Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/memes/terraform-google-multi-region-private-network
Terraform module to create a private global VPC network with subnets in the specified regions, with each subnet receiving a CIDR of specified size.
https://github.com/memes/terraform-google-multi-region-private-network
Last synced: 7 days ago
JSON representation
Terraform module to create a private global VPC network with subnets in the specified regions, with each subnet receiving a CIDR of specified size.
- Host: GitHub
- URL: https://github.com/memes/terraform-google-multi-region-private-network
- Owner: memes
- License: apache-2.0
- Created: 2023-02-12T01:41:08.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-10-28T22:08:37.000Z (3 months ago)
- Last Synced: 2024-10-28T23:19:27.511Z (3 months ago)
- Language: Ruby
- Size: 164 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
# Multi-region VPC network module
[](CODE_OF_CONDUCT.md)
This Terraform module creates an opinionated private global VPC network that spans
the regions provided, with each subnet receiving a calculated CIDR of requested
size from the network CIDR.
The default configuration will create a VPC network with the following properties:
* For each region, a `/24` subnet from `172.16.0.0/12`, with no secondary ranges
* Private by default
* Default route to internet (0.0.0.0/0) is deleted
* Private Google API access is enabled to support VPC Service Controls
* Private connectivity route is added to support VPC Service Controls
> NOTE: Private Cloud DNS zones and bastions are not managed by this module;
> see [restricted-apis-dns] and [private-bastion] for those.
Optionally, a Cloud NAT gateway can be added to each region to allow for controlled
egress traffic, and IPv6 ULA addressing enabled.
## Opinions
1. The network should be defined as a CIDR; the module will allocate sub-CIDRs to
regions as needed.
2. The network will be **private** by default
3. Module consumers can override CIDRs, and option flags, but must explicitly set
all the `cidrs` and/or `options` fields. Nothing is inferred by omission.
4. Firewall rules, additional routes, and other per-application settings should
not be managed by this module.
> NOTE: The intent of this module is to easily repeat common VPC network patterns
> I use to deploy in Google Cloud; it is not a general purpose VPC network creation
> tool. Use Google's [network] module for that purpose.
## Examples
### East-west dual region private VPC network
|Item|Enabled/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs||None added|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route||None added|
|MTU|✓|1460|
|Cloud NAT|||
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
name = "internal-us"
regions = ["us-east1", "us-west1"]
}
```
### East-west dual region private VPC network, with primary subnet offset and steps
|Item|Enabled/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (as `172.16.10.0/16`, `172.16.20.0/16`)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs||None added|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route||None added|
|MTU|✓|1460|
|Cloud NAT|||
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
name = "internal-us"
regions = ["us-east1", "us-west1"]
cidrs = {
primary_ipv4_cidr = "172.16.0.0/12"
primary_ipv4_subnet_size = 24
primary_ipv4_subnet_offset = 10
primary_ipv4_subnet_step = 10
primary_ipv6_cidr = null
secondaries = {}
}
}
```
### East-west dual region with secondary ranges for GKE
|Item|Enabled/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs|✓|• `pods` CIDR `10.x.0.0/16` per region
• `services` CIDR `10.100.x.0/24` per region|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route||None added|
|MTU|✓|1460|
|Cloud NAT||Not enabled|
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
cidrs = {
primary_ipv4_cidr = "172.16.0.0/12"
primary_ipv4_subnet_size = 24
primary_ipv4_subnet_offset = 0
primary_ipv4_subnet_step = 1
