/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "project" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/project?ref=v16.0.0"
name = var.project_id
parent = var.project_parent
billing_account = var.billing_account
project_create = var.project_create
services = [
"apigee.googleapis.com",
"cloudkms.googleapis.com",
"compute.googleapis.com",
"servicenetworking.googleapis.com"
]
}
module "vpc" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc?ref=v16.0.0"
project_id = module.project.project_id
name = var.network
subnets = [var.firewall_appliance_subnet]
psa_config = {
ranges = {
apigee-range = var.peering_range
apigee-support-range = var.support_range
}
routes = {
export = true
import = false
}
}
}
module "apigee-x-core" {
source = "../../modules/apigee-x-core"
project_id = module.project.project_id
apigee_environments = var.apigee_environments
ax_region = var.ax_region
apigee_envgroups = var.apigee_envgroups
network = module.vpc.network.id
apigee_instances = var.apigee_instances
}
module "nat" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-cloudnat?ref=v16.0.0"
project_id = module.project.project_id
region = var.firewall_appliance_subnet.region
name = "nat"
router_network = module.vpc.name
}
resource "google_compute_route" "egress_via_firewall" {
project = module.project.project_id
name = "egress-via-fw"
dest_range = "0.0.0.0/0"
network = module.vpc.name
next_hop_instance = module.mock-firewall.instance.id
priority = 800
}
resource "google_compute_route" "firewall_to_internet" {
project = module.project.project_id
name = "egress-for-fw-only"
dest_range = "0.0.0.0/0"
network = module.vpc.name
next_hop_gateway = "default-internet-gateway"
tags = var.firewall_appliance_tags
priority = 750
}
module "mock-firewall" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-vm?ref=v16.0.0"
project_id = module.project.project_id
zone = var.firewall_appliance_zone
can_ip_forward = true
name = "mock-fw"
network_interfaces = [{
network = module.vpc.name
subnetwork = module.vpc.subnet_self_links["${var.firewall_appliance_subnet.region}/${var.firewall_appliance_subnet.name}"]
nat = false
addresses = null
}]
tags = var.firewall_appliance_tags
service_account_create = true
metadata = {
startup-script = "sysctl -w net.ipv4.ip_forward=1 && iptables -t nat -A POSTROUTING -j MASQUERADE"
}
}
resource "google_compute_firewall" "allow_glb_to_mig_bridge" {
name = "egress-fw-http-internal"
project = module.project.project_id
network = module.vpc.name
source_ranges = [var.peering_range]
target_tags = var.firewall_appliance_tags
allow {
protocol = "tcp"
ports = ["443", "80"]
}
}