terraform-google-modules/terraform-google-vault

Support deployment to shared VPC with allow_public_egress

Closed this issue · 0 comments

TL;DR

Most of the implementation seems to work with shared VPC except for the NAT resources when allow_public_egress is true. To support shared VPC, the resources vault-router (google_compute_router) and vault-nat (google_compute_router_nat and google_compute_address) would need to be created in the shared VPC host project (see here). This can be implemented by adding a new variable (host_project_id) that, when set, indicates a shared VPC deployment and would be used in the creation of the mentioned resources.

Terraform Resources

resource "google_compute_address" "vault-nat" {
  count   = var.allow_public_egress ? 2 : 0
  project = var.project_id
  name    = "vault-nat-external-${count.index}"
  region  = var.region

  depends_on = [google_project_service.service]
}

resource "google_compute_router" "vault-router" {
  count   = var.allow_public_egress ? 1 : 0
  name    = "vault-router"
  project = var.project_id
  region  = var.region
  network = local.network

  bgp {
    asn = 64514
  }

  depends_on = [google_project_service.service]
}

resource "google_compute_router_nat" "vault-nat" {
  count   = var.allow_public_egress ? 1 : 0
  name    = "vault-nat-1"
  project = var.project_id
  router  = google_compute_router.vault-router[0].name
  region  = var.region

  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = google_compute_address.vault-nat.*.self_link

  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = local.subnet
    source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE"]
  }

  depends_on = [google_project_service.service]
}

Detailed design

No response

Additional information

No response
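The change sketched in the TL;DR, written out as an added example rather than the module's own code or a patch attached to this issue. It introduces the proposed host_project_id variable and routes the three NAT-related resources to the host project when it is set, falling back to var.project_id otherwise. The variable name is the one the issue proposes; the local name nat_project_id and the variable's description are assumptions made here. It also assumes, as the module does, that local.network and local.subnet resolve to the shared network and subnet (self_links, or names that are valid inside the host project).

```hcl
# Added example: shared-VPC-aware placement of the Cloud NAT resources.
# Not the module's code; host_project_id is the variable proposed in the issue,
# nat_project_id is an assumed helper local.

variable "host_project_id" {
  type        = string
  default     = null
  description = "Shared VPC host project ID. When set, the Cloud Router, Cloud NAT and NAT addresses are created in this project instead of project_id."
}

locals {
  # Cloud NAT must live in the project that owns the network. With shared VPC
  # that is the host project; otherwise it is the service project itself.
  nat_project_id = var.host_project_id != null ? var.host_project_id : var.project_id
}

resource "google_compute_address" "vault-nat" {
  count   = var.allow_public_egress ? 2 : 0
  project = local.nat_project_id
  name    = "vault-nat-external-${count.index}"
  region  = var.region

  depends_on = [google_project_service.service]
}

resource "google_compute_router" "vault-router" {
  count   = var.allow_public_egress ? 1 : 0
  name    = "vault-router"
  project = local.nat_project_id
  region  = var.region
  network = local.network

  bgp {
    asn = 64514
  }

  depends_on = [google_project_service.service]
}

resource "google_compute_router_nat" "vault-nat" {
  count   = var.allow_public_egress ? 1 : 0
  name    = "vault-nat-1"
  project = local.nat_project_id
  router  = google_compute_router.vault-router[0].name
  region  = var.region

  # The reserved addresses are now in the same project as the router,
  # which is what MANUAL_ONLY allocation requires.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = google_compute_address.vault-nat.*.self_link

  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = local.subnet
    source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE"]
  }

  depends_on = [google_project_service.service]
}
```

Two things to check before relying on this. The identity running terraform must be allowed to create routers, NAT configurations and regional addresses in the host project, not only in the service project, so the host project needs the corresponding compute IAM grants. And the existing depends_on = [google_project_service.service] only enables the Compute API in var.project_id; the host project has to have it enabled already, since the module does not manage services there.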