Add an example of use of shared VPC networking. #810
Conversation
Brings up four projects:
- one to host the VPC
- two to use the VPC
- one which is outside the VPC

This is based on the diagram in https://cloud.google.com/vpc/docs/shared-vpc and uses the names there where possible for clarity.

- Add an output so that it's visible to the user.
- Add scripts to output which VM is being accessed on VM1 and Standalone.
- Add a script to generate the demonstration page on VM2.

@danawillow - looks like I can't set assignee.
examples/shared-vpc/README.md (outdated)

> It is based on the diagram in the overview at [https://cloud.google.com/vpc/docs/shared-vpc](https://cloud.google.com/vpc/docs/shared-vpc).
>
> This example creates projects within an organization - to run it, you will need to have an Organization ID. To get started using Organizations, read the quickstart [here](https://cloud.google.com/resource-manager/docs/quickstart-organizations). Since it uses organizations, project-specific credentials won't work, and consequently this example is configured to use [application default credentials](https://developers.google.com/identity/protocols/application-default-credentials). Ensure that the application default credentials have permission to create and manage projects and Shared VPCs (sometimes called 'XPN').
It is possible to grant organization-level permissions to project-specific credentials such as a service account.
In the UI, select your org in the top dropdown menu, visit IAM & Admin > IAM. Then click the +Add button at the top to add new members. In the members field, you can put a service account email.
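The same organization-level grant, expressed in Terraform rather than the console, as an added illustration of this comment (this is not code from the PR or from the provider's documentation). The organization ID, billing account ID and service account email are placeholders; the roles listed are the narrow ones a principal needs to create projects and manage Shared VPC, rather than an organization-wide Owner grant.

```hcl
# Added example: grant a service account only the organization-level roles the
# shared-VPC example needs, instead of making it an organization Owner.
# Every identifier below is a placeholder, not a value from the PR.

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  default     = "123456789012"
}

variable "billing_account" {
  description = "Billing account ID (placeholder)"
  default     = "000000-AAAAAA-BBBBBB"
}

variable "deployer_sa" {
  description = "Service account that runs terraform apply (placeholder)"
  default     = "terraform-deployer@admin-project-id.iam.gserviceaccount.com"
}

locals {
  # Roles needed at the organization level to build the example.
  org_roles = [
    "roles/resourcemanager.projectCreator", # create the four projects
    "roles/compute.xpnAdmin",               # enable a host project, attach service projects
  ]
}

# *_iam_member resources are additive: they add one binding without taking
# authoritative control of the whole policy, so existing org bindings survive.
resource "google_organization_iam_member" "deployer" {
  for_each = toset(local.org_roles)

  org_id = var.org_id
  role   = each.value
  member = "serviceAccount:${var.deployer_sa}"
}

# New projects cannot be linked to a billing account unless the deployer may use it.
resource "google_billing_account_iam_member" "deployer_billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = "serviceAccount:${var.deployer_sa}"
}
```

Using `google_organization_iam_member` rather than `google_organization_iam_binding` or `google_organization_iam_policy` matters in an organization that already has bindings: the `_member` form only adds the one entry, whereas the authoritative forms overwrite whatever else was granted for that role.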
examples/shared-vpc/README.md (outdated)

> Since projects require globally unique names, you will need to provide a `project_base_id` variable. Since project names can't be too long, make sure it's short - if it is too long, Terraform won't be able to create the project.
> The example allows you to specify a billing account, if you want to ensure that the charges (which are minor) are grouped together.
I think billing account is mandatory to be able to create a VM.
examples/shared-vpc/README.md (outdated)

```sh
  -var="region=us-central1" \
  -var="region_zone=us-central1-f" \
  -var="org_id=1234567" \
  -var="project_base_id=unique_string"
```
You can use the random provider instead and support full destroy.
See: https://www.terraform.io/docs/providers/random/index.html
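What the suggestion looks like in practice, as an added example that is not the PR's code: the random provider supplies the unique part of every project ID, so a `terraform destroy` followed by `terraform apply` produces fresh IDs instead of colliding with projects still in their deletion window, and the billing account (which the review above notes is needed to run VMs) is attached on creation. It also wires the host and service projects together with the provider's Shared VPC resources. The `org_id` and `billing_account` defaults are placeholders, and the project name prefixes are my own choice.

```hcl
# Added example (not the PR's own code): unique, re-creatable project IDs via the
# random provider, plus the Shared VPC host/service attachment.
# org_id and billing_account values are placeholders.

variable "org_id" {
  default = "123456789012" # placeholder
}

variable "billing_account" {
  default = "000000-AAAAAA-BBBBBB" # placeholder
}

# One random suffix shared by all projects. Because every project ID derives
# from it, destroy + apply yields new IDs and never trips over a project that
# is still pending deletion under the old name.
resource "random_id" "suffix" {
  byte_length = 4 # 8 hex characters
}

locals {
  # Project IDs must be 6-30 chars of lowercase letters, digits and hyphens.
  # The longest prefix here, "shared-vpc-service-1-" (21), plus 8 hex = 29.
  projects = {
    host      = "shared-vpc-host"
    service_1 = "shared-vpc-service-1"
    service_2 = "shared-vpc-service-2"
  }
}

resource "google_project" "p" {
  for_each = local.projects

  name            = each.value
  project_id      = "${each.value}-${random_id.suffix.hex}"
  org_id          = var.org_id
  billing_account = var.billing_account # required before any VM can be created

  # Skip the auto-created "default" network and its permissive firewall rules;
  # the example defines its own network and subnets in the host project.
  auto_create_network = false
}

# The Compute API must be enabled in each project before Shared VPC calls work.
resource "google_project_service" "compute" {
  for_each = google_project.p

  project = each.value.project_id
  service = "compute.googleapis.com"
}

resource "google_compute_shared_vpc_host_project" "host" {
  project    = google_project.p["host"].project_id
  depends_on = [google_project_service.compute]
}

# Attach every non-host project as a service project of the host.
resource "google_compute_shared_vpc_service_project" "service" {
  for_each = { for k, v in google_project.p : k => v if k != "host" }

  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.value.project_id
  depends_on      = [google_project_service.compute]
}
```

The `auto_create_network = false` line is the part worth keeping even outside this example: the default network that GCP otherwise creates comes with rules such as `default-allow-ssh` and `default-allow-rdp` open to `0.0.0.0/0`, which a Shared VPC design that deliberately centralises networking in the host project has no reason to inherit.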
I agree with all of @rosbo's comments.

Great, I'll make those changes. Thanks for the pointer to the random provider, that makes this a lot nicer. :)

Made those changes, tested locally. The service account credentials were kind of a hassle to set up on the Console, but that's probably just my lack of familiarity with the credentials system in Cloud generally.

It is not only you :) They are a hassle. @paddycarver made a screencast to explain how because many people had issues with this. An easier way to do it is to use Terraform instead of the console for that:
Great addition! Thanks Nathan
Thanks for the review! :)
Signed-off-by: Modular Magician <[email protected]>
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
The example brings up four projects:
This is based on the diagram in https://cloud.google.com/vpc/docs/shared-vpc and uses the names from there (where possible) for clarity.
It eventually outputs an IP address - on that page you can see a demonstration that one of the VMs on the VPC can ping another VM on the same VPC (but in a different project) using the internal IP.
The page looks like this:
This is my first contribution to this project, so please let me know if I'm missing something. I've run `terraform fmt` and I've tested this on my account, but that's about it. :)
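For the ping demonstration described in this post to work, the host project's network needs a firewall rule that admits ICMP between the subnets the service-project VMs live in; the post does not show that rule, so the following is an added example of one way to write it, not code from the PR. It scopes the allow rule to the VPC's own address ranges instead of `0.0.0.0/0` and adds a logged catch-all deny so that anything else hitting the VMs shows up in the firewall logs. The project ID, subnet names and CIDR ranges are placeholders.

```hcl
# Added example (not part of the PR): host-project network, two subnets, and a
# firewall rule that permits the demo's internal ICMP ping while keeping the
# rule scoped to the VPC's own ranges. host_project_id is a placeholder.

variable "host_project_id" {
  default = "shared-vpc-host-00000000" # placeholder
}

variable "region" {
  default = "us-central1"
}

resource "google_compute_network" "shared" {
  name                    = "shared-network"
  project                 = var.host_project_id
  auto_create_subnetworks = false # explicit subnets only, no auto-mode ranges
}

locals {
  # Subnet name => CIDR; service-project VMs are placed in these.
  subnets = {
    "subnet-1" = "10.0.1.0/24"
    "subnet-2" = "10.0.2.0/24"
  }
}

resource "google_compute_subnetwork" "shared" {
  for_each = local.subnets

  name                     = each.key
  project                  = var.host_project_id
  region                   = var.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = each.value
  private_ip_google_access = true # reach Google APIs without external IPs
}

# Allow ICMP only when the source is one of the two subnets; this is what lets
# a VM in one service project ping a VM in the other over internal IPs.
resource "google_compute_firewall" "allow_internal_icmp" {
  name      = "allow-internal-icmp"
  project   = var.host_project_id
  network   = google_compute_network.shared.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "icmp"
  }

  source_ranges = values(local.subnets)
}

# Ingress is denied by default, but an explicit lowest-priority deny with
# logging enabled makes rejected traffic visible in the firewall logs.
resource "google_compute_firewall" "deny_all_ingress_logged" {
  name      = "deny-all-ingress-logged"
  project   = var.host_project_id
  network   = google_compute_network.shared.name
  direction = "INGRESS"
  priority  = 65534

  deny {
    protocol = "all"
  }

  source_ranges = ["0.0.0.0/0"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Because the rules live in the host project, they apply to every service project's VMs on this network; that is the point of Shared VPC, and it is also why the host project's firewall and IAM deserve more scrutiny than the individual service projects.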