diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..9ce300b1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Python
+*.pyc
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Kitchen files
+**/inspec.lock
+**/.kitchen
+**/kitchen.local.yml
+**/Gemfile.lock
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+**/*.tfvars
+
+credentials.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..c0a0790f
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Fixed
+### [0.1.0] - 2019-08-02
+
+- Initial release
+
+[0.1.0]: https://github.com/terraform-google-modules/terraform-google-bastion-host/releases/tag/v0.1.0
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..43e610e6
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,110 @@
+# Contributing
+
+This document provides guidelines for contributing to the module.
+
+## Generating Documentation for Inputs and Outputs
+
+The Inputs and Outputs tables in the READMEs of the root module,
+submodules, and example modules are automatically generated based on
+the `variables` and `outputs` of the respective modules. These tables
+must be refreshed if the module interfaces are changed.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [make]
+- [terraform-docs] v0.6.0
+
+### Execution
+
+Run `make generate_docs` to generate new Inputs and Outputs tables.
+
+## Integration Testing
+
+Integration tests are used to verify the behaviour of the root module,
+submodules, and example modules. Additions, changes, and fixes should
+be accompanied with tests.
+
+The integration tests are run using [Kitchen][kitchen],
+[Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These
+tools are packaged within a Docker image for convenience.
+
+The general strategy for these tests is to verify the behaviour of the
+[example modules](./examples), thus ensuring that the root module,
+submodules, and example modules are all functionally correct.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [Docker Engine][docker-engine]
+- [Google Cloud SDK][google-cloud-sdk]
+- [make]
+
+### Inputs
+
+Test instances are defined in the
+[Kitchen configuration file](./kitchen.yml). The inputs of each Kitchen
+instance may be configured with the `driver.variables` key in a
+local Kitchen configuration file located at `./kitchen.local.yml` or in
+a Terraform variables file located at
+`./test/fixtures//variables.tfvars`.
+
+### Credentials
+
+Download the key of a Service Account with the
+[required roles][required-roles] to `./credentials.json`.
+
+### Interactive Execution
+
+1. Run `make docker_run` to start the testing Docker container in
+ interactive mode.
+
+1. Run `kitchen create ` to initialize the working
+ directory for an example module.
+
+1. Run `kitchen converge ` to apply the example module.
+
+1. Run `kitchen verify ` to test the example module.
+
+1. Run `kitchen destroy ` to destroy the example module
+ state.
+
+### Noninteractive Execution
+
+Run `make test_integration_docker` to test all of the example modules
+noninteractively.
+
+## Linting and Formatting
+
+Many of the files in the repository can be linted or formatted to
+maintain a standard of quality.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [flake8]
+- [gofmt]
+- [hadolint]
+- [make]
+- [shellcheck]
+- [Terraform][terraform] v0.11
+
+### Execution
+
+Run `make check`.
+
+[docker-engine]: https://www.docker.com/products/docker-engine
+[flake8]: http://flake8.pycqa.org/en/latest/
+[gofmt]: https://golang.org/cmd/gofmt/
+[google-cloud-sdk]: https://cloud.google.com/sdk/install
+[hadolint]: https://github.com/hadolint/hadolint
+[inspec]: https://inspec.io/
+[kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform
+[kitchen]: https://kitchen.ci/
+[make]: https://en.wikipedia.org/wiki/Make_(software)
+[shellcheck]: https://www.shellcheck.net/
+[terraform-docs]: https://github.com/segmentio/terraform-docs
+[terraform]: https://terraform.io/
diff --git a/LICENSE b/LICENSE
index 261eeb9e..d6456956 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,3 +1,4 @@ + Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..eb8225ab
--- /dev/null
+++ b/README.md
@@ -0,0 +1,68 @@
+# terraform-google-bastion-host
+
+This module will generate a bastion host vm compatible with [OS Login](https://cloud.google.com/compute/docs/oslogin/) and [IAP Tunneling](https://cloud.google.com/iap/) that can be used to access internal VMs.
+
+This module will:
+
+- Create a dedicated service account for the bastion host
+- Create a GCE instance to be the bastion host
+- Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
+- Necessary IAM bindings to allow IAP and OS Logins from specified members
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "iap_bastion" {
+ source = "terraform-google-modules/bastion-host/google"
+ version = 0.1.0
+
+ project = var.project
+ region = var.region
+ zone = var.zone
+ network = google_compute_network.net.self_link
+ subnet = google_compute_subnetwork.net.self_link
+ members = [
+ "group:devs@example.com",
+ "user:me@example.com",
+ ]
+}
+```
+
+Functional example is included in the
+[examples](./examples/) directory.
+
+## Requirements
+
+These sections describe requirements for using this module.
+
+### Software
+
+The following dependencies must be available:
+
+- [Terraform][terraform] v0.12
+- [Terraform Provider for GCP][terraform-provider-gcp]
+
+### APIs
+
+A project with the following APIs enabled must be used to host the
+resources of this module:
+
+- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+- Compute Engine API: `compute.googleapis.com`
+- Cloud Identity-Aware Proxy API: `iap.googleapis.com`
+- OS Login API: `oslogin.googleapis.com`
+
+The [Project Factory module][project-factory-module] can be used to
+provision a project with the necessary APIs enabled.
+
+## Contributing
+
+Refer to the [contribution guidelines](./CONTRIBUTING.md) for
+information on contributing to this module.
+
+[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google
+[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
+[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html
+[terraform]: https://www.terraform.io/downloads.html
diff --git a/examples/simple_example/README.md b/examples/simple_example/README.md
new file mode 100644
index 00000000..c14c82c5
--- /dev/null
+++ b/examples/simple_example/README.md
@@ -0,0 +1,31 @@
+# Simple Example
+
+This example will not set up the target hosts like the [Two Service Example](../two_service_example) but it will set up a basic network, subnet and bastion host for you to log into using IAP and OS Login. You'll notice that we create a firewall rule that allows the bastion to talk to the rest of the network on port 22 using the output of the bastion service account email for simplicity. This can and should be scoped down to allow access to specific hosts.
+
+## Deploy
+
+Create a `terraform.tfvars` file with required variables similar to:
+
+```
+members = ["user:me@example.com"]
+project = "my-project"
+```
+
+Run the apply
+
+```
+terraform apply -var-file terraform.tfvars
+```
+
+## Usage
+
+```
+gcloud auth login
+gcloud compute ssh bastion-vm
+```
+
+You should now be logged in as a user that looks like `ext_me_example_com` with the prefix of `ext` indicating you have logged in with OS Login. You should also notice the following line in standard out that indicates you are tunnelling through IAP instead of the public internet:
+
+```
+External IP address was not found; defaulting to using IAP tunneling.
+```
\ No newline at end of file
diff --git a/examples/simple_example/main.tf b/examples/simple_example/main.tf
new file mode 100644
index 00000000..953aa988
--- /dev/null
+++ b/examples/simple_example/main.tf
@@ -0,0 +1,37 @@
+module "iap_bastion" {
+ source = "../.."
+ project = var.project
+ zone = var.zone
+ network = google_compute_network.network.self_link
+ subnet = google_compute_subnetwork.subnet.self_link
+ members = var.members
+}
+
+resource "google_compute_network" "network" {
+ project = var.project
+ name = "test-network"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnet" {
+ project = var.project
+ name = "test-subnet"
+ region = var.region
+ ip_cidr_range = "10.127.0.0/20"
+ network = google_compute_network.network.self_link
+ private_ip_google_access = true
+}
+
+resource "google_compute_firewall" "allow_access_from_bastion" {
+ project = var.project
+ name = "allow-bastion-ssh"
+ network = google_compute_network.network.self_link
+
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+
+ # Allow SSH only from IAP Bastion
+ source_service_accounts = [module.iap_bastion.service_account]
+}
diff --git a/examples/simple_example/variables.tf b/examples/simple_example/variables.tf
new file mode 100644
index 00000000..dcb4112e
--- /dev/null
+++ b/examples/simple_example/variables.tf
@@ -0,0 +1,12 @@
+variable "members" {
+ default = []
+}
+variable "project" {}
+
+variable "region" {
+ default = "us-west1"
+}
+
+variable "zone" {
+ default = "us-west1-a"
+}
diff --git a/examples/two_service_example/README.md b/examples/two_service_example/README.md
new file mode 100644
index 00000000..28ed402d
--- /dev/null
+++ b/examples/two_service_example/README.md
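Review bot: The `allow_access_from_bastion` rule in `examples/simple_example/main.tf` restricts the source to the bastion service account but sets no target, so as written it allows TCP 22 from the bastion to every instance on `test-network`. The example README already says this should be scoped down, but the code itself does not; the existing comment `# Allow SSH only from IAP Bastion` describes the source side only. Suggest adding above the rule `# No target_service_accounts / target_tags: applies to every instance in the network. Scope to specific hosts in real deployments.` so that a reader who copies the resource without the README still sees the caveat.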
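Review bot: None of the four variables in `examples/simple_example/variables.tf` has a `description` or `type`, while `examples/two_service_example/variables.tf` in the same commit documents and types its first three inputs. Suggest `type = list(string)` and `description = "IAM members (user:{email}, group:{email}) allowed to reach the bastion"` on `members`, and `type = string` plus a one-line description on `project`, `region` and `zone`. An untyped `members` with `default = []` is passed straight into IAM bindings by the root module, so stating the expected member format here is worth the extra lines.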
@@ -0,0 +1,70 @@
+# Two Service Example
+
+This example illustrates how to use the `bastion-host` module. It illustrate an example where there are two services being deployed in a single project. Service A is deployed to two VMS (priv-host-a-1 and priv-host-a-2) and Service B is deployed to a single VM (priv-host-b-1). The bastion host module is deployed that will allow User A to access VM's for Service A, and User B to access Service B through the shared bastion host. You'll notice that we create a firewall rule that allows the bastion to talk to the rest of the network on port 22 using the output of the bastion service account email for simplicity. This can and should be scoped down to allow access to specific hosts.
+
+
+## Deploy
+
+Create a `terraform.tfvars` file with required variables. Should look something like:
+
+```
+project = "my-project"
+user_a = "user:me@example.com"
+user_b = "user:someone@example.com"
+network = "projects/my-project/global/networks/default"
+subnet = "projects/rcanty-project-0529/regions/us-west1/subnetworks/default"
+```
+
+Run the apply
+
+```
+terraform apply -var-file terraform.tfvars
+```
+
+## Usage
+
+After this module is deployed, you can test SSHing to the private hosts by following these steps:
+
+Login as User A:
+
+```
+gcloud auth login
+```
+
+If you have existing google_compute_engine ssh keys, ( ~/.ssh/google_compute_engine.pub ) back them up, otherwise skip this step
+
+```
+cd ~/.ssh # change working directory to ssh directory
+mv google_compute_engine.pub google_compute_engine_backup.pub # backup public key
+mv google_compute_engine google_compute_engine_backup_backup # backup private key
+```
+
+Update your gcloud config
+
+```
+gcloud config set project
+gcloud config set compute/region us-west1
+gcloud config set compute/zone us-west1-a
+```
+
+Generate new google compute engine keys and ssh over to bastion host
+
+```
+gcloud compute ssh bastion-vm
+```
+
+Exit out from bastion using `exit`. Then start SSH Agent and add your key to it:
+
+```
+eval "$(ssh-agent -s)"
+ssh-add ~/.ssh/google_compute_engine
+```
+
+SSH to private VM through bastion host
+
+```
+gcloud compute ssh bastion-vm --ssh-flag="-A" --command "ssh priv-host-a-1" -- -t
+```
+
+
+You can also try SSHing to the other host, priv-host-a-2. This should work. Try sshing to the B host, (priv-host-b-2) should fail. Try using user B, get another user to follow above steps. If you have access to a test account, you can use that as well, but make sure to backup the ssh keys from the steps above.
diff --git a/examples/two_service_example/iam.tf b/examples/two_service_example/iam.tf
new file mode 100644
index 00000000..6ce7ee5f
--- /dev/null
+++ b/examples/two_service_example/iam.tf
@@ -0,0 +1,47 @@
+resource "google_service_account" "service_a" {
+ project = var.project
+ account_id = "service-a"
+ display_name = "Service Account for Service A"
+}
+
+resource "google_service_account" "service_b" {
+ project = var.project
+ account_id = "service-b"
+ display_name = "Service Account for Service B"
+}
+
+resource "google_compute_instance_iam_member" "alice_oslogin_1" {
+ project = var.project
+ zone = var.zone
+ instance_name = google_compute_instance.priv_host_a_1.name
+ role = "roles/compute.osLogin"
+ member = var.user_a
+}
+
+resource "google_compute_instance_iam_member" "alice_oslogin_2" {
+ project = var.project
+ zone = var.zone
+ instance_name = google_compute_instance.priv_host_a_2.name
+ role = "roles/compute.osLogin"
+ member = var.user_a
+}
+
+resource "google_service_account_iam_member" "gce_default_account_iam" {
+ service_account_id = google_service_account.service_a.id
+ role = "roles/iam.serviceAccountUser"
+ member = var.user_a
+}
+
+resource "google_compute_instance_iam_member" "bdole_oslogin" {
+ project = var.project
+ zone = var.zone
+ instance_name = google_compute_instance.priv_host_b_1.name
+ role = "roles/compute.osLogin"
+ member = var.user_b
+}
+
+resource "google_service_account_iam_member" "bdole_use_sa" {
+ service_account_id = google_service_account.service_b.id
+ role = "roles/iam.serviceAccountUser"
+ member = var.user_b
+}
diff --git a/examples/two_service_example/instances.tf b/examples/two_service_example/instances.tf
new file mode 100644
index 00000000..4dc8168d
--- /dev/null
+++ b/examples/two_service_example/instances.tf
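Review bot: The resource names in `iam.tf` do not match what they bind: `alice_oslogin_1`, `alice_oslogin_2`, `bdole_oslogin` and `bdole_use_sa` name people while the members are `var.user_a` and `var.user_b`, and `gce_default_account_iam` grants `roles/iam.serviceAccountUser` on `google_service_account.service_a`, not on a default Compute Engine account. Names such as `user_a_oslogin_1`, `user_a_use_sa`, `user_b_oslogin` and `user_b_use_sa` would make the access model auditable from the plan output alone. A header comment stating that `roles/compute.osLogin` is deliberately granted per instance rather than per project, so each user reaches only their own service's hosts, would document the intent this file exists to demonstrate.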
@@ -0,0 +1,77 @@
+resource "google_compute_instance" "priv_host_a_1" {
+ project = var.project
+ zone = var.zone
+ name = "priv-host-a-1"
+ machine_type = "n1-standard-1"
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ network_interface {
+ subnetwork = var.subnet
+ }
+
+ service_account {
+ email = google_service_account.service_a.email
+ scopes = ["cloud-platform"]
+ }
+
+ metadata = {
+ enable-oslogin = "TRUE"
+ }
+}
+
+resource "google_compute_instance" "priv_host_a_2" {
+ project = var.project
+ zone = var.zone
+ name = "priv-host-a-2"
+ machine_type = "n1-standard-1"
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ network_interface {
+ subnetwork = var.subnet
+ }
+
+ service_account {
+ email = google_service_account.service_a.email
+ scopes = ["cloud-platform"]
+ }
+
+ metadata = {
+ enable-oslogin = "TRUE"
+ }
+}
+
+resource "google_compute_instance" "priv_host_b_1" {
+ project = var.project
+ zone = var.zone
+ name = "priv-host-b-1"
+ machine_type = "n1-standard-1"
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ network_interface {
+ subnetwork = var.subnet
+ }
+
+ service_account {
+ email = google_service_account.service_b.email
+ scopes = ["cloud-platform"]
+ }
+
+ metadata = {
+ enable-oslogin = "TRUE"
+ }
+}
diff --git a/examples/two_service_example/main.tf b/examples/two_service_example/main.tf
new file mode 100644
index 00000000..44043fbe
--- /dev/null
+++ b/examples/two_service_example/main.tf
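Review bot: All three hosts in `instances.tf` attach their service account with `scopes = ["cloud-platform"]`, so what a process on the host may do is bounded only by the IAM roles held by `service_a` or `service_b`. In the files visible in this commit those accounts receive no role grants, which keeps the hosts unprivileged, but nothing in the code says that this is intentional. Suggest a comment on each `service_account` block such as `# cloud-platform scope: effective access is governed by IAM roles on the service account (none granted in this example)`. The three resources differ only in `name` and service account, so a single resource with `for_each` over a local map would remove the duplication, at the cost of changing the references in `iam.tf`.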
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+}
+
+provider "google-beta" {
+}
+
+module "iap_bastion" {
+ source = "../.."
+ project = var.project
+ subnet = var.subnet
+ network = var.network
+ zone = var.zone
+ members = [var.user_a, var.user_b]
+}
diff --git a/examples/two_service_example/variables.tf b/examples/two_service_example/variables.tf
new file mode 100644
index 00000000..6ddbf9cc
--- /dev/null
+++ b/examples/two_service_example/variables.tf
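Review bot: No `google_compute_firewall` resource appears in any `examples/two_service_example` file in this commit, although the example's README says a rule allowing the bastion to reach the network on port 22 is created. As written, whether the bastion can reach the private hosts, and who else can, depends on whatever rules already exist on the network the caller passes in `var.network`. Either state that dependency in the README or add an explicit rule next to the module call, scoped to the bastion service account as source and to the two service accounts from `iam.tf` as targets, as sketched below.

```hcl
# Allow SSH from the bastion to the Service A and Service B hosts only.
resource "google_compute_firewall" "allow_bastion_to_private_hosts" {
  project = var.project
  name    = "allow-bastion-ssh-to-private-hosts"
  network = var.network

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_service_accounts = [module.iap_bastion.service_account]
  target_service_accounts = [
    google_service_account.service_a.email,
    google_service_account.service_b.email,
  ]
}
```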
@@ -0,0 +1,42 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project" {
+ description = "The ID of the project in which to provision resources."
+ type = string
+}
+
+variable "network" {
+ description = "Self link for the VPC network"
+ type = string
+}
+
+variable "subnet" {
+ description = "Self link for the Subnet within var.network"
+ type = string
+}
+
+variable "user_a" {
+ description = "User in the IAM policy format of user:{email}"
+}
+
+variable "user_b" {
+ description = "User in the IAM policy format of user:{email}"
+}
+
+variable "zone" {
+ default = "us-west1-a"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 00000000..b14cee97
--- /dev/null
+++ b/main.tf
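Review bot: `user_a` and `user_b` carry a description but no `type`, and `zone` has neither, unlike `project`, `network` and `subnet` at the top of the same file. Since both user values are passed unchanged into IAM `member` arguments in `iam.tf`, `type = string` on each is the minimum; the descriptions could also say which service each user is meant to reach, e.g. `"Member (user:{email}) granted OS Login on the Service A hosts"`. For `zone`, add `description = "Zone for the bastion and the private hosts"` and `type = string`.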
@@ -0,0 +1,106 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "bastion_host" {
+ project = var.project
+ account_id = "bastion"
+ display_name = "Service Account for Bastion"
+}
+
+module "instance_template" {
+ source = "terraform-google-modules/vm/google//modules/instance_template"
+ version = "1.1.0"
+
+ project_id = var.project
+ machine_type = var.machine_type
+ subnetwork = var.subnet
+ service_account = {
+ email = google_service_account.bastion_host.email
+ scopes = ["cloud-platform"]
+ }
+ enable_shielded_vm = true
+ startup_script = var.startup_script
+
+ metadata = {
+ enable-oslogin = "TRUE"
+ }
+}
+
+resource "google_compute_instance_from_template" "bastion_vm" {
+ name = var.name
+ project = var.project
+ zone = var.zone
+
+ network_interface {
+ subnetwork = var.subnet
+ }
+
+ source_instance_template = module.instance_template.self_link
+}
+
+resource "google_compute_firewall" "allow_from_iap_to_bastion" {
+ project = var.project
+ name = "allow-ssh-from-iap-to-tunnel"
+ network = var.network
+
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+
+ # https://cloud.google.com/iap/docs/using-tcp-forwarding#before_you_begin
+ # This is the netblock needed to forward to the instances
+ source_ranges = ["35.235.240.0/20"]
+ target_service_accounts = [google_service_account.bastion_host.email]
+}
+
+resource "google_iap_tunnel_instance_iam_binding" "enable_iap" {
+ provider = "google-beta"
+ project = var.project
+ zone = var.zone
+ instance = google_compute_instance_from_template.bastion_vm.name
+ role = "roles/iap.tunnelResourceAccessor"
+ members = var.members
+}
+
+resource "google_service_account_iam_binding" "bastion_sa_user" {
+ service_account_id = google_service_account.bastion_host.id
+ role = "roles/iam.serviceAccountUser"
+ members = var.members
+}
+
+resource "google_project_iam_member" "bastion_sa_bindings" {
+ for_each = toset(compact(concat(
+ var.service_account_roles,
+ var.service_account_roles_supplemental,
+ ["projects/${var.project}/roles/${google_project_iam_custom_role.compute_os_login_viewer.role_id}"]
+ )))
+
+ project = var.project
+ role = each.key
+ member = "serviceAccount:${google_service_account.bastion_host.email}"
+}
+
+# If you are practicing least privilege, to enable instance level OS Login, you
+# still need the compute.projects.get permission on the project level. The other
+# predefined roles grant additional permissions that aren't needed
+resource "google_project_iam_custom_role" "compute_os_login_viewer" {
+ project = var.project
+ role_id = "osLoginProjectGet"
+ title = "OS Login Project Get Role"
+ description = "From Terraform: iap-bastion module custom role for more fine grained scoping of permissions"
+ permissions = ["compute.projects.get"]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 00000000..dc6c1f67
--- /dev/null
+++ b/outputs.tf
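Review bot: The `instance_template` module call in `main.tf` hard-codes `scopes = ["cloud-platform"]` and `enable_shielded_vm = true` and passes no image or labels, so `var.scopes`, `var.shielded_vm`, `var.image` and `var.labels` from `variables.tf` have no effect in the resources shown here. A caller who narrows `scopes` will still get a bastion with the full `cloud-platform` scope. Wire them through with `scopes = var.scopes` and `enable_shielded_vm = var.shielded_vm`, and pass the image and labels via the template module's corresponding inputs (names to be checked against version 1.1.0 of that module). Separately, `account_id = "bastion"`, the firewall name and `role_id = "osLoginProjectGet"` are fixed strings, so a second instance of this module in the same project would presumably collide; derive them from `var.name` or document the one-per-project limit.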
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+output "service_account" {
+ description = "The email for the service account created for the bastion host"
+ value = google_service_account.bastion_host.email
+}
+
+output "hostname" {
+ description = "Host name of the bastion"
+ value = var.name
+}
+
+output "ip_address" {
+ description = "Internal IP address of the bastion host"
+ value = google_compute_instance_from_template.bastion_vm.network_interface.0.network_ip
+}
+
+output "self_link" {
+ description = "Self link of the bastion host"
+ value = google_compute_instance_from_template.bastion_vm.self_link
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 00000000..b52ab2cd
--- /dev/null
+++ b/variables.tf
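Review bot: The `ip_address` output in `outputs.tf` uses the legacy attribute-index form `network_interface.0.network_ip`; since `versions.tf` in this commit requires `~> 0.12`, the bracket form `network_interface[0].network_ip` is the idiomatic spelling. The `hostname` output returns `var.name` rather than an attribute of `google_compute_instance_from_template.bastion_vm`, so it carries no dependency on the instance; `google_compute_instance_from_template.bastion_vm.name` would make consumers wait for the VM to exist. The license header here says 2018 while the other new files say 2019.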
@@ -0,0 +1,92 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "image" {
+ description = "GCE image on which to base the Bastion. This image is supported by Shielded VM"
+ default = "gce-uefi-images/centos-7"
+}
+
+variable "labels" {
+ description = "Key-value map of labels to assign to the bastion host"
+ type = "map"
+ default = {}
+}
+
+variable "machine_type" {
+ description = "Instance type for the Bastion host"
+ default = "n1-standard-1"
+}
+
+variable "members" {
+ description = "List of IAM resources to allow access to the bastion host"
+ type = "list"
+ default = []
+}
+
+variable "name" {
+ description = "Name of the Bastion instance"
+ default = "bastion-vm"
+}
+
+variable "network" {
+ description = "Self link for the network on which the Bastion should live"
+}
+
+variable "project" {
+ description = "The project ID to deploy to"
+}
+
+variable "region" {
+ description = "The primary region where the bastion host will live"
+ default = "us-central1"
+}
+
+variable "scopes" {
+ description = "List of scopes to attach to the bastion host"
+ default = ["cloud-platform"]
+}
+
+variable "service_account_roles" {
+ description = "List of IAM roles to assign to the service account."
+ default = [
+ "roles/logging.logWriter",
+ "roles/monitoring.metricWriter",
+ "roles/monitoring.viewer",
+ "roles/compute.osLogin",
+ ]
+}
+variable "service_account_roles_supplemental" {
+ description = "An additional list of roles to assign to the bastion if desired"
+ default = []
+}
+
+variable "shielded_vm" {
+ default = true
+}
+
+variable "startup_script" {
+ description = "Render a startup script with a template."
+ default = ""
+}
+
+variable "subnet" {
+ description = "Self link for the subnet on which the Bastion should live. Can be private when using IAP"
+}
+
+variable "zone" {
+ description = "The primary zone where the bastion host will live"
+ default = "us-central1-a"
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 00000000..a5e05188
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = "~> 0.12"
+ required_providers {
+ google = "~> 2.17"
+ google-beta = "~> 2.17"
+ }
+}
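Review bot: The default `service_account_roles` in `variables.tf` includes `roles/compute.osLogin`, which `main.tf` binds at project level to the bastion service account, while `main.tf` also grants every entry in `var.members` `roles/iam.serviceAccountUser` on that account. Every member allowed onto the bastion would therefore presumably be able to act under a project-wide OS Login grant, which appears to undercut per-instance scoping such as the `google_compute_instance_iam_member` bindings in `examples/two_service_example/iam.tf`. Consider dropping that role from the default list, or state in the description why the bastion's own account needs it. Also, `type = "list"` and `type = "map"` are the quoted 0.11 spellings (`list(string)`, `map(string)` under the `~> 0.12` constraint), and `shielded_vm` has no description.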
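Review bot: `required_version = "~> 0.12"` in `versions.tf` disagrees with `CONTRIBUTING.md` in this same commit, which lists Terraform v0.11 as the linting dependency; one of the two should be corrected. The constraint as written also accepts every later 0.x release, so if only 0.12 has been exercised, `"~> 0.12.0"` states that precisely. The header reads "Google Inc." where the other new files read "Google LLC".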