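terraform {
  # Supported Terraform CLI range; the upper bound keeps a future 2.x release
  # from being picked up silently.
  required_version = ">= 0.15.3, < 2.0"

  # Declare the provider sources explicitly. The two provider blocks below
  # already imply these (hashicorp/ is the default namespace), so this adds no
  # new dependency; it makes the dependency visible and gives a single place
  # to pin versions. No version constraint is set yet -- add one here
  # (version = "<tested release>") once the tested provider release is known,
  # so that `terraform init` does not float to the newest provider.
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
}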
# Default google provider: project and region come from locals so that a
# single set of inputs (var.project_id, var.region1) drives both providers.
provider "google" {
project = local.project_id
region = local.region1
}
# google-beta provider configured identically to the google provider; kept in
# sync via the same locals so beta-only resources land in the same project/region.
provider "google-beta" {
project = local.project_id
region = local.region1
}
# ----------------------------------------------------------------------------------------------------------------
# Local variables
# ----------------------------------------------------------------------------------------------------------------
locals {
  # Optional resource-name prefix: when var.prefix is set and non-empty every
  # name gets "<prefix>-" in front of it, otherwise names are left unprefixed.
  prefix = (var.prefix != null && var.prefix != "") ? format("%s-", var.prefix) : ""

  # Straight pass-through of the project-wide inputs.
  project_id            = var.project_id
  public_key_path       = var.public_key_path
  mgmt_allow_ips        = var.mgmt_allow_ips
  vmseries_machine_type = var.vmseries_machine_type

  # Hard-coded here rather than exposed as a variable.
  create_workload_vms = true

  # Full image self-link in the Palo Alto Networks public image project;
  # var.vmseries_image supplies only the image name portion.
  vmseries_image = format(
    "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/%s",
    var.vmseries_image
  )

  # BGP ASNs: one for the firewalls, one for the Cloud Routers. Both sit in
  # the 64512-65534 private ASN range.
  fw_asn = 65001
  cr_asn = 65000

  # Region 1 addressing. Within the VPC1 range the firewall takes host number
  # 2 and the two Cloud Router BGP peers take host numbers 10 and 11.
  region1               = var.region1
  region1_cidr_mgmt     = var.region1_cidr_mgmt
  region1_cidr_untrust  = var.region1_cidr_untrust
  region1_cidr_vpc1     = var.region1_cidr_vpc1
  region1_fw_ip_vpc1    = cidrhost(var.region1_cidr_vpc1, 2)
  region1_cr_vpc1_peer0 = cidrhost(var.region1_cidr_vpc1, 10)
  region1_cr_vpc1_peer1 = cidrhost(var.region1_cidr_vpc1, 11)

  # Region 2 mirrors the region 1 layout exactly.
  region2               = var.region2
  region2_cidr_mgmt     = var.region2_cidr_mgmt
  region2_cidr_untrust  = var.region2_cidr_untrust
  region2_cidr_vpc1     = var.region2_cidr_vpc1
  region2_fw_ip_vpc1    = cidrhost(var.region2_cidr_vpc1, 2)
  region2_cr_vpc1_peer0 = cidrhost(var.region2_cidr_vpc1, 10)
  region2_cr_vpc1_peer1 = cidrhost(var.region2_cidr_vpc1, 11)
}
# ----------------------------------------------------------------------------------------------------------------
# Create NCC Hub.
# ----------------------------------------------------------------------------------------------------------------
# Network Connectivity Center hub; only the (optionally prefixed) name is set,
# everything else is left at provider defaults.
resource "google_network_connectivity_hub" "main" {
name = "${local.prefix}hub"
}
# ----------------------------------------------------------------------------------------------------------------
# Create VPC networks.
# ----------------------------------------------------------------------------------------------------------------
# Management VPC. Custom-mode (no auto subnets) with global dynamic routing
# so learned routes are usable in both regions.
resource "google_compute_network" "mgmt" {
name = "${local.prefix}mgmt"
auto_create_subnetworks = false
routing_mode = "GLOBAL"
}
# Untrust (internet-facing) VPC, same custom-mode/global-routing settings as mgmt.
resource "google_compute_network" "untrust" {
name = "${local.prefix}untrust"
auto_create_subnetworks = false
routing_mode = "GLOBAL"
}
# Workload VPC. Unlike mgmt/untrust, the default 0.0.0.0/0 route is dropped on
# creation -- presumably so egress can be steered through the firewall rather
# than straight to the internet gateway (confirm against the route resources).
resource "google_compute_network" "vpc1" {
name = "${local.prefix}vpc1"
auto_create_subnetworks = false
routing_mode = "GLOBAL"
delete_default_routes_on_create = true
}
# ----------------------------------------------------------------------------------------------------------------
# Create an ingress firewall rule in each VPC.
# ----------------------------------------------------------------------------------------------------------------
# Management-plane ingress. Source is restricted to the operator-supplied
# var.mgmt_allow_ips; if that list is left broad, the VM-Series admin surface
# (443 web UI/API, 22 SSH, 3978 Panorama-to-firewall management connection)
# is exposed accordingly. No target tags, so the rule applies to every
# instance in the mgmt VPC.
resource "google_compute_firewall" "mgmt" {
name = "${google_compute_network.mgmt.name}-ingress"
network = google_compute_network.mgmt.name
source_ranges = local.mgmt_allow_ips
allow {
protocol = "tcp"
ports = ["443", "22", "3978"]
}
}
# Untrust ingress: every protocol from any source (0.0.0.0/0). This is the
# internet-facing side of the VM-Series, so the VPC-level rule is deliberately
# open and traffic policy is presumably enforced by the firewall dataplane
# itself -- confirm that only firewall untrust NICs live in this VPC, since
# with no target tags the rule applies to every instance here. `ports = []`
# is a no-op for protocol "all" (ports only apply to tcp/udp/sctp).
resource "google_compute_firewall" "untrust" {
name = "${google_compute_network.untrust.name}-ingress"
network = google_compute_network.untrust.name
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "all"
ports = []
}
}
# Workload VPC ingress: every protocol from any source (0.0.0.0/0), applied to
# all instances in vpc1 because no target tags/service accounts are set. That
# suits a lab where the VM-Series is the only ingress path into vpc1; for a
# production deployment restrict source_ranges to the firewall's VPC1 interface
# range (local.region*_fw_ip_vpc1) or scope the rule with target_tags.
# `ports = []` is a no-op for protocol "all".
resource "google_compute_firewall" "vpc1" {
name = "${google_compute_network.vpc1.name}-ingress"
network = google_compute_network.vpc1.name
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "all"
ports = []
}
}
# ----------------------------------------------------------------------------------------------------------------
# Create service account for vmseries firewalls
# ----------------------------------------------------------------------------------------------------------------
# Service account for the VM-Series instances, created via the public
# PaloAltoNetworks registry module. No `version` argument is set, so each
# `terraform init` resolves the newest published module release; pin a tested
# version here (version = "<tested release>") to keep the IAM grants the module
# makes from changing underneath the deployment.
module "iam_service_account" {
source = "PaloAltoNetworks/vmseries-modules/google//modules/iam_service_account/"
service_account_id = "${local.prefix}vmseries-sa"
project_id = local.project_id
}