diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6b0abae
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,34 @@
+# Local .terraform Directories
+**/.terraform/*
+
+# .tfstate Files
+*.tfstate
+*.tfstate.*
+
+# Crash Log Files
+crash.log
+crash.*.log
+
+# Exclude All .tfvars Files, which are likely to contain Sensitive Data, such as
+# Passwords, Private Keys, and other secrets. These should not be part of Version
+# Control as they are Data Points which are potentially sensitive and subject
+# to change, depending on the Environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore Override Files as they are usually used to override resources locally and so
+# are not checked in.
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include Override Files you do wish to add to Version Control using Negated Pattern.
+# !example_override.tf
+
+# Include tfplan Files to ignore the Plan Output of Command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI Configuration Files
+.terraformrc
+terraform.rc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8687515
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# terraform-google-vpc-network
+
+Terraform Google VPC Network
diff --git a/firewall-rule/main.tf b/firewall-rule/main.tf
new file mode 100644
index 0000000..f31b77b
--- /dev/null
+++ b/firewall-rule/main.tf
@@ -0,0 +1,24 @@
+resource "google_compute_firewall" "default" {
+ provider = google
+
+ name = var.name
+ description = var.description
+
+ network = var.network
+
+ priority = var.priority
+
+ dynamic "allow" {
+ for_each = var.allow
+
+ content {
+ ports = lookup(allow.value, "ports", null)
+ protocol = allow.value.protocol
+ }
+ }
+
+ source_ranges = var.source_ranges
+
+ source_tags = var.source_tags
+ target_tags = var.target_tags
+}
diff --git a/firewall-rule/output.tf b/firewall-rule/output.tf
new file mode 100644
index 0000000..e69de29
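Review bot: The `google_compute_firewall` resource sets `source_ranges` and `source_tags` from inputs that both default to `[]` in variables.tf and sets no `source_service_accounts` or `direction`, so a caller that forgets every source selector gets an INGRESS rule with no source restriction at all, which the Compute API, as far as I recall, treats as `0.0.0.0/0` rather than rejecting; the module silently opens the rule to the internet instead of failing. I would fail at plan time with a `lifecycle { precondition }` that requires at least one source selector, and consider exposing an optional `log_config` block so rules can be logged for detection. Also note that `lookup(allow.value, "ports", null)` means an `allow` entry without `ports` permits every port of that protocol, which matches the API but deserves a comment on the `ports` line.
```hcl
  # … unchanged: name, description, network, priority, dynamic "allow" …
  source_tags = var.source_tags
  target_tags = var.target_tags

  # Fail fast instead of letting the API default an ingress rule with no
  # source selector to 0.0.0.0/0.
  lifecycle {
    precondition {
      condition     = length(var.source_ranges) > 0 || length(var.source_tags) > 0
      error_message = "At least one of source_ranges or source_tags must be set for an ingress firewall rule."
    }
  }
}
```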
diff --git a/firewall-rule/variables.tf b/firewall-rule/variables.tf
new file mode 100644
index 0000000..0fda291
--- /dev/null
+++ b/firewall-rule/variables.tf
@@ -0,0 +1,49 @@
+variable "name" {
+ type = string
+ description = "The name of the firewall rule"
+}
+
+variable "description" {
+ type = string
+ description = "The description of the firewall rule"
+}
+
+variable "network" {
+ type = string
+ description = "The network this firewall rule applies to"
+}
+
+variable "priority" {
+ type = string
+ description = "The firewall rule priority"
+
+ default = "1000"
+}
+
+variable "allow" {
+ type = list(any)
+ description = "The protocol and port to allow"
+
+ default = []
+}
+
+variable "source_ranges" {
+ type = list(string)
+ description = "A list of source CIDR ranges that this firewall applies to"
+
+ default = []
+}
+
+variable "source_tags" {
+ type = list(any)
+ description = "A list of source tags for this firewall rule"
+
+ default = []
+}
+
+variable "target_tags" {
+ type = list(any)
+ description = "A list of target tags for this firewall rule"
+
+ default = []
+}
diff --git a/firewall-rule/versions.tf b/firewall-rule/versions.tf
new file mode 100644
index 0000000..b7fdacb
--- /dev/null
+++ b/firewall-rule/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = "~> v1.6.2"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.4.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 5.4.0"
+ }
+ }
+}
diff --git a/network/main.tf b/network/main.tf
new file mode 100644
index 0000000..53f40d1
--- /dev/null
+++ b/network/main.tf
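Review bot: `variable "allow"` is typed `list(any)`, and Terraform requires every element of a `list(any)` to unify to one type, so a single call mixing `{ protocol = "icmp" }` with `{ protocol = "tcp", ports = ["22"] }` is rejected at plan time even though main.tf's `lookup(..., "ports", null)` is written to handle the missing key; declare it as `type = list(object({ protocol = string, ports = optional(list(string)) }))` (the `1.6.x` constraint in versions.tf makes `optional()` available). `priority` is `type = string` with `default = "1000"` for a numeric provider attribute, and `source_tags`/`target_tags` are `list(any)`; tighten them to `type = number` / `default = 1000` and `list(string)` so a wrong value fails in the type check rather than at the API. A `validation` block on `source_ranges`, `condition = alltrue([for r in var.source_ranges : can(cidrhost(r, 0))])`, would also reject malformed CIDRs before they reach the firewall.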
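Review bot: `required_version = "~> v1.6.2"` carries a `v` prefix that is not the documented constraint syntax (`"~> 1.6.2"`); I believe the parser tolerates it, but it reads as a typo, and pinning `~>` at patch level confines every consumer to 1.6.x, tighter than a reusable module usually needs (`>= 1.6` is the common form). `google-beta` is listed in `required_providers` but no resource in this commit uses `provider = google-beta`, so consumers must install and configure a provider the module never touches; drop it until a beta resource needs it. This file is also duplicated verbatim in network/ and subnetwork/, so any constraint change has to be made three times.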
@@ -0,0 +1,26 @@
+resource "google_compute_network" "default" {
+ provider = google
+
+ name = var.name
+ description = var.description
+
+ auto_create_subnetworks = var.auto_create_subnetworks
+}
+
+# tfsec:ignore:google-compute-no-public-ingress
+module "icmp-access" {
+ source = "../firewall-rule"
+
+ name = "access-${var.name}-icmp"
+ description = "Access for internet control message protocol"
+
+ network = var.name
+
+ allow = [
+ {
+ protocol = "icmp"
+ }
+ ]
+
+ source_ranges = ["0.0.0.0/0"]
+}
diff --git a/network/output.tf b/network/output.tf
new file mode 100644
index 0000000..3099f75
--- /dev/null
+++ b/network/output.tf
@@ -0,0 +1,7 @@
+output "network" {
+ value = google_compute_network.default.name
+}
+
+output "network_link" {
+ value = google_compute_network.default.self_link
+}
diff --git a/network/variables.tf b/network/variables.tf
new file mode 100644
index 0000000..c28ffcd
--- /dev/null
+++ b/network/variables.tf
@@ -0,0 +1,18 @@
+variable "name" {
+ type = string
+ description = "Network name"
+}
+
+variable "description" {
+ type = string
+ description = "Network description"
+
+ default = ""
+}
+
+variable "auto_create_subnetworks" {
+ type = bool
+ description = "Auto create subnetworks"
+
+ default = false
+}
diff --git a/network/versions.tf b/network/versions.tf
new file mode 100644
index 0000000..b7fdacb
--- /dev/null
+++ b/network/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = "~> v1.6.2"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.4.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 5.4.0"
+ }
+ }
+}
diff --git a/subnetwork/main.tf b/subnetwork/main.tf
new file mode 100644
index 0000000..15edfb8
--- /dev/null
+++ b/subnetwork/main.tf
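Review bot: `network = var.name` in the `icmp-access` module call hands the firewall rule the raw input string instead of an attribute of `google_compute_network.default`, so Terraform infers no dependency between the two and can attempt to create the rule before the network exists; use `network = google_compute_network.default.name` (or `.self_link`) so ordering follows the graph. The rule also allows every ICMP type from `0.0.0.0/0` on each network this module creates, with no input to disable or narrow it, and the `tfsec:ignore` line gives no reason or expiry for accepting a public-ingress finding; I would gate the module with `count = var.allow_public_icmp ? 1 : 0` (a new bool defaulting to `false`) or make its `source_ranges` an input, and annotate the ignore with the justification. Separately, a tfsec ignore comment placed on a `module` block may not suppress a finding that the scanner raises on the resource inside the called module — verify it is actually honored there.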
@@ -0,0 +1,24 @@
+# tfsec:ignore:google-compute-enable-vpc-flow-logs
+resource "google_compute_subnetwork" "default" {
+ provider = google
+
+ name = var.name
+ description = var.description
+
+ region = var.region
+
+ network = var.network
+
+ private_ip_google_access = true
+
+ ip_cidr_range = var.cidr_range
+
+ dynamic "secondary_ip_range" {
+ for_each = var.secondary_ip_ranges
+
+ content {
+ ip_cidr_range = lookup(secondary_ip_range.value, "ip_cidr_range", null)
+ range_name = lookup(secondary_ip_range.value, "range_name", null)
+ }
+ }
+}
diff --git a/subnetwork/output.tf b/subnetwork/output.tf
new file mode 100644
index 0000000..90b922a
--- /dev/null
+++ b/subnetwork/output.tf
@@ -0,0 +1,11 @@
+output "subnetwork" {
+ value = google_compute_subnetwork.default.name
+}
+
+output "subnetwork_link" {
+ value = google_compute_subnetwork.default.self_link
+}
+
+output "ip_cidr_range" {
+ value = google_compute_subnetwork.default.ip_cidr_range
+}
diff --git a/subnetwork/variables.tf b/subnetwork/variables.tf
new file mode 100644
index 0000000..476d5f2
--- /dev/null
+++ b/subnetwork/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+ type = string
+ description = "Subnetwork name"
+}
+
+variable "description" {
+ type = string
+ description = "Subnetwork description"
+
+ default = ""
+}
+
+variable "region" {
+ type = string
+ description = "Subnetwork region"
+}
+
+variable "network" {
+ type = string
+ description = "Subnetwork parent network"
+}
+
+variable "cidr_range" {
+ type = string
+ description = "Subnetwork ip cidr range"
+}
+
+variable "secondary_ip_ranges" {
+ type = list(any)
+ description = "Subnetwork secondary ip cidr ranges"
+
+ default = []
+}
diff --git a/subnetwork/versions.tf b/subnetwork/versions.tf
new file mode 100644
index 0000000..b7fdacb
--- /dev/null
+++ b/subnetwork/versions.tf
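Review bot: The `tfsec:ignore:google-compute-enable-vpc-flow-logs` comment suppresses the finding without any justification, and the resource has no `log_config` and no input to enable one, so every subnetwork produced by this module ships with VPC flow logs off and no way to turn them on short of forking the module; flow logs are the primary network telemetry for incident response in GCP, so I would make them the default and let callers opt out rather than the reverse. The `lookup(..., null)` fallbacks in the `secondary_ip_range` block only defer a missing key to apply time, since, as far as I know, the provider requires both `range_name` and `ip_cidr_range`; a typed object variable would catch that at plan. Note also that `private_ip_google_access = true` is hard-coded, which is the right default but worth a one-line comment saying it is intentional.
```hcl
  # … unchanged: name, description, region, network, private_ip_google_access, ip_cidr_range …

  # Flow logs on by default; consumers opt out via var.enable_flow_logs (bool, default true).
  dynamic "log_config" {
    for_each = var.enable_flow_logs ? [1] : []

    content {
      aggregation_interval = "INTERVAL_5_SEC"
      flow_sampling        = 0.5
      metadata             = "INCLUDE_ALL_METADATA"
    }
  }

  # … unchanged: dynamic "secondary_ip_range" …
```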
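Review bot: `variable "secondary_ip_ranges"` is typed `list(any)` although main.tf reads exactly two keys from each element, so a misspelled key or a missing `range_name` passes validation and fails only at apply; declare it `type = list(object({ range_name = string, ip_cidr_range = string }))` so the contract is explicit and checked at plan. `cidr_range` is a bare `string` with no `validation` block; `condition = can(cidrhost(var.cidr_range, 0))` with a short `error_message` would reject malformed or non-CIDR input before the API call. Both changes are backward compatible for callers already passing well-formed values.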
@@ -0,0 +1,14 @@
+terraform {
+ required_version = "~> v1.6.2"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.4.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 5.4.0"
+ }
+ }
+}