This module handles opinionated Google Cloud Platform Cloud NAT creation and configuration.
NOTE: It is recommended to use the Cloud Router module instead of this module. The Cloud Router module is more flexible and can be used to manage resources in addition to NATs such as interconnects.
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.4.0.
There are multiple examples included in the examples folder but simple usage is as follows:
module "cloud-nat" {
source = "terraform-google-modules/cloud-nat/google"
version = "~> 1.2"
project_id = var.project_id
region = var.region
router = google_compute_router.router.name
}
Then perform the following commands on the root folder:
terraform init
to get the pluginsterraform plan
to see the infrastructure planterraform apply
to apply the infrastructure buildterraform destroy
to destroy the built infrastructure
Name | Description | Type | Default | Required |
---|---|---|---|---|
create_router | Create router instead of using an existing one, uses 'router' variable for new resource name. | bool |
false |
no |
enable_endpoint_independent_mapping | Specifies if endpoint independent mapping is enabled. | bool |
null |
no |
icmp_idle_timeout_sec | Timeout (in seconds) for ICMP connections. Defaults to 30s if not set. Changing this forces a new NAT to be created. | string |
"30" |
no |
log_config_enable | Indicates whether or not to export logs | bool |
false |
no |
log_config_filter | Specifies the desired filtering of logs on this NAT. Valid values are: "ERRORS_ONLY", "TRANSLATIONS_ONLY", "ALL" | string |
"ALL" |
no |
min_ports_per_vm | Minimum number of ports allocated to a VM from this NAT config. Defaults to 64 if not set. Changing this forces a new NAT to be created. | string |
"64" |
no |
name | Defaults to 'cloud-nat-RANDOM_SUFFIX'. Changing this forces a new NAT to be created. | string |
"" |
no |
nat_ip_allocate_option | Value inferred based on nat_ips. If present set to MANUAL_ONLY, otherwise AUTO_ONLY. | string |
"false" |
no |
nat_ips | List of self_links of external IPs. Changing this forces a new NAT to be created. | list(string) |
[] |
no |
network | VPN name, only if router is not passed in and is created by the module. | string |
"" |
no |
project_id | The project ID to deploy to | any |
n/a | yes |
region | The region to deploy to | any |
n/a | yes |
router | The name of the router in which this NAT will be configured. Changing this forces a new NAT to be created. | any |
n/a | yes |
router_asn | Router ASN, only if router is not passed in and is created by the module. | string |
"64514" |
no |
source_subnetwork_ip_ranges_to_nat | Defaults to ALL_SUBNETWORKS_ALL_IP_RANGES. How NAT should be configured per Subnetwork. Valid values include: ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS. Changing this forces a new NAT to be created. | string |
"ALL_SUBNETWORKS_ALL_IP_RANGES" |
no |
subnetworks | n/a | list(object({ |
[] |
no |
tcp_established_idle_timeout_sec | Timeout (in seconds) for TCP established connections. Defaults to 1200s if not set. Changing this forces a new NAT to be created. | string |
"1200" |
no |
tcp_transitory_idle_timeout_sec | Timeout (in seconds) for TCP transitory connections. Defaults to 30s if not set. Changing this forces a new NAT to be created. | string |
"30" |
no |
udp_idle_timeout_sec | Timeout (in seconds) for UDP connections. Defaults to 30s if not set. Changing this forces a new NAT to be created. | string |
"30" |
no |
Name | Description |
---|---|
name | Name of the Cloud NAT |
nat_ip_allocate_option | NAT IP allocation mode |
region | Cloud NAT region |
router_name | Cloud NAT router name |
Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:
- Terraform and kubectl are installed on the machine where Terraform is executed.
- The Service Account you execute the module with has the right permissions.
- The APIs are active on the project you will launch the cluster in.
- If you are using a Shared VPC, the APIs must also be activated on the Shared VPC host project and your service account needs the proper permissions there.
- Terraform >= 0.13.0
- terraform-provider-google plugin v3.52.0
In order to execute this module you must have a Service Account with the following project roles:
In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
- Compute Engine API - compute.googleapis.com
Refer to the contribution guidelines for information on contributing to this module.