
restrict ephemeral [external] IPs for the compute engines [VMs] created in the subnet #5109

Closed
NagarajGoud opened this issue Dec 7, 2019 · 5 comments

Comments

@NagarajGoud

Hi,
We have a setup with one VPC network with two subnets (private, public). VMs created in the public subnet can have an external IP, whereas those in the private subnet cannot.

I have a use case such that any VM created in the private subnet should not get ephemeral [external] IPs by default.

Initially I thought tweaking an org policy related to external IPs would serve my purpose, but I didn't see any such policy so far.

After spending time exploring, I landed up here, which says to remove the access_config block from the network_interface block of the instance template.

What I'm looking for:

  1. Any policy that can be enforced at project/network/subnet level so that any instance created in that subnet, either by script or console, will have no external IP.
  2. Any attributes we can add/remove at subnet level which will serve the purpose.

Thanks in advance.

@Chupaka
Contributor

Chupaka commented Dec 7, 2019

The policy you're looking for is "constraints/compute.vmExternalIpAccess" and it has nothing to do with Terraform.

@NagarajGoud
Author

Yes, I have used this constraint "constraints/compute.vmExternalIpAccess", but it can be applied at org/project/VM level, not at subnet level.

My use case: no external IP for VMs created in a particular subnet.

Please let me know if we can achieve this, or any other alternatives for the same. Thanks!

@edwardmedia edwardmedia self-assigned this Dec 11, 2019
@edwardmedia
Contributor

edwardmedia commented Dec 12, 2019

@NagarajGoud there is no direct control in Terraform at subnet level you can use to achieve this. But you can build some logic to dynamically add access_config based on the type of your subnetwork. Basically, you could first output a list-type "control" value to the state from the TF code that builds your network/subnetwork. When your subnet is public, it is a single-element list, while it is an empty list for private. Then in your google_compute_instance, you will have something like below:

```hcl
network_interface {
  subnetwork = data.terraform_remote_state.network.outputs.subnetwork-private.name
  network    = data.terraform_remote_state.network.outputs.network.name
  # The "control" output is a list: one element for a public subnet, empty for a
  # private one. Zero iterations means no access_config block and no external IP.
  # (for_each needs the list itself, not a "${...}" string template of it.)
  dynamic "access_config" {
    for_each = data.terraform_remote_state.network.outputs.subnetwork-control
    content {
      network_tier = "PREMIUM"
    }
  }
}
```
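A worked version of the pattern described in the comment above, as an added example that is not part of the issue or the provider's code: the network configuration emits a per-subnet `control` list, and the instance's `dynamic "access_config"` iterates it, so a VM placed in `private` ends up with no external IP. The subnet names, CIDR ranges, the `example-vpc` network, the local backend path, machine type and image are assumptions.

```hcl
# network/main.tf (assumed layout; added example, not from the issue)
variable "subnets" {
  type    = map(bool) # subnet name => may its VMs get an external IP?
  default = { public = true, private = false }
}
resource "google_compute_subnetwork" "subnet" {
  for_each      = var.subnets
  name          = each.key
  network       = "example-vpc" # assumed existing VPC name
  region        = "us-central1"
  ip_cidr_range = each.key == "public" ? "10.0.0.0/24" : "10.0.1.0/24" # constructed
}
# Per subnet: its self_link plus a "control" list that is [1] when public, [] when private.
output "subnets" {
  value = {
    for name, public in var.subnets : name => {
      self_link = google_compute_subnetwork.subnet[name].self_link
      control   = public ? [1] : []
    }
  }
}

# compute/main.tf: the instance derives access_config from the control list
data "terraform_remote_state" "network" {
  backend = "local" # assumed backend
  config  = { path = "../network/terraform.tfstate" }
}
locals {
  subnet = data.terraform_remote_state.network.outputs.subnets["private"] # "public" => gets an IP
}
resource "google_compute_instance" "vm" {
  name         = "example-vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
  network_interface {
    subnetwork = local.subnet.self_link
    # Zero iterations => no access_config block => no ephemeral external IP.
    dynamic "access_config" {
      for_each = local.subnet.control
      content { network_tier = "PREMIUM" }
    }
  }
}
```

Switching the lookup key to `"public"` is the only change needed for the same instance definition to receive an ephemeral IP, which keeps the public/private decision in the network state rather than in each instance.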

@edwardmedia
Contributor

@NagarajGoud does that help? I am closing this question. Please feel free to reopen it if you need further assistance.

@ghost

ghost commented Jun 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 15, 2020