
Example of Deploying a Shared VPC Environment


shared-vpc-demo

The purpose of this repo is to demonstrate how to deploy infrastructure on GCP with Terraform. At a high level it deploys:

  1. A Shared VPC network (the Host Project resides in the Management folder, the Service Projects in the Application folder)
  2. 4 subnets (5 in total, the extra one showing how easy it is to add subnets), all in a single region for simplicity
  3. Firewall rules that allow internal network connectivity, plus SSH and web access from the external internet to certain tagged resources only
  4. A bastion host that resides in subnet 01
  5. A managed instance group (MIG) running an Apache web server in subnet 03; its instances cannot be reached from the public internet
  6. An HTTP load balancer that exposes the Apache web server on port 80 and forwards incoming traffic to the backend instances
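The following is an added illustration of the Shared VPC wiring and firewall posture the list above describes; it is not the repo's own code (the repo builds the same thing from the project-factory, vm and lb-http modules). Project IDs, subnet ranges, network tags and the `admin_cidrs` variable are assumed placeholders; the two load-balancer source ranges are Google's documented proxy and health-check ranges.

```hcl
variable "host_project_id" {
  type = string # assumed: project under the Management folder
}
variable "service_project_id" {
  type = string # assumed: project under the Application folder
}
variable "region" {
  type    = string
  default = "us-central1"
}
variable "admin_cidrs" {
  type        = list(string)
  description = "Assumed: source ranges allowed to SSH to the bastion; never 0.0.0.0/0"
}
# The host project publishes the network; the service project attaches to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}
resource "google_compute_shared_vpc_service_project" "svc" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}
resource "google_compute_network" "shared" {
  project                 = var.host_project_id
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Two of the subnets from the list: 01 hosts the bastion, 03 hosts the MIG (constructed ranges).
locals {
  subnets = {
    "subnet-01" = "10.10.1.0/24"
    "subnet-03" = "10.10.3.0/24"
  }
}
resource "google_compute_subnetwork" "subnet" {
  for_each                 = local.subnets
  project                  = var.host_project_id
  name                     = each.key
  region                   = var.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = each.value
  private_ip_google_access = true # instances without external IPs still reach Google APIs
}

# Subnet-level grant: the service project's Google APIs service agent (needed for
# MIGs in a Shared VPC) gets networkUser on subnet-03 only, not on the whole host project.
data "google_project" "svc" {
  project_id = var.service_project_id
}
resource "google_compute_subnetwork_iam_member" "svc_network_user" {
  project    = var.host_project_id
  region     = var.region
  subnetwork = google_compute_subnetwork.subnet["subnet-03"].name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${data.google_project.svc.number}@cloudservices.gserviceaccount.com"
}

# Firewall rules live in the host project and select targets by network tag.
# Internal traffic (tcp and icmp) is allowed only between the subnets themselves.
resource "google_compute_firewall" "allow_internal" {
  project       = var.host_project_id
  name          = "allow-internal"
  network       = google_compute_network.shared.name
  source_ranges = values(local.subnets)
  allow {
    protocol = "tcp"
    ports    = ["0-65535"]
  }
  allow {
    protocol = "icmp"
  }
}
# SSH reaches only instances tagged "bastion", and only from the admin ranges.
resource "google_compute_firewall" "allow_ssh_bastion" {
  project       = var.host_project_id
  name          = "allow-ssh-bastion"
  network       = google_compute_network.shared.name
  source_ranges = var.admin_cidrs
  target_tags   = ["bastion"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
# Port 80 on the web tier opens only to Google's load balancer and health-check
# ranges, so the MIG is reachable through the HTTP LB but not from the internet directly.
resource "google_compute_firewall" "allow_lb_to_web" {
  project       = var.host_project_id
  name          = "allow-lb-to-web"
  network       = google_compute_network.shared.name
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web"]
  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}
```

The two points worth checking in any Shared VPC deployment are visible here: the service project is granted `roles/compute.networkUser` on the individual subnet it uses rather than on the host project, and the web tier has no rule admitting `0.0.0.0/0`, so the only path to Apache is through the load balancer. `terraform plan` shows both grants and rules before anything is created.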

Architecture Diagram

TODO(antoniordz96) add architecture diagram

Compatibility

This repo is meant for use with Terraform 0.13.7. You can manage multiple Terraform versions on your local workstation with tfenv.

Prerequisites and Tools

Requirements

| Name | Version |
|------|---------|
| terraform | ~> v0.13.7 |
| google | 3.76.0 |
| google-beta | 3.76.0 |
| null | 3.1.0 |
| random | 3.1.0 |
| template | ~> 2.2.0 |

Providers

| Name | Version |
|------|---------|
| google | 3.76.0 |
| random | 3.1.0 |
| template | ~> 2.2.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| host_project | terraform-google-modules/project-factory/google | ~> 11.1.0 |
| http-lb | GoogleCloudPlatform/lb-http/google | 6.0.1 |
| mig | terraform-google-modules/vm/google//modules/mig | 6.2.0 |
| mig_template | terraform-google-modules/vm/google//modules/instance_template | 6.2.0 |
| networking | ./modules/network | n/a |
| service-project | terraform-google-modules/project-factory/google//modules/svpc_service_project | ~> 11.1.0 |

Resources

| Name | Type |
|------|------|
| google_compute_instance.instance | resource |
| google_folder.application | resource |
| google_folder.management | resource |
| google_project_iam_member.project | resource |
| random_id.default | resource |
| google_compute_image.redhat_image | data source |
| template_file.application | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| billing_account_id | Billing account to associate resources to. | string | n/a | yes |
| organization_id | GCP organization ID. | string | n/a | yes |
| region | GCP region to deploy resources in. | string | "us-central1" | no |

Outputs

| Name | Description |
|------|-------------|
| application_external_ip | HTTP load balancer external IP for reaching the Apache web server. |
| host_project | Host Project ID. |
| service_project | Service Project ID. |
| subnets | Subnets created in the environment. |

Usage

```shell
# Downloading the repo
git clone https://github.com/antoniordz96/shared-vpc-demo.git
cd shared-vpc-demo

# Configuring Terraform
tfenv install 0.13.7
tfenv use 0.13.7
terraform version

# Configuring gcloud
gcloud auth login

# Using the Terraform seed project and service account
gcloud config set project $TERRAFORM_SEED_PROJECT
gcloud iam service-accounts keys create key.json --iam-account={terraform-seed-sa}@project-id.iam.gserviceaccount.com
# SERVICE_ACCOUNT_KEY_PATH must point at the key.json created above
export GOOGLE_APPLICATION_CREDENTIALS=${SERVICE_ACCOUNT_KEY_PATH}

# Remember to set the input variables (billing_account_id, organization_id, region) in terraform.tfvars
touch terraform.tfvars
terraform init
terraform plan
terraform apply
```

Note: you do not necessarily need to download a key for the seed SA. You can instead use service account impersonation and run Terraform to deploy the resources. For more info see the public docs.
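As an added example of the impersonation route the note describes (this is not the repo's own provider configuration), the provider blocks below let Terraform act as the seed service account without a key file ever being written to disk. The service account address is an assumed placeholder.

```hcl
variable "terraform_sa" {
  type    = string
  default = "terraform-seed-sa@PROJECT_ID.iam.gserviceaccount.com" # assumed placeholder
}

# Source credential: your own user login, obtained with
#   gcloud auth application-default login
# The provider exchanges it for short-lived access tokens for the seed SA, so no
# key.json is created or exported. Your user needs roles/iam.serviceAccountTokenCreator
# on that SA, and Cloud Audit Logs record the impersonating principal alongside the SA.
provider "google" {
  impersonate_service_account = var.terraform_sa
}

provider "google-beta" {
  impersonate_service_account = var.terraform_sa
}
```

With this in place the `gcloud iam service-accounts keys create` and `export GOOGLE_APPLICATION_CREDENTIALS` steps in the usage block are not needed; `terraform init`, `plan` and `apply` run as before.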