terraform {
  required_providers {
    # Both providers are pinned to one exact release so plans are reproducible;
    # bump them together when upgrading.
    google = {
      source = "hashicorp/google"
      version = "4.51.0"
    }
    google-beta = {
      source = "hashicorp/google-beta"
      version = "4.51.0"
    }
  }
  # Remote state in GCS. The state file records the attributes of every resource
  # below (addresses, network paths, the rendered startup script), so access to
  # this bucket should be limited to the deploying identity and object versioning
  # kept on for recovery.
  backend "gcs" {
    bucket = "cloud-build-static-ip-tf-state"
    prefix = "terraform/state"
  }
}
provider "google" {
  # Default project and location for every GA resource that does not set its own.
  zone    = var.zone
  region  = var.region
  project = var.project_id
}
provider "google-beta" {
  # Same defaults as the GA provider; used by the global address in Step 3.
  zone    = var.zone
  region  = var.region
  project = var.project_id
}
// Step 1
resource "google_project_service" "enable_cloud_build" {
  project = var.project_id
  service = "cloudbuild.googleapis.com"
  # On destroy this also disables the services that depend on Cloud Build, and
  # the provider's default is to disable the API itself on destroy as well.
  # Keep that in mind if this project is shared with other workloads.
  disable_dependent_services = true
}
resource "google_project_service" "enable_service_networking" {
  project = var.project_id
  service = "servicenetworking.googleapis.com"
  # Needed for the private services access peering in Step 4. Same destroy-time
  # caveat as enable_cloud_build: dependent services (and, by provider default,
  # the API itself) are disabled when this resource is destroyed.
  disable_dependent_services = true
}
// Step 2
resource "google_compute_network" "vpc_network" {
  # Custom-mode VPC: no automatic subnets, the proxy subnet is created in Step 6.
  name                    = var.vpc_network_name
  project                 = var.project_id
  auto_create_subnetworks = false
  mtu                     = 1460
}
// Step 3
resource "google_compute_global_address" "named_private_ip" {
  provider = google-beta

  # Internal range reserved for VPC peering with the service producer; the
  # service networking connection in Step 4 hands this name to Google.
  name          = var.named_private_ip_name
  project       = var.project_id
  network       = google_compute_network.vpc_network.name
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  address       = var.named_private_ip
  prefix_length = var.named_private_ip_prefix_length
}
// Step 4
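resource "google_service_networking_connection" "service_producer_connection" {
  # Private services access peering between our VPC and the service producer
  # network; the reserved range is the one from Step 3.
  network                 = google_compute_network.vpc_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.named_private_ip.name]

  # The Service Networking API is enabled in Step 1 but nothing referenced that
  # resource, so on a fresh project the connection could be attempted before
  # the API is on. Make the ordering explicit.
  depends_on = [google_project_service.enable_service_networking]
}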
// Step 5
resource "google_cloudbuild_worker_pool" "private_worker_pool" {
  name     = var.private_worker_pool_name
  project  = var.project_id
  location = var.region

  # Workers get no public address of their own (no_external_ip).
  worker_config {
    machine_type   = "e2-medium"
    disk_size_gb   = 100
    no_external_ip = true
  }

  network_config {
    peered_network = google_compute_network.vpc_network.id
  }

  # Peering (Step 4) must exist and the Cloud Build API (Step 1) must be on
  # before the pool can be created.
  depends_on = [
    google_service_networking_connection.service_producer_connection,
    google_project_service.enable_cloud_build,
  ]
}
// Step 6
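resource "google_compute_subnetwork" "proxy_subnet" {
  name          = "${google_compute_network.vpc_network.name}-proxy-subnet"
  project       = var.project_id
  region        = var.region
  network       = google_compute_network.vpc_network.name
  ip_cidr_range = var.vm_subnet_range

  # The proxy VM gets an external address in Step 8, so Private Google Access
  # is not required for it here.
  private_ip_google_access = false

  # VPC Flow Logs for the subnet that hosts the internet-facing proxy, so
  # connections to and from the VM can be reviewed in Cloud Logging.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}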
// Step 7
resource "google_compute_address" "static_ip" {
  # Regional external address reserved independently of the VM, so it is kept
  # if the instance in Step 8 is recreated.
  name         = var.static_ip_name
  project      = var.project_id
  region       = var.region
  network_tier = "STANDARD"
  address_type = "EXTERNAL"
}
// Step 8
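resource "google_compute_instance" "proxy_vm" {
  name         = "proxy-vm"
  project      = var.project_id
  zone         = var.zone
  machine_type = "n1-standard-1"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  # Shielded VM options (the debian-cloud images support them). Worth enabling
  # on an instance that has a public address.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # Must match target_tags on the "proxy_ingress" firewall rule in Step 9.
  tags = ["proxy-srv"]

  # Resolve the script relative to this module rather than the working
  # directory, so an apply run from another directory still finds it.
  metadata_startup_script = file("${path.module}/setup_proxy.sh")

  # No service_account block, so the instance runs with the project's default
  # compute service account. Consider a dedicated, minimally scoped account if
  # the proxy does not need Google API access.
  network_interface {
    subnetwork = google_compute_subnetwork.proxy_subnet.name
    network_ip = var.vm_ip_address

    # Reserved external address from Step 7.
    access_config {
      nat_ip       = google_compute_address.static_ip.address
      network_tier = "STANDARD"
    }
  }
}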
// Step 9
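resource "google_compute_firewall" "proxy_ingress" {
  name      = "allow-proxy-ingress"
  project   = var.project_id
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"

  # Source range is the range we used to peer into the service producer's
  # network, i.e. named_private_ip: only the private worker pool may reach
  # the proxy port.
  source_ranges = ["${var.named_private_ip}/${var.named_private_ip_prefix_length}"]

  allow {
    protocol = "tcp"
    ports    = ["9231"] # If you change this, make sure you're also changing it inside setup_proxy.sh
  }

  # Applies only to instances carrying this tag (the proxy VM in Step 8).
  target_tags = ["proxy-srv"]

  # Log matched connections so hits on the proxy port are visible in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}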