How to add the `default-allow-http` - google-cloud-platform

How to add the default-allow-http firewall rule in a terraform script to a Google Cloud Compute Instance?
provider "google" {
credentials = file("CREDENTIAL_FILE")
project = "gitlab-project"
region = var.region
}
resource "google_compute_instance" "gitlab" {
name = var.machine_specs.name
machine_type = var.machine_type.emicro
zone = var.zone
boot_disk {
initialize_params {
image = var.machine_specs.os
size = var.machine_specs.size
}
}
network_interface {
# A default network is created for all GCP projects
network = "default"
access_config {
nat_ip = google_compute_address.static.address
}
}
// Add the SSH key
metadata = {
ssh-keys = "martin:${file("~/.ssh/id_rsa.pub")}"
}
}
// A variable for extracting the external ip of the instance
output "ip" {
value = "${google_compute_instance.gitlab.network_interface.0.access_config.0.nat_ip}"
}
resource "google_compute_address" "static" {
name = "ipv4-address"
address_type = "EXTERNAL"
address = "XXX.XXX.XXX.XXX"
}
resource "google_compute_firewall" "allow-http" {
name = "default-allow-http"
network =
allow{
protocol = "tcp"
ports = ["80"]
}
}

You can use tags argument available in google_compute_instance resource.
it would look something like:
resource "google_compute_instance" "gitlab" {
name = var.machine_specs.name
machine_type = var.machine_type.emicro
zone = var.zone
tags = ["http-server"]
http-server tag is for default-allow-http firewall rule.
If you need default-allow-https then simply append https-server to the tag list.
Hope this helps.

You need to add the tags ["http-server", "https-server"] to your resource group google_compute_instance like so:
[...]
resource "google_compute_instance" "gitlab" {
name = var.machine_specs.name
machine_type = var.machine_type.emicro
zone = var.zone
tags = ["http-server", "https-server"]
[...]

Simply add the tags http-server and https-server to your google_cloud_instance resource gruop.
The tags can be found in the Firewall-settings in your GCloud-Console.

Related

associate a fixed private ip address on gcp compute machine with terraform

i have this terraform to use to assign a static private ip address to a new machine
i run this terraform but i still see
Error: Error creating instance: googleapi: Error 400: Invalid value
for field 'resource.networkInterfaces[0].networkIP':
'192.168.128.206'. IP address
'projects/prj-xxxxx/regions/europe-xxx/addresses/demo-xxxx-nodoa-c'
(192.168.128.206') is reserved by another project., invalid
this i the code used
resource "google_compute_address" "static-ip" {
for_each = toset(var.zones)
name = "${local.infra_id}-nodoa-${each.key}"
project = var.host_project.project_id
address_type = "INTERNAL"
region = var.region
purpose = "GCE_ENDPOINT"
subnetwork = var.host_project.nodoa_subnet_name
}
resource "google_compute_instance" "nodoa" {
for_each = toset(var.zones)
project = var.service_project.project_id
name = "${local.infra_id}-nodoa-${each.key}"
hostname = "${local.infra_id}-nodoa-${each.key}.${local.subdomain}"
machine_type = "xxx"
zone = "${var.region}-${each.key}"
network_interface {
subnetwork = var.host_project.nodoa_subnet_name
subnetwork_project = var.host_project.project_id
network_ip = google_compute_address.static-ip[each.key].address
}
boot_disk {
initialize_params {
image = var.rhcos_gcp_image
size = var.install_config_params.disk_size
type = "pd-ssd"
}
kms_key_self_link = ecr
}
#cava cavamagie I guess you need to specify 'network_ip' block inside access_config block.
access_config {
nat_ip = google_compute_address.static-ip[each.key].address
}
So in general your resource block for "google_compute_instance" should look like below
resource "google_compute_instance" "nodoa" {
for_each = toset(var.zones)
project = var.service_project.project_id
name = "${local.infra_id}-nodoa-${each.key}"
hostname = "${local.infra_id}-nodoa-${each.key}.${local.subdomain}"
machine_type = "xxx"
zone = "${var.region}-${each.key}"
network_interface {
subnetwork = var.host_project.nodoa_subnet_name
subnetwork_project = var.host_project.project_id
access_config {
nat_ip = google_compute_address.static-ip[each.key].address
}
}
boot_disk {
initialize_params {
image = var.rhcos_gcp_image
size = var.install_config_params.disk_size
type = "pd-ssd"
}
kms_key_self_link = ecr
}
Reference : How to map static IP to terraform google compute engine instance?

