terraform-google-modules · rjerrems · Sep 29, 2020 · Sep 18, 2020 · Sep 18, 2020 · Sep 21, 2020
@@ -8,11 +8,15 @@
 | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | list(number) | `<list>` | no |
 | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes |
 | budget\_amount | The amount to use as the budget | number | `"1000"` | no |
+| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no |
+| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no |
 | org\_id | The organization id for the associated services | string | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
+| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `<list>` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes |
+| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no |
 
 ## Outputs
 
@@ -21,6 +25,9 @@
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
+| peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
+| peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

@@ -0,0 +1,252 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_projects" "projects" {
+  filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=development lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+  name    = "vpc-d-shared-base"
+  project = data.google_projects.projects.projects[0].project_id
+}
+
+data "google_netblock_ip_ranges" "legacy_health_checkers" {
+  range_type = "legacy-health-checkers"
+}
+
+data "google_netblock_ip_ranges" "health_checkers" {
+  range_type = "health-checkers"
+}
+
+data "google_netblock_ip_ranges" "iap_forwarders" {
+  range_type = "iap-forwarders"
+}
+
+module "peering_project" {
+  source                      = "../../modules/single_project"
+  impersonate_service_account = var.terraform_service_account
+  org_id                      = var.org_id
+  billing_account             = var.billing_account
+  folder_id                   = data.google_active_folder.env.name
+  skip_gcloud_download        = var.skip_gcloud_download
+  environment                 = "development"
+
+  # Metadata
+  project_prefix    = "sample-peering"
+  application_name  = "bu1-sample-peering"
+  billing_code      = "1234"
+  primary_contact   = "example@example.com"
+  secondary_contact = "example2@example.com"
+  business_code     = "bu1"
+}
+
+module "peering_network" {
+  source                                 = "terraform-google-modules/network/google"
+  version                                = "~> 2.0"
+  project_id                             = module.peering_project.project_id
+  network_name                           = "vpc-d-peering-base"
+  shared_vpc_host                        = "false"
+  delete_default_internet_gateway_routes = "true"
+  subnets                                = []
+}
+
+module "peering" {
+  source = "terraform-google-modules/network/google//modules/network-peering"
+
+  prefix        = "bu1-d"
+  local_network = module.peering_network.network_self_link
+  peer_network  = data.google_compute_network.shared_vpc.self_link
+
+  module_depends_on = var.peering_module_depends_on
+}
+
+/******************************************
+  Mandatory firewall rules
+ *****************************************/
+
+resource "google_compute_firewall" "deny_all_egress" {
+  name      = "fw-d-peering-base-65535-e-d-all-all-tcp-udp"
+  network   = module.peering_network.network_name
+  project   = module.peering_project.project_id
+  direction = "EGRESS"
+  priority  = 65535
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  deny {
+    protocol = "tcp"
+  }
+
+  deny {
+    protocol = "udp"
+  }
+
+  destination_ranges = ["0.0.0.0/0"]
+}
+
+
+resource "google_compute_firewall" "allow_private_api_egress" {
+  name      = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
+  network   = module.peering_network.network_name
+  project   = module.peering_project.project_id
+  direction = "EGRESS"
+  priority  = 65534
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  allow {
+    protocol = "tcp"
+    ports    = ["443"]
+  }
+
+  destination_ranges = ["199.36.153.8/30"]
+
+  target_tags = ["allow-google-apis"]
+}
+
+
+/******************************************
+  Optional firewall rules
+ *****************************************/
+
+// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
+resource "google_compute_firewall" "allow_iap_ssh" {
+  count   = var.optional_fw_rules_enabled ? 1 : 0
+  name    = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
+  network = module.peering_network.network_name
+  project = module.peering_project.project_id
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  // Cloud IAP's TCP forwarding netblock
+  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  target_tags = ["allow-iap-ssh"]
+}
+
+// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
+resource "google_compute_firewall" "allow_iap_rdp" {
+  count   = var.optional_fw_rules_enabled ? 1 : 0
+  name    = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
+  network = module.peering_network.network_name
+  project = module.peering_project.project_id
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  // Cloud IAP's TCP forwarding netblock
+  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
+
+  allow {
+    protocol = "tcp"
+    ports    = ["3389"]
+  }
+
+  target_tags = ["allow-iap-rdp"]
+}
+
+// Allow access to kms.windows.googlecloud.com for Windows license activation
+resource "google_compute_firewall" "allow_windows_activation" {
+  count     = var.windows_activation_enabled ? 1 : 0
+  name      = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
+  network   = module.peering_network.network_name
+  project   = module.peering_project.project_id
+  direction = "EGRESS"
+  priority  = 0
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  allow {
+    protocol = "tcp"
+    ports    = ["1688"]
+  }
+
+  destination_ranges = ["35.190.247.13/32"]
+
+  target_tags = ["allow-win-activation"]
+}
+
+// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
+resource "google_compute_firewall" "allow_lb" {
+  count   = var.optional_fw_rules_enabled ? 1 : 0
+  name    = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
+  network = module.peering_network.network_name
+  project = module.peering_project.project_id
+
+  dynamic "log_config" {
+    for_each = var.firewall_enable_logging == true ? [{
+      metadata = "INCLUDE_ALL_METADATA"
+    }] : []
+
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
+
+  // Allow common app ports by default.
+  allow {
+    protocol = "tcp"
+    ports    = ["80", "8080", "443"]
+  }
+
+  target_tags = ["allow-lb"]
+}
@@ -24,6 +24,16 @@ output "floating_project" {
   value       = module.floating_project.project_id
 }
 
+output "peering_project" {
+  description = "Project sample peering project id."
+  value       = module.peering_project.project_id
+}
+
+output "peering_network" {
+  description = "Peer network peering resource."
+  value       = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
   description = "Project sample restricted project id."
   value       = module.restricted_shared_vpc_project.project_id
@@ -48,3 +58,8 @@ output "access_context_manager_policy_id" {
   description = "Access Context Manager Policy ID."
   value       = var.access_context_manager_policy_id
 }
+
+output "peering_complete" {
+  description = "Output to be used as a module dependency."
+  value       = module.peering.complete
+}
@@ -51,6 +51,30 @@ variable "perimeter_name" {
   type        = string
 }
 
+variable "peering_module_depends_on" {
+  description = "List of modules or resources peering module depends on."
+  type        = list
+  default     = []
+}
+
+variable "firewall_enable_logging" {
+  type        = bool
+  description = "Toggle firewall logging for VPC Firewalls."
+  default     = true
+}
+
+variable "optional_fw_rules_enabled" {
+  type        = bool
+  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
+  default     = false
+}
+
+variable "windows_activation_enabled" {
+  type        = bool
+  description = "Enable Windows license activation for Windows workloads."
+  default     = false
+}
+
 variable "alert_spent_percents" {
   description = "A list of percentages of the budget to alert on when threshold is exceeded"
   type        = list(number)

@@ -8,11 +8,15 @@
 | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | list(number) | `<list>` | no |
 | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes |
 | budget\_amount | The amount to use as the budget | number | `"1000"` | no |
+| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no |
+| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no |
 | org\_id | The organization id for the associated services | string | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
+| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `<list>` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes |
+| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no |
 
 ## Outputs
 
@@ -21,6 +25,9 @@
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
+| peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
+| peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |