feat: Optionally pass additional networks to the instance template (#117)

Co-authored-by: Bharath KKB <[email protected]>
pwillis-eiq and bharathkkb authored Oct 21, 2022
1 parent 5dab8d1 commit 5c601c9
Showing 6 changed files with 59 additions and 7 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -70,6 +70,7 @@ If the user does not share the same domain as the org the bastion is in, you wil
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access\_config | Access configs for network, nat\_ip and DNS | <pre>list(object({<br> network_tier = string<br> nat_ip = string<br> public_ptr_domain_name = string<br> }))</pre> | <pre>[<br> {<br> "nat_ip": "",<br> "network_tier": "PREMIUM",<br> "public_ptr_domain_name": ""<br> }<br>]</pre> | no |
| additional\_networks | Additional network interface details for the instance template, if any. | <pre>list(object({<br> network = string<br> subnetwork = string<br> subnetwork_project = string<br> network_ip = string<br> access_config = list(object({<br> nat_ip = string<br> network_tier = string<br> }))<br> }))</pre> | `[]` | no |
| additional\_ports | A list of additional ports/ranges to open access to on the instances from IAP. | `list(string)` | `[]` | no |
| create\_firewall\_rule | If we need to create the firewall rule or not. | `bool` | `true` | no |
| create\_instance\_from\_template | Whether to create and instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG | `bool` | `true` | no |
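Review bot: the `additional_networks` description does not say what `access_config` on an extra interface means. Any entry in that list gives the bastion an external IP on the additional interface, which is exactly the exposure an IAP-only bastion is meant to avoid, and the host becomes a multi-homed path between the two networks. Suggest extending the description, e.g. `Additional network interfaces for the instance template. Leave access_config empty unless an external IP on that interface is intended.`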
16 changes: 9 additions & 7 deletions main.tf
Expand Up @@ -46,13 +46,15 @@ module "instance_template" {
source = "terraform-google-modules/vm/google//modules/instance_template"
version = "~> 7.3"

name_prefix = var.name_prefix
project_id = var.project
machine_type = var.machine_type
disk_size_gb = var.disk_size_gb
disk_type = var.disk_type
subnetwork = var.subnet
subnetwork_project = var.host_project
name_prefix = var.name_prefix
project_id = var.project
machine_type = var.machine_type
disk_size_gb = var.disk_size_gb
disk_type = var.disk_type
subnetwork = var.subnet
subnetwork_project = var.host_project
additional_networks = var.additional_networks

service_account = {
email = local.service_account_email
scopes = var.scopes
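Review bot: the IAP SSH firewall rule this module manages (`create_firewall_rule`, `fw_name_allow_ssh_from_iap`) is not touched by this change, so it will not apply to interfaces added through `additional_networks = var.additional_networks`; either state in the variable description that the caller owns the firewall rules for the extra networks, or extend the rule creation to them. Also confirm that `version = "~> 7.3"` of the instance_template module already accepts `additional_networks`, since the constraint was not bumped alongside the new input.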
3 changes: 3 additions & 0 deletions modules/bastion-group/README.md
Expand Up @@ -73,6 +73,7 @@ provision a project with the necessary APIs enabled.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional\_networks | Additional network interface details for the instance template, if any. | <pre>list(object({<br> network = string<br> subnetwork = string<br> subnetwork_project = string<br> network_ip = string<br> access_config = list(object({<br> nat_ip = string<br> network_tier = string<br> }))<br> }))</pre> | `[]` | no |
| fw\_name\_allow\_ssh\_from\_health\_check\_cidrs | Firewall rule name for allowing Health Checks | `string` | `"allow-ssh-from-health-check-cidrs"` | no |
| fw\_name\_allow\_ssh\_from\_iap | Firewall rule name for allowing SSH from IAP | `string` | `"allow-ssh-from-iap-to-bastion-group"` | no |
| health\_check | Health check config for the mig. | <pre>object({<br> type = string<br> initial_delay_sec = number<br> check_interval_sec = number<br> healthy_threshold = number<br> timeout_sec = number<br> unhealthy_threshold = number<br> response = string<br> proxy_header = string<br> port = number<br> request = string<br><br> # Unused fields.<br> request_path = string<br> host = string<br> })</pre> | <pre>{<br> "check_interval_sec": 30,<br> "healthy_threshold": 1,<br> "host": "",<br> "initial_delay_sec": 30,<br> "port": 22,<br> "proxy_header": "NONE",<br> "request": "",<br> "request_path": "",<br> "response": "",<br> "timeout_sec": 10,<br> "type": "tcp",<br> "unhealthy_threshold": 5<br>}</pre> | no |
Expand All @@ -82,12 +83,14 @@ provision a project with the necessary APIs enabled.
| labels | Key-value map of labels to assign to the bastion host | `map(any)` | `{}` | no |
| machine\_type | Instance type for the Bastion host | `string` | `"n1-standard-1"` | no |
| members | List of IAM resources to allow access to the bastion host | `list(string)` | `[]` | no |
| metadata | Key-value map of additional metadata to assign to the instances | `map(string)` | `{}` | no |
| name | Name prefix of bastion instances | `string` | `"bastion"` | no |
| network | Self link for the network on which the Bastion should live | `any` | n/a | yes |
| project | The project ID to deploy to | `any` | n/a | yes |
| random\_role\_id | Enables role random id generation. | `bool` | `true` | no |
| region | The primary region where the bastion host will live | `string` | `"us-central1"` | no |
| scopes | List of scopes to attach to the bastion host | `list` | <pre>[<br> "cloud-platform"<br>]</pre> | no |
| service\_account\_email | If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the parent module `service_account_roles` variable so that logging and OS Login work as expected. | `string` | `""` | no |
| service\_account\_name | Account ID for the service account | `string` | `"bastion-group"` | no |
| service\_account\_roles | List of IAM roles to assign to the service account. | `list` | <pre>[<br> "roles/logging.logWriter",<br> "roles/monitoring.metricWriter",<br> "roles/monitoring.viewer",<br> "roles/compute.osLogin"<br>]</pre> | no |
| service\_account\_roles\_supplemental | An additional list of roles to assign to the bastion if desired | `list` | `[]` | no |
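Review bot: the `metadata` and `service\_account\_email` rows are new inputs that the commit title ("pass additional networks") does not mention; note them in the message or split them out. For `metadata`, `map(string)` lets a caller set any instance metadata key, so check how it is merged with what the parent module already sets: OS Login is part of this module's access model (`roles/compute.osLogin` in `service\_account\_roles`), and if caller keys win, `enable-oslogin` could be overridden here. Either document that or filter the key.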
3 changes: 3 additions & 0 deletions modules/bastion-group/main.tf
Expand Up @@ -28,15 +28,18 @@ module "iap_bastion" {
host_project = var.host_project
scopes = var.scopes
service_account_name = var.service_account_name
service_account_email = var.service_account_email
service_account_roles = var.service_account_roles
service_account_roles_supplemental = var.service_account_roles_supplemental
shielded_vm = var.shielded_vm
startup_script = var.startup_script
subnet = var.subnet
additional_networks = var.additional_networks
zone = var.zone
random_role_id = var.random_role_id
fw_name_allow_ssh_from_iap = var.fw_name_allow_ssh_from_iap
create_instance_from_template = false
metadata = var.metadata
}

module "mig" {
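Review bot: `service_account_email = var.service_account_email` is passed in the same block as `service_account_name`, `service_account_roles`, `service_account_roles_supplemental` and `random_role_id`, but per the new variable's description those become no-ops once an email is set (the account and its bindings are not created). Add a comment or README note saying so, otherwise a caller may believe the listed roles are still being bound. The `mig` module below is not in the diff; confirm its health check and the IAP rule still target the primary interface only after `additional_networks` is wired through.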
27 changes: 27 additions & 0 deletions modules/bastion-group/variables.tf
Expand Up @@ -135,6 +135,12 @@ variable "service_account_name" {
default = "bastion-group"
}

variable "service_account_email" {
description = "If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the parent module `service_account_roles` variable so that logging and OS Login work as expected."
default = ""
type = string
}

variable "shielded_vm" {
description = "Enable shielded VM on the bastion host (recommended)"
default = true
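Review bot: `service_account_email` accepts any string, and a typo silently disables creation of the module's own account while binding nothing. A `validation` block would catch that early, e.g. `condition = var.service_account_email == "" || can(regex("^[^@]+@[^@]+$", var.service_account_email))` with an error message pointing at the description.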
Expand Down Expand Up @@ -170,3 +176,24 @@ variable "fw_name_allow_ssh_from_iap" {
description = "Firewall rule name for allowing SSH from IAP"
default = "allow-ssh-from-iap-to-bastion-group"
}

variable "additional_networks" {
description = "Additional network interface details for the instance template, if any."
default = []
type = list(object({
network = string
subnetwork = string
subnetwork_project = string
network_ip = string
access_config = list(object({
nat_ip = string
network_tier = string
}))
}))
}

variable "metadata" {
type = map(string)
description = "Key-value map of additional metadata to assign to the instances"
default = {}
}
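Review bot: every attribute of the `additional_networks` object type is required, so a caller adding one private interface still has to spell out `network_ip` and `access_config` (for example `network_ip = ""` and `access_config = []`); a missing attribute fails at plan time with a type error rather than a helpful message. Either mark the rarely used ones with `optional()` (Terraform 1.3+) or show the minimal element in the description. The same definition is repeated verbatim in the root `variables.tf` in this commit; keep the two in sync or document that the group module is a pass-through.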
16 changes: 16 additions & 0 deletions variables.tf
Expand Up @@ -235,3 +235,19 @@ variable "create_firewall_rule" {
description = "If we need to create the firewall rule or not."
default = true
}

variable "additional_networks" {
description = "Additional network interface details for the instance template, if any."
default = []
type = list(object({
network = string
subnetwork = string
subnetwork_project = string
network_ip = string
access_config = list(object({
nat_ip = string
network_tier = string
}))
}))
}
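Review bot: nothing stops a caller from putting an `access_config` entry on an additional interface, which gives the bastion an external IP outside the IAP path the module is built around. If that is not an intended use, add a `validation` block, e.g. `condition = alltrue([for n in var.additional_networks : length(n.access_config) == 0])`; if it is intended, say so in the description so the trade-off is explicit.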