primary_ipv6_cidr = null
secondaries = {
pods = {
ipv4_cidr = "10.0.0.0/8"
ipv4_subnet_size = 16
ipv4_subnet_offset = 0
ipv4_subnet_step = 1
}
services = {
ipv4_cidr = "10.100.0.0/16"
ipv4_subnet_size = 24
ipv4_subnet_offset = 0
ipv4_subnet_step = 1
}
}
}
}
```
### East-west dual region with Cloud NAT
|Item|Managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs||None added|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Not deleted - Cloud NAT requires a default internet route be in place|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route||None added|
|MTU|✓|1460|
|Cloud NAT|✓|A Cloud Router and Cloud NAT will be created in each region|
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
options = {
mtu = 1460
delete_default_routes = false
restricted_apis = true
private_apis = false
routing_mode = "GLOBAL"
nat = true
nat_tags = null
flow_logs = null
nat_logs = null
ipv6_ula = false
}
}
```
### East-west dual region with auto-allocated IPv6 CIDR
|Item|Enable/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR|✓|Auto-allocated `/48` from `fd20::/20` (`/64` per region)|
|Secondary IPv4 CIDRs||None added|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route||None added|
|MTU|✓|1460|
|Cloud NAT||Not enabled|
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
options = {
mtu = 1460
delete_default_routes = true
restricted_apis = true
private_apis = false
routing_mode = "GLOBAL"
nat = true
nat_tags = null
flow_logs = null
nat_logs = null
ipv6_ula = true
}
}
```
### East-west dual region with explicit IPv6 CIDR
|Item|Enable/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR|✓|`fd20:0:0309:0:0:0:0:0/48` (`/64` per region)|
|Secondary IPv4 CIDRs||None added|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
restricted_apis = true
|MTU|✓|1460|
|Cloud NAT||Not enabled|
|*Restricted Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
cidrs = {
primary_ipv4_cidr = "172.16.0.0/12"
primary_ipv4_subnet_size = 24
primary_ipv4_subnet_offset = 0
primary_ipv4_subnet_step = 1
primary_ipv6_cidr = "fd20:0:0309:0:0:0:0:0/48"
secondaries = {}
}
options = {
mtu = 1460
delete_default_routes = true
restricted_apis = true
private_apis = false
routing_mode = "GLOBAL"
nat = true
nat_tags = null
flow_logs = null
nat_logs = null
ipv6_ula = true
}
}
```
### East-west dual region with Private Google APIs access
|Item|Enabled/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs||Not enabled|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route||None added|
|Private API route|✓|A route for private Google API endpoints is added|
|MTU|✓|1460|
|Cloud NAT||Not enabled|
|*Private Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
cidrs = {
primary_ipv4_cidr = "172.16.0.0/12"
primary_ipv4_subnet_size = 24
primary_ipv4_subnet_offset = 0
primary_ipv4_subnet_step = 1
primary_ipv6_cidr = null
secondaries = {}
}
options = {
mtu = 1460
delete_default_routes = true
restricted_apis = false
private_apis = true
routing_mode = "GLOBAL"
nat = false
nat_tags = null
flow_logs = null
nat_logs = null
ipv6_ula = false
}
}
```
### East-west dual region with Private and Restricted Google APIs access
|Item|Enabled/managed by module|Description|
|----|-----------------|-----------|
|Regions|✓|`us-east1` and `us-west1`|
|Primary IPv4 CIDR|✓|`172.16.0.0/12` (`/24` per region)|
|Primary IPv6 CIDR||Not enabled|
|Secondary IPv4 CIDRs||Not enabled|
|VPC routing mode|✓|GLOBAL|
|Default internet route|✓|Deleted; VPC will not route to internet|
|Restricted API route|✓|A route for restricted Google API endpoints is added|
|Private API route|✓|A route for private Google API endpoints is added|
|MTU|✓|1460|
|Cloud NAT||Not enabled|
|*Restricted and Private Google API DNS zone(s)*||*Not managed by this module; see [restricted-apis-dns]*|
|*Bastion*||*Not managed by this module; see [private-bastion]*|
```hcl
module "vpc" {
source = "memes/multi-region-private-network/google"
version = "3.0.0"
project_id = "my-project-id"
