truefoundry · dunefro · Sep 13, 2023 · Sep 12, 2023 · Sep 12, 2023
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -0,0 +1,40 @@
+name: Lint
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  tflint:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    steps:
+    - uses: actions/checkout@v3
+      name: Checkout source code
+
+    - uses: actions/cache@v3
+      name: Cache plugin dir
+      with:
+        path: ~/.tflint.d/plugins
+        key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+    - uses: terraform-linters/setup-tflint@v3
+      name: Setup TFLint
+      with:
+        tflint_version: v0.47.0
+
+    - name: Show version
+      run: tflint --version
+
+    - name: Init TFLint
+      run: tflint --init
+      env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Run TFLint
+      run: tflint --minimum-failure-severity=error -f compact
diff --git a/README.md b/README.md
@@ -1,2 +1,54 @@
 # terraform-google-truefoundry-network
 Truefoundry Google Cloud Network Module
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 4.81.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 4.81.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cloud_router"></a> [cloud\_router](#module\_cloud\_router) | terraform-google-modules/cloud-router/google | 6.0.1 |
+| <a name="module_network"></a> [network](#module\_network) | terraform-google-modules/network/google | 7.3.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_network.gcn](https://registry.terraform.io/providers/hashicorp/google/4.81.0/docs/data-sources/compute_network) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
+| <a name="input_enable_flow_logs"></a> [enable\_flow\_logs](#input\_enable\_flow\_logs) | Enable flow logs for subnets | `bool` | `false` | no |
+| <a name="input_enable_private_access"></a> [enable\_private\_access](#input\_enable\_private\_access) | Private access for subnets | `bool` | `true` | no |
+| <a name="input_network_name"></a> [network\_name](#input\_network\_name) | SHIM: network name | `string` | n/a | yes |
+| <a name="input_network_vpc_secondary_ranges"></a> [network\_vpc\_secondary\_ranges](#input\_network\_vpc\_secondary\_ranges) | List of secondary ranges | <pre>list(object({<br>    range_name    = string<br>    ip_cidr_range = string<br>  }))</pre> | n/a | yes |
+| <a name="input_private_subnet_cidr"></a> [private\_subnet\_cidr](#input\_private\_subnet\_cidr) | CIDR range for private subnet | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project ID in which clusters are deployed | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | Region to deploy your cluster in | `string` | n/a | yes |
+| <a name="input_routing_mode"></a> [routing\_mode](#input\_routing\_mode) | Routing mode for the network | `string` | `"GLOBAL"` | no |
+| <a name="input_shim"></a> [shim](#input\_shim) | If true will not create the network and forward the input values to the same outputs. | `bool` | `false` | no |
+| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | SHIM: Subnetwork ID | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_network_id"></a> [network\_id](#output\_network\_id) | n/a |
+| <a name="output_network_name"></a> [network\_name](#output\_network\_name) | n/a |
+| <a name="output_subnet_id"></a> [subnet\_id](#output\_subnet\_id) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/gcn.tf b/gcn.tf
@@ -1,58 +1,107 @@
-resource "google_compute_network" "this" {
-  count                   = var.shim == true ? 0 : 1
-  name                    = "${var.cluster_name}-vpc"
-  auto_create_subnetworks = "false"
-  routing_mode            = "GLOBAL"
+# Create a VPC network
+data "google_compute_network" "gcn" {
+  count = var.shim ? 1 : 0
+  name  = var.network_name
 }
 
-resource "google_compute_subnetwork" "cluster" {
-  count         = var.shim == true ? 0 : 1
-  name          = "${var.cluster_name}-vpc"
-  ip_cidr_range = var.network_vpc_cidr
-  network       = google_compute_network.this[0].id
-  region        = var.region
+module "network" {
+  count                   = var.shim ? 0 : 1
+  source                  = "terraform-google-modules/network/google"
+  version                 = "7.3.0"
+  description             = "Truefoundry network for ${var.cluster_name}"
+  project_id              = var.project_id
+  network_name            = local.network_name
+  routing_mode            = var.routing_mode
+  auto_create_subnetworks = false
 
-  secondary_ip_range = var.network_vpc_secondary_ranges
-
-  private_ip_google_access = true
-}
-
-resource "google_compute_address" "cluster" {
-  count  = var.shim == true ? 0 : 1
-  name   = "${var.cluster_name}-address"
-  region = var.region
-}
-
-resource "google_compute_router" "cluster" {
-  count   = var.shim == true ? 0 : 1
-  name    = "${var.cluster_name}-router"
-  network = google_compute_network.this[0].id
-}
-
-resource "google_compute_router_nat" "cluster" {
-  count                              = var.shim == true ? 0 : 1
-  router                             = google_compute_router.cluster[0].name
-  name                               = "${var.cluster_name}-nat"
-  nat_ip_allocate_option             = "MANUAL_ONLY"
-  nat_ips                            = [google_compute_address.cluster[0].self_link]
-  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
-  subnetwork {
-    name                    = google_compute_subnetwork.cluster[0].id
-    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
+  subnets = [
+    {
+      subnet_name           = local.private_subnet_name
+      subnet_ip             = var.private_subnet_cidr
+      subnet_region         = var.region
+      subnet_private_access = var.enable_private_access
+      subnet_flow_logs      = var.enable_flow_logs
+    }
+  ]
+  secondary_ranges = {
+    # has to be passed in interpolation otherwise it give error
+    "${local.private_subnet_name}" = var.network_vpc_secondary_ranges
   }
-  depends_on = [google_compute_address.cluster[0]]
+  ingress_rules = [
+    {
+      name          = "ingress-allow-http-https"
+      description   = "Allow port 80 and 443"
+      source_ranges = ["0.0.0.0/0"]
+      allow = [
+        {
+          protocol = "tcp"
+          ports    = ["80", "443"]
+        }
+      ]
+    },
+    {
+      name          = "ingress-allow-internal"
+      description   = "Allow all ports inside a subnet"
+      source_ranges = [var.private_subnet_cidr]
+      allow = [
+        {
+          protocol = "tcp"
+        }
+      ]
+    }
+  ]
+  egress_rules = [
+    {
+      name               = "egress-allow-all"
+      description        = "Allow egress"
+      source_ranges      = ["0.0.0.0/0"]
+      destination_ranges = ["0.0.0.0/0"]
+      allow = [
+        {
+          protocol = "tcp"
+        },
+        {
+          protocol = "udp"
+        }
+      ]
+    },
+  ]
+  routes = [
+    {
+      name              = "egress-internet"
+      description       = "Route through IGW to access internet"
+      destination_range = "0.0.0.0/0"
+      tags              = "egress-inet"
+      next_hop_internet = "true"
+    },
+  ]
+  shared_vpc_host = false
 }
 
