terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0
59 stars 67 forks

VPC Service Controls demo pull request #4

Closed mdgraboski closed 4 years ago

mdgraboski commented 5 years ago

This is my demo for creating a VPC Service Control environment and testing it out. Please follow the steps in the README.md, and let me know what you think.

morgante commented 5 years ago

@Tfmenard are you able to re-review this?

Tfmenard commented 5 years ago

When running the example I got the mentioned errors regarding Compute Engine API. But then I got errors that weren't listed as expected errors in the README.

Error: Error applying plan:

3 error(s) occurred:

* module.vpc_sc_network.module.regular_service_perimeter_1.google_access_context_manager_service_perimeter.regular_service_perimeter: 1 error(s) occurred:

* google_access_context_manager_service_perimeter.regular_service_perimeter: Error creating ServicePerimeter: googleapi: Error 403: The caller does not have permission
* module.onprem_network.google_compute_instance.windows_jumphost: 1 error(s) occurred:

* google_compute_instance.windows_jumphost: Error creating instance: googleapi: Error 400: Invalid value for field 'resource.networkInterfaces[0].networkIP': '10.138.0.3'. Requested internal IP is outside the subnetwork CIDR range., invalid
* module.onprem_network.google_compute_instance.forward_proxy_instance: 1 error(s) occurred:

* google_compute_instance.forward_proxy_instance: Error creating instance: googleapi: Error 400: Invalid value for field 'resource.networkInterfaces[0].networkIP': '10.138.0.2'. Requested internal IP is outside the subnetwork CIDR range., invalid

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
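
The two `Error 400` lines above come from a static `network_ip` that does not sit inside the subnet the instance is attached to. One way to make that class of mistake impossible is to derive the address from the subnet's own CIDR instead of hardcoding it. The following is an added example, not the PR's code and not the fix that was later committed to `main.tf`: the two instance resource names come from the error output, while the subnetwork, network and variable names, the machine type and the image are assumptions. It uses the Terraform 0.11 interpolation style the thread already uses.

```hcl
# Assumed subnet; its range comes from a variable rather than being fixed here.
resource "google_compute_subnetwork" "onprem" {
  name          = "onprem-subnet"                 # assumed name
  ip_cidr_range = "${var.onprem_subnet_cidr}"     # assumed variable, e.g. "10.138.0.0/20"
  region        = "${var.region}"
  network       = "${google_compute_network.onprem.self_link}"  # assumed network resource
}

resource "google_compute_instance" "forward_proxy_instance" {
  name         = "forward-proxy"
  machine_type = "n1-standard-1"   # assumed
  zone         = "${var.zone}"     # assumed variable

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"   # assumed image
    }
  }

  network_interface {
    subnetwork = "${google_compute_subnetwork.onprem.self_link}"

    # cidrhost() returns the address hostnum above the network address of the
    # given range, so the result is always inside the subnet. Google Cloud
    # reserves the first two addresses (network and gateway), so start at 2.
    network_ip = "${cidrhost(google_compute_subnetwork.onprem.ip_cidr_range, 2)}"
  }
}

resource "google_compute_instance" "windows_jumphost" {
  name         = "windows-jumphost"
  machine_type = "n1-standard-2"   # assumed
  zone         = "${var.zone}"

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"   # assumed image
    }
  }

  network_interface {
    subnetwork = "${google_compute_subnetwork.onprem.self_link}"
    network_ip = "${cidrhost(google_compute_subnetwork.onprem.ip_cidr_range, 3)}"

    # Empty access_config requests an ephemeral external (NAT) address.
    access_config {}
  }
}
```

With the addresses tied to `ip_cidr_range`, changing the subnet variable moves both instances with it, and `terraform plan` shows the resolved addresses before anything is created, so a partial apply like the one above is avoided.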
mdgraboski commented 5 years ago

Just updated examples/onprem_demo/onprem_project/main.tf to fix this error.

Tfmenard commented 5 years ago

@mdgraboski Almost done with this PR :D. One thing that wasn't addressed is this comment. I think we should rethink this example and merge it in another PR.

mdgraboski commented 5 years ago

@Tfmenard I removed the VPC SC Perimeter auto-add example. I also fixed the description field in the variables.tf files, and added a default region.

Tfmenard commented 4 years ago

One last thing is missing that I forgot. The example should have an outputs.tf file to help the user navigate through the example while also giving them the confirmation that the example completed successfully. Here's a draft outputs.tf file of what I think the outputs.tf file could be. You can make it whatever as you know better, but there should be one. Outputting computed values is usually pretty useful.

examples/onprem_demo/outputs.tf file

/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Root-module outputs: each one simply re-exports a value computed by the
# onprem_network child module.

output "ip_addr_cloud_vpn_router" {
  description = "IP address of the Cloud VPN router"
  value       = "${module.onprem_network.ip_addr_cloud_vpn_router}"
}

output "ip_addr_onprem_vpn_router" {
  description = "IP address of the simulated on-prem VPN router"
  value       = "${module.onprem_network.ip_addr_onprem_vpn_router}"
}

output "windows_jump_public_ip" {
  description = "External IP address of the Windows jumphost"
  value       = "${module.onprem_network.windows_jump_public_ip}"
}

For adding the jumphost you would have to modify the onprem_project/outputs.tf file as well. If you have the example already running, try adding the outputs.tf file(s) and running terraform apply without running terraform destroy first. The outputs should show up in the logs directly.
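
The point that the child module has to export a value before the root module can output it is easy to get wrong, so here is the pair of files spelled out. This is an added example, not code from the PR or the module: the resource names `windows_jumphost` and `forward_proxy_instance` and the module name `onprem_network` come from the thread, the attribute paths are the google provider's, and the `forward_proxy_internal_ip` output is an assumed extra. The interpolation style follows the Terraform 0.11 draft above.

```hcl
# examples/onprem_demo/onprem_project/outputs.tf  (child module)
# Exports computed attributes of resources this module creates. Nothing here
# is visible to the caller until it is declared as an output.

output "windows_jump_public_ip" {
  description = "External (NAT) IP address of the Windows jumphost"
  # First network interface, first access_config block, NAT address.
  value       = "${google_compute_instance.windows_jumphost.network_interface.0.access_config.0.nat_ip}"
}

output "forward_proxy_internal_ip" {
  description = "Internal IP address of the forward proxy instance"
  value       = "${google_compute_instance.forward_proxy_instance.network_interface.0.network_ip}"
}

# examples/onprem_demo/outputs.tf  (root module)
# A root output can only reference names the child module exported above,
# which is why onprem_project/outputs.tf has to change too.

output "windows_jump_public_ip" {
  description = "External (NAT) IP address of the Windows jumphost"
  value       = "${module.onprem_network.windows_jump_public_ip}"
}

output "forward_proxy_internal_ip" {
  description = "Internal IP address of the forward proxy instance"
  value       = "${module.onprem_network.forward_proxy_internal_ip}"
}
```

After `terraform apply` prints the values, `terraform output windows_jump_public_ip` returns just that value, which is convenient for scripting the RDP step of the demo. The `access_config.0` path fails if the jumphost has no external address, so keep that output only for instances that actually get one.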

mdgraboski commented 4 years ago

I added the requested output file, which displays the external IP address of the Windows jumphost and the internal IP address of the VPC SC-protected Windows VM.