- Presentation Subnetwork (public)
- Application Subnetwork (private)
- Database Subnetwork (private)

- Public Subnet: open to all external traffic (to resources tagged "public")
- Application Subnet: receives traffic from private IPs originating in the Public Subnet (to resources tagged "application")
- Database Subnet: receives traffic from private IPs originating in the Application Subnet (to resources tagged "database")
```hcl
provider "google" {
  project     = var.project_id
  region      = var.region
  zone        = var.zone
  credentials = file(var.credentials_file)
}

module "network" {
  source = "./network"

  # Remove the default 0.0.0.0/0 route: only the "igw-route" below gives
  # instances tagged "public" a path to the internet.
  delete_default_routes_on_create = true

  subnets = [
    {
      subnet_name     = "presentation-subnet"
      subnet_ip_range = "10.0.1.0/24"
      subnet_region   = "us-central1"
    },
    {
      subnet_name           = "application-subnet"
      subnet_ip_range       = "10.0.2.0/24"
      subnet_region         = "us-central1"
      subnet_private_access = true
    },
    {
      subnet_name           = "database-subnet"
      subnet_ip_range       = "10.0.3.0/24"
      subnet_region         = "us-central1"
      subnet_private_access = true
    },
  ]

  routes = [
    {
      name              = "igw-route"
      destination_range = "0.0.0.0/0"
      tags              = "public"
      next_hop_internet = "true"
    }
  ]

  # For INGRESS rules, "ranges" is the list of allowed source CIDRs and
  # "target_tags" selects the instances the rule protects.
  firewall_rules = [
    {
      # Presentation tier: reachable from any external address.
      name        = "presentation-firewall-rule"
      direction   = "INGRESS"
      ranges      = ["0.0.0.0/0"]
      target_tags = ["public"]
      source_tags = null
      allow = [{
        protocol = "all"
        ports    = null
      }]
      deny = []
    },
    {
      # Application tier: only from private IPs in the presentation subnet.
      name        = "application-firewall-rule"
      direction   = "INGRESS"
      ranges      = ["10.0.1.0/24"]
      target_tags = ["application"]
      source_tags = null
      allow = [{
        protocol = "all"
        ports    = null
      }]
      deny = []
    },
    {
      # Database tier: only from private IPs in the application subnet.
      name        = "database-firewall-rule"
      direction   = "INGRESS"
      ranges      = ["10.0.2.0/24"]
      source_tags = null
      target_tags = ["database"]
      allow = [{
        protocol = "all"
        ports    = null
      }]
      deny = []
    },
  ]
}
```
Then run the following commands from the root folder:

- `terraform init` to initialize Terraform
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure
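To check that a `firewall_rules` list actually enforces the tiering described above (each private tier accepts ingress only from the tier in front of it, and nothing allows all protocols from everywhere), here is an added Python policy check that is not part of this module. The input dicts are constructed to mirror the module call above, with the database rule deliberately pointed at its own subnet so the check has something to report.

```python
import ipaddress

# Tiers in upstream order: (target tag, subnet CIDR). Constructed to mirror
# the module call above; not read from Terraform state.
TIERS = [
    ("public", "10.0.1.0/24"),
    ("application", "10.0.2.0/24"),
    ("database", "10.0.3.0/24"),
]

# Constructed firewall_rules; the database rule deliberately allows its own
# subnet instead of the application subnet so the check reports it.
FIREWALL_RULES = [
    {"name": "presentation-firewall-rule", "direction": "INGRESS",
     "ranges": ["0.0.0.0/0"], "target_tags": ["public"],
     "allow": [{"protocol": "all", "ports": None}]},
    {"name": "application-firewall-rule", "direction": "INGRESS",
     "ranges": ["10.0.1.0/24"], "target_tags": ["application"],
     "allow": [{"protocol": "all", "ports": None}]},
    {"name": "database-firewall-rule", "direction": "INGRESS",
     "ranges": ["10.0.3.0/24"], "target_tags": ["database"],
     "allow": [{"protocol": "all", "ports": None}]},
]


def check_tiering(tiers, rules):
    """Return findings; an empty list means every INGRESS rule respects the tiering."""
    cidr = {tag: ipaddress.ip_network(c) for tag, c in tiers}
    # Each tier after the first may only be reached from the tier before it.
    allowed_src = {tiers[i][0]: cidr[tiers[i - 1][0]] for i in range(1, len(tiers))}
    findings = []
    for r in rules:
        if r["direction"] != "INGRESS":
            continue
        srcs = [ipaddress.ip_network(c) for c in r["ranges"]]
        for tag in r.get("target_tags") or []:
            if tag not in allowed_src:
                continue  # first tier: external sources are by design
            for src in srcs:
                if not src.subnet_of(allowed_src[tag]):
                    findings.append(f"{r['name']}: tier '{tag}' accepts {src}, "
                                    f"expected a range inside {allowed_src[tag]}")
        # All protocols from the whole internet deserves a second look even on the public tier.
        if any(a["protocol"] == "all" for a in r["allow"]) and any(s.prefixlen == 0 for s in srcs):
            wide = next(s for s in srcs if s.prefixlen == 0)
            findings.append(f"{r['name']}: allows all protocols from {wide}; "
                            "restrict to the ports this tier actually serves")
    return findings


if __name__ == "__main__":
    for line in check_tiering(TIERS, FIREWALL_RULES):
        print(line)
```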
Name | Description | Type |
---|---|---|
project_id | Set as the variable's "default" the name of the project where the resources will be created | string |
credentials_file | Set as the variable's "default" the path to your credentials file | string |
region | Set as the variable's "default" the region where your resources will be created by default | string |
zone | Set as the variable's "default" the zone where your resources will be created by default | string |

Name | Description | Type |
---|---|---|
gcp_vpc_name | The name of the created VPC | string |
auto_create_subnetworks | If "true", a subnet is created automatically in each region across the CIDR block range | bool |
routing_mode | The network routing mode | string |
delete_default_routes_on_create | If set to "true", the default routes (0.0.0.0/0) are deleted immediately after network creation | bool |

Name | Description | Type |
---|---|---|
subnet_name | The name of the subnet being created | string |
subnet_ip_range | The IP and CIDR range of the subnet being created | string |
subnet_region | The region where the subnet will be created | string |
subnet_private_access | Whether this subnet will have Private Google Access enabled | string |

Name | Description | Type |
---|---|---|
name | The name of the route being created | string |
tags | The network tags assigned to this route. This is a list in string format, e.g. "tag-01,tag-02" | string |
destination_range | The destination range of outgoing packets that this route applies to. Only IPv4 is supported | string |
next_hop_internet | Whether the next hop of this route will be the default internet gateway. Use "true" to enable this as the next hop | string |
next_hop_ip | Network IP address of an instance that should handle matching packets | string |
next_hop_instance | URL or name of an instance that should handle matching packets. If only a name is specified, "next_hop_instance_zone" is required | string |
next_hop_instance_zone | The zone of the instance specified in next_hop_instance. Only required if next_hop_instance is specified as a name | string |
next_hop_vpc_tunnel | URL to a VpnTunnel that should handle matching packets | string |
priority | The priority of this route. Priority is used to break ties where more than one route matches with equal prefix length; of two such routes, the one with the lowest-numbered priority value wins | string |

Name | Description | Type |
---|---|---|
name | The name of the firewall rule being created | string |
direction | Direction of traffic to which this firewall applies; default is INGRESS | string |
ranges | source_ranges if direction is INGRESS and destination_ranges if direction is EGRESS | list(string) |
source_tags | If source tags are specified, the firewall applies only to traffic whose source IP belongs to an instance carrying one of the listed tags | list(string) |
target_tags | A list of instance tags indicating the sets of instances in the network that may receive connections as specified in allow | list(string) |
allow | The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection | list(object) |
deny | The list of DENY rules specified by this firewall | list(object) |
protocol | The IP protocol to which this rule applies | string |
ports | An optional list of ports to which this rule applies | list(string) |