
@ibenrodriguez
Created October 20, 2019 11:36
attempt to reproduce test 2b
8 commits over 2 days 14 changed files with 170 additions and 73 deletions.
31 terraform/aws_compute.tf
@@ -39,11 +39,9 @@ resource "aws_instance" "vm2a" {
user_data = "${data.template_file.install_ubuntu_deps_vm2a.rendered}"
vpc_security_group_ids = [
"${aws_security_group.aws-allow-icmp.id}",
"${aws_security_group.aws-allow-ssh.id}",
"${aws_security_group.aws-allow-nginx.id}",
"${aws_security_group.aws-allow-icmp-gcp.id}"
"${aws_security_group.aws-allow-icmp-a.id}",
"${aws_security_group.aws-allow-ssh-a.id}",
"${aws_security_group.aws-allow-nginx-a.id}"
]
tags = {
@@ -63,10 +61,9 @@ resource "aws_instance" "vm2b" {
user_data = "${data.template_file.install_ubuntu_deps_vm2b.rendered}"
vpc_security_group_ids = [
"${aws_security_group.aws-allow-icmp.id}",
"${aws_security_group.aws-allow-ssh.id}",
"${aws_security_group.aws-allow-nginx.id}",
"${aws_security_group.aws-allow-icmp-gcp.id}"
"${aws_security_group.aws-allow-icmp-b.id}",
"${aws_security_group.aws-allow-ssh-b.id}",
"${aws_security_group.aws-allow-nginx-b.id}"
]
tags = {
@@ -86,11 +83,9 @@ resource "aws_instance" "vm2c" {
user_data = "${data.template_file.install_centos_deps_vm2c.rendered}"
vpc_security_group_ids = [
"${aws_security_group.aws-allow-icmp.id}",
"${aws_security_group.aws-allow-ssh.id}",
"${aws_security_group.aws-allow-nginx.id}",
"${aws_security_group.aws-allow-icmp-gcp.id}"
"${aws_security_group.aws-allow-icmp-a.id}",
"${aws_security_group.aws-allow-ssh-a.id}",
"${aws_security_group.aws-allow-nginx-a.id}"
]
tags = {
@@ -110,11 +105,9 @@ resource "aws_instance" "vm2d" {
user_data = "${data.template_file.install_centos_deps_vm2d.rendered}"
vpc_security_group_ids = [
"${aws_security_group.aws-allow-icmp.id}",
"${aws_security_group.aws-allow-ssh.id}",
"${aws_security_group.aws-allow-nginx.id}",
"${aws_security_group.aws-allow-icmp-gcp.id}"
"${aws_security_group.aws-allow-icmp-b.id}",
"${aws_security_group.aws-allow-ssh-b.id}",
"${aws_security_group.aws-allow-nginx-b.id}"
]
tags = {
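Review bot: Nothing in aws_compute.tf says why vm2a and vm2c get the `-a` group set while vm2b and vm2d get `-b`, and the group names alone do not reveal which policy each variant carries. A one-line comment above each `vpc_security_group_ids` list, e.g. `# variant "b": ingress limited to var.allowed_ip and the peer VPC ranges (aws_security_b.tf)` for vm2b/vm2d and the matching pointer to aws_security_a.tf for vm2a/vm2c, would let a reader tell the restricted pair from the open one without cross-reading three files. Each aws_instance block continues outside its hunk.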
34 terraform/aws_security.tf → terraform/aws_security_a.tf
@@ -1,6 +1,5 @@
resource "aws_security_group" "aws-allow-icmp" {
name = "aws-allow-icmp-${var.instance_id}"
resource "aws_security_group" "aws-allow-icmp-a" {
name = "aws-allow-icmp-a-${var.instance_id}"
description = "Allow icmp access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
@@ -19,29 +18,8 @@ resource "aws_security_group" "aws-allow-icmp" {
}
}
resource "aws_security_group" "aws-allow-icmp-gcp" {
name = "aws-allow-icmp-gcp-${var.instance_id}"
description = "Allow icmp access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
ingress {
from_port = 8
to_port = 0
protocol = "icmp"
cidr_blocks = ["${var.gcp_subnet_vpn}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${var.gcp_subnet_vpn}"]
}
}
resource "aws_security_group" "aws-allow-ssh" {
name = "aws-allow-ssh-${var.instance_id}"
resource "aws_security_group" "aws-allow-ssh-a" {
name = "aws-allow-ssh-a-${var.instance_id}"
description = "Allow ssh access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
@@ -60,8 +38,8 @@ resource "aws_security_group" "aws-allow-ssh" {
}
}
resource "aws_security_group" "aws-allow-nginx" {
name = "aws-allow-nginx-${var.instance_id}"
resource "aws_security_group" "aws-allow-nginx-a" {
name = "aws-allow-nginx-a-${var.instance_id}"
description = "Allow nginx access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
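Review bot: The rename to the `-a` groups drops `aws-allow-icmp-gcp`, which was the only group in this file scoped to `var.gcp_subnet_vpn` on both ingress and egress, while the `description` strings of `aws-allow-icmp-a`, `aws-allow-ssh-a` and `aws-allow-nginx-a` still read "Allow ... access from anywhere". The ingress and egress blocks of the `-a` groups lie outside these hunks, so whether cross-cloud ICMP for vm2a/vm2c now rides on a world-open rule or is simply lost cannot be confirmed from this page; the sibling `-b` file restricts to `var.allowed_ip` and the peer VPC ranges, which suggests `-a` is the deliberately open baseline. If that is the intent, the descriptions should state the ranges the group actually permits rather than the copied "from anywhere" text, so the a/b difference is visible in the console as well as in the code. Each resource body continues past its hunk.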
59 terraform/aws_security_b.tf
@@ -0,0 +1,59 @@
resource "aws_security_group" "aws-allow-icmp-b" {
name = "aws-allow-icmp-b-${var.instance_id}"
description = "Allow icmp access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
ingress {
from_port = 8
to_port = 0
protocol = "icmp"
cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "aws-allow-ssh-b" {
name = "aws-allow-ssh-b-${var.instance_id}"
description = "Allow ssh access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
}
}
resource "aws_security_group" "aws-allow-nginx-b" {
name = "aws-allow-nginx-b-${var.instance_id}"
description = "Allow nginx access from anywhere"
vpc_id = "${aws_vpc.aws_cluster_network.id}"
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
}
}
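Review bot: The egress on `aws-allow-icmp-b` is `0.0.0.0/0` while `aws-allow-ssh-b` and `aws-allow-nginx-b` restrict egress to `var.allowed_ip` and the three VPC ranges; security group rules are additive and vm2b/vm2d attach all three groups (aws_compute.tf), so the restricted egress rules on the ssh and nginx groups have no effect. If the `-b` variant is meant to confine outbound traffic, change the icmp group's egress line to `cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]`; if outbound is meant to stay open, drop the restricted egress blocks from the other two so the policy is stated once. The three `description` strings still say "from anywhere" although every ingress here is limited to the four ranges, so they should name the ranges instead. Note also that `var.allowed_ip` defaults to `""` in variables.tf, and an empty element in `cidr_blocks` is not a valid CIDR, so this file will likely be rejected at plan or apply until that variable is set.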
6 terraform/aws_variables.tf
@@ -15,10 +15,6 @@ variable "aws_vms_size" {
default = "t3.micro"
type = "string"
}
variable "aws_subnet_vpn" {
default = "10.242.0.0/16"
type = "string"
}
variable "aws_subnet2a1" {
default = "10.242.1.0/24"
type = "string"
@@ -35,7 +31,7 @@ variable "aws_subnet2b2" {
default = "10.242.4.0/24"
type = "string"
}
variable "aws_vpc_cidr" {
variable "aws_vpc" {
default = "10.242.0.0/16"
type = "string"
}
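Review bot: `variable "aws_subnet_vpn"` is removed here, but the gcp-allow-vpn firewall in gcp_security.tf still lists `"${var.aws_subnet_vpn}",` inside its new multi-line `source_ranges` block, which under the Terraform 0.11 syntax used throughout (`"${var.x}"` interpolation, `type = "string"`) fails at plan with an unknown-variable error. gcp_vpn.tf and azure_vpn.tf were updated to `var.aws_vpc`; the gcp_security.tf entry should be changed the same way, or simply deleted since `var.aws_vpc` already appears in that list and both variables defaulted to 10.242.0.0/16. The rendered diff does not preserve old/new markers, so if that line is in fact old-side context the point does not apply.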
2 terraform/aws_vpc.tf
@@ -3,7 +3,7 @@ data "aws_availability_zones" "available" {
}
resource "aws_vpc" "aws_cluster_network" {
cidr_block = "${var.aws_vpc_cidr}"
cidr_block = "${var.aws_vpc}"
tags = "${
map(
2 terraform/aws_vpn.tf
@@ -27,7 +27,7 @@ resource "aws_vpn_connection" "aws-vpn-connection1" {
}
resource "aws_vpn_connection_route" