Open codeangler opened 1 month ago
Here's what our TF SME guided me to; focus on the "dynamic" block:
```hcl
resource "google_compute_instance" "vmseries" {
  name                      = "palo-vmseries-${var.availablity_zone}-${var.env}-${var.env_state}-${var.random_hex}"
  machine_type              = var.vmseries_machine_type
  project                   = var.project_id_hub_one
  zone                      = var.availablity_zone
  can_ip_forward            = true
  allow_stopping_for_update = true
  tags                      = ["palo-fw"]

  boot_disk {
    initialize_params {
      image = var.vmseries_image
      type  = "pd-standard"
    }
  }

  metadata = {
    mgmt-interface-swap                  = "enable"
    serial-port-enable                   = true
    ssh-keys                             = "admin:${var.public_key}"
    vmseries-bootstrap-gce-storagebucket = module.bootstrap.bucket_name
  }

  // nic0 - untrust nic
  network_interface {
    subnetwork = google_compute_subnetwork.dmz.self_link

    // An access_config block is what attaches an external (public) IP.
    // With a one-element list the block is rendered once; with an empty
    // list it is omitted entirely and the NIC stays private.
    dynamic "access_config" {
      for_each = var.dmz_public_ip ? ["prod-live"] : []
      content {}
    }
  }

  // nic1 - mgnt
  network_interface {
    subnetwork = google_compute_subnetwork.mgnt.self_link
  }

  // nic2 - hub_one
  network_interface {
    subnetwork = google_compute_subnetwork.hub_one.self_link
    network_ip = var.palo.fw_ip_hub_one
  }

  service_account {
    email = var.palo_sa_vm_email
    scopes = [
      "https://www.googleapis.com/auth/compute.readonly",
      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write"
    ]
  }

  depends_on = [
    module.bootstrap
  ]
}
```
We pass this into the module:

```hcl
dmz_public_ip = terraform.workspace == "default" ? true : false
```
Is your feature request related to a problem?
Some (many?) organization security policies block VM deployments with public IP.
This code deploys two of the multi nic* using a public IP.
Describe the solution you'd like
add
Describe alternatives you've considered
Pleading with org security to get exceptions.
Additional context
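Since the motivation here is an org policy that forbids public IPs on VMs, the check a reviewer usually wants alongside the opt-in toggle is something that inspects the plan before apply and fails when any `google_compute_instance` would still get an `access_config`. The script below is an added example and is not part of this module or the issue; it reads the JSON produced by `terraform show -json tfplan`, walks `planned_values` (root module plus nested `child_modules`), and reports every NIC that carries a non-empty `access_config` list, which is exactly what the `dynamic` block above leaves empty when `dmz_public_ip` is false. The embedded `SAMPLE_PLAN` is a constructed, trimmed stand-in for real plan output.

```python
"""Flag planned google_compute_instance resources that would get a public IP.

Added example; reads `terraform show -json` output (planned_values tree).
"""
import json
import sys
from typing import Iterator

# Constructed sample of `terraform show -json tfplan` output (not from the
# issue), trimmed to the fields this check reads. The first instance has an
# access_config block on nic0 (public IP); the second has only the empty
# lists a dynamic block with an empty for_each produces.
SAMPLE_PLAN = json.loads(r'''
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [],
      "child_modules": [
        {
          "address": "module.vmseries",
          "resources": [
            {
              "address": "module.vmseries.google_compute_instance.vmseries",
              "type": "google_compute_instance",
              "values": {
                "name": "palo-vmseries-us-central1-a-prod",
                "network_interface": [
                  {"subnetwork": "dmz", "access_config": [{"nat_ip": null, "network_tier": "PREMIUM"}]},
                  {"subnetwork": "mgnt", "access_config": []},
                  {"subnetwork": "hub_one", "access_config": []}
                ]
              }
            },
            {
              "address": "module.vmseries.google_compute_instance.vmseries_private",
              "type": "google_compute_instance",
              "values": {
                "name": "palo-vmseries-us-central1-a-dev",
                "network_interface": [
                  {"subnetwork": "dmz", "access_config": []},
                  {"subnetwork": "mgnt", "access_config": []}
                ]
              }
            },
            {
              "address": "module.vmseries.google_storage_bucket.bootstrap",
              "type": "google_storage_bucket",
              "values": {"name": "bootstrap"}
            }
          ]
        }
      ]
    }
  }
}
''')


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk a planned_values module tree depth-first, yielding every resource."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def public_ip_nics(instance_values: dict) -> list:
    """Return (nic_index, subnetwork) for each NIC that carries an access_config."""
    hits = []
    for idx, nic in enumerate(instance_values.get("network_interface") or []):
        # A NIC receives an external IP only when at least one access_config
        # block is present; an empty list (or None) means it stays private.
        if nic.get("access_config"):
            hits.append((idx, nic.get("subnetwork")))
    return hits


def find_public_ip_instances(plan: dict) -> dict:
    """Map each offending instance address to the NICs that would get a public IP."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        nics = public_ip_nics(res.get("values") or {})
        if nics:
            findings[res["address"]] = nics
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_public_ip.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_public_ip_instances(plan)
    for address, nics in findings.items():
        for idx, subnet in nics:
            print(f"{address}: nic{idx} ({subnet}) would get a public IP")
    sys.exit(1 if findings else 0)
```

Run it against the constructed sample with no arguments, or point it at a real plan file as in the usage comment; a non-zero exit makes it usable as a CI gate so a workspace that accidentally evaluates `dmz_public_ip` to true is caught before apply rather than by the org policy after the fact.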