
Commit fe019933 authored by Kenny Moore's avatar Kenny Moore

Merge branch 'cleaning_up' into 'master'

UM_Billing User plus PubSub API

See merge request !6
parents e04efaf2 51c6690d
# Still need:
# billing
# ip_space - get from bluecat provider (terraform)
# VPN (BGP)
# write to DB
# ADD PROJECT IAM (EDITOR)
resource "random_id" "id" {
byte_length = 2
......@@ -14,31 +12,37 @@ locals{
}
resource "google_project" "gcp_project" {
name = "${var.project_name}"
name = var.project_name
project_id = var.project_id == "" ? "${local.project_name_string}-${random_id.id.hex}" : var.project_id
folder_id = local.folder[var.division]
folder_id = var.folder_id == "" ? local.folder[var.division] : var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
}
}
resource "google_project_iam_member" "project_iam" {
project = "${google_project.gcp_project.project_id}"
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.project_mcomm}"
}
}
locals{
filter_string = "resource.type=\"project\"\nresource.labels.project_id=\"${google_project.gcp_project.project_id}\" \nlogName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
# filter_string = "resource.type=\"project\"\nresource.labels.project_id=\"${google_project.gcp_project.project_id}\" \nlogName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
}
resource "google_project_service" "pubsub_api" {
project = project = google_project.gcp_project.project_id
service = "pubsub.googleapis.com.googleapis.com"
}
resource "google_logging_project_sink" "log_export" {
project = "${google_project.gcp_project.project_id}"
project = google_project.gcp_project.project_id
name = "${google_project.gcp_project.project_id}-log-export"
destination = "${var.log_export_destination}"
destination = var.log_export_destination
# filter = "projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity" # Need this
filter = local.filter_string
unique_writer_identity = true
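Review bot: The new `resource "google_project_service" "pubsub_api"` block in this hunk will not parse and, once parsed, enables the wrong API: `project = project = google_project.gcp_project.project_id` is a doubled assignment, and `service = "pubsub.googleapis.com.googleapis.com"` repeats the domain. The two lines should read `project = google_project.gcp_project.project_id` and `service = "pubsub.googleapis.com"`, matching the `compute-api` resource later in the same file. The rewritten `local.filter_string` also drops the `resource.type` and `resource.labels.project_id` constraints the commented-out form had; a project-level sink already scopes to this project, but a one-line comment stating that the logName-only filter is deliberate would stop the next reader from re-adding them.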
......@@ -47,13 +51,13 @@ resource "google_logging_project_sink" "log_export" {
# Give unique writer permission to publish/write to pub/sub topic
resource google_pubsub_topic_iam_member "publisher" {
project = "vci-mcloud-service" # should make this a var
topic = "${var.log_export_destination}"
topic = var.log_export_destination
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
resource "google_project_service" "compute-api" {
project = "${google_project.gcp_project.project_id}"
project = google_project.gcp_project.project_id
service = "compute.googleapis.com"
# disable_dependent_services = true
}
......@@ -61,10 +65,14 @@ locals {
default_cidr = "10.255.0.0/16"
default_regions = ["us-central1", "us-east1", "us-east4", "us-west1"]
default_subnets = {for x in local.default_regions : x => cidrsubnet(local.default_cidr,4,index(local.default_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in local.default_regions : x => cidrsubnet(local.pods_cidr,3,index(local.default_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in local.default_regions : x => cidrsubnet(local.services_cidr,3,index(local.default_regions, x))}
}
resource "google_compute_network" "default_vpc" {
project = "${google_project.gcp_project.project_id}"
project = google_project.gcp_project.project_id
name = "${var.prefix}-default-vpc"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
......@@ -72,9 +80,10 @@ resource "google_compute_network" "default_vpc" {
resource "google_compute_subnetwork" "default_subnet" {
for_each = local.default_subnets
project = "${google_project.gcp_project.project_id}"
project = google_project.gcp_project.project_id
name = "default-${each.key}"
region = each.key
ip_cidr_range = each.value
network = google_compute_network.default_vpc.self_link
network = google_compute_network.default_vpc.self_link
secondary_ip_range = var.gke ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : []
}
\ No newline at end of file
......@@ -9,6 +9,14 @@ resource "google_billing_account_iam_member" "binding" {
member = "group:${var.billing_mcomm}"
}
# Need to add billing contact individuall?
resource "google_billing_account_iam_member" "um_billing_user" {
billing_account_id = var.billing_id
# role = data.um_billing_user.name
role = "organizations/715302536254/roles/UM_billingUser" # should be a var?
member = "group:${var.billing_mcomm}"
}
# EDITOR; nested in billing MCOMM - umich-gcp-project-tf-test@umich.edu
# umich-gcp-project-tf-test-billing@umich.edu
\ No newline at end of file
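Review bot: The new `um_billing_user` binding hard-codes an organization ID inside the role path (`organizations/715302536254/roles/UM_billingUser`), as its trailing comment already suspects; passing it in, e.g. `role = var.um_billing_user_role`, keeps the module usable outside that organization and keeps the numeric ID out of source. The same group `var.billing_mcomm` is already granted a role by the `binding` resource above (its role is outside this hunk), so the group now carries two billing-account roles and the resource deserves a comment stating what the custom role adds over the existing grant. The question `# Need to add billing contact individuall?` is left as an open TODO; either resolve it or mark it `# TODO:` so it is findable.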
......@@ -22,7 +22,7 @@ locals{
resource "google_compute_network" "vpn_vpc" {
project = var.project_id
name = "${var.prefix}-vpn-vpc"
name = "${var.prefix}-vpn"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
}
......@@ -81,18 +81,6 @@ resource "google_compute_forwarding_rule" "fr_udp4500" {
target = "${google_compute_vpn_gateway.vpn_gw.self_link}"
}
# VPN BGP Connection Information - U-M Side
locals{
um_vpn_endpoint = [{
ip = "141.213.154.20"
asn = "64900"
},
{
ip = "141.213.154.4"
asn = "64901"
}]
}
resource "google_compute_router" "vpn_router" {
name = "${var.prefix}-bgp-vpn-router"
project = var.project_id
......@@ -121,7 +109,7 @@ resource "google_compute_router_peer" "bgp_peer" {
router = google_compute_router.vpn_router.name
region = var.regions[0]
peer_ip_address = cidrhost(var.bgp_network[count.index],2)
peer_asn = local.um_vpn_endpoint[count.index].asn
peer_asn = var.um_vpn_endpoint[count.index].asn
interface = google_compute_router_interface.bgp_interface[count.index].name
}
......@@ -129,7 +117,7 @@ resource "google_compute_vpn_tunnel" "vpn_tunnel" {
count = length(var.bgp_network)
name = "bgp-vpn-tunnel${count.index}" # need a count
project = var.project_id
peer_ip = local.um_vpn_endpoint[count.index].ip # supply in var
peer_ip = var.um_vpn_endpoint[count.index].ip # supply in var
shared_secret = var.VPN_PASSWORD
target_vpn_gateway = "${google_compute_vpn_gateway.vpn_gw.self_link}"
router = "${google_compute_router.vpn_router.self_link}"
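Review bot: Both `peer_asn = var.um_vpn_endpoint[count.index].asn` in the `bgp_peer` hunk and `peer_ip = var.um_vpn_endpoint[count.index].ip` here index the new list variable with a count taken from `length(var.bgp_network)`, so a caller supplying fewer endpoints than BGP networks gets an index error at plan time rather than a clear message. Either derive both resources from the same list length or document the coupling where the variable is declared: `# must have exactly one entry per element of var.bgp_network`. The `# supply in var` comment on the `peer_ip` line is now satisfied by this commit and can go, as can `# need a count` on the `name` line, which `count = length(var.bgp_network)` already answers.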
variable "regions" {
default = ["us-central1","us-east1"] #, "us-west1"]
}
# variable "subnet_cidr" {
# default = ""
# }
variable "supernet" {
}
variable "vpn_tunnel_count" {
default = 0
}
......@@ -29,7 +29,9 @@ variable "prefix" {
variable "VPN_PASSWORD" {
}
# variable "vpn_connection_info" {
# default = [{}]
# }
\ No newline at end of file
variable "um_vpn_endpoint" {
type = list(object({
ip = string
asn = string
}))
}
\ No newline at end of file
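Review bot: The new `um_vpn_endpoint` variable has no `description`, and `asn` is typed `string` although it feeds `peer_asn`, a numeric BGP ASN; Terraform will coerce the string, but `asn = number` makes the contract explicit and rejects non-numeric input at the variable boundary. Suggested header: `description = "U-M side VPN endpoints, one per BGP tunnel: public IP and BGP ASN"`. Since the values are looked up by `count.index` against `var.bgp_network` elsewhere in the module, the description should also say that the list must be the same length as `var.bgp_network`.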
......@@ -8,4 +8,21 @@ output "prefix" {
output "billing_id" {
value = var.billing_id
}
output "default_vpc_name"{
value = google_compute_network.default_vpc.name
}
output "default_vpc_self_link"{
value = google_compute_network.default_vpc.self_link
}
output "default_vpc_id"{
value = google_compute_network.default_vpc.id
}
output "default_subnets"{
value = {for k, v in google_compute_subnetwork.default_subnet : k => v.name}
# value = values(google_compute_subnetwork.default_subnet)[*]["name"]
}
\ No newline at end of file
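Review bot: The four new outputs `default_vpc_name`, `default_vpc_self_link`, `default_vpc_id` and `default_subnets` carry no `description`, so a consumer of the module has to read the expressions to learn what they get; one line each suffices, e.g. `description = "Map of region => default subnet name"` on `default_subnets`. The commented-out alternative `# value = values(google_compute_subnetwork.default_subnet)[*]["name"]` can be dropped now that the map form has been chosen, since keeping it implies the choice is still open.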
......@@ -7,6 +7,9 @@ variable "project_name" {
variable "project_id" {
default = ""
}
variable "folder_id" {
default = ""
}
variable "division" {
default = ""
}
......@@ -47,6 +50,11 @@ variable "vpn" {
default = true
}
variable "gke" {
description = "If set to true, will create secondary IP address ranges in the first network in the region list"
type = bool
default = false
}
# variable "sensitiveData" {
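Review bot: The `gke` variable's description says secondary ranges are created "in the first network in the region list", but the `default_subnet` resource earlier in this merge applies `secondary_ip_range` to every subnet in `local.default_subnets` when `var.gke` is true, so the text misstates the blast radius; it should read `description = "If true, add pods/services secondary IP ranges to every default subnet"`. The new `folder_id` variable has neither `type` nor `description`; since an empty string means "derive from var.division" in `google_project.gcp_project`, say so: `description = "Folder to create the project in; empty string selects the folder mapped from var.division"`.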