrap_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket_name_prefix = "bucket-01-"
location = "us"
service_account_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [lbs\_global\_http](#input\_lbs\_global\_http) | A map containing each Global HTTP loadbalancer setting.

Example of variable deployment:
lbs_global_http = {
"global-http" = {
name = "global-http"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
max_rate_per_instance = 5000
backend_port_name = "http"
backend_protocol = "HTTP"
health_check_port = 80
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_http_ext_global#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of variable deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"mgmt-network" = {
create_network = true
create_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork_name = "fw-mgmt-sub"
ip_cidr_range = "10.10.10.0/28"
allowed_sources = ["1.1.1.1/32"]
delete_default_routes_on_create = false
allowed_protocol = "all"
allowed_ports = []
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | -| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
network = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | -| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
subnetwork = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
subnetwork = "fw-trust-sub"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | -| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network = "fw-trust-vpc"
peer_network = "spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | +| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 ### Outputs
diff --git a/examples/vpc_peering_dedicated/example.tfvars b/examples/vpc_peering_dedicated/example.tfvars
index 93c43b9d..aab11132 100644
--- a/examples/vpc_peering_dedicated/example.tfvars
+++ b/examples/vpc_peering_dedicated/example.tfvars
@@ -41,60 +41,125 @@ bootstrap_buckets = {
 # VPC
 networks = {
- mgmt = {
+ fw-mgmt-vpc = {
+ vpc_name = "fw-mgmt-vpc"
 create_network = true
- create_subnetwork = true
- name = "fw-mgmt-vpc"
- subnetwork_name = "fw-mgmt-sub"
- ip_cidr_range = "10.10.10.0/28"
- allowed_sources = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
 delete_default_routes_on_create = false
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-mgmt-sub = {
+ name = "fw-mgmt-sub"
+ create_subnetwork = true
+ ip_cidr_range = "10.10.10.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-mgmt-ingress = {
+ name = "allow-mgmt-vpc"
+ source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 },
- untrust = {
+ fw-untrust-vpc = {
+ vpc_name = "fw-untrust-vpc"
 create_network = true
- create_subnetwork = true
- name = "fw-untrust-vpc"
- subnetwork_name = "fw-untrust-sub"
- ip_cidr_range = "10.10.11.0/28"
- allowed_sources = ["35.191.0.0/16", "130.211.0.0/22"]
 delete_default_routes_on_create = false
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-untrust-sub = {
+ name = "fw-untrust-sub"
+ create_subnetwork = true
+ ip_cidr_range = "10.10.11.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-untrust-ingress = {
+ name = "allow-untrust-vpc"
+ source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 },
- trust = {
+ fw-trust-vpc = {
+ vpc_name = "fw-trust-vpc"
 create_network = true
- create_subnetwork = true
- name = "fw-trust-vpc"
- subnetwork_name = "fw-trust-sub"
- ip_cidr_range = "10.10.12.0/28"
- allowed_sources = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"]
 delete_default_routes_on_create = true
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-trust-sub = {
+ name = "fw-trust-sub"
+ create_subnetwork = true
+ ip_cidr_range = "10.10.12.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-trust-ingress = {
+ name = "allow-trust-vpc"
+ source_ranges = ["192.168.0.0/16", "35.191.0.0/16", "130.211.0.0/22"]
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 },
- spoke1 = {
+ fw-spoke1-vpc = {
+ vpc_name = "fw-spoke1-vpc"
 create_network = true
- create_subnetwork = true
- name = "spoke1-vpc"
- subnetwork_name = "spoke1-sub"
- ip_cidr_range = "192.168.1.0/28"
- allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"]
 delete_default_routes_on_create = true
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-spoke1-sub = {
+ name = "fw-spoke1-sub"
+ create_subnetwork = true
+ ip_cidr_range = "192.168.1.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-spoke1-ingress = {
+ name = "allow-spoke1-vpc"
+ source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"]
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 },
- spoke2 = {
+ fw-spoke2-vpc = {
+ vpc_name = "fw-spoke2-vpc"
 create_network = true
- create_subnetwork = true
- name = "spoke2-vpc"
- subnetwork_name = "spoke2-sub"
- ip_cidr_range = "192.168.2.0/28"
- allowed_sources = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"]
 delete_default_routes_on_create = true
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-spoke2-sub = {
+ name = "fw-spoke2-sub"
+ create_subnetwork = true
+ ip_cidr_range = "192.168.2.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-spoke2-ingress = {
+ name = "allow-spoke2-vpc"
+ source_ranges = ["192.168.0.0/16", "35.235.240.0/20", "10.10.12.0/28"]
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 }
 }
@@ -102,8 +167,8 @@ networks = {
 vpc_peerings = {
 trust-to-spoke1 = {
- local_network = "fw-trust-vpc"
- peer_network = "spoke1-vpc"
+ local_network_key = "fw-trust-vpc"
+ peer_network_key = "fw-spoke1-vpc"
 local_export_custom_routes = true
 local_import_custom_routes = true
@@ -116,8 +181,8 @@ vpc_peerings = {
 peer_import_subnet_routes_with_public_ip = true
 },
 trust-to-spoke2 = {
- local_network = "fw-trust-vpc"
- peer_network = "spoke2-vpc"
+ local_network_key = "fw-trust-vpc"
+ peer_network_key = "fw-spoke2-vpc"
 local_export_custom_routes = true
 local_import_custom_routes = true
@@ -137,7 +202,7 @@ routes = {
 fw-default-trust = {
 name = "fw-default-trust"
 destination_range = "0.0.0.0/0"
- network = "fw-trust-vpc"
+ vpc_network_key = "fw-trust-vpc"
 lb_internal_key = "internal-lb"
 }
 }
@@ -190,18 +255,21 @@ vmseries = {
 ]
 network_interfaces = [
 {
- subnetwork = "fw-untrust-sub"
+ vpc_network_key = "fw-untrust-vpc"
+ subnetwork_key = "fw-untrust-sub"
 private_ip = "10.10.11.2"
 create_public_ip = true
 },
 {
- subnetwork = "fw-mgmt-sub"
+ vpc_network_key = "fw-mgmt-vpc"
+ subnetwork_key = "fw-mgmt-sub"
 private_ip = "10.10.10.2"
 create_public_ip = true
 },
 {
- subnetwork = "fw-trust-sub"
- private_ip = "10.10.12.2"
+ vpc_network_key = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ private_ip = "10.10.12.2"
 }
 ]
 },
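Review bot: The new `allow-untrust-ingress` rule in the `fw-untrust-vpc` block carries the `1.1.1.1/32` management placeholder next to the Google health-check ranges with `allowed_protocol = "all"` and `allowed_ports = []`, so an operator who follows the comment and substitutes their own address opens every protocol and port on the untrust side to that address (presumably for all instances in the VPC, since no target is set in this example), while the comment itself says the entry is "for management purposes", which `fw-mgmt-vpc` already covers. Either drop the placeholder from the untrust rule or replace its comment with one that explains the intent, e.g. `# Google health-check source ranges; management access belongs on fw-mgmt-vpc`. The same comment with the typo "souurce" is repeated on the mgmt and untrust rules here and again in the `variable "networks"` description in variables.tf. `mtu` and `priority` are passed as quoted strings; the module's declared types are not visible in this hunk, so confirm they are accepted or use bare numbers.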
@@ -239,18 +307,21 @@ vmseries = {
 ]
 network_interfaces = [
 {
- subnetwork = "fw-untrust-sub"
+ vpc_network_key = "fw-untrust-vpc"
+ subnetwork_key = "fw-untrust-sub"
 private_ip = "10.10.11.3"
 create_public_ip = true
 },
 {
- subnetwork = "fw-mgmt-sub"
+ vpc_network_key = "fw-mgmt-vpc"
+ subnetwork_key = "fw-mgmt-sub"
 private_ip = "10.10.10.3"
 create_public_ip = true
 },
 {
- subnetwork = "fw-trust-sub"
- private_ip = "10.10.12.3"
+ vpc_network_key = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ private_ip = "10.10.12.3"
 }
 ]
 },
@@ -289,18 +360,21 @@ vmseries = {
 ]
 network_interfaces = [
 {
- subnetwork = "fw-untrust-sub"
+ vpc_network_key = "fw-untrust-vpc"
+ subnetwork_key = "fw-untrust-sub"
 private_ip = "10.10.11.6"
 create_public_ip = true
 },
 {
- subnetwork = "fw-mgmt-sub"
+ vpc_network_key = "fw-mgmt-vpc"
+ subnetwork_key = "fw-mgmt-sub"
 private_ip = "10.10.10.6"
 create_public_ip = true
 },
 {
- subnetwork = "fw-trust-sub"
- private_ip = "10.10.12.6"
+ vpc_network_key = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ private_ip = "10.10.12.6"
 }
 ]
 },
@@ -339,18 +413,21 @@ vmseries = {
 ]
 network_interfaces = [
 {
- subnetwork = "fw-untrust-sub"
+ vpc_network_key = "fw-untrust-vpc"
+ subnetwork_key = "fw-untrust-sub"
 private_ip = "10.10.11.7"
 create_public_ip = true
 },
 {
- subnetwork = "fw-mgmt-sub"
+ vpc_network_key = "fw-mgmt-vpc"
+ subnetwork_key = "fw-mgmt-sub"
 private_ip = "10.10.10.7"
 create_public_ip = true
 },
 {
- subnetwork = "fw-trust-sub"
- private_ip = "10.10.12.7"
+ vpc_network_key = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ private_ip = "10.10.12.7"
 }
 ]
 }
@@ -363,7 +440,8 @@ linux_vms = {
 linux_machine_type = "n2-standard-4"
 zone = "us-east1-b"
 linux_disk_size = "50" # Modify this value as per deployment requirements
- subnetwork = "spoke1-sub"
+ vpc_network_key = "fw-spoke1-vpc"
+ subnetwork_key = "fw-spoke1-sub"
 private_ip = "192.168.1.2"
 scopes = [
 "https://www.googleapis.com/auth/compute.readonly",
@@ -378,7 +456,8 @@ linux_vms = {
 linux_machine_type = "n2-standard-4"
 zone = "us-east1-b"
 linux_disk_size = "50" # Modify this value as per deployment requirements
- subnetwork = "spoke2-sub"
+ vpc_network_key = "fw-spoke2-vpc"
+ subnetwork_key = "fw-spoke2-sub"
 private_ip = "192.168.2.2"
 scopes = [
 "https://www.googleapis.com/auth/compute.readonly",
@@ -399,8 +478,8 @@ lbs_internal = {
 health_check_port = "80"
 backends = ["fw-vmseries-03", "fw-vmseries-04"]
 ip_address = "10.10.12.5"
- subnetwork = "fw-trust-sub"
- network = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ vpc_network_key = "fw-trust-vpc"
 }
 }
diff --git a/examples/vpc_peering_dedicated/main.tf b/examples/vpc_peering_dedicated/main.tf
index 2fcb39a2..7bb254c9 100644
--- a/examples/vpc_peering_dedicated/main.tf
+++ b/examples/vpc_peering_dedicated/main.tf
@@ -62,12 +62,22 @@ module "bootstrap" {
 module "vpc" {
 source = "../../modules/vpc"
- networks = { for k, v in var.networks : k => merge(v, {
- name = "${var.name_prefix}${v.name}"
- subnetwork_name = "${var.name_prefix}${v.subnetwork_name}"
+ for_each = var.networks
+
+ project_id = var.project
+ name = "${var.name_prefix}${each.value.vpc_name}"
+ create_network = each.value.create_network
+ delete_default_routes_on_create = each.value.delete_default_routes_on_create
+ mtu = each.value.mtu
+ routing_mode = each.value.routing_mode
+ subnetworks = { for k, v in each.value.subnetworks : k => merge(v, {
+ name = "${var.name_prefix}${v.name}"
 }) }
-
+ firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, {
+ name = "${var.name_prefix}${v.name}"
+ })
+ }, {})
 }
 module "vpc_peering" {
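Review bot: In the new `module "vpc"` block, `firewall_rules = try({ for k, v in each.value.firewall_rules : ... }, {})` wraps the whole comprehension in `try`, so any error inside it (for instance a rule entry without a `name`) is silently converted to an empty map and the network is created with none of the intended firewall rules, without anything reporting it at plan time. Scope the fallback to the optional attribute only: `firewall_rules = { for k, v in try(each.value.firewall_rules, {}) : k => merge(v, { name = "${var.name_prefix}${v.name}" }) }`. That keeps the "firewall_rules may be omitted" behaviour this change introduces while letting malformed rule definitions fail loudly, and it matches the unguarded `subnetworks` comprehension above it. The `module "vpc"` block lies entirely inside the hunk; the neighbouring `module "bootstrap"` and `module "vpc_peering"` blocks do not.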
@@ -75,8 +85,8 @@ module "vpc_peering" {
 for_each = var.vpc_peerings
- local_network = module.vpc.networks["${var.name_prefix}${each.value.local_network}"].id
- peer_network = module.vpc.networks["${var.name_prefix}${each.value.peer_network}"].id
+ local_network = module.vpc[each.value.local_network_key].network.id
+ peer_network = module.vpc[each.value.peer_network_key].network.id
 local_export_custom_routes = each.value.local_export_custom_routes
 local_import_custom_routes = each.value.local_import_custom_routes
@@ -95,7 +105,7 @@ resource "google_compute_route" "this" {
 name = "${var.name_prefix}${each.value.name}"
 dest_range = each.value.destination_range
- network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link
+ network = module.vpc[each.value.vpc_network_key].network.self_link
 next_hop_ilb = module.lb_internal[each.value.lb_internal_key].forwarding_rule
 priority = 100
 }
@@ -129,7 +139,7 @@ module "vmseries" {
 network_interfaces = [for v in each.value.network_interfaces : {
- subnetwork = module.vpc.subnetworks["${var.name_prefix}${v.subnetwork}"].self_link
+ subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link
 private_ip = v.private_ip
 create_public_ip = try(v.create_public_ip, false)
 }]
@@ -155,7 +165,7 @@ resource "google_compute_instance" "linux_vm" {
 }
 network_interface {
- subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link
+ subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link
 network_ip = each.value.private_ip
 }
@@ -180,8 +190,8 @@ module "lb_internal" {
 health_check_port = try(each.value.health_check_port, "80")
 backends = { for v in each.value.backends : v => module.vmseries[v].instance_group_self_link }
 ip_address = each.value.ip_address
- subnetwork = module.vpc.subnetworks["${var.name_prefix}${each.value.subnetwork}"].self_link
- network = module.vpc.networks["${var.name_prefix}${each.value.network}"].self_link
+ subnetwork = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link
+ network = module.vpc[each.value.vpc_network_key].network.self_link
 all_ports = true
 }
diff --git a/examples/vpc_peering_dedicated/variables.tf b/examples/vpc_peering_dedicated/variables.tf
index 2284217d..a7cbbdc9 100644
--- a/examples/vpc_peering_dedicated/variables.tf
+++ b/examples/vpc_peering_dedicated/variables.tf
@@ -83,16 +83,29 @@ variable "networks" {
 ```
 networks = {
- "mgmt-network" = {
- create_network = true
- create_subnetwork = true
- name = "fw-mgmt-vpc"
- subnetwork_name = "fw-mgmt-sub"
- ip_cidr_range = "10.10.10.0/28"
- allowed_sources = ["1.1.1.1/32"]
+ fw-mgmt-vpc = {
+ vpc_name = "fw-mgmt-vpc"
+ create_network = true
 delete_default_routes_on_create = false
- allowed_protocol = "all"
- allowed_ports = []
+ mtu = "1460"
+ routing_mode = "REGIONAL"
+ subnetworks = {
+ fw-mgmt-sub = {
+ name = "fw-mgmt-sub"
+ create_subnetwork = true
+ ip_cidr_range = "10.10.10.0/28"
+ region = "us-east1"
+ }
+ }
+ firewall_rules = {
+ allow-mgmt-ingress = {
+ name = "allow-mgmt-vpc"
+ source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ priority = "1000"
+ allowed_protocol = "all"
+ allowed_ports = []
+ }
+ }
 }
 }
 ```
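Review bot: The `allow-mgmt-ingress` example added to the `variable "networks"` description uses `source_ranges = ["10.10.10.0/24", "1.1.1.1/32"]`, which disagrees with the `["1.1.1.1/32"]` given for the same rule in example.tfvars, and the `/24` is wider than the `10.10.10.0/28` management subnet declared a few lines above it in the same example. Since this description is presumably what the README input table is generated from, align it with the tfvars: `source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own source IP address for management purposes.`, which also fixes the "souurce" typo. The `variable "networks"` block and its `description` opening start before this hunk.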
@@ -112,8 +125,8 @@ variable "vpc_peerings" {
 ```
 vpc_peerings = {
 "trust-to-spoke1" = {
- local_network = "fw-trust-vpc"
- peer_network = "spoke1-vpc"
+ local_network_key = "fw-trust-vpc"
+ peer_network_key = "fw-spoke1-vpc"
 local_export_custom_routes = true
 local_import_custom_routes = true
@@ -146,7 +159,7 @@ variable "routes" {
 "default-route-trust" = {
 name = "fw-default-trust"
 destination_range = "0.0.0.0/0"
- network = "fw-trust-vpc"
+ vpc_network_key = "fw-trust-vpc"
 lb_internal_name = "internal-lb"
 }
 }
@@ -196,8 +209,8 @@ variable "vmseries" {
 zone = "us-east1-b"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
- tags = ["vmseries"]
- service_account = "sa-vmseries-01"
+ tags = ["vmseries"]
+ service_account_key = "sa-vmseries-01"
 scopes = [
 "https://www.googleapis.com/auth/compute.readonly",
 "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
@@ -230,19 +243,22 @@ variable "vmseries" {
 ]
 network_interfaces = [
 {
- subnetwork = "fw-untrust-sub"
+ vpc_network_key = "fw-untrust-vpc"
+ subnetwork_key = "fw-untrust-sub"
 private_ip = "10.10.11.2"
 create_public_ip = true
 },
 {
- subnetwork = "fw-mgmt-sub"
+ vpc_network_key = "fw-mgmt-vpc"
+ subnetwork_key = "fw-mgmt-sub"
 private_ip = "10.10.10.2"
 create_public_ip = true
 },
 {
- subnetwork = "fw-trust-sub"
+ vpc_network_key = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
 private_ip = "10.10.12.2"
- }
+ },
 ]
 }
 }
@@ -270,8 +286,8 @@ variable "lbs_internal" {
 health_check_port = "80"
 backends = ["fw-vmseries-01", "fw-vmseries-02"]
 ip_address = "10.10.12.5"
- subnetwork = "fw-trust-sub"
- network = "fw-trust-vpc"
+ subnetwork_key = "fw-trust-sub"
+ vpc_network_key = "fw-trust-vpc"
 }
 }
 ```
diff --git a/examples/vpc_peering_dedicated/versions.tf b/examples/vpc_peering_dedicated/versions.tf
index 5f141c52..785e9269 100644
--- a/examples/vpc_peering_dedicated/versions.tf
+++ b/examples/vpc_peering_dedicated/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 }
 provider "google" {
diff --git a/modules/autoscale/README.md b/modules/autoscale/README.md
index abc62e62..4254c170 100644
--- a/modules/autoscale/README.md
+++ b/modules/autoscale/README.md
@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/autoscale/versions.tf b/modules/autoscale/versions.tf
index 5b743222..d47a6968 100644
--- a/modules/autoscale/versions.tf
+++ b/modules/autoscale/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = {
 version = "~> 4.54"
diff --git a/modules/bootstrap/README.md b/modules/bootstrap/README.md
index f5a62912..25088a75 100644
--- a/modules/bootstrap/README.md
+++ b/modules/bootstrap/README.md
@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/bootstrap/versions.tf b/modules/bootstrap/versions.tf
index 0f1d2522..999ddae9 100644
--- a/modules/bootstrap/versions.tf
+++ b/modules/bootstrap/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = { version = "~> 4.54" }
 }
diff --git a/modules/iam_service_account/README.md b/modules/iam_service_account/README.md
index 9675f934..bd870b82 100644
--- a/modules/iam_service_account/README.md
+++ b/modules/iam_service_account/README.md
@@ -13,7 +13,7 @@ The account produced by this module is intended to have minimal required permiss
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/iam_service_account/versions.tf b/modules/iam_service_account/versions.tf
index 5a50f19e..0c06b087 100644
--- a/modules/iam_service_account/versions.tf
+++ b/modules/iam_service_account/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = { version = "~> 4.54" }
 }
diff --git a/modules/lb_external/README.md b/modules/lb_external/README.md
index 24132082..186cfa41 100644
--- a/modules/lb_external/README.md
+++ b/modules/lb_external/README.md
@@ -14,7 +14,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/lb_external/versions.tf b/modules/lb_external/versions.tf
index 0f1d2522..999ddae9 100644
--- a/modules/lb_external/versions.tf
+++ b/modules/lb_external/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = { version = "~> 4.54" }
 }
diff --git a/modules/lb_http_ext_global/README.md b/modules/lb_http_ext_global/README.md
index 833fba6d..5e859bf9 100644
--- a/modules/lb_http_ext_global/README.md
+++ b/modules/lb_http_ext_global/README.md
@@ -37,7 +37,7 @@ Thus if you re-use the same IG for this module (HTTP LB) you need balancing_mode
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/lb_http_ext_global/versions.tf b/modules/lb_http_ext_global/versions.tf
index 0f1d2522..999ddae9 100644
--- a/modules/lb_http_ext_global/versions.tf
+++ b/modules/lb_http_ext_global/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = { version = "~> 4.54" }
 }
diff --git a/modules/lb_internal/README.md b/modules/lb_internal/README.md
index 2286629b..9a1dce8f 100644
--- a/modules/lb_internal/README.md
+++ b/modules/lb_internal/README.md
@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/lb_internal/versions.tf b/modules/lb_internal/versions.tf
index 0f1d2522..999ddae9 100644
--- a/modules/lb_internal/versions.tf
+++ b/modules/lb_internal/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = { version = "~> 4.54" }
 }
diff --git a/modules/panorama/README.md b/modules/panorama/README.md
index a61fe52c..4aa4b57a 100644
--- a/modules/panorama/README.md
+++ b/modules/panorama/README.md
@@ -12,7 +12,7 @@ For usage, check the "examples" folder in the root of the repository.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 ### Providers
diff --git a/modules/panorama/versions.tf b/modules/panorama/versions.tf
index 5b743222..d47a6968 100644
--- a/modules/panorama/versions.tf
+++ b/modules/panorama/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 google = {
 version = "~> 4.54"
diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md
index e15358fd..a56648c4 100644
--- a/modules/vmseries/README.md
+++ b/modules/vmseries/README.md
@@ -12,7 +12,7 @@ When troubleshooting you can use this module also with a good ol' Linux image. I
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | ~> 4.54 |
 | [null](#requirement\_null) | ~> 3.1 |
diff --git a/modules/vmseries/versions.tf b/modules/vmseries/versions.tf
index 8bc65819..2bccc382 100644
--- a/modules/vmseries/versions.tf
+++ b/modules/vmseries/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 required_providers {
 null = { version = "~> 3.1" }
 google = { version = "~> 4.54" }
diff --git a/modules/vpc-peering/README.md b/modules/vpc-peering/README.md
index a16dfabf..f5e921e0 100644
--- a/modules/vpc-peering/README.md
+++ b/modules/vpc-peering/README.md
@@ -10,7 +10,7 @@ By default, no routes are exported/imported for each direction, every option has
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 ### Providers
diff --git a/modules/vpc-peering/versions.tf b/modules/vpc-peering/versions.tf
index 4a252e8a..4b6b366c 100644
--- a/modules/vpc-peering/versions.tf
+++ b/modules/vpc-peering/versions.tf
@@ -1,3 +1,3 @@
 terraform {
- required_version = ">= 1.2, < 2.0"
+ required_version = ">= 1.3, < 2.0"
 }
\ No newline at end of file
diff --git a/modules/vpc/README.md b/modules/vpc/README.md
index ab4adacb..9661f69e 100644
--- a/modules/vpc/README.md
+++ b/modules/vpc/README.md
@@ -1,15 +1,8 @@ -# VPC Networks Module for GCP +# VPC Network Module for GCP -The module that creates networks and subnetworks on GCP. +A Terraform module for deploying a VPC and associated subnetworks and firewall rules in GCP. -It is primarily intended for **Terraform 0.12.x** users, because it offers possibility to conditionally handle either new or pre-existing -networks/subnetworks without changing the source code. It is useful for 0.12 which doesn't allow conditional module instantiation. - -This module is not strictly required for constructing inputs to be passed to other modules (including to vmseries or to autoscale modules). -Any existing networks/subnetworks can work equally well, independent on how they were created. - -For Terraform 0.13+, a viable alternative is to use [Goggle-authored Terraform modules](https://registry.terraform.io/modules/terraform-google-modules/network) -and employ `for_each` or `count` parameters when needed. +One advantage of this module over the [terraform-google-network](https://github.com/terraform-google-modules/terraform-google-network/tree/master) module is that this module lets you use existing VPC networks and subnetworks to support brownfield deployments. ## Reference @@ -17,7 +10,7 @@ and employ `for_each` or `count` parameters when needed. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | +| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 | | [google](#requirement\_google) | ~> 4.54 | ### Providers 
@@ -44,18 +37,19 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allowed\_ports](#input\_allowed\_ports) | A list of ports to pass for the `networks` entries that do not have their own `allowed_ports` attribute. For example ["22", "443"]. Can also include ranges, for example ["80", "8080-8999"]. Empty list means to allow all. | `list(string)` | `[]` | no | -| [allowed\_protocol](#input\_allowed\_protocol) | A protocol (TCP or UDP) to pass for the `networks` entries that do not have their own `allowed_protocol` attribute. | `string` | `"all"` | no | -| [networks](#input\_networks) | Map of networks, a minimal example:
{
"my-vpc" = {
name = "my-vpc"
subnetwork_name = "my-subnet"
ip_cidr_range = "192.168.1.0/24"
}
}
An advanced example:
{
"my-vpc" = {
name = "my-vpc"
subnetwork_name = "my-subnet"
ip_cidr_range = "192.168.1.0/24"
allowed_sources = ["209.85.152.0/22"]
log_metadata = "INCLUDE_ALL_METADATA"
mtu = 1500
routing_mode = "REGIONAL"
}
}
Full example:
{
"my-vpc" = {
name = "my-vpc"
subnetwork_name = "my-subnet"
ip_cidr_range = "192.168.1.0/24"
allowed_sources = ["10.0.0.0/8", "98.98.98.0/28"]
allowed_protocol = "UDP"
allowed_ports = ["53", "123-125"]
log_metadata = "EXCLUDE_ALL_METADATA"
routing_mode = "GLOBAL"

delete_default_routes_on_create = true
}
"imported-from-hostproject" = {
name = "existing-core-vpc"
subnetwork_name = "existing-subnet"
create_network = false
create_subnetwork = false
host_project_id = "my-core-project-id"
}
}
Terraform 0.12.x and 0.13.x limitation: the existing networks/subnetworks names should be static strings and not come from other `resource` objects.
It is allowed from Terraform 0.14 onwards. | `any` | n/a | yes | +| [create\_network](#input\_create\_network) | A flag to indicate the creation or import of a VPC network.
Setting this to `true` will create a new network managed by Terraform.
Setting this to `false` will try to read the existing network identified by `name` and `project` variables. | `bool` | `true` | no | +| [delete\_default\_routes\_on\_create](#input\_delete\_default\_routes\_on\_create) | A flag to indicate the deletion of the default routes at VPC creation.
Setting this to `true` the default route `0.0.0.0/0` will be deleted upon network creation.
Setting this to `false` the default route `0.0.0.0/0` will be not be deleted upon network creation. | `bool` | `false` | no | +| [firewall\_rules](#input\_firewall\_rules) | A map containing each firewall rule configuration.
Action of the firewall rule is always `allow`.
The only possible direction of the firewall rule is `INGRESS`.

List of available attributes of each firewall rule entry:
- `name` : Name of the firewall rule.
- `source_ranges` : (Optional) A list of strings containing the source IP ranges to be allowed on the firewall rule.
- `source_tags` : (Optional) A list of strings containing the source network tags to be allowed on the firewall rule.
- `source_service_accounts` : (Optional) A list of strings containg the source servce accounts to be allowed on the firewall rule.
- `target_service_accounts` : (Optional) A list of strings containing the service accounts for which the firewall rule applies to.
- `target_tags` : (Optional) A list of strings containing the network tags for which the firewall rule applies to.
- `allowed_protocol` : The protocol type to match in the firewall rule. Possible values are: `tcp`, `udp`, `icmp`, `esp`, `ah`, `sctp`, `ipip`, `all`.
- `ports` : A list of strings containing TCP or UDP port numbers to match in the firewall rule. This type of setting can only be configured if allowing TCP and UDP as protocols.
- `priority` : (Optional) A priority value for the firewall rule. The lower the number - the more preferred the rule is.
- `log_metadata` : (Optional) This field denotes whether to include or exclude metadata for firewall logs. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`.

Example :
firewall_rules = {
firewall-rule-1 = {
name = "first-rule"
source_ranges = ["10.10.10.0/24", "1.1.1.0/24"]
priority = "2000"
target_tags = ["vmseries-firewalls"]
allowed_protocol = "TCP"
allowed_ports = ["443", "22"]
}
}
|
map(object({
name = string
source_ranges = optional(list(string))
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
allowed_protocol = string
allowed_ports = list(string)
priority = optional(string)
target_service_accounts = optional(list(string))
target_tags = optional(list(string))
log_metadata = optional(string)
}))
| `{}` | no | +| [mtu](#input\_mtu) | MTU value for VPC Network. Acceptable values are between 1300 and 8896. | `number` | `1460` | no | +| [name](#input\_name) | The name of the created or already existing VPC Network. | `string` | n/a | yes | | [project\_id](#input\_project\_id) | Project in which to create or look for VPCs and subnets | `string` | `null` | no | -| [region](#input\_region) | GCP region for all the created subnetworks and for all the imported subnetworks. Set to null to use a default provider's region.

To add subnetworks with another region use a separate instance of this module (and specify `create_network=false` to avoid creating a duplicate network). | `string` | `null` | no | +| [routing\_mode](#input\_routing\_mode) | Type of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL.
REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router.
GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network. | `string` | `"REGIONAL"` | no | +| [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.
List of available attributes of each subnetwork entry:
- `name` : Name of the subnetwork.
- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.
- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.
- `region` : Region where to configure or import the subnet.

Example:
subnetworks = {
my-sub = {
name = "my-sub"
create_subnetwork = true
ip_cidr_range = "192.168.0.0/24"
region = "us-east1"
}
}
|
map(object({
name = string
create_subnetwork = optional(bool, true)
ip_cidr_range = string
region = string
}))
| `{}` | no | ### Outputs | Name | Description | |------|-------------| -| [networks](#output\_networks) | n/a | -| [networks\_by\_key](#output\_networks\_by\_key) | Map with network objects corresponding to input keys (or index if list was provided) of `networks` variable. | -| [subnetworks](#output\_subnetworks) | n/a | -| [subnetworks\_by\_key](#output\_subnetworks\_by\_key) | Map with subnetwork objects corresponding to input key (or index if list was provided) of `networks` variable. | +| [network](#output\_network) | Created or read network attributes. | +| [subnetworks](#output\_subnetworks) | Map containing key, value pairs of created or read subnetwork attributes. | diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 073d5dfa..a12acf84 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf 
@@ -1,86 +1,72 @@
 locals {
-  // All the networks:
-  networks = { for v in var.networks : v.name => v } // tested on tf-0.12, when list elements shift indexes, this map prevents destroy
-
-  // Some networks already exist:
-  networks_existing = {
-    for k, v in local.networks
-    : k => v
-    if try(v.create_network == false, false)
-  }
-
-  // Some networks need to be created:
-  networks_to_create = {
-    for k, v in local.networks
-    : k => v
-    if !(try(v.create_network == false, false))
-  }
-
-  // We have networks, now the same for subnetworks:
-  subnetworks = { for v in var.networks : v.subnetwork_name => v }
-
-  // Some subnetworks already exist:
   subnetworks_existing = {
-    for k, v in local.subnetworks
+    for k, v in var.subnetworks
     : k => v
     if try(v.create_subnetwork == false, false)
   }
 
   // Some subnetworks need to be created:
   subnetworks_to_create = {
-    for k, v in local.subnetworks
+    for k, v in var.subnetworks
     : k => v
     if !(try(v.create_subnetwork == false, false))
   }
 }
 
 data "google_compute_network" "this" {
-  for_each = local.networks_existing
+  count = var.create_network == true ? 0 : 1
 
-  name = each.value.name
-  project = try(each.value.host_project_id, each.value.project, var.project_id, null)
+  name = var.name
+  project = var.project_id
 }
 
 resource "google_compute_network" "this" {
-  for_each = local.networks_to_create
+  count = var.create_network == true ? 1 : 0
 
-  name = each.value.name
-  project = try(each.value.host_project_id, each.value.project, var.project_id, null)
-  delete_default_routes_on_create = try(each.value.delete_default_routes_on_create, false)
-  mtu = try(each.value.mtu, null)
+  name = var.name
+  project = var.project_id
+  delete_default_routes_on_create = var.delete_default_routes_on_create
+  mtu = var.mtu
   auto_create_subnetworks = false
-  routing_mode = try(each.value.routing_mode, "REGIONAL")
+  routing_mode = var.routing_mode
 }
 
 data "google_compute_subnetwork" "this" {
   for_each = local.subnetworks_existing
 
-  name = each.value.subnetwork_name
-  project = try(each.value.host_project_id, each.value.project, var.project_id, null)
-  region = try(each.value.region, var.region, null)
+  name = each.value.name
+  project = var.project_id
+  region = each.value.region
 }
 
 resource "google_compute_subnetwork" "this" {
   for_each = local.subnetworks_to_create
 
-  name = each.value.subnetwork_name
+  name = each.value.name
   ip_cidr_range = each.value.ip_cidr_range
-  network = merge(google_compute_network.this, data.google_compute_network.this)[each.value.name].self_link
-  region = try(each.value.region, null)
-  project = try(each.value.host_project_id, var.project_id)
+  network = try(data.google_compute_network.this[0].self_link, google_compute_network.this[0].self_link)
+  region = each.value.region
+  project = var.project_id
 }
 
 resource "google_compute_firewall" "this" {
-  for_each = { for k, v in local.networks : k => v if can(v.allowed_sources) }
-  name = "${each.value.name}-ingress"
-  network = merge(google_compute_network.this, data.google_compute_network.this)[each.key].self_link
-  direction = "INGRESS"
-  source_ranges = try(each.value.allowed_sources, null)
-  project = try(each.value.host_project_id, var.project_id)
+  for_each = var.firewall_rules
+
+  name = "${each.value.name}-ingress"
+  network = try(data.google_compute_network.this[0].self_link, google_compute_network.this[0].self_link)
+  direction = "INGRESS"
+  source_ranges = each.value.source_ranges
+  source_tags = each.value.source_tags
+  source_service_accounts = each.value.source_service_accounts
+  project = var.project_id
+  priority = each.value.priority
+  target_service_accounts = each.value.target_service_accounts
+  target_tags = each.value.target_tags
+
   allow {
-    protocol = try(each.value.allowed_protocol, var.allowed_protocol, null)
-    ports = try(each.value.allowed_ports, var.allowed_ports, null)
+    protocol = each.value.allowed_protocol
+    ports = each.value.allowed_ports
   }
 
   dynamic "log_config" {
@@ -90,4 +76,4 @@ resource "google_compute_firewall" "this" {
       metadata = log_config.value
     }
   }
-}
+}
\ No newline at end of file
diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf
index c71c4ed5..e8b5573a 100644
--- a/modules/vpc/outputs.tf
+++ b/modules/vpc/outputs.tf
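Review bot: `ports = each.value.allowed_ports` in the `google_compute_firewall` resource is passed for every rule regardless of `allowed_protocol`, although the module's own variable description says ports can only be configured for TCP and UDP; a rule with `allowed_protocol` of `icmp`, `esp` or `all` and a non-empty list will most likely be rejected at apply time, and because `allowed_ports` is a required `list(string)` with no validation, a caller who passes `[]` for a `tcp`/`udp` rule silently opens every port of that protocol. Consider `ports = contains(["tcp", "udp"], lower(each.value.allowed_protocol)) ? each.value.allowed_ports : null` here, and a `validation` on `firewall_rules` that rejects an empty `allowed_ports` for tcp/udp unless that is the documented intent. Separately, now that `create_subnetwork` is typed `optional(bool, true)`, the `try(v.create_subnetwork == false, false)` wrappers in `locals` reduce to `!v.create_subnetwork` / `v.create_subnetwork`, and `var.create_network == true ? 0 : 1` to `var.create_network ? 0 : 1`. The firewall resource's `dynamic "log_config"` block continues past this hunk.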
@@ -1,25 +1,11 @@
-output "networks" {
-  value = { for _, v in var.networks : v.name
-    => try(data.google_compute_network.this[v.name], google_compute_network.this[v.name], null)
-  }
+output "network" {
+  description = "Created or read network attributes."
+  value = try(data.google_compute_network.this[0], google_compute_network.this[0])
 }
 
 output "subnetworks" {
-  value = { for _, v in var.networks : v.subnetwork_name
-    => try(data.google_compute_subnetwork.this[v.subnetwork_name], google_compute_subnetwork.this[v.subnetwork_name], null)
-  }
-}
-
-output "networks_by_key" {
-  description = "Map with network objects corresponding to input keys (or index if list was provided) of `networks` variable."
-  value = { for k, v in var.networks :
-    k => try(data.google_compute_network.this[v.name], google_compute_network.this[v.name])
+  description = "Map containing key, value pairs of created or read subnetwork attributes."
+  value = { for k, v in var.subnetworks :
+    k => try(data.google_compute_subnetwork.this[k], google_compute_subnetwork.this[k], null)
   }
-}
-
-output "subnetworks_by_key" {
-  description = "Map with subnetwork objects corresponding to input key (or index if list was provided) of `networks` variable."
-  value = { for k, v in var.networks :
-    k => try(data.google_compute_subnetwork.this[v.subnetwork_name], google_compute_subnetwork.this[v.subnetwork_name])
-  }
-}
+}
\ No newline at end of file
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf
index 55e135d7..b8844ee3 100644
--- a/modules/vpc/variables.tf
+++ b/modules/vpc/variables.tf
@@ -1,87 +1,153 @@ -variable "networks" { - description = <<-EOF - Map of networks, a minimal example: +variable "project_id" { + description = "Project in which to create or look for VPCs and subnets" + default = null + type = string +} - ``` - { - "my-vpc" = { - name = "my-vpc" - subnetwork_name = "my-subnet" - ip_cidr_range = "192.168.1.0/24" - } - } - ``` +variable "name" { + description = "The name of the created or already existing VPC Network." + type = string +} + +variable "create_network" { + description = <<-EOF + A flag to indicate the creation or import of a VPC network. + Setting this to `true` will create a new network managed by Terraform. + Setting this to `false` will try to read the existing network identified by `name` and `project` variables. + EOF + default = true + type = bool +} - An advanced example: +variable "subnetworks" { + description = <<-EOF + A map containing subnetworks configuration. Subnets can belong to different regions. + List of available attributes of each subnetwork entry: + - `name` : Name of the subnetwork. + - `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information. + - `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported. + - `region` : Region where to configure or import the subnet. 
+ Example: ``` - { - "my-vpc" = { - name = "my-vpc" - subnetwork_name = "my-subnet" - ip_cidr_range = "192.168.1.0/24" - allowed_sources = ["209.85.152.0/22"] - log_metadata = "INCLUDE_ALL_METADATA" - mtu = 1500 - routing_mode = "REGIONAL" + subnetworks = { + my-sub = { + name = "my-sub" + create_subnetwork = true + ip_cidr_range = "192.168.0.0/24" + region = "us-east1" } } ``` + EOF + default = {} + type = map(object({ + name = string + create_subnetwork = optional(bool, true) + ip_cidr_range = string + region = string + })) +} - Full example: +variable "firewall_rules" { + description = <<-EOF + A map containing each firewall rule configuration. + Action of the firewall rule is always `allow`. + The only possible direction of the firewall rule is `INGRESS`. - ``` - { - "my-vpc" = { - name = "my-vpc" - subnetwork_name = "my-subnet" - ip_cidr_range = "192.168.1.0/24" - allowed_sources = ["10.0.0.0/8", "98.98.98.0/28"] - allowed_protocol = "UDP" - allowed_ports = ["53", "123-125"] - log_metadata = "EXCLUDE_ALL_METADATA" - routing_mode = "GLOBAL" + List of available attributes of each firewall rule entry: + - `name` : Name of the firewall rule. + - `source_ranges` : (Optional) A list of strings containing the source IP ranges to be allowed on the firewall rule. + - `source_tags` : (Optional) A list of strings containing the source network tags to be allowed on the firewall rule. + - `source_service_accounts` : (Optional) A list of strings containg the source servce accounts to be allowed on the firewall rule. + - `target_service_accounts` : (Optional) A list of strings containing the service accounts for which the firewall rule applies to. + - `target_tags` : (Optional) A list of strings containing the network tags for which the firewall rule applies to. + - `allowed_protocol` : The protocol type to match in the firewall rule. Possible values are: `tcp`, `udp`, `icmp`, `esp`, `ah`, `sctp`, `ipip`, `all`. 
+ - `ports` : A list of strings containing TCP or UDP port numbers to match in the firewall rule. This type of setting can only be configured if allowing TCP and UDP as protocols. + - `priority` : (Optional) A priority value for the firewall rule. The lower the number - the more preferred the rule is. + - `log_metadata` : (Optional) This field denotes whether to include or exclude metadata for firewall logs. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`. - delete_default_routes_on_create = true - } - "imported-from-hostproject" = { - name = "existing-core-vpc" - subnetwork_name = "existing-subnet" - create_network = false - create_subnetwork = false - host_project_id = "my-core-project-id" + Example : + ``` + firewall_rules = { + firewall-rule-1 = { + name = "first-rule" + source_ranges = ["10.10.10.0/24", "1.1.1.0/24"] + priority = "2000" + target_tags = ["vmseries-firewalls"] + allowed_protocol = "TCP" + allowed_ports = ["443", "22"] } } ``` - - Terraform 0.12.x and 0.13.x limitation: the existing networks/subnetworks names should be static strings and not come from other `resource` objects. - It is allowed from Terraform 0.14 onwards. EOF + default = {} + type = map(object({ + name = string + source_ranges = optional(list(string)) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + allowed_protocol = string + allowed_ports = list(string) + priority = optional(string) + target_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + log_metadata = optional(string) + })) + validation { + condition = length(var.firewall_rules) > 0 ? 
alltrue([ + for rule in var.firewall_rules : ( + (rule.source_ranges != null && rule.source_tags == null && rule.source_service_accounts == null) || + (rule.source_ranges == null && rule.source_tags != null && rule.source_service_accounts == null) || + (rule.source_ranges == null && rule.source_tags == null && rule.source_service_accounts != null) + ) + ]) : true + error_message = "Only one of the following source types can be selected per firewall rule : source_ranges, source_tags or source_service_accounts ." + } + validation { + condition = length(var.firewall_rules) > 0 ? alltrue([ + for rule in var.firewall_rules : ( + (rule.target_tags != null && rule.target_service_accounts == null) || + (rule.target_tags == null && rule.target_service_accounts != null) || + (rule.target_tags == null && rule.target_service_accounts == null) + ) + ]) : true + error_message = "Only one of the following target types can be selected per firewall rule : target_tags, target_service_accounts or neither (not configuring either of them will apply the firewall rule to all instances in the network)." + } } -variable "region" { +variable "delete_default_routes_on_create" { description = <<-EOF - GCP region for all the created subnetworks and for all the imported subnetworks. Set to null to use a default provider's region. - - To add subnetworks with another region use a separate instance of this module (and specify `create_network=false` to avoid creating a duplicate network). + A flag to indicate the deletion of the default routes at VPC creation. + Setting this to `true` the default route `0.0.0.0/0` will be deleted upon network creation. + Setting this to `false` the default route `0.0.0.0/0` will be not be deleted upon network creation. EOF - default = null - type = string -} - -variable "allowed_protocol" { - description = "A protocol (TCP or UDP) to pass for the `networks` entries that do not have their own `allowed_protocol` attribute." 
- default = "all" + default = false + type = bool } -variable "allowed_ports" { - description = "A list of ports to pass for the `networks` entries that do not have their own `allowed_ports` attribute. For example [\"22\", \"443\"]. Can also include ranges, for example [\"80\", \"8080-8999\"]. Empty list means to allow all." - default = [] - type = list(string) +variable "mtu" { + description = <<-EOF + MTU value for VPC Network. Acceptable values are between 1300 and 8896. + EOF + default = 1460 + type = number + validation { + condition = var.mtu >= 1300 && var.mtu <= 8896 + error_message = "MTU value must be between 1300 and 8896." + } } -variable "project_id" { - description = "Project in which to create or look for VPCs and subnets" - default = null +variable "routing_mode" { + description = <<-EOF + Type of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL. + REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router. + GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network. + EOF + default = "REGIONAL" type = string + validation { + condition = var.routing_mode == "REGIONAL" || var.routing_mode == "GLOBAL" + error_message = "Routing mode must be either 'REGIONAL' or 'GLOBAL'." + } } \ No newline at end of file diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 8d46e18e..9b00b7d5 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2, < 2.0" + required_version = ">= 1.3, < 2.0" required_providers { google = { version = "~> 4.54" diff --git a/modules/vpn/README.md b/modules/vpn/README.md index 4a2b07af..38bee1a4 100644 --- a/modules/vpn/README.md +++ b/modules/vpn/README.md 
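Review bot: The `firewall_rules` description lists an attribute named `ports`, but the object type and the example both use `allowed_ports`, so a caller who follows the attribute list sets a key the type silently drops; rename the bullet to `` - `allowed_ports` : A list of strings containing TCP or UDP port numbers to match in the firewall rule; an empty list matches every port of the protocol. `` (the removed `allowed_ports` variable documented that last point and the new text does not). The same list says `allowed_protocol` takes lowercase `tcp`, `udp`, … while the example passes `"TCP"`; picking one form and enforcing it with a `validation` block, as is already done for `routing_mode` further down, would avoid case surprises. `priority` is typed `optional(string)` although it is numeric on the resource; `optional(number)` lets Terraform reject non-numeric input instead of deferring the error to the provider. The `create_network` description refers to `name` and `project` variables, but the module's variable is `project_id`. The generated README hunk earlier in this diff repeats these lines, including the typos `containg` and `servce`, so fixing the descriptions here and regenerating it fixes both.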
@@ -153,7 +153,7 @@ module "vpn" {
 
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.3, < 2.0 |
 | [google](#requirement\_google) | >= 4.58 |
 
 ### Providers
diff --git a/modules/vpn/versions.tf b/modules/vpn/versions.tf
index fcbc0254..72f2a35c 100644
--- a/modules/vpn/versions.tf
+++ b/modules/vpn/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.2, < 2.0"
+  required_version = ">= 1.3, < 2.0"
   required_providers {
     google = {
       version = ">= 4.58"