GCP: Remove firewall rules when providing network project id
** Added the Network Project ID data to gcp terraform vars
** Added checks to GCP terraform to set count to 0 for firewall rules when
the Network Project ID is available.

CORS 2039
Requires #6166

** Added a default value for the terraform value for network_project_id
barbacbd committed Aug 22, 2022
1 parent e781753 commit 6315658
Showing 7 changed files with 25 additions and 4 deletions.
1 change: 1 addition & 0 deletions data/data/gcp/bootstrap/main.tf
Expand Up @@ -50,6 +50,7 @@ resource "google_compute_address" "bootstrap" {
}

resource "google_compute_firewall" "bootstrap_ingress_ssh" {
count = var.gcp_network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-bootstrap-in-ssh"
network = var.network
description = local.description
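Review bot: The added `count` on bootstrap_ingress_ssh compares the variable against the empty string, but gcp_network_project_id is declared in data/data/gcp/variables-gcp.tf with `default = null`, and the Go field that feeds it is tagged `omitempty`, so an unset network project id reaches Terraform as null rather than "". As far as I can tell Terraform evaluates `null != ""` as true, which would make count 0 and skip the SSH ingress rule in the ordinary single-project case — the opposite of what the description states; please confirm against a plan run with no network project id. The smallest fix is to make the default match the comparison, `default = ""` in variables-gcp.tf, or to compare explicitly, `count = var.gcp_network_project_id != null && var.gcp_network_project_id != "" ? 0 : 1`. The same expression is repeated in all six resources in data/data/gcp/cluster/network/firewall.tf, whose module input network_project_id has no default and receives the same possibly-null value via data/data/gcp/cluster/main.tf. The resource block continues outside the hunk.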
1 change: 1 addition & 0 deletions data/data/gcp/cluster/main.tf
Expand Up @@ -60,6 +60,7 @@ module "network" {
cluster_network = var.gcp_cluster_network
master_subnet = var.gcp_control_plane_subnet
worker_subnet = var.gcp_compute_subnet
network_project_id = var.gcp_network_project_id
}

module "dns" {
6 changes: 6 additions & 0 deletions data/data/gcp/cluster/network/firewall.tf
@@ -1,4 +1,5 @@
resource "google_compute_firewall" "api" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-api"
network = local.cluster_network
description = local.description
Expand All @@ -14,6 +15,7 @@ resource "google_compute_firewall" "api" {
}

resource "google_compute_firewall" "health_checks" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-health-checks"
network = local.cluster_network
description = local.description
Expand All @@ -29,6 +31,7 @@ resource "google_compute_firewall" "health_checks" {
}

resource "google_compute_firewall" "etcd" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-etcd"
network = local.cluster_network
description = local.description
Expand All @@ -44,6 +47,7 @@ resource "google_compute_firewall" "etcd" {
}

resource "google_compute_firewall" "control_plane" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-control-plane"
network = local.cluster_network
description = local.description
Expand Down Expand Up @@ -74,6 +78,7 @@ resource "google_compute_firewall" "control_plane" {
}

resource "google_compute_firewall" "internal_network" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-internal-network"
network = local.cluster_network
description = local.description
Expand All @@ -97,6 +102,7 @@ resource "google_compute_firewall" "internal_network" {
}

resource "google_compute_firewall" "internal_cluster" {
count = var.network_project_id != "" ? 0 : 1
name = "${var.cluster_id}-internal-cluster"
network = local.cluster_network
description = local.description
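Review bot: The identical ternary is pasted into six resources in this file (api, health_checks, etcd, control_plane, internal_network, internal_cluster); a style nit, but a single local would keep them in step if the condition ever has to change, for instance to also handle a null value. Define it once, `locals { firewall_count = var.network_project_id != "" ? 0 : 1 }`, and write `count = local.firewall_count` in each resource. Each resource body continues outside its hunk.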
5 changes: 5 additions & 0 deletions data/data/gcp/cluster/network/variables.tf
Expand Up @@ -36,3 +36,8 @@ variable "public_endpoints" {
type = bool
description = "If the bootstrap instance should have externally accessible resources."
}

variable "network_project_id" {
type = string
description = "The project that the network and subnets exist in when they are not in the main ProjectID."
}
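Review bot: The description of network_project_id says where the network lives but not what this module does with it: when it is non-empty, every google_compute_firewall in this module (api, health_checks, etcd, control_plane, internal_network, internal_cluster) gets count 0, so the cluster project creates none of those rules. That is a reasonable shared-VPC posture, but an operator reading only this variable cannot tell that the host project is expected to provide equivalent rules. Suggest extending the description, e.g. `description = "The project that the network and subnets exist in when they are not in the main ProjectID. When set, this module creates no firewall rules; the host project is expected to provide them."`. The variable also has no default, so the module now requires it from every caller; if that is intended it is worth stating here too.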
6 changes: 6 additions & 0 deletions data/data/gcp/variables-gcp.tf
Expand Up @@ -3,6 +3,12 @@ variable "gcp_project_id" {
description = "The target GCP project for the cluster."
}

variable "gcp_network_project_id" {
type = string
description = "The project that the network and subnets exist in when they are not in the main ProjectID."
default = null
}

variable "gcp_service_account" {
type = string
description = "The service account for authenticating with GCP APIs."
5 changes: 3 additions & 2 deletions pkg/asset/cluster/tfvars.go
Expand Up @@ -379,8 +379,9 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
return err
}
auth := gcptfvars.Auth{
ProjectID: installConfig.Config.GCP.ProjectID,
ServiceAccount: string(sess.Credentials.JSON),
ProjectID: installConfig.Config.GCP.ProjectID,
NetworkProjectID: installConfig.Config.GCP.NetworkProjectID,
ServiceAccount: string(sess.Credentials.JSON),
}

masters, err := mastersAsset.Machines()
5 changes: 3 additions & 2 deletions pkg/tfvars/gcp/gcp.go
Expand Up @@ -15,8 +15,9 @@ const (

// Auth is the collection of credentials that will be used by terrform.
type Auth struct {
ProjectID string `json:"gcp_project_id,omitempty"`
ServiceAccount string `json:"gcp_service_account,omitempty"`
ProjectID string `json:"gcp_project_id,omitempty"`
NetworkProjectID string `json:"gcp_network_project_id,omitempty"`
ServiceAccount string `json:"gcp_service_account,omitempty"`
}

type config struct {
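Review bot: The doc comment on Auth still reads "collection of credentials", but the new NetworkProjectID field, like ProjectID, is a project identifier rather than a credential, and the comment misspells terraform; suggest `// Auth is the collection of credentials and project identifiers that will be used by terraform.`. Worth noting that `omitempty` on the new field drops it from the generated tfvars whenever the install config leaves it empty, so the Terraform variable gcp_network_project_id then takes its declared default instead of receiving ""; the count expressions on the Terraform side that compare against "" only behave as intended if that default is "" rather than null. The struct is complete within the hunk.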