regions = ["us-east1", "us-west1"]
cidrs = {
primary_ipv4_cidr = "172.16.0.0/12"
primary_ipv4_subnet_size = 24
primary_ipv4_subnet_offset = 0
primary_ipv4_subnet_step = 1
primary_ipv6_cidr = null
secondaries = {}
}
options = {
mtu = 1460
delete_default_routes = true
restricted_apis = false
private_apis = true
routing_mode = "GLOBAL"
nat = false
nat_tags = null
flow_logs = null
nat_logs = null
ipv6_ula = false
}
}
```
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.2 |
| [google](#requirement\_google) | >= 4.42 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [regions](#module\_regions) | memes/region-detail/google | 1.1.6 |
## Resources
| Name | Type |
|------|------|
| [google-beta_google_compute_subnetwork.subnet](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_subnetwork) | resource |
| [google_compute_network.network](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) | resource |
| [google_compute_route.private_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
| [google_compute_route.restricted_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
| [google_compute_route.tagged_nat](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
| [google_compute_router.nat](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router) | resource |
| [google_compute_router_nat.nat](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router_nat) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [project\_id](#input\_project\_id) | The GCP project identifier where the VPC network will be created. | `string` | n/a | yes |
| [regions](#input\_regions) | The list of Compute Engine regions in which to create the VPC subnetworks. | `list(string)` | n/a | yes |
| [cidrs](#input\_cidrs) | Sets the primary IPv4 CIDR and regional subnet size to use with the network,
an optional IPv6 ULA CIDR to use with the network, and any optional secondary
IPv4 CIDRs and sizes. |
object({
primary_ipv4_cidr = string
primary_ipv4_subnet_size = number
primary_ipv4_subnet_offset = number
primary_ipv4_subnet_step = number
primary_ipv6_cidr = string
secondaries = map(object({
ipv4_cidr = string
ipv4_subnet_size = number
ipv4_subnet_offset = number
ipv4_subnet_step = number
}))
}) | {
"primary_ipv4_cidr": "172.16.0.0/12",
"primary_ipv4_subnet_offset": 0,
"primary_ipv4_subnet_size": 24,
"primary_ipv4_subnet_step": 1,
"primary_ipv6_cidr": null,
"secondaries": {}
} | no |
| [description](#input\_description) | A descriptive value to apply to the VPC network. Default value is 'custom vpc'. | `string` | `"custom vpc"` | no |
| [name](#input\_name) | The name to use when naming resources managed by this module. Must be RFC1035
compliant and between 1 and 55 characters in length, inclusive. | `string` | `"restricted"` | no |
| [options](#input\_options) | The set of options to use when creating the VPC network. | object({
mtu = number
delete_default_routes = bool
restricted_apis = bool
routing_mode = string
nat = bool
nat_tags = set(string)
flow_logs = bool
nat_logs = bool
ipv6_ula = bool
private_apis = bool
}) | {
"delete_default_routes": true,
"flow_logs": false,
"ipv6_ula": false,
"mtu": 1460,
"nat": false,
"nat_logs": false,
"nat_tags": null,
"private_apis": false,
"restricted_apis": true,
"routing_mode": "GLOBAL"
} | no |
## Outputs
| Name | Description |
|------|-------------|
| [self\_link](#output\_self\_link) | The fully-qualified self-link URI of the created VPC network. |
| [subnets\_by\_name](#output\_subnets\_by\_name) | A map of subnet name to region, self\_link, and CIDRs. |
| [subnets\_by\_region](#output\_subnets\_by\_region) | A map of subnet region to name, self\_link, and CIDRs. |
[network]: https://registry.terraform.io/modules/terraform-google-modules/network/google/latest?tab=readme
[restricted-apis-dns]: https://registry.terraform.io/modules/memes/restricted-apis-dns/google/latest?tab=readme
[private-bastion]: https://registry.terraform.io/modules/memes/private-bastion/google/latest?tab=readme