adamgft/tf-gcp-network-service
tf-gcp-network-service

Module overview

Terraform module for creating networking resources on Google Cloud Platform (GCP).

It deploys the following resources into a given GCP project:

  • VPC network
  • Subnets
  • Cloud NAT
  • Network Firewall
  • Routes (optional)

Usage

Refer to the examples under the examples/ directory.

Requirements

| Name | Version |
|------|---------|
| terraform | `>=0.14.2,<0.15` |
| google | `<4.0,>= 2.12` |

Providers

| Name | Version |
|------|---------|
| google | `<4.0,>= 2.12` |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| auto_create_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources | `bool` | `false` | no |
| create_router | Create router instead of using an existing one, uses 'router' variable for new resource name | `bool` | `true` | no |
| delete_default_internet_gateway_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
| description | An optional description of this resource. The resource must be recreated to modify this field | `string` | `""` | no |
| firewall_custom_rules | List of custom rule definitions (type and default are listed below this table) | `map(object({...}))` | see below | no |
| http_source_ranges | List of IP CIDR ranges for tag-based HTTP rule | `list(string)` | `[]` | no |
| http_target_tags | List of target tags for tag-based HTTP rule | `any` | `null` | no |
| https_source_ranges | List of IP CIDR ranges for tag-based HTTPS rule | `list(string)` | `[]` | no |
| https_target_tags | List of target tags for tag-based HTTPS rule, defaults to https-server | `list(string)` | `null` | no |
| log_config_enable | Indicates whether or not to export logs | `bool` | `true` | no |
| log_config_filter | Specifies the desired filtering of logs on this NAT. Valid values are: "ERRORS_ONLY", "TRANSLATIONS_ONLY", "ALL" | `string` | `"ALL"` | no |
| mtu | The network MTU. Must be a value between 1460 and 1500 inclusive. If set to 0 (meaning MTU is unset), the network will default to 1460 automatically | `number` | `0` | no |
| nat_ip_allocate_option | Value inferred based on nat_ips. If present set to MANUAL_ONLY, otherwise AUTO_ONLY | `string` | `"false"` | no |
| nat_ips | List of self_links of external IPs. Changing this forces a new NAT to be created | `list(string)` | `[]` | no |
| network_name | The name of the network being created | `string` | n/a | yes |
| project_id | Identifier of the host project where the VPC will be created | `string` | n/a | yes |
| region | The region to deploy to | `string` | n/a | yes |
| router_name | Router name | `string` | `"cr-nat-router"` | no |
| router_nat_name | Name for the router NAT gateway | `string` | `"rn-nat-gateway"` | no |
| routes | List of routes being created in this VPC | `list(map(string))` | `[]` | no |
| routing_mode | The network routing mode | `string` | `"REGIONAL"` | no |
| secondary_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
| shared_vpc_host | Makes this project a Shared VPC host if 'true' | `bool` | `false` | no |
| source_subnetwork_ip_ranges_to_nat | How NAT should be configured per Subnetwork | `string` | `"ALL_SUBNETWORKS_ALL_IP_RANGES"` | no |
| ssh_source_ranges | List of IP CIDR ranges for tag-based SSH rule | `list(string)` | `[]` | no |
| ssh_target_tags | List of target tags for tag-based SSH rule | `any` | `null` | no |
| subnets | The list of subnets being created | `list(map(string))` | n/a | yes |

Type of `firewall_custom_rules`:

```hcl
map(object({
  description          = string
  direction            = string
  action               = string
  ranges               = list(string)
  sources              = list(string)
  targets              = list(string)
  use_service_accounts = bool
  rules = list(object({
    protocol = string
    ports    = list(string)
  }))
  extra_attributes = map(string)
}))
```

Default of `firewall_custom_rules`:

```json
{
  "allow-iap-ingress": {
    "action": "allow",
    "description": "Allow inbound connections from Identity-Aware Proxy",
    "direction": "INGRESS",
    "extra_attributes": {},
    "ranges": [
      "35.235.240.0/20"
    ],
    "rules": [
      {
        "ports": [],
        "protocol": "tcp"
      }
    ],
    "sources": null,
    "targets": null,
    "use_service_accounts": false
  }
}
```

Subnet Inputs

See the examples/ folder for additional references:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| subnet_name | The name of the subnet being created | `string` | - | yes |
| subnet_ip | The IP and CIDR range of the subnet being created | `string` | - | yes |
| subnet_region | The region where the subnet will be created | `string` | - | yes |
| subnet_private_access | Whether this subnet will have private Google access enabled | `string` | `"false"` | no |
| subnet_flow_logs | Whether the subnet will record and send flow log data to logging | `string` | `"false"` | no |

Route Inputs

See the examples/ folder for additional references:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| name | The name of the route being created | `string` | - | no |
| description | The description of the route being created | `string` | - | no |
| tags | The network tags assigned to this route. This is a list in string format, e.g. "tag-01,tag-02" | `string` | - | yes |
| destination_range | The destination range of outgoing packets that this route applies to. Only IPv4 is supported | `string` | - | yes |
| next_hop_internet | Whether the next hop of this route will be the default internet gateway. Use "true" to enable this as next hop | `string` | `"false"` | yes |
| next_hop_ip | Network IP address of an instance that should handle matching packets | `string` | - | yes |
| next_hop_instance | URL or name of an instance that should handle matching packets. If just the name is specified, "next_hop_instance_zone" is required | `string` | - | yes |
| next_hop_instance_zone | The zone of the instance specified in next_hop_instance. Only required if next_hop_instance is specified as a name | `string` | - | no |
| next_hop_vpn_tunnel | URL to a VpnTunnel that should handle matching packets | `string` | - | yes |
| priority | The priority of this route. Priority is used to break ties in cases where there is more than one matching route of equal prefix length. In the case of two routes with equal prefix length, the one with the lowest-numbered priority value wins | `string` | `"1000"` | yes |
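A module invocation that exercises the inputs, subnet inputs and route inputs above, added here as an example and not taken from the module's examples/ directory; the module source path, project id, names and CIDRs are assumptions. It keeps the default custom subnet mode, turns on private Google access and flow logs for the subnet, keeps Cloud NAT logging on, removes the default internet routes so only tagged instances get an egress route, and exposes SSH only to the IAP TCP-forwarding range instead of setting ssh_source_ranges:

```hcl
# Added example, not from the module's examples/; the source path, project id,
# names and CIDRs below are assumptions.
module "network" {
  source = "../.." # assumed path to this module

  project_id   = "my-host-project" # assumed project id
  network_name = "vpc-prod"
  region       = "europe-west1"

  # auto_create_subnetworks stays false (default): subnets are declared
  # explicitly instead of one per region across 10.128.0.0/9.
  subnets = [
    {
      subnet_name           = "sn-app"
      subnet_ip             = "10.10.0.0/24"
      subnet_region         = "europe-west1"
      subnet_private_access = "true" # reach Google APIs without public IPs
      subnet_flow_logs      = "true" # VPC flow logs for detection and forensics
    },
  ]

  # Cloud NAT: keep logging on so egress translations are auditable.
  log_config_enable = true
  log_config_filter = "ALL"

  # Drop the default-route-* entries; egress is granted per tag via 'routes'.
  delete_default_internet_gateway_routes = true

  # No ssh_source_ranges: SSH is reachable only through IAP, on tagged hosts.
  firewall_custom_rules = {
    "allow-iap-ssh" = {
      description          = "SSH only via Identity-Aware Proxy"
      direction            = "INGRESS"
      action               = "allow"
      ranges               = ["35.235.240.0/20"]
      sources              = null
      targets              = ["ssh-server"]
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = ["22"] }]
      extra_attributes     = {}
    }
  }

  routes = [
    {
      name              = "rt-egress-internet"
      tags              = "egress-inet"
      destination_range = "0.0.0.0/0"
      next_hop_internet = "true"
      priority          = "1000"
    },
  ]
}
```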

Outputs

| Name | Description |
|------|-------------|
| network | The created network |
| network_name | Name of VPC |
| network_self_link | VPC network self link |
| project_id | VPC project id |
| route_names | The route names associated with this VPC |
| subnets | A map with keys of form subnet_region/subnet_name and values being the outputs of the google_compute_subnetwork resources used to create corresponding subnets |
| subnets_flow_logs | Whether the subnets will have VPC flow logs enabled |
| subnets_ips | The IPs and CIDRs of the subnets being created |
| subnets_names | The names of the subnets being created |
| subnets_private_access | Whether the subnets will have access to Google APIs without a public IP |
| subnets_regions | The region where the subnets will be created |
| subnets_secondary_ranges | The secondary ranges associated with these subnets |
| subnets_self_links | The self-links of subnets being created |