-resource "google_compute_firewall" "cluster_allow_all" {
-  count   = var.shim == true ? 0 : 1
-  name    = "${var.cluster_name}-cluster-allow-all"
-  network = google_compute_network.this[0].name
-
-  allow {
-    protocol = "tcp"
-  }
-
-  priority = 1000
-
-  source_ranges = ["0.0.0.0/0"]
+module "cloud_router" {
+  count       = var.shim ? 0 : 1
+  source      = "terraform-google-modules/cloud-router/google"
+  version     = "6.0.1"
+  description = "Truefoundry NAT router for ${var.cluster_name}"
+  name        = local.router_name
+  project     = var.project_id
+  region      = var.region
+  network     = module.network[0].network_name
+  nats = [
+    {
+      name                               = local.nat_name
+      nat_ip_allocate_option             = "AUTO_ONLY"
+      source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+      subnetworks = [
+        {
+          name                    = local.private_subnet_name
+          source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
+        }
+      ]
+      log_config = {
+        enabled = true
+        filter  = "ERRORS_ONLY"
+      }
+    }
+  ]
 }
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,13 @@
+locals {
+  network_name        = "${var.cluster_name}-vpc"
+  router_name         = "${var.cluster_name}-router"
+  private_subnet_name = "${local.network_name}-private"
+  nat_name            = "${local.router_name}-nat"
+  # tags = merge({
+  #   "terraform-module" = "gcp"
+  #   "terraform"        = "true"
+  #   "cluster-name"     = var.cluster_name
+  #   },
+  #   var.tags
+  # )
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,7 +1,11 @@
 output "network_name" {
-  value = var.shim == true ? var.network_name : google_compute_network.this[0].name
+  value = var.shim ? var.network_name : module.network[0].network_name
 }
 
-output "subnetwork_id" {
-  value = var.shim == true ? var.subnetwork_id : google_compute_subnetwork.cluster[0].id
-}
+output "network_id" {
+  value = var.shim ? data.google_compute_network.gcn[0].id : module.network[0].network_id
+}
+
+output "subnet_id" {
+  value = var.shim ? var.subnet_id : module.network[0].subnets_ids[0]
+} 
diff --git a/variables.tf b/variables.tf
@@ -1,4 +1,24 @@
-# From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/variables.tf
+################################################################################
+# Project
+################################################################################
+
+variable "project_id" {
+  description = "Project ID in which clusters are deployed"
+  type        = string
+}
+variable "region" {
+  description = "Region to deploy your cluster in"
+  type        = string
+}
+variable "cluster_name" {
+  description = "Name of the cluster"
+  type        = string
+}
+# variable "tags" {
+#   description = "A map of tags to add to all resources"
+#   type        = map(string)
+#   default     = {}
+# }
 
 ################################################################################
 # Network
@@ -8,51 +28,48 @@ variable "shim" {
   type        = bool
   default     = false
 }
-### Shim
 
+################################################################################
+# Network SHIM
+################################################################################
 variable "network_name" {
   description = "SHIM: network name"
   type        = string
 }
-variable "subnetwork_id" {
+variable "subnet_id" {
   description = "SHIM: Subnetwork ID"
   type        = string
 }
 
-### Non shim
-
+################################################################################
+# Network NON-SHIM
+################################################################################
 
-variable "cluster_name" {
-  description = "Name of the cluster"
+variable "routing_mode" {
+  description = "Routing mode for the network"
+  type        = string
+  default     = "GLOBAL"
+}
+variable "private_subnet_cidr" {
+  description = "CIDR range for private subnet"
   type        = string
 }
-
 variable "network_vpc_secondary_ranges" {
   description = "List of secondary ranges"
-  type        = list(any)
-}
-
-variable "network_vpc_cidr" {
-  description = "VPC CIDR"
-}
-
-################################################################################
-# Generic
-################################################################################
-
-
-variable "tags" {
-  description = "A map of tags to add to all resources"
-  type        = map(string)
-  default     = {}
+  type = list(object({
+    range_name    = string
+    ip_cidr_range = string
+  }))
 }
 
-variable "region" {
-  description = "region"
-  type        = string
+variable "enable_private_access" {
+  description = "Private access for subnets"
+  type        = bool
+  default     = true
 }
 
-variable "project" {
-  description = "GCP Project"
-  type        = string
+variable "enable_flow_logs" {
+  description = "Enable flow logs for subnets"
+  type        = bool
+  default     = false
 }