This module creates a new VPC network with 1 or more subnetworks and a Cloud Router for every region with a subnetwork. By default, it will create:

- A Cloud NAT to enable outbound access to the public internet for VMs without public IP addresses; VMs with public IP addresses bypass the NAT to directly access the public internet
- A firewall rule that enables inbound SSH access from Identity-Aware Proxy
- A firewall rule that enables all traffic internal to the network

This behavior is optional and can be configured as described below. This module is based on networking support in the Cloud Foundation Toolkit. We recommend following the documentation for the network module and submodules for more details. In particular, the detailed structure of input variables can be found for:

Additionally, Google Private Access is enabled by default on all subnetworks unless it is explicitly disabled. This setting ensures that all VMs can use Google services such as Cloud Storage even if they do not have public IP addresses or Cloud NAT is disabled.
This creates a new VPC network named `cluster-net`.

```yaml
- id: network1
  source: modules/network/vpc
  settings:
    network_name: cluster-net
```
The variables listed below have been deprecated and will be removed in a future release. Until they are removed, you may continue to use them in Toolkit blueprints with the same functionality as documented in the Toolkit 1.0 release.

Deprecated variables:

- `var.primary_subnetwork`
- `var.additional_subnetworks`
- `var.subnetwork_size`

The following variables have been added to support explicit IP ranges for subnetworks while retaining existing functionality. We advise adopting them even if not using explicit IP ranges. The Toolkit does not support mixing deprecated variables with the new replacements. The new functionality is described in more detail below.

New variables to adopt:

- `var.subnetworks`
  - A value for this can be generated by merging `var.primary_subnetwork` and `var.additional_subnetworks` into a single list
- `var.default_primary_subnetwork_size`
  - This variable has been renamed for clarity; its value can be directly copied from an explicit setting for `var.subnetwork_size`; if your blueprint does not have an explicit setting, the default values are the same
This module will always provision at least 1 "primary" subnetwork in which most resources are expected to be provisioned. This primary subnetwork is determined by:

- The first element of `var.subnetworks` if it is not the empty list
- A default subnetwork automatically calculated from

If `var.subnetworks` is provided then the primary subnetwork name is taken explicitly from it and `var.subnetwork_name` is ignored.
`var.subnetworks` behaves identically to the Cloud Foundation Toolkit subnets module with the lone exception that one can provide one of the following settings for each subnetwork:

- `new_bits`
- `subnet_ip`

If each subnetwork defines `subnet_ip`, then these are taken to be their explicit CIDR IP ranges. If each subnetwork defines `new_bits`, then these are taken to be the size of each CIDR subnetwork, expressed as the number of additional prefix bits beyond the base range. IP ranges for each subnetwork are then calculated using `var.network_address_range` as the base IP, producing the most compact set of subnetworks possible.
NOTE: we do not presently support the modification of individual subnetworks when using this module to provision more than 1 subnetwork using automatically calculated IP ranges based upon `new_bits`. Doing so will cause IP ranges to be recalculated for each subnetwork. We advise appending new subnetworks to the end of `var.subnetworks`.
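As an added example (not code from the Cluster Toolkit module itself), the following Python reproduces the `new_bits` allocation described above and shows why inserting a subnetwork anywhere other than the end of `var.subnetworks` shifts the ranges of the entries after it. It assumes the module allocates ranges the way Terraform's `cidrsubnets()` does: consecutively from `var.network_address_range`, each range aligned to its own size; the subnetwork names and sizes are constructed sample data.

```python
import ipaddress

def allocate_subnets(base_cidr, new_bits):
    """Carve one range per new_bits entry out of base_cidr, consecutively.
    Each range is aligned to its own size (Terraform cidrsubnets() semantics;
    assumed here to match the module's new_bits handling)."""
    base = ipaddress.ip_network(base_cidr)
    cursor, end = int(base.network_address), int(base.broadcast_address) + 1
    ranges = []
    for bits in new_bits:
        prefix = base.prefixlen + bits
        if bits < 1 or prefix > base.max_prefixlen:
            raise ValueError(f"new_bits={bits} is invalid for {base_cidr}")
        size = 1 << (base.max_prefixlen - prefix)
        cursor = -(-cursor // size) * size          # align up to the block size
        if cursor + size > end:
            raise ValueError("subnetworks do not fit inside the base range")
        ranges.append(str(ipaddress.ip_network((cursor, prefix))))
        cursor += size
    return ranges

def plan_subnetworks(base_cidr, subnetworks):
    """Map subnet_name -> CIDR for a var.subnetworks list. Every entry must use
    subnet_ip, or every entry must use new_bits; mixing the two is rejected."""
    if all("subnet_ip" in s for s in subnetworks):
        return {s["subnet_name"]: s["subnet_ip"] for s in subnetworks}
    if all("new_bits" in s for s in subnetworks):
        ranges = allocate_subnets(base_cidr, [s["new_bits"] for s in subnetworks])
        return {s["subnet_name"]: r for s, r in zip(subnetworks, ranges)}
    raise ValueError("set subnet_ip on every subnetwork, or new_bits on every one")

def changed_ranges(base_cidr, before, after):
    """Names of subnetworks whose computed range differs after editing the list."""
    old, new = plan_subnetworks(base_cidr, before), plan_subnetworks(base_cidr, after)
    return sorted(n for n in old if n in new and old[n] != new[n])

# Constructed sample using the module's default base range (10.0.0.0/9).
SUBNETS = [
    {"subnet_name": "primary", "subnet_region": "us-central1", "new_bits": 6},
    {"subnet_name": "storage", "subnet_region": "us-central1", "new_bits": 9},
]
EXTRA = {"subnet_name": "login", "subnet_region": "us-east1", "new_bits": 9}

if __name__ == "__main__":
    print(plan_subnetworks("10.0.0.0/9", SUBNETS))
    print("prepend shifts:", changed_ranges("10.0.0.0/9", SUBNETS, [EXTRA] + SUBNETS))
    print("append shifts: ", changed_ranges("10.0.0.0/9", SUBNETS, SUBNETS + [EXTRA]))
```

Prepending `login` moves both existing subnetworks to new ranges, while appending it leaves them untouched, which is the reason for the advice above.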
By default a firewall rule is created to allow inbound SSH access from Identity-Aware Proxy. A user must have the IAP-Secured Tunnel User (`roles/iap.tunnelResourceAccessor`) IAM role to be able to SSH over IAP.

To allow regular SSH access from a known IP address you can add the following `firewall_rules` setting to the `vpc` module:

```yaml
- id: network1
  source: modules/network/vpc
  settings:
    firewall_rules:
    - name: ssh-my-machine
      direction: INGRESS
      ranges: [<your-ip-address>/32]
      allow:
      - protocol: tcp
        ports: [22]
```

Note: You must populate the above example with the source IP address from which you plan to SSH. You can use a service like whatismyip.com to determine your IP address.

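As an added check (not part of the module), the following Python takes a blueprint's `firewall_rules` list as dicts in the same shape as the YAML above and flags INGRESS rules that admit tcp/22 from anything wider than the single `/32` host the example recommends. The port and direction defaults follow Compute Engine firewall semantics; the sample rules are constructed.

```python
import ipaddress

def _port_matches(port_spec, port):
    """True if a ports entry ('22', 22 or a '20-25' range) covers the port."""
    low, _, high = str(port_spec).partition("-")
    return int(low) <= port <= int(high or low)

def _rule_opens_port(rule, port):
    """Compute Engine semantics: protocol 'all', or tcp with no ports list,
    allows every port."""
    for entry in rule.get("allow", []):
        proto = entry.get("protocol", "").lower()
        if proto == "all":
            return True
        if proto == "tcp" and (not entry.get("ports") or
                               any(_port_matches(p, port) for p in entry["ports"])):
            return True
    return False

def broad_ssh_sources(firewall_rules, port=22):
    """Return (rule name, source range) pairs for INGRESS rules that allow tcp/22
    from a range wider than one host. Direction defaults to INGRESS as in GCE."""
    findings = []
    for rule in firewall_rules:
        if rule.get("direction", "INGRESS").upper() != "INGRESS":
            continue
        if not _rule_opens_port(rule, port):
            continue
        for source in rule.get("ranges", []):
            if ipaddress.ip_network(source, strict=False).num_addresses > 1:
                findings.append((rule["name"], source))
    return findings

# Constructed sample rules in the shape of the vpc module's firewall_rules setting.
SAMPLE_RULES = [
    {"name": "ssh-my-machine", "direction": "INGRESS", "ranges": ["203.0.113.7/32"],
     "allow": [{"protocol": "tcp", "ports": [22]}]},
    {"name": "ssh-office", "direction": "INGRESS", "ranges": ["198.51.100.0/24"],
     "allow": [{"protocol": "tcp", "ports": ["20-25"]}]},
    {"name": "ssh-anywhere", "ranges": ["0.0.0.0/0"], "allow": [{"protocol": "tcp"}]},
    {"name": "https-public", "direction": "INGRESS", "ranges": ["0.0.0.0/0"],
     "allow": [{"protocol": "tcp", "ports": [443]}]},
]

if __name__ == "__main__":
    for name, source in broad_ssh_sources(SAMPLE_RULES):
        print(f"{name}: tcp/22 reachable from {source}")
```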
Copyright 2022 Google LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

| Name | Version |
|---|---|
| terraform | >= 0.15.0 |

| Name | Version |
|---|---|
| terraform | n/a |

| Name | Source | Version |
|---|---|---|
| cloud_router | terraform-google-modules/cloud-router/google | ~> 6.0 |
| nat_ip_addresses | terraform-google-modules/address/google | ~> 4.1 |
| vpc | terraform-google-modules/network/google | ~> 10.0 |

| Name | Type |
|---|---|
| terraform_data.cloud_nat_validation | resource |
| terraform_data.secondary_ranges_validation | resource |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_subnetworks | DEPRECATED: please see https://goo.gle/hpc-toolkit-vpc-deprecation for migration instructions | `list(map(string))` | `null` | no |
| allowed_ssh_ip_ranges | A list of CIDR IP ranges from which to allow ssh access | `list(string)` | `[]` | no |
| default_primary_subnetwork_size | The size, in CIDR bits, of the default primary subnetwork unless explicitly defined in var.subnetworks | `number` | `15` | no |
| delete_default_internet_gateway_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
| deployment_name | The name of the current deployment | `string` | n/a | yes |
| enable_cloud_nat | Enable the creation of Cloud NATs. | `bool` | `true` | no |
| enable_cloud_router | Enable the creation of a Cloud Router for your VPC. For more information on Cloud Routers see https://cloud.google.com/network-connectivity/docs/router/concepts/overview | `bool` | `true` | no |
| enable_iap_rdp_ingress | Enable a firewall rule to allow Windows Remote Desktop Protocol access using IAP tunnels | `bool` | `false` | no |
| enable_iap_ssh_ingress | Enable a firewall rule to allow SSH access using IAP tunnels | `bool` | `true` | no |
| enable_iap_winrm_ingress | Enable a firewall rule to allow Windows Remote Management (WinRM) access using IAP tunnels | `bool` | `false` | no |
| enable_internal_traffic | Enable a firewall rule to allow all internal TCP, UDP, and ICMP traffic within the network | `bool` | `true` | no |
| extra_iap_ports | A list of TCP ports for which to create firewall rules that enable IAP for TCP forwarding (use dedicated enable_iap variables for standard ports) | `list(string)` | `[]` | no |
| firewall_log_config | Firewall log configuration for Toolkit firewall rules (var.enable_iap_ssh_ingress and others) | `string` | `"DISABLE_LOGGING"` | no |
| firewall_rules | List of firewall rules | `any` | `[]` | no |
| ips_per_nat | The number of IP addresses to allocate for each regional Cloud NAT (set to 0 to disable NAT) | `number` | `2` | no |
| labels | Labels to add to network resources that support labels. Key-value pairs of strings. | `map(string)` | `{}` | no |
| mtu | The network MTU (default: 8896). Recommended values: 0 (use Compute Engine default), 1460 (default outside HPC environments), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively. | `number` | `8896` | no |
| network_address_range | IP address range (CIDR) for global network | `string` | `"10.0.0.0/9"` | no |
| network_description | An optional description of this resource (changes will trigger resource destroy/create) | `string` | `""` | no |
| network_name | The name of the network to be created (if unsupplied, will default to "{deployment_name}-net") | `string` | `null` | no |
| network_profile | A full or partial URL of the network profile to apply to this network. This field can be set only at resource creation time. For example, the following are valid URLs: https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} or projects/{projectId}/global/networkProfiles/{network_profile_name} | `string` | `null` | no |
| network_routing_mode | The network routing mode (default "GLOBAL") | `string` | `"GLOBAL"` | no |
| primary_subnetwork | DEPRECATED: please see https://goo.gle/hpc-toolkit-vpc-deprecation for migration instructions | `map(string)` | `null` | no |
| project_id | Project in which the HPC deployment will be created | `string` | n/a | yes |
| region | The default region for Cloud resources | `string` | n/a | yes |
| secondary_ranges | Secondary ranges associated with the subnets. This will be deprecated in favour of secondary_ranges_list at a later date. Please migrate to using the same. | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
| secondary_ranges_list | List of secondary ranges associated with the subnetworks. Each subnetwork must be specified at most once in this list. | `list(object({` | `[]` | no |
| shared_vpc_host | Makes this project a Shared VPC host if 'true' (default 'false') | `bool` | `false` | no |
| subnetwork_name | The name of the network to be created (if unsupplied, will default to "{deployment_name}-primary-subnet") | `string` | `null` | no |
| subnetwork_size | DEPRECATED: please see https://goo.gle/hpc-toolkit-vpc-deprecation for migration instructions | `number` | `null` | no |
| subnetworks | List of subnetworks to create within the VPC. If left empty, it will be replaced by a single, default subnetwork constructed from other parameters (e.g. var.region). In all cases, the first subnetwork in the list is identified by outputs as a "primary" subnetwork. subnet_name (string, required, name of subnet); subnet_region (string, required, region of subnet); subnet_ip (string, mutually exclusive with new_bits, CIDR-formatted IP range for subnetwork); new_bits (number, mutually exclusive with subnet_ip, CIDR bits used to calculate subnetwork range); subnet_private_access (bool, optional, Enable Private Access on subnetwork); subnet_flow_logs (map(string), optional, Configure Flow Logs, see terraform-google-network module); description (string, optional, Description of Network); purpose (string, optional, related to Load Balancing); role (string, optional, related to Load Balancing) | `list(map(string))` | `[]` | no |

| Name | Description |
|---|---|
nat_ips | External IPs of the Cloud NAT from which outbound internet traffic will arrive (empty list if no NAT is used) |
network_id | ID of the new VPC network |
network_name | Name of the new VPC network |
network_self_link | Self link of the new VPC network |
subnetwork | Primary subnetwork object |
subnetwork_address | IP address range of the primary subnetwork |
subnetwork_name | Name of the primary subnetwork |
subnetwork_self_link | Self link of the primary subnetwork |
subnetworks | Full list of subnetwork objects belonging to the new VPC network |