## Useful Links
// Private Google Access
//// Google Cloud - https://cloud.google.com/vpc/docs/private-google-access
//// Configuring - https://cloud.google.com/vpc/docs/configure-private-google-access
// Cloud DNS - Managed Zones
//// Terraform - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone
// Cloud DNS - Record Set
//// Terraform - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set
resource "random_id" "random_id_pga" {
  # One 2-byte suffix (4 hex characters via `.hex`) per private-zone key.
  # It is consumed by google_dns_managed_zone.managed_zones to build a
  # zone name that is unique per (mode, network, project, domain) entry.
  for_each    = local.map_private_google_access
  byte_length = 2
}
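locals {
  # One entry per (mode, API domain). For each entry the module creates a
  # private Cloud DNS zone for `domain`, an A record `name` pointing at the
  # Private Google Access VIP addresses in `records`, and a wildcard CNAME
  # `cname` -> `name`, so every host under `domain` resolves to that VIP from
  # inside the attached VPC.
  #
  # PRIVATE    -> private.googleapis.com VIP (199.36.153.8-11); per the Google
  #               docs linked above this VIP serves all Google APIs.
  # RESTRICTED -> restricted.googleapis.com VIP (199.36.153.4-7); per the docs
  #               this VIP serves only APIs that support VPC Service Controls,
  #               which is the one to use for perimeter-protected networks.
  #
  # Every DNS name here is fully qualified (trailing dot): Cloud DNS record
  # names must be FQDNs, and a CNAME target without the dot would be treated
  # as a relative name. (The restricted googleapis entry previously lacked it.)
  #
  # NOTE(review): a private zone only changes name resolution. The VPC still
  # needs a route (and an egress firewall rule) towards the VIP ranges; that
  # is not in this file - confirm it is created elsewhere in the module.
  # NOTE(review): Container Registry is served from gcr.io; confirm gcr.com is
  # the intended domain for the second and fourth entries.
  private_google_access_domains = [
    {
      mode    = "PRIVATE",
      name    = "private.googleapis.com.",
      cname   = "*.googleapis.com.",
      domain  = "googleapis.com.",
      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
    },
    {
      mode    = "PRIVATE",
      name    = "private.gcr.com.",
      cname   = "*.gcr.com.",
      domain  = "gcr.com.",
      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
    },
    {
      mode    = "RESTRICTED",
      name    = "restricted.googleapis.com.",
      cname   = "*.googleapis.com.",
      domain  = "googleapis.com.",
      records = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
    },
    {
      mode    = "RESTRICTED",
      name    = "restricted.gcr.com.",
      cname   = "*.gcr.com.",
      domain  = "gcr.com.",
      records = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
    }
  ]

  # Set of modes this file knows how to configure ("PRIVATE", "RESTRICTED").
  # The splat already yields a flat list of strings, so distinct() is enough.
  private_google_access_modes = distinct(local.private_google_access_domains[*].mode)

  # Networks from var.network_configs that opted into Private Google Access.
  # A network is included only if its `private_google_access` attribute exists
  # and names a known mode; a missing attribute is treated as "not enabled"
  # (the try() falls back to false). `label` is the only required attribute;
  # `name`, `prefix` and `environment` fall back to module-level variables or
  # null. The rendered network name is what the zone is later attached to.
  private_google_access_configs = [
    for network in var.network_configs : {
      project_id  = try(network.project_id, var.project_id)
      prefix      = try(network.prefix, var.prefix, null)
      environment = try(network.environment, var.environment, null)
      network = templatefile("${path.module}/templates/network.tftpl", {
        attributes = {
          name        = try(network.name, null),
          label       = network.label,
          prefix      = try(network.prefix, var.prefix, null),
          environment = try(network.environment, var.environment, null)
        }
      })
      mode = network.private_google_access
    } if try(contains(local.private_google_access_modes, network.private_google_access), false)
  ]

  # Cross product of opted-in networks and the domain entries of the same
  # mode, keyed "MODE__NETWORK__PROJECT__DOMAINNAME". Each value merges the
  # network config with the domain entry and adds `id`, the self-link URL of
  # the VPC used by the managed zone's private_visibility_config.
  map_private_google_access = merge([
    for config in local.private_google_access_configs : {
      for domain in local.private_google_access_domains :
      format("%s__%s__%s__%s", config.mode, config.network, config.project_id, domain.name) => merge(
        config,
        domain,
        { id = format("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", config.project_id, config.network) }
      ) if config.mode == domain.mode
    }
  ]...)
}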
resource "google_dns_managed_zone" "managed_zones" {
  # One private zone per key in the map (mode x network x project x domain).
  # Because visibility is "private" and exactly one network is listed, the
  # override of `dns_name` is only visible to that VPC.
  for_each = local.map_private_google_access

  project    = each.value.project_id
  dns_name   = each.value.domain
  visibility = "private"

  # Zone name is rendered by the module template; the random suffix keeps it
  # unique across entries that share the same fqdn.
  name = templatefile("${path.module}/templates/cloud_dns_zone.tftpl", {
    attributes = {
      name   = null,
      fqdn   = each.value.name,
      suffix = random_id.random_id_pga[each.key].hex,
    }
  })

  private_visibility_config {
    networks {
      network_url = each.value.id
    }
  }

  depends_on = [google_compute_network.networks]
}
resource "google_dns_record_set" "dns_record_set_a" {
  # A record for the VIP host (e.g. private.googleapis.com.) inside the
  # matching private zone; rrdatas are the Private Google Access addresses
  # carried in the map entry.
  for_each = local.map_private_google_access

  project      = each.value.project_id
  managed_zone = google_dns_managed_zone.managed_zones[each.key].name
  name         = each.value.name
  type         = "A"
  ttl          = 300
  rrdatas      = each.value.records

  depends_on = [
    google_compute_network.networks,
    google_dns_managed_zone.managed_zones,
  ]
}
resource "google_dns_record_set" "dns_record_set_cname" {
  # Wildcard CNAME (e.g. *.googleapis.com.) -> the VIP host served by the A
  # record above, so every API hostname under the zone lands on the VIP.
  for_each = local.map_private_google_access

  project      = each.value.project_id
  managed_zone = google_dns_managed_zone.managed_zones[each.key].name
  name         = each.value.cname
  type         = "CNAME"
  ttl          = 300
  rrdatas      = [each.value.name]

  depends_on = [
    google_compute_network.networks,
    google_dns_managed_zone.managed_zones,
  ]
}