Commit f54fc630 authored by Adam Robinson's avatar Adam Robinson

rework to work alongside gcp-at-um-customer

parent c6eec606
locals {
folder = {
its = "folders/120222398674"
campus = "folders/1013928641872"
michigan_medicine = "folders/332243639992"
}
}
\ No newline at end of file
...@@ -2,19 +2,25 @@ ...@@ -2,19 +2,25 @@
# write to DB # write to DB
resource "random_id" "id" { resource "random_id" "id" {
byte_length = 2 byte_length = 2
} }
locals{ locals{
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25) project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
default_cidr = "10.255.0.0/16"
default_subnets = {for x in var.vpc_regions : x => cidrsubnet(local.default_cidr,4,index(var.vpc_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in var.vpc_regions : x => cidrsubnet(local.pods_cidr,3,index(var.vpc_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in var.vpc_regions : x => cidrsubnet(local.services_cidr,3,index(var.vpc_regions, x))}
} }
resource "google_project" "gcp_project" { resource "google_project" "gcp_project" {
name = var.project_name name = var.project_name
project_id = var.project_id == "" ? "${local.project_name_string}-${random_id.id.hex}" : var.project_id project_id = var.project_id == "" ? "${local.project_name_string}-${random_id.id.hex}" : var.project_id
folder_id = var.folder_id == "" ? local.folder[var.division] : var.folder_id folder_id = var.folder_id
billing_account = var.billing_id billing_account = var.billing_id
auto_create_network = false auto_create_network = false
labels = { labels = {
...@@ -25,13 +31,12 @@ resource "google_project" "gcp_project" { ...@@ -25,13 +31,12 @@ resource "google_project" "gcp_project" {
resource "google_project_iam_member" "project_iam" { resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id project = google_project.gcp_project.project_id
role = "roles/editor" role = "roles/editor"
member = "group:${var.project_mcomm}" member = "group:${var.mcomm_group_email}"
} }
resource "google_project_service" "compute_api" {
locals{ project = google_project.gcp_project.project_id
# filter_string = "resource.type=\"project\"\nresource.labels.project_id=\"${google_project.gcp_project.project_id}\" \nlogName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\"" service = "compute.googleapis.com"
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
} }
resource "google_project_service" "pubsub_api" { resource "google_project_service" "pubsub_api" {
...@@ -49,31 +54,16 @@ resource "google_logging_project_sink" "log_export" { ...@@ -49,31 +54,16 @@ resource "google_logging_project_sink" "log_export" {
} }
# Give unique writer permission to publish/write to pub/sub topic # Give unique writer permission to publish/write to pub/sub topic
resource google_pubsub_topic_iam_member "publisher" { resource "google_pubsub_topic_iam_member" "publisher" {
project = "vci-mcloud-service" # should make this a var project = "vci-mcloud-service" # should make this a var
topic = var.log_export_destination topic = var.log_export_destination
role = "roles/pubsub.publisher" role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity member = google_logging_project_sink.log_export.writer_identity
} }
resource "google_project_service" "compute-api" {
project = google_project.gcp_project.project_id
service = "compute.googleapis.com"
# disable_dependent_services = true
}
locals {
default_cidr = "10.255.0.0/16"
default_regions = ["us-central1", "us-east1", "us-east4", "us-west1"]
default_subnets = {for x in local.default_regions : x => cidrsubnet(local.default_cidr,4,index(local.default_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in local.default_regions : x => cidrsubnet(local.pods_cidr,3,index(local.default_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in local.default_regions : x => cidrsubnet(local.services_cidr,3,index(local.default_regions, x))}
}
resource "google_compute_network" "default_vpc" { resource "google_compute_network" "default_vpc" {
project = google_project.gcp_project.project_id project = google_project.gcp_project.project_id
name = "${var.prefix}-default-vpc" name = "${var.vpc_prefix}-default-vpc"
routing_mode = "GLOBAL" routing_mode = "GLOBAL"
auto_create_subnetworks = false auto_create_subnetworks = false
} }
...@@ -85,5 +75,18 @@ resource "google_compute_subnetwork" "default_subnet" { ...@@ -85,5 +75,18 @@ resource "google_compute_subnetwork" "default_subnet" {
region = each.key region = each.key
ip_cidr_range = each.value ip_cidr_range = each.value
network = google_compute_network.default_vpc.self_link network = google_compute_network.default_vpc.self_link
secondary_ip_range = var.gke ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : [] secondary_ip_range = var.gke_vpc_ranges ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : []
} }
\ No newline at end of file
module "vpn" {
source = "./modules/terraform-google-gcp-at-um-vpn"
count = var.vpn == true ? 1 : 0
project_id = google_project.gcp_project.project_id
regions = var.vpc_regions
vpc_prefix = var.vpc_prefix
network_size = var.vpn_network_size
bgp_network = var.vpn_bgp_network
cloud_asn = var.vpn_cloud_asn
um_vpn_endpoint = var.um_vpn_endpoint
}
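Review bot: Now that the region list comes from `var.vpc_regions` instead of the fixed four-region `local.default_regions`, the CIDR math in the new `locals` block has an unstated upper bound: `cidrsubnet(local.pods_cidr, 3, …)` and `cidrsubnet(local.services_cidr, 3, …)` yield at most eight ranges, and from the seventh region on the pods /20 (`10.255.224.0/20` upward) overlaps `services_cidr`, while past eight regions the `default_subnets` /20s overlap `pods_cidr` and the `cidrsubnet` calls fail. Since the module already requires Terraform 0.13+ (`count` on `module "vpn"`), a `validation` block on the region variable, e.g. `condition = length(var.vpc_regions) <= 6` with an `error_message` naming the overlap, would catch this at plan time rather than as an opaque index error or a GKE secondary range that collides with another region. A comment above the locals such as `# 10.255.0.0/16 is carved into /20 primaries; pods and services secondaries share the top /17 — at most 6 regions before ranges collide` would make the constraint visible to whoever edits the list next.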
# calculate subnet information; rounds up based on the number regions provided (divided by 2)
locals{
subnets = {for x in var.regions : x => cidrsubnet(bluecat_ip4_network.gcp_network.cidr, ceil(length(var.regions)/2), index(var.regions, x))}
}
data "bluecat_entity" "config" { data "bluecat_entity" "config" {
name = "UMNET" name = "UMNET"
type = "Configuration" type = "Configuration"
...@@ -15,14 +20,14 @@ resource "bluecat_ip4_network" "gcp_network" { ...@@ -15,14 +20,14 @@ resource "bluecat_ip4_network" "gcp_network" {
size = var.network_size size = var.network_size
} }
# calculate subnet information; rounds up based on the number regions provided (divided by 2) resource "random_password" "vpn_password" {
locals{ length = 32
subnets = {for x in var.regions : x => cidrsubnet(bluecat_ip4_network.gcp_network.cidr, ceil(length(var.regions)/2), index(var.regions, x))} special = true
} }
resource "google_compute_network" "vpn_vpc" { resource "google_compute_network" "vpn_vpc" {
project = var.project_id project = var.project_id
name = "${var.prefix}-vpn" name = "${var.vpc_prefix}-vpn"
routing_mode = "GLOBAL" routing_mode = "GLOBAL"
auto_create_subnetworks = false auto_create_subnetworks = false
} }
...@@ -118,7 +123,7 @@ resource "google_compute_vpn_tunnel" "vpn_tunnel" { ...@@ -118,7 +123,7 @@ resource "google_compute_vpn_tunnel" "vpn_tunnel" {
name = "bgp-vpn-tunnel${count.index}" # need a count name = "bgp-vpn-tunnel${count.index}" # need a count
project = var.project_id project = var.project_id
peer_ip = var.um_vpn_endpoint[count.index].ip # supply in var peer_ip = var.um_vpn_endpoint[count.index].ip # supply in var
shared_secret = var.VPN_PASSWORD shared_secret = random_password.vpn_password.result
target_vpn_gateway = "${google_compute_vpn_gateway.vpn_gw.self_link}" target_vpn_gateway = "${google_compute_vpn_gateway.vpn_gw.self_link}"
router = "${google_compute_router.vpn_router.self_link}" router = "${google_compute_router.vpn_router.self_link}"
......
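Review bot: The IPsec pre-shared key now generated by `random_password.vpn_password` and fed to `shared_secret` on `google_compute_vpn_tunnel.vpn_tunnel` is persisted in plaintext in Terraform state, so anyone who can read the state backend holds the tunnel PSK; `sensitive = true` on the output only masks CLI display. Consider a comment on the resource, `# PSK lives in state: restrict state-backend access; rotate by tainting this resource`, and a `keepers` map so the key can be rotated without a manual taint. Cloud VPN and the UMnet peer may each limit which special characters a PSK may contain — if so, constrain the set with `override_special` rather than leaving `special = true` unbounded. The `vpn_tunnel` resource continues past this hunk.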
output "vpn_password" {
sensitive = true
value = random_password.vpn_password.result
}
output "vpn_cidr" {
value = bluecat_ip4_network.gcp_network.cidr
}
\ No newline at end of file
variable "regions" { variable "regions" {
default = ["us-central1","us-east1"] #, "us-west1"] type = list(string)
}
variable "supernet" {
}
variable "vpn_tunnel_count" {
default = 0
} }
variable "network_size" { variable "network_size" {
type = number
default = 256 default = 256
} }
variable "bgp_network" { variable "bgp_network" {
default = [] type = list(string)
} }
variable "cloud_asn" { variable "cloud_asn" {
default = "" type = string
}
variable "project_id" {
} }
variable "prefix" { variable "project_id" {
type = string
} }
variable "VPN_PASSWORD" { variable "vpc_prefix" {
type = string
} }
variable "um_vpn_endpoint" { variable "um_vpn_endpoint" {
......
...@@ -25,4 +25,13 @@ output "default_vpc_id"{ ...@@ -25,4 +25,13 @@ output "default_vpc_id"{
output "default_subnets"{ output "default_subnets"{
value = {for k, v in google_compute_subnetwork.default_subnet : k => v.name} value = {for k, v in google_compute_subnetwork.default_subnet : k => v.name}
# value = values(google_compute_subnetwork.default_subnet)[*]["name"] # value = values(google_compute_subnetwork.default_subnet)[*]["name"]
} }
\ No newline at end of file
output "vpn_password" {
sensitive = true
value = var.vpn == true ? module.vpn[0].vpn_password : ""
}
output "vpn_cidr" {
value = var.vpn == true ? module.vpn[0].vpn_cidr : ""
}
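Review bot: Both new outputs index `module.vpn[0]` inside the conditional; whether the unselected branch is evaluated when `count` is 0 has varied across Terraform/HCL releases, and `Invalid index` errors have been reported for this pattern on early 0.13 versions. The splat form avoids the index entirely and drops the redundant `== true` on a bool: `value = join("", module.vpn[*].vpn_password)` (or `one(module.vpn[*].vpn_password)` on 0.15+), and likewise for `vpn_cidr`. Keeping `sensitive = true` on the password output is correct; note the value is still stored in plaintext in state.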
variable "prefix" {
default = "um"
}
variable "project_name" { variable "project_name" {
default = "" type = string
description = "The display name of the project."
} }
variable "project_id" { variable "project_id" {
default = "" type = string
default = ""
description = "The Project ID for the project. Should not be specified unless bringing in an existing project. Once set, cannot be changed."
} }
variable "folder_id" { variable "folder_id" {
default = "" type = string
} description = "The Folder ID of the customer's GCP at U-M folder."
variable "division" {
default = ""
} }
variable "project_mcomm" { variable "mcomm_group_email" {
default = "" type = string
description = "The MCommunity Group to be given permission to the GCP Project"
} }
variable "billing_id" { variable "billing_id" {
default = "" type = string
description = "The Billing Account ID of the customer's GCP at U-M billing account."
} }
# variable "billing_contact" {}
variable "security_contact" { variable "security_contact" {
default = "" type = string
description = "A contact to use for security questions about the GCP Project"
} }
variable "egress_waiver" { variable "egress_waiver" {
default = "" type = bool
description = "Would you like to participate in the Data Egress Waiver? Should be true as long as you are not using this account for Massive Open Online Course (MOOC), video streaming, or hosting a web site hosting service."
default = true
} }
variable "redhat_image" {
default = "" variable "red_hat_byol" {
type = bool
description = "Would you like access to Red Hat images that leverage our campus license?"
default = false
} }
variable "log_export_destination" { variable "log_export_destination" {
# default = "projects/vci-mcloud-service/topics/vci-service-project-logs-export" type = string
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export" description = "The pub/sub topic that logs will be sent to. This is not a customer facing setting."
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export"
} }
variable "requestor"{ variable "requestor" {
default = "" type = string
} description = "The person that made the initial request for the GCP Project"
variable "shortcode" {
} }
variable "network" { variable "shortcode" {
description = "Does the customer require routable 10.238.x.x network space?" type = string
default = true description = "The default shortcode to associate with the GCP Project"
} }
variable "vpn" { variable "vpn" {
default = true type = bool
description = "Does the GCP project require a VPN?"
default = false
}
variable "vpn_network_size" {
type = number
description = "The size of the network used for the VPN. Defaults to 256 which creates a /24."
default = 256
} }
variable "gke" { variable "vpn_bgp_network" {
type = list(string)
description = "The /30 BGP network allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
}
variable "vpn_cloud_asn" {
type = string
description = "The ASN number allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
}
variable "um_vpn_endpoint" {
type = list(object({
ip = string
asn = string
}))
description = "The UMnet VPN endpoints."
}
variable "gke_vpc_ranges" {
type = bool
description = "If set to true, will create secondary IP address ranges in the first network in the region list" description = "If set to true, will create secondary IP address ranges in the first network in the region list"
type = bool default = false
default = false }
}
variable "vpc_prefix" {
type = string
# variable "sensitiveData" { default = "um-"
# dictionary? }
# }
# # # Separate Module for VPN/Network? # # # variable "region" {
# variable "vpn" { type = string
# default = false description = "Google regions to provision VPC resources in. Defaults to [ \"us-central1\", \"us-east1\", \"us-east4\", \"us-west1\" ]."
# } default = [
# variable "network" { "us-central1",
# default = false "us-east1",
# } "us-east4",
\ No newline at end of file "us-west1",
]
}
variable "dt_phi" {
type = bool
description = "Does or will the GCP project contain Protected Health Information (ePHI, HIPAA)?"
default = false
}
variable "dt_ferpa" {
type = bool
description = "Does or will the GCP project contain Student Education Records (FERPA)?"
default = false
}
variable "dt_glba" {
type = bool
description = "Does or will the GCP project contain Student Loan Application Information (GLBA)?"
default = false
}
variable "dt_hsr" {
type = bool
description = "Does or will the GCP project contain Human Subject Research (HSR)?"
default = false
}
variable "dt_ssn" {
type = bool
description = "Does or will the GCP project contain Social Security Numbers (SSN)?"
default = false
}
variable "dt_acp" {
type = bool
description = "Does or will the GCP project contain Attorney/Client Privileged Information?"
default = false
}
variable "dt_pii" {
type = bool
description = "Does or will the GCP project contain Personally Identifiable Information (PII)?"
default = false
}
variable "dt_it_sec_info" {
type = bool
description = "Does or will the GCP project contain IT Security Information?"
default = false
}
variable "dt_pci" {
type = bool
description = "Does or will the GCP project contain Credit Card/Payment Card Information (PCI)?"
default = false
}
variable "dt_itar" {
type = bool
description = "Does or will the GCP project contain Export Controlled Research (ITAR, EAR)?"
default = false
}
variable "dt_fisma" {
type = bool
description = "Does or will the GCP project contain Federal Information Security Management Act Data (FISMA)?"
default = false
}
variable "dt_other_data" {
type = bool
description = "Does or will the GCP project contain Other Sensitive Data? If so, specify in dt_other_data_info."
default = false
}
variable "dt_other_data_info" {
type = string
description = "A description of the Other Sensitive Data"
default = ""
}
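Review bot: The new region variable is declared `variable "region"` with `type = string`, yet its default is a list of four regions and `main.tf` reads `var.vpc_regions` (in `locals` and in `module "vpn"`), so as written the configuration will not validate — the declaration should be `variable "vpc_regions" { type = list(string) … }` with the same description and default. Relatedly, `vpc_prefix` now defaults to `"um-"` while the network names are built as `"${var.vpc_prefix}-default-vpc"` and `"${var.vpc_prefix}-vpn"`, which produces a double hyphen (`um--default-vpc`); drop the trailing hyphen from either the default or the interpolation. The `dt_*` data-classification flags are declared but nothing in the visible hunks consumes them — if they feed the project `labels` in the part of `google_project.gcp_project` not shown here, a short description note saying so would help; otherwise they are dead inputs.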