
Commit f54fc630 authored by Adam Robinson

rework to work alongside gcp-at-um-customer

parent c6eec606
locals {
folder = {
its = "folders/120222398674"
campus = "folders/1013928641872"
michigan_medicine = "folders/332243639992"
}
}
\ No newline at end of file
......@@ -2,19 +2,25 @@
# write to DB
resource "random_id" "id" {
byte_length = 2
}
locals{
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
default_cidr = "10.255.0.0/16"
default_subnets = {for x in var.vpc_regions : x => cidrsubnet(local.default_cidr,4,index(var.vpc_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in var.vpc_regions : x => cidrsubnet(local.pods_cidr,3,index(var.vpc_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in var.vpc_regions : x => cidrsubnet(local.services_cidr,3,index(var.vpc_regions, x))}
}
resource "google_project" "gcp_project" {
name = var.project_name
project_id = var.project_id == "" ? "${local.project_name_string}-${random_id.id.hex}" : var.project_id
folder_id = var.folder_id == "" ? local.folder[var.division] : var.folder_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
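Review bot: The pods and services ranges in the consolidated locals are carved with 3 new bits (`cidrsubnet(local.pods_cidr,3,…)`, `cidrsubnet(local.services_cidr,3,…)`), so `cidrsubnet` errors as soon as `var.vpc_regions` has more than 8 entries, and because locals are evaluated unconditionally this happens even when `var.gke_vpc_ranges` is false, while the 4-bit primary subnets would admit 16. Nothing states that limit; a comment above the block such as `# pods/services ranges use 3 new bits: vpc_regions may hold at most 8 entries` would save the next person from discovering it at plan time. The `google_project` block continues past the hunk.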
......@@ -25,13 +31,12 @@ resource "google_project" "gcp_project" {
resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.project_mcomm}"
member = "group:${var.mcomm_group_email}"
}
locals{
# filter_string = "resource.type=\"project\"\nresource.labels.project_id=\"${google_project.gcp_project.project_id}\" \nlogName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
resource "google_project_service" "compute_api" {
project = google_project.gcp_project.project_id
service = "compute.googleapis.com"
}
resource "google_project_service" "pubsub_api" {
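Review bot: The rewritten `member = "group:${var.mcomm_group_email}"` binding still grants `roles/editor`, a basic role spanning nearly every service in the project, to the whole MCommunity group; if this rework is the moment to tighten it, a predefined or custom role scoped to what the group actually administers would be the least-privilege choice, and otherwise a comment stating that project-wide Editor is intentional would help the next reader. Whether the group is meant to hold full project control is not visible from this hunk.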
......@@ -49,31 +54,16 @@ resource "google_logging_project_sink" "log_export" {
}
# Give unique writer permission to publish/write to pub/sub topic
resource google_pubsub_topic_iam_member "publisher" {
resource "google_pubsub_topic_iam_member" "publisher" {
project = "vci-mcloud-service" # should make this a var
topic = var.log_export_destination
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
resource "google_project_service" "compute-api" {
project = google_project.gcp_project.project_id
service = "compute.googleapis.com"
# disable_dependent_services = true
}
locals {
default_cidr = "10.255.0.0/16"
default_regions = ["us-central1", "us-east1", "us-east4", "us-west1"]
default_subnets = {for x in local.default_regions : x => cidrsubnet(local.default_cidr,4,index(local.default_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in local.default_regions : x => cidrsubnet(local.pods_cidr,3,index(local.default_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in local.default_regions : x => cidrsubnet(local.services_cidr,3,index(local.default_regions, x))}
}
resource "google_compute_network" "default_vpc" {
project = google_project.gcp_project.project_id
name = "${var.prefix}-default-vpc"
name = "${var.vpc_prefix}-default-vpc"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
}
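Review bot: `name = "${var.vpc_prefix}-default-vpc"` combined with the new `vpc_prefix` default of `"um-"` in the root variables.tf yields `um--default-vpc`, where the old `prefix = "um"` produced `um-default-vpc`; the same applies to `"${var.vpc_prefix}-vpn"` in the VPN module's hunk. Either drop the literal hyphen from both templates, `name = "${var.vpc_prefix}default-vpc"`, or keep the templates and set the default back to `"um"`. The hard-coded `project = "vci-mcloud-service"` on the publisher binding, already flagged by its own comment, could instead be derived from `var.log_export_destination`, e.g. `project = regex("projects/([^/]+)/topics/", var.log_export_destination)[0]`, so the two values cannot drift apart.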
......@@ -85,5 +75,18 @@ resource "google_compute_subnetwork" "default_subnet" {
region = each.key
ip_cidr_range = each.value
network = google_compute_network.default_vpc.self_link
secondary_ip_range = var.gke ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : []
}
\ No newline at end of file
secondary_ip_range = var.gke_vpc_ranges ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : []
}
module "vpn" {
source = "./modules/terraform-google-gcp-at-um-vpn"
count = var.vpn == true ? 1 : 0
project_id = google_project.gcp_project.project_id
regions = var.vpc_regions
vpc_prefix = var.vpc_prefix
network_size = var.vpn_network_size
bgp_network = var.vpn_bgp_network
cloud_asn = var.vpn_cloud_asn
um_vpn_endpoint = var.um_vpn_endpoint
}
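Review bot: `count = var.vpn == true ? 1 : 0` compares a `bool` variable against `true`; `count = var.vpn ? 1 : 0` reads the same and is the idiomatic form, and the same pattern appears in the two `vpn_*` outputs added to the root outputs.tf. Since `regions = var.vpc_regions` is also the list the locals above index into, a one-line comment on this argument noting that the module derives its own subnet ranges from the same list would spare a reader from opening the module to see why the two must stay in step.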
# calculate subnet information; rounds up based on the number regions provided (divided by 2)
locals{
subnets = {for x in var.regions : x => cidrsubnet(bluecat_ip4_network.gcp_network.cidr, ceil(length(var.regions)/2), index(var.regions, x))}
}
data "bluecat_entity" "config" {
name = "UMNET"
type = "Configuration"
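Review bot: `ceil(length(var.regions)/2)` as the new-bits argument over-allocates: with 8 regions it reserves 16 subnets and with 16 it reserves 256, whereas `ceil(log(length(var.regions), 2))` gives the smallest extension that still fits every region (`log` is a built-in function). The current formula always fits, so this is a sizing point rather than a correctness one; if it is kept, the comment above it should say that the resulting subnet count is 2^ceil(n/2), which is what "rounds up … (divided by 2)" is trying to express. The `data "bluecat_entity"` block continues past the hunk.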
......@@ -15,14 +20,14 @@ resource "bluecat_ip4_network" "gcp_network" {
size = var.network_size
}
# calculate subnet information; rounds up based on the number regions provided (divided by 2)
locals{
subnets = {for x in var.regions : x => cidrsubnet(bluecat_ip4_network.gcp_network.cidr, ceil(length(var.regions)/2), index(var.regions, x))}
resource "random_password" "vpn_password" {
length = 32
special = true
}
resource "google_compute_network" "vpn_vpc" {
project = var.project_id
name = "${var.prefix}-vpn"
name = "${var.vpc_prefix}-vpn"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
}
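Review bot: `random_password.vpn_password` removes the shared secret from the plain `VPN_PASSWORD` input, but the generated value is still stored unencrypted in the Terraform state, and `sensitive = true` on the `vpn_password` outputs (module outputs.tf and root outputs.tf) only redacts CLI display, not `terraform output -json` or the state file itself. A comment on the resource, `# result is persisted in state: the backend must be encrypted and access-restricted`, would make that operational dependency explicit. The secret also never rotates because nothing drives `keepers`; if periodic rotation is expected, note that here too. The `google_compute_network` block is complete within the hunk.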
......@@ -118,7 +123,7 @@ resource "google_compute_vpn_tunnel" "vpn_tunnel" {
name = "bgp-vpn-tunnel${count.index}" # need a count
project = var.project_id
peer_ip = var.um_vpn_endpoint[count.index].ip # supply in var
shared_secret = var.VPN_PASSWORD
shared_secret = random_password.vpn_password.result
target_vpn_gateway = "${google_compute_vpn_gateway.vpn_gw.self_link}"
router = "${google_compute_router.vpn_router.self_link}"
......
output "vpn_password" {
sensitive = true
value = random_password.vpn_password.result
}
output "vpn_cidr" {
value = bluecat_ip4_network.gcp_network.cidr
}
\ No newline at end of file
variable "regions" {
default = ["us-central1","us-east1"] #, "us-west1"]
}
variable "supernet" {
}
variable "vpn_tunnel_count" {
default = 0
type = list(string)
}
variable "network_size" {
type = number
default = 256
}
variable "bgp_network" {
default = []
type = list(string)
}
variable "cloud_asn" {
default = ""
}
variable "project_id" {
type = string
}
variable "prefix" {
variable "project_id" {
type = string
}
variable "VPN_PASSWORD" {
variable "vpc_prefix" {
type = string
}
variable "um_vpn_endpoint" {
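Review bot: `variable "vpn_tunnel_count"` declares `type = list(string)` with `default = 0`, which `terraform validate` rejects because a number does not convert to a list; whether this line is changed by the commit or is pre-existing context cannot be recovered from the rendered page, but it sits in the rework's path. If it counts tunnels the declaration should be `type = number`. `cloud_asn` is declared with `default = ""` and no type while the root now passes it from a `string` variable; adding `type` and `description` to it and to `bgp_network`, as the root variables.tf now does, would keep the module self-describing. `variable "um_vpn_endpoint"` continues past the visible lines.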
......
......@@ -25,4 +25,13 @@ output "default_vpc_id"{
output "default_subnets"{
value = {for k, v in google_compute_subnetwork.default_subnet : k => v.name}
# value = values(google_compute_subnetwork.default_subnet)[*]["name"]
}
\ No newline at end of file
}
output "vpn_password" {
sensitive = true
value = var.vpn == true ? module.vpn[0].vpn_password : ""
}
output "vpn_cidr" {
value = var.vpn == true ? module.vpn[0].vpn_cidr : ""
}
variable "prefix" {
default = "um"
}
variable "project_name" {
default = ""
type = string
description = "The display name of the project."
}
variable "project_id" {
default = ""
type = string
default = ""
description = "The Project ID for the project. Should not be specified unless bringing in an existing project. Once set, cannot be changed."
}
variable "folder_id" {
default = ""
}
variable "division" {
default = ""
type = string
description = "The Folder ID of the customer's GCP at U-M folder."
}
variable "project_mcomm" {
default = ""
variable "mcomm_group_email" {
type = string
description = "The MCommunity Group to be given permission to the GCP Project"
}
variable "billing_id" {
default = ""
type = string
description = "The Billing Account ID of the customer's GCP at U-M billing account."
}
# variable "billing_contact" {}
variable "security_contact" {
default = ""
type = string
description = "A contact to use for security questions about the GCP Project"
}
variable "egress_waiver" {
default = ""
type = bool
description = "Would you like to participate in the Data Egress Waiver? Should be true as long as you are not using this account for Massive Open Online Course (MOOC), video streaming, or hosting a web site hosting service."
default = true
}
variable "redhat_image" {
default = ""
variable "red_hat_byol" {
type = bool
description = "Would you like access to Red Hat images that leverage our campus license?"
default = false
}
variable "log_export_destination" {
# default = "projects/vci-mcloud-service/topics/vci-service-project-logs-export"
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export"
type = string
description = "The pub/sub topic that logs will be sent to. This is not a customer facing setting."
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export"
}
variable "requestor"{
default = ""
}
variable "shortcode" {
variable "requestor" {
type = string
description = "The person that made the initial request for the GCP Project"
}
variable "network" {
description = "Does the customer require routable 10.238.x.x network space?"
default = true
variable "shortcode" {
type = string
description = "The default shortcode to associate with the GCP Project"
}
variable "vpn" {
default = true
type = bool
description = "Does the GCP project require a VPN?"
default = false
}
variable "vpn_network_size" {
type = number
description = "The size of the network used for the VPN. Defaults to 256 which creates a /24."
default = 256
}
variable "gke" {
variable "vpn_bgp_network" {
type = list(string)
description = "The /30 BGP network allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
}
variable "vpn_cloud_asn" {
type = string
description = "The ASN number allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
}
variable "um_vpn_endpoint" {
type = list(object({
ip = string
asn = string
}))
description = "The UMnet VPN endpoints."
}
variable "gke_vpc_ranges" {
type = bool
description = "If set to true, will create secondary IP address ranges in the first network in the region list"
type = bool
default = false
}
# variable "sensitiveData" {
# dictionary?
# }
# # # Separate Module for VPN/Network? # # #
# variable "vpn" {
# default = false
# }
# variable "network" {
# default = false
# }
\ No newline at end of file
default = false
}
variable "vpc_prefix" {
type = string
default = "um-"
}
variable "region" {
type = string
description = "Google regions to provision VPC resources in. Defaults to [ \"us-central1\", \"us-east1\", \"us-east4\", \"us-west1\" ]."
default = [
"us-central1",
"us-east1",
"us-east4",
"us-west1",
]
}
variable "dt_phi" {
type = bool
description = "Does or will the GCP project contain Protected Health Information (ePHI, HIPAA)?"
default = false
}
variable "dt_ferpa" {
type = bool
description = "Does or will the GCP project contain Student Education Records (FERPA)?"
default = false
}
variable "dt_glba" {
type = bool
description = "Does or will the GCP project contain Student Loan Application Information (GLBA)?"
default = false
}
variable "dt_hsr" {
type = bool
description = "Does or will the GCP project contain Human Subject Research (HSR)?"
default = false
}
variable "dt_ssn" {
type = bool
description = "Does or will the GCP project contain Social Security Numbers (SSN)?"
default = false
}
variable "dt_acp" {
type = bool
description = "Does or will the GCP project contain Attorney/Client Privileged Information?"
default = false
}
variable "dt_pii" {
type = bool
description = "Does or will the GCP project contain Personally Identifiable Information (PII)?"
default = false
}
variable "dt_it_sec_info" {
type = bool
description = "Does or will the GCP project contain IT Security Information?"
default = false
}
variable "dt_pci" {
type = bool
description = "Does or will the GCP project contain Credit Card/Payment Card Information (PCI)?"
default = false
}
variable "dt_itar" {
type = bool
description = "Does or will the GCP project contain Export Controlled Research (ITAR, EAR)?"
default = false
}
variable "dt_fisma" {
type = bool
description = "Does or will the GCP project contain Federal Information Security Management Act Data (FISMA)?"
default = false
}
variable "dt_other_data" {
type = bool
description = "Does or will the GCP project contain Other Sensitive Data? If so, specify in dt_other_data_info."
default = false
}
variable "dt_other_data_info" {
type = string
description = "A description of the Other Sensitive Data"
default = ""
}
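Review bot: `variable "region"` declares `type = string` but its `default` is a four-element list, which `terraform validate` rejects, and main.tf's new locals and the `vpn` module call reference `var.vpc_regions`, which no variable in this file declares; unless `vpc_regions` lives in another file, this looks like a rename applied on only one side. The declaration should read `variable "vpc_regions" {` with `type = list(string)`; its description already speaks of "regions" in the plural.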