Foundations

This Terraform module creates a set of service accounts and foundational resources that would typically be provided by a Project Factory.

  • Client VPC
    • Default public egress (0.0.0.0/0) routes deleted, so instances have no internet path
    • Private Google Access enabled, so Google APIs remain reachable without public egress
  • DMZ VPC
    • Default public egress routes deleted
    • Private Google Access enabled
  • Service VPC
    • Default public egress routes deleted
    • Private Google Access enabled
  • Control VPC
    • Default public egress routes kept
    • Cloud NAT gateway for public internet egress (no public IPs on instances)
    • Bastion host, reachable only through IAP tunnelling, with access to every instance attached to the control-plane VPC
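The list above describes an isolation pattern rather than code. As an added illustration (not the module's own implementation, which may differ), this is what one isolated VPC and the control VPC look like as plain google-provider resources; the nonce, region and firewall tag are assumed values:

```hcl
# Illustrative only: the isolation pattern described above, written as
# google-provider resources. Names, CIDRs and tags are assumptions.

locals {
  nonce  = "demo"          # assumed value of the module's `nonce` input
  region = "us-central1"   # region of the assumed bastion zone us-central1-f
}

# Isolated VPC (the client/dmz/service pattern): the default 0.0.0.0/0 route is
# never created, so instances have no public egress. Google APIs stay reachable
# through Private Google Access on the subnet.
resource "google_compute_network" "client" {
  name                            = "${local.nonce}-client"
  auto_create_subnetworks         = false
  delete_default_routes_on_create = true
}

resource "google_compute_subnetwork" "client" {
  name                     = "${local.nonce}-client"
  network                  = google_compute_network.client.self_link
  region                   = local.region
  ip_cidr_range            = "172.16.0.0/16"
  private_ip_google_access = true
}

# Control VPC: keeps the default route and gets Cloud NAT, so the bastion and
# the BIG-IP control-plane NICs reach the internet without public IPs.
resource "google_compute_network" "control" {
  name                    = "${local.nonce}-control"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "control" {
  name                     = "${local.nonce}-control"
  network                  = google_compute_network.control.self_link
  region                   = local.region
  ip_cidr_range            = "192.168.0.0/24"
  private_ip_google_access = true
}

resource "google_compute_router" "control" {
  name    = "${local.nonce}-control-nat"
  network = google_compute_network.control.self_link
  region  = local.region
}

resource "google_compute_router_nat" "control" {
  name                               = "${local.nonce}-control-nat"
  router                             = google_compute_router.control.name
  region                             = local.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# Bastion SSH is admitted only from the IAP TCP-forwarding proxy range
# (35.235.240.0/20), never from 0.0.0.0/0. Instances carrying the assumed
# "bastion" tag are the only targets.
resource "google_compute_firewall" "bastion_iap_ssh" {
  name          = "${local.nonce}-bastion-allow-iap-ssh"
  network       = google_compute_network.control.self_link
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["bastion"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

The security-relevant detail is `delete_default_routes_on_create`: deleting the route after the fact leaves a window in which instances created early have egress, whereas creating the network without it means no such window exists. Who may actually use the IAP tunnel is controlled separately through IAM (the module's bastion_access_members input), so the firewall rule alone does not grant access.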

Setup

  1. Create/modify the Terraform environment files with required inputs

  2. Execute Terraform to create foundational resources

    terraform init -backend-config ../env/ENV/foundations.config
    terraform apply -var-file ../env/ENV/foundations.tfvars -auto-approve
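As an added example of the environment file step 1 refers to (constructed values, not a file shipped with the module), a minimal ../env/ENV/foundations.tfvars. Only nonce, project_id and tf_sa_email are required; the other entries show the inputs most often changed from their defaults:

```hcl
# ../env/ENV/foundations.tfvars (constructed example values)

# Required inputs
nonce       = "demo"                  # substituted for %s in every *_name_template
project_id  = "example-project-id"
tf_sa_email = "terraform@example-project-id.iam.gserviceaccount.com"

# Principals allowed to open an IAP tunnel to the bastion. Each entry is an
# IAM member and needs its prefix: user:, group: or serviceAccount:.
bastion_access_members = [
  "group:netops@example.com",
  "serviceAccount:ci-runner@example-project-id.iam.gserviceaccount.com",
]

# The subnets are created in this zone's region (us-central1).
bastion_zone = "us-central1-f"

# Lifetime of the short-lived token minted for tf_sa_email. Keep it short;
# raise it only if apply fails with an expired token. 1200 s is the default.
tf_sa_token_lifetime_secs = 1200
```

The separate ../env/ENV/foundations.config file holds the backend settings passed to `terraform init -backend-config` (for a GCS backend, the `bucket` and `prefix` keys); its exact contents depend on the backend chosen for the environment and are not shown here.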

Cleanup

terraform destroy -var-file ../env/ENV/foundations.tfvars -auto-approve

Requirements

| Name      | Version |
|-----------|---------|
| terraform | ~> 0.12 |
| google    | ~> 3.34 |

Providers

| Name            | Version |
|-----------------|---------|
| google          | ~> 3.34 |
| google.executor | ~> 3.34 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bastion_access_members | Optional list of IAM members (users, groups, service accounts) allowed to log in to the control-plane bastion through an IAP tunnel. | list(string) | [] | no |
| bastion_name_template | Naming template for the bastion VM and its service account. | string | "%s-bastion" | no |
| bastion_zone | Zone for the bastion VM; all subnets are created in that zone's region. | string | "us-central1-f" | no |
| client_cidr | CIDR for the upstream client subnet. | string | "172.16.0.0/16" | no |
| client_network_name_template | Naming template for the upstream client network. | string | "%s-client" | no |
| control_cidr | CIDR for the control-plane subnet that hosts the BIG-IP control-plane NICs and the bastion host. | string | "192.168.0.0/24" | no |
| control_network_name_template | Naming template for the control-plane network. | string | "%s-control" | no |
| dmz_cidr | CIDR for the DMZ subnet. | string | "172.18.0.0/16" | no |
| dmz_network_name_template | Naming template for the DMZ network. | string | "%s-dmz" | no |
| nat_name_template | Naming template for the Cloud NAT gateway and Cloud Router. | string | "%s-control-nat" | no |
| nonce | Unique prefix substituted for '%s' in every *_name_template, so resources from different environments in the same project do not collide. | string | n/a | yes |
| project_id | Existing project id that will host the resources. E.g. project_id = "example-project-id" | string | n/a | yes |
| service_cidr | CIDR for the services subnet. | string | "172.17.0.0/16" | no |
| service_network_name_template | Naming template for the services network. | string | "%s-service" | no |
| tf_sa_email | Fully-qualified email address of the Terraform service account used for resource creation. E.g. tf_sa_email = "terraform@PROJECT_ID.iam.gserviceaccount.com" | string | n/a | yes |
| tf_sa_token_lifetime_secs | Lifetime, in seconds, of the short-lived access token minted for the Terraform service account. High enough that the token does not expire during resource creation, low enough that a captured token is useless if replayed later. | number | 1200 | no |

Outputs

| Name | Description |
|------|-------------|
| bastion_name | The name of the bastion VM. |
| bigip_sa | The fully-qualified email address of the BIG-IP service account. |
| client_network | The client network self-link. |
| client_sa | The fully-qualified email address of the service account for the client VPC. |
| client_subnet | The client subnet self-link. |
| control_network | The control network self-link. |
| control_subnet | The control subnet self-link. |
| dmz_network | The DMZ network self-link. |
| dmz_subnet | The DMZ subnet self-link. |
| service_network | The service network self-link. |
| service_sa | The fully-qualified email address of the service account for the service VPC. |
| service_subnet | The service subnet self-link. |