Example Terraform GCP org with Memcache in service project
# add memcache (Memorystore) example to development
resource "google_memcache_instance" "cache_dev" {
  # Memorystore for Memcached owned by the development service project but
  # attached to the shared non-prod VPC through the private-services peering
  # below. Memcached offers no client authentication, so reachability inside
  # authorized_network is the only access control — confirm the VPC firewall
  # rules are defined elsewhere; none appear in this file.
  provider = google-beta
  project  = google_project.development.project_id
  name     = "cache-dev"
  region   = var.region

  authorized_network = google_service_networking_connection.private_service_connection.network

  memcache_version = "MEMCACHE_1_5"
  node_count       = 1
  node_config {
    cpu_count      = 1
    memory_size_mb = 1024
  }

  # Neither the API enablement nor the peering is referenced as an attribute,
  # so ordering has to be made explicit.
  depends_on = [
    google_project_service.memcache_development,
    google_service_networking_connection.private_service_connection,
  ]
}
# service projects
# dev
resource "google_project" "development" {
  # Service project for product-x / non-production. The random suffix keeps
  # project_id globally unique; it is shared with the host project so both
  # ids change together if the random_id is recreated.
  name            = "development"
  project_id      = "development-${random_id.shared_random_id.hex}"
  billing_account = var.billing_account_id
  folder_id       = google_folder.non_production.name

  labels = {
    "dept"    : "engineering",
    "env"     : "non-production",
    "product" : "x",
  }
}
resource "google_project_service" "compute_development" {
  # Compute Engine API; required before the project can be attached as a
  # Shared VPC service project.
  service = "compute.googleapis.com"
  project = google_project.development.project_id
}
resource "google_project_service" "container_development" {
  # GKE API; enabling it also creates the project's GKE service agent, which
  # the subnet IAM binding below grants to.
  service = "container.googleapis.com"
  project = google_project.development.project_id
}
resource "google_project_service" "servicenetworking_development" {
  # Service Networking API in the service project (private services access).
  service = "servicenetworking.googleapis.com"
  project = google_project.development.project_id
}
resource "google_project_service" "memcache_development" {
  # Memorystore for Memcached API; a depends_on target of the cache instance.
  service = "memcache.googleapis.com"
  project = google_project.development.project_id
}
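resource "google_compute_shared_vpc_service_project" "service_dev" {
  # Attaches the development project to the non-prod Shared VPC host.
  host_project    = google_compute_shared_vpc_host_project.host_nonprod.project
  service_project = google_project.development.project_id

  # Attaching a service project requires the Compute Engine API to be enabled
  # in that project; nothing here references the enablement resource, so
  # without this the attach can race the API activation on a fresh apply.
  depends_on = [google_project_service.compute_development]
}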
# add IAM role to link project to shared subnet
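resource "google_compute_subnetwork_iam_member" "member_development" {
  # Grants the development project's GKE service agent permission to place
  # nodes in the shared k8s subnet. Scoped to one subnet rather than the host
  # project so the service project cannot use the other shared subnets.
  project    = google_project.shared_nw_nonprod.project_id
  region     = google_compute_subnetwork.subnet_dev_k8s.region
  subnetwork = google_compute_subnetwork.subnet_dev_k8s.name
  role       = "roles/compute.networkUser"
  member     = format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", google_project.development.number)

  # The GKE service agent only exists once container.googleapis.com is
  # enabled in the development project; binding to it earlier fails with a
  # "service account does not exist" error.
  depends_on = [google_project_service.container_development]

  # NOTE(review): GKE on Shared VPC also documents networkUser for the
  # project's Google APIs service account and container.hostServiceAgentUser
  # on the host project for the GKE agent; neither is in this file — confirm
  # whether they are managed elsewhere.
}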
# folders
resource "google_folder" "demo_org" {
  # Top of the demo hierarchy; the audit config and org policies below are
  # attached here so every descendant folder/project inherits them.
  parent       = var.root_folder
  display_name = "demo-org"
}
resource "google_folder" "shared_services" {
  # Holds the Shared VPC host project(s).
  parent       = google_folder.demo_org.name
  display_name = "shared-services"
}
resource "google_folder" "engineering" {
  # Parent for product folders.
  parent       = google_folder.demo_org.name
  display_name = "engineering"
}
resource "google_folder" "product_x" {
  # One folder per product; environments hang beneath it.
  parent       = google_folder.engineering.name
  display_name = "product-x"
}
resource "google_folder" "non_production" {
  # Environment folder; the development service project is created here.
  parent       = google_folder.product_x.name
  display_name = "non-production"
}
# audit config
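resource "google_folder_iam_audit_config" "audit_root_folder" {
  # Data Access audit logs for every service under demo-org. Admin Activity
  # logs are always on and need no configuration; Data Access logs must be
  # opted into. The original enabled only ADMIN_READ and DATA_READ, which
  # leaves data-modifying calls (writes, deletes) unrecorded — DATA_WRITE
  # closes that gap. Expect more log volume; use exempted_members to trim it
  # rather than dropping the log type.
  folder  = google_folder.demo_org.folder_id
  service = "allServices"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}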
# policies
resource "google_folder_organization_policy" "default_network_policy" {
  # New projects under demo-org get no "default" network (and none of its
  # permissive default firewall rules); all networking is defined explicitly.
  constraint = "compute.skipDefaultNetworkCreation"
  folder     = google_folder.demo_org.id

  boolean_policy {
    enforced = true
  }
}
resource "google_folder_organization_policy" "service_acct_key_policy" {
  # Blocks creation of user-managed service account keys, the usual source
  # of long-lived leaked credentials; workloads use attached identities.
  constraint = "iam.disableServiceAccountKeyCreation"
  folder     = google_folder.demo_org.id

  boolean_policy {
    enforced = true
  }
}
resource "google_folder_organization_policy" "shielded_vm_policy" {
  # Every VM must be a Shielded VM (verified boot / vTPM capable images).
  constraint = "compute.requireShieldedVm"
  folder     = google_folder.demo_org.id

  boolean_policy {
    enforced = true
  }
}
resource "google_folder_organization_policy" "restrict_vm_external_ip_policy" {
  # No VM under demo-org may have an external IP; ingress goes through the
  # bastion subnets and egress relies on Private Google Access / NAT, which
  # is not defined in this file.
  constraint = "compute.vmExternalIpAccess"
  folder     = google_folder.demo_org.id

  list_policy {
    deny {
      all = true
    }
  }
}
resource "google_compute_network" "vpc_devops" {
  # Custom-mode VPC in the non-prod host project; the name encodes its
  # 10.19.0.0 address block. No firewall rules are defined in this file.
  project                 = google_project.shared_nw_nonprod.project_id
  name                    = "devops-10-19-0-0"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"

  depends_on = [google_project_service.compute_shared_nw_nonprod]
}
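resource "google_compute_subnetwork" "subnet_devops_k8s" {
  # GKE node subnet for devops, with alias ranges for pods and services.
  name          = "k8s-nodes-devops"
  ip_cidr_range = "10.19.0.0/22"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_devops.id

  # Nodes have no external IP (org policy), so Google APIs are reached privately.
  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "k8s-pods-devops"
    ip_cidr_range = "10.89.0.0/18"
  }
  secondary_ip_range {
    range_name    = "k8s-svcs-devops"
    ip_cidr_range = "10.89.64.0/22"
  }

  # VPC Flow Logs were not enabled; without them there is no per-subnet
  # network telemetry for detection or incident forensics. 50% sampling keeps
  # volume moderate for a non-prod subnet.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}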
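resource "google_compute_subnetwork" "subnet_devops_bastion" {
  # Small (/29) subnet for bastion hosts — the administrative entry point,
  # so its traffic is the most worth logging.
  name          = "bastion-devops"
  ip_cidr_range = "10.19.64.0/29"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_devops.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; without them there is no record of who
  # connected to the bastion subnet for detection or forensics.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}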
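resource "google_compute_subnetwork" "subnet_devops_vms" {
  # General-purpose VM subnet for devops.
  name          = "vms-devops"
  ip_cidr_range = "10.19.65.0/24"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_devops.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; added for network telemetry (detection,
  # forensics). 50% sampling keeps volume moderate for non-prod.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}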
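resource "google_compute_subnetwork" "subnet_devops_dbs" {
  # Database subnet for devops; kept separate so firewall rules can scope
  # database access by subnet range.
  name          = "databases-devops"
  ip_cidr_range = "10.19.70.0/24"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_devops.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; added for network telemetry (detection,
  # forensics) on a subnet holding data stores.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}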
resource "google_compute_network" "vpc_development" {
  # Custom-mode VPC for the development environment (10.12.0.0 block),
  # owned by the non-prod host project and shared to the development
  # service project. No firewall rules are defined in this file.
  project                 = google_project.shared_nw_nonprod.project_id
  name                    = "dev-10-12-0-0"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"

  depends_on = [google_project_service.compute_shared_nw_nonprod]
}
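resource "google_compute_subnetwork" "subnet_dev_k8s" {
  # GKE node subnet for development; the subnet the development project's
  # GKE service agent is granted networkUser on.
  name          = "k8s-nodes-dev"
  ip_cidr_range = "10.12.0.0/22"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_development.id

  # Nodes have no external IP (org policy), so Google APIs are reached privately.
  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "k8s-pods-dev"
    ip_cidr_range = "10.82.0.0/18"
  }
  secondary_ip_range {
    range_name    = "k8s-svcs-dev"
    ip_cidr_range = "10.82.64.0/22"
  }

  # VPC Flow Logs were not enabled; without them there is no per-subnet
  # network telemetry for detection or incident forensics. 50% sampling keeps
  # volume moderate for a non-prod subnet.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}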
resource "google_compute_global_address" "service_range" {
  # /16 internal range reserved for private services access (Google-managed
  # services such as Memorystore peer into the dev VPC from this range).
  provider = google-beta
  project  = google_project.shared_nw_nonprod.project_id
  name     = "devrange-${random_id.shared_random_id.hex}"
  network  = google_compute_network.vpc_development.id

  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
}
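resource "google_service_networking_connection" "private_service_connection" {
  # Private services access peering for the dev VPC; the memcache instance
  # in the service project attaches through this connection.
  provider = google-beta
  network  = google_compute_network.vpc_development.id
  service  = "servicenetworking.googleapis.com"

  reserved_peering_ranges = [google_compute_global_address.service_range.name]

  # Creating the peering requires the Service Networking API on the host
  # project; the enablement resource is not referenced by any attribute, so
  # the dependency must be explicit or a fresh apply can race it.
  depends_on = [google_project_service.servicenetworking_shared_nw_nonprod]
}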
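resource "google_compute_subnetwork" "subnet_dev_bastion" {
  # Small (/29) subnet for development bastion hosts — the administrative
  # entry point, so its traffic is the most worth logging.
  name          = "bastion-dev"
  ip_cidr_range = "10.12.64.0/29"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_development.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; without them there is no record of who
  # connected to the bastion subnet for detection or forensics.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}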
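resource "google_compute_subnetwork" "subnet_dev_vms" {
  # General-purpose VM subnet for development.
  name          = "vms-dev"
  ip_cidr_range = "10.12.65.0/24"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_development.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; added for network telemetry (detection,
  # forensics). 50% sampling keeps volume moderate for non-prod.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}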
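resource "google_compute_subnetwork" "subnet_dev_dbs" {
  # Database subnet for development; kept separate so firewall rules can
  # scope database access by subnet range.
  name          = "databases-dev"
  ip_cidr_range = "10.12.70.0/24"
  region        = var.region
  project       = google_project.shared_nw_nonprod.project_id
  network       = google_compute_network.vpc_development.id

  private_ip_google_access = true

  # VPC Flow Logs were not enabled; added for network telemetry (detection,
  # forensics) on a subnet holding data stores.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}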
# shared projects
# 4 random bytes (8 hex chars) appended to every project_id and to the
# peering range name so they are globally unique. Recreating this resource
# forces replacement of every project that uses it, so keep it in state.
resource "random_id" "shared_random_id" {
byte_length = 4
}
# host projects
# nonprod
resource "google_project" "shared_nw_nonprod" {
  # Shared VPC host project for all non-production environments. Owning the
  # networks here keeps network administration separate from the product
  # teams' service projects.
  name            = "shared-nw-nonprod"
  project_id      = "shared-nw-nonprod-${random_id.shared_random_id.hex}"
  billing_account = var.billing_account_id
  folder_id       = google_folder.shared_services.name

  labels = {
    "dept" : "network",
    "env"  : "non-production",
  }
}
resource "google_project_service" "compute_shared_nw_nonprod" {
  # Compute Engine API on the host project; the VPCs and the Shared VPC host
  # enablement depend on it explicitly.
  service = "compute.googleapis.com"
  project = google_project.shared_nw_nonprod.project_id
}
resource "google_project_service" "container_shared_nw_nonprod" {
  # GKE API on the host project (needed for GKE clusters in service projects
  # to use the shared subnets).
  service = "container.googleapis.com"
  project = google_project.shared_nw_nonprod.project_id
}
resource "google_project_service" "servicenetworking_shared_nw_nonprod" {
  # Service Networking API on the host project; required for the private
  # services access peering on the dev VPC.
  service = "servicenetworking.googleapis.com"
  project = google_project.shared_nw_nonprod.project_id
}
resource "google_compute_shared_vpc_host_project" "host_nonprod" {
  # Marks shared-nw-nonprod as a Shared VPC host. Compute API must already be
  # on, which is not expressed by any attribute reference.
  depends_on = [google_project_service.compute_shared_nw_nonprod]

  project = google_project.shared_nw_nonprod.project_id
}
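terraform {
  # The `source` form of required_providers only exists from Terraform 0.13.
  required_version = ">= 0.13"

  required_providers {
    # Pessimistic constraints: the original ">= 3.48.0" was unbounded, so a
    # fresh init could silently pull any future major release with breaking
    # changes and unreviewed code. Commit .terraform.lock.hcl (0.14+) so the
    # provider hashes are pinned for every machine that runs this config.
    google = {
      source  = "hashicorp/google"
      version = "~> 3.48"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 3.48"
    }
  }
}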
provider "google" {
  # Default location for resources that do not set region/zone themselves.
  # No credentials are configured here; they come from the environment
  # (ADC), which is the intended way to keep secrets out of the config.
  zone   = var.zone
  region = var.region
}
provider "google-beta" {
  # Beta provider is used by the memcache instance, the peering range and
  # the service networking connection; same defaults as the GA provider.
  zone   = var.zone
  region = var.region
}
variable "zone" {
  # Default zone for the providers; must lie within var.region.
  default = "australia-southeast1-a"
  type    = string
}
variable "region" {
  # Region for every subnet, the memcache instance and the providers.
  default = "australia-southeast1"
  type    = string
}
variable "root_folder" {
  # Parent of the demo-org folder, in "folders/<id>" form. The default is a
  # placeholder and must be supplied for a real deployment.
  default = "folders/NNNNNNNN"
  type    = string
}
variable "org_account_id" {
  # Organisation ID. The default is a redaction placeholder, not a valid
  # number literal, so this file will not validate until it is replaced.
  # Nothing in this file references the variable.
  default = NNNNNNN
  type    = number
}
# gcloud beta billing accounts list
variable "billing_account_id" {
  # Billing account attached to both projects; the default is a placeholder.
  # Override via -var / tfvars rather than editing this file.
  default = "012345-67890A-BCDEFG"
  type    = string
}