Terraform Shared VPC on GCP - Static Internal IP address

I am attempting to write automation to deploy instances in a shared VPC on GCP. I have a host network project and a service project. I can create a static internal IP address resource in the host project (resource "google_compute_address" "internal") in which I specify the VPC host project (NET_HUB_PROJ) but I am unable to use it when creating the instance. I receive the following error:
google_compute_instance.compute: Error creating instance: googleapi:
Error 400: Invalid value for field
'resource.networkInterfaces[0].networkIP': '10.128.0.10'. IP address
'projects/prototype-network-hub/regions/us-central1/addresses/bh-int-
ip' (10.128.0.10) is reserved by another project., invalid
My compute module:
data "google_compute_image" "image" {
name = "${var.IMAGE_NAME}"
project = "${var.IMAGE_PROJECT}"
}
resource "google_compute_address" "internal" {
name = "${var.NAME}-int-ip"
address_type = "INTERNAL"
address = "${var.PRIVATE_IP}"
subnetwork = "${var.NET_HUB_SUBNETWORK}"
region = "${var.NET_HUB_REGION}"
project = "${var.NET_HUB_PROJ}"
}
resource "google_compute_address" "external" {
count = "${var.EXT_IP_CREATE ? 1 : 0}"
name = "${var.NAME}-ext-ip"
address_type = "EXTERNAL"
region = "${var.REGION}"
}
resource "google_compute_instance" "compute" {
depends_on = ["google_compute_address.external"]
name = "${var.NAME}"
machine_type = "${var.MACHINE_TYPE}"
zone = "${var.ZONE}"
can_ip_forward = "${var.CAN_IP_FORWARD}"
deletion_protection ="${var.DELETION_PROTECTION}"
allow_stopping_for_update = "${var.ALLOW_STOPPING_FOR_UPDATE}"
tags = ["allow-ssh"]
metadata = {
"network" = "${var.NETWORK}"
"env" = "${var.ENV}"
"role" = "${var.ROLE}"
"region" = "${var.REGION}"
"zone" = "${var.ZONE}"
}
labels = {
"network" = "${var.NETWORK}"
"env" = "${var.ENV}"
"role" = "${var.ROLE}"
"region" = "${var.REGION}"
"zone" = "${var.ZONE}"
}
boot_disk {
device_name = "${var.NAME}"
auto_delete = "${var.BOOT_DISK_AUTO_DELETE}"
initialize_params {
size = "${var.BOOT_DISK_SIZE}"
type = "${var.BOOT_DISK_TYPE}"
image = "${data.google_compute_image.image.self_link}"
}
}
network_interface {
network_ip = "${google_compute_address.internal.address}"
subnetwork_project = "${var.NET_HUB_PROJ}"
subnetwork = "projects/prototype-network-hub/regions/us-central1/subnetworks/custom"
access_config {
nat_ip = "${element(concat(google_compute_address.external.*.address, list("")), 0)}"
}
}
service_account {
scopes = ["service-control", "service-management", "logging-write", "monitoring-write", "storage-ro", "https://www.googleapis.com/auth/trace.append" ]
}
}
The end goal would be to accomplish the following:
EDIT (new answer):
Per the GCP documentation, the static internal IP must belong to the service project (not the host network project as in your code) if you're looking to reserve internal IP on a shared VPC in a different project. See here:
https://cloud.google.com/vpc/docs/provisioning-shared-vpc#reserve_internal_ip
Seeing as a shared-vpc is unlikely to be found in your TF codebase, you'll have to use data to get the self_link of the subnetwork to use for google_compute_address. Something like the following:
data "google_compute_subnetwork" "subnet" {
name = "${var.NET_HUB_SUBNETWORK}"
project = "${var.NET_HUB_PROJ}"
region = "${var.NET_HUB_REGION}"
}
resource "google_compute_address" "internal" {
name = "${var.NAME}-int-ip"
address_type = "INTERNAL"
address = "${var.PRIVATE_IP}"
subnetwork = "${data.google_compute_subnetwork.subnet.self_link}"
}
This should create the resource under your service project, yet with an address within the designated subnet.
When you deploy your instance you should see it referenced under the internal_ip column on your VM instances tab for the assigned instance.
(old answer for posterity):
Unfortunately, google_compute_address doesn't contain a subnetwork_project like google_compute_instance. A fix around this is to provide a full URL to the subnetwork field in google_compute_address. Something like the following:
resource "google_compute_address" "internal" {
name = "${var.NAME}-int-ip"
address_type = "INTERNAL"
address = "${var.PRIVATE_IP}"
subnetwork = "https://www.googleapis.com/compute/v1/projects/${var.NET_HUB_PROJ}/regions/${var.NET_HUB_REGION}/subnetworks/${var.NET_HUB_SUBNETWORK}"
}
Adding my solution below:-
resource "google_compute_address" "internal_ip" {
count = 1
name = "${local.cluster_name}-int-ip-${count.index}"
project = <service project id>
subnetwork = <host project subnet self_link>
address_type = "INTERNAL"
region = "asia-northeast1"
purpose = "GCE_ENDPOINT"
}
output "internal_ipaddr_info" {
value = google_compute_address.internal_ip
}
resource "google_compute_instance" "test" {
project = module.gcp_service_project.project_id
name = "eps-gce-vm-d-swmgr-ane1-test"
machine_type = "n1-standard-1"
zone = "asia-northeast1-a"
can_ip_forward = true
boot_disk {
initialize_params {
image = "centos7"
}
}
network_interface {
subnetwork = <host project subnet self_link>
network_ip = google_compute_address.internal_ip[0].self_link
}
}

Dynamic network interface for Compute Instance module

We've Terraform module that creates compute_instance.
Some instances should get public IP.
Public IP created when you define "access_config {}" property under network_interface:
network_interface {
network = "default"
access_config {
}
}
We try to inject dynamically the network interface and the access_config from
"production/Main.tf" that called to this module:
module "arbiter" {
source = "../modules/compute"
name = "arbiter"
machine_type = "custom-1-2048"
zones = ["europe-west2-a"]
tags = ["mongo-db"]
metadata = {
sshKeys = "${var.ssh_user}:${file("ssh-keys/main.rsa.pub")}"
}
network_interface = { -> this line is worng
network = "default"
}
}
How can we inject a dynamic object to network_interface property?
Is it possible with Terraform if not, What are the alternatives?
In your arbiter module do this:
variable "external_ip" {
description = "Controls if VM gets external IP"
default = false
}
locals {
access_config = {
"0" = []
"1" = [{}]
}
}
resource "google_compute_instance" "arbiter" {
name = "${var.name}"
machine_type = "${var.type}"
zone = "${var.zones}"
tags = "${var.tags}"
metadata = "${var.metadata}"
boot_disk {
initialize_params {
image = "some/image"
}
}
network_interface {
network = "default"
access_config = "${local.access_config[var.external_ip]}"
}
}
Then, when using the module, you can specify external_ip variable to indicate that VM should be accessible from the internet.
module "arbiter" {
source = "../modules/compute"
name = "arbiter"
machine_type = "custom-1-2048"
zones = ["europe-west2-a"]
tags = ["mongo-db"]
metadata = {
sshKeys = "${var.ssh_user}:${file("ssh-keys/main.rsa.pub")}"
}
external_ip = true
}
More details about Terraform and null values tricks: Null values in Terraform v0.11.x

Configuring Terraform GKE Plugin IP Ranges for pods and services

I'm trying to use the Terraform Module for GKE but I'm not sure how to configure the properties ip_range_pods and ip_range_services.
Specifically, I'm not sure how they derived these values:
ip_range_pods = "us-central1-01-gke-01-pods"
ip_range_services = "us-central1-01-gke-01-services"
The ip_range_pods and ip_range_services map to the ip_allocation_policy cluster_secondary_range_name and services_secondary_range_name attributes of the google_container_cluster resource as can be seen in the module source:
resource "google_container_cluster" "zonal_primary" {
# ...
ip_allocation_policy {
cluster_secondary_range_name = "${var.ip_range_pods}"
services_secondary_range_name = "${var.ip_range_services}"
}
}
These need to be existing ranges in a subnetwork such as created by the google_compute_subnetwork resource:
resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
name = "test-subnetwork"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = "${google_compute_network.custom-test.self_link}"
secondary_ip_range {
range_name = "tf-test-secondary-range-update1"
ip_cidr_range = "192.168.10.0/24"
}
}
resource "google_compute_network" "custom-test" {
name = "test-network"
auto_create_subnetworks = false
}

How to load balance google compute instance using terraform?

In my terraform configuration file, I define my resource like so:
resource "google_compute_instance" "test" {
...
count = 2
}
What I now want is to create load balancer, that will balance between two instances of my google compute instance. Unfortunatelly, I could not find in documentation anything relative to this task. It seems like google_compute_target_pool or google_compute_lb_ip_ranges have nothing to do with my problem.
You would have to use 'forwarding rules' as indicated on this terraform document. To use load balancing and protocol forwarding, you must create a forwarding rule that directs traffic to specific target instances. The use on Cloud Platform of forwarding rules you can find here.
In common cases you can use something like the following:
resource "google_compute_instance" "test" {
name = "nlb-node${count.index}"
zone = "europe-west3-b"
machine_type = "f1-micro"
count = 2
boot_disk {
auto_delete = true
initialize_params {
image = "ubuntu-os-cloud/ubuntu-1604-lts"
size = 10
type = "pd-ssd"
}
}
network_interface {
subnetwork = "default"
access_config {
nat_ip = ""
}
}
service_account {
scopes = ["userinfo-email", "compute-ro", "storage-ro"]
}
}
resource "google_compute_http_health_check" "nlb-hc" {
name = "nlb-health-checks"
request_path = "/"
port = 80
check_interval_sec = 10
timeout_sec = 3
}
resource "google_compute_target_pool" "nlb-target-pool" {
name = "nlb-target-pool"
session_affinity = "NONE"
region = "europe-west3"
instances = [
"${google_compute_instance.test.*.self_link}"
]
health_checks = [
"${google_compute_http_health_check.nlb-hc.name}"
]
}
resource "google_compute_forwarding_rule" "network-load-balancer" {
name = "nlb-test"
region = "europe-west3"
target = "${google_compute_target_pool.nlb-target-pool.self_link}"
port_range = "80"
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
}
You can get load balancer external ip via ${google_compute_forwarding_rule.network-load-balancer.ip_address}
// output.tf
output "network_load_balancer_ip" {
value = "${google_compute_forwarding_rule.network-load-balancer.ip_address}"
}