3-networks-dual-svpc/modules/restricted_shared

/** * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ locals { vpc_name = "${var.environment_code}-shared-restricted" network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip } /****************************************** Shared VPC configuration *****************************************/ module "main" { source = "terraform-google-modules/network/google" version = "~> 8.0" project_id = var.project_id network_name = local.network_name shared_vpc_host = "true" delete_default_internet_gateway_routes = "true" subnets = var.subnets secondary_ranges = var.secondary_ranges routes = concat( var.nat_enabled ? [ { name = "rt-${local.vpc_name}-1000-egress-internet-default" description = "Tag based route through IGW to access internet" destination_range = "0.0.0.0/0" tags = "egress-internet" next_hop_internet = "true" priority = "1000" } ] : [], var.windows_activation_enabled ? [ { name = "rt-${local.vpc_name}-1000-all-default-windows-kms" description = "Route through IGW to allow Windows KMS activation for GCP." destination_range = "35.190.247.13/32" next_hop_internet = "true" priority = "1000" } ] : [] ) } /*************************************************************** Configure Service Networking for Cloud SQL & future services. **************************************************************/ resource "google_compute_global_address" "private_service_access_address" { count = var.private_service_cidr != null ? 1 : 0 name = "ga-${local.vpc_name}-vpc-peering-internal" project = var.project_id purpose = "VPC_PEERING" address_type = "INTERNAL" address = element(split("/", var.private_service_cidr), 0) prefix_length = element(split("/", var.private_service_cidr), 1) network = module.main.network_self_link } resource "google_service_networking_connection" "private_vpc_connection" { count = var.private_service_cidr != null ? 1 : 0 network = module.main.network_self_link service = "servicenetworking.googleapis.com" reserved_peering_ranges = [google_compute_global_address.private_service_access_address[0].name] } /************************************ Router to advertise shared VPC subnetworks and Google Restricted API ************************************/ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 4.0" name = "cr-${local.vpc_name}-${var.default_region1}-cr5" project = var.project_id network = module.main.network_name region = var.default_region1 bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] } } module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 4.0" name = "cr-${local.vpc_name}-${var.default_region1}-cr6" project = var.project_id network = module.main.network_name region = var.default_region1 bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] } } module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 4.0" name = "cr-${local.vpc_name}-${var.default_region2}-cr7" project = var.project_id network = module.main.network_name region = var.default_region2 bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] } } module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 4.0" name = "cr-${local.vpc_name}-${var.default_region2}-cr8" project = var.project_id network = module.main.network_name region = var.default_region2 bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] } }

3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf (133 lines of code) (raw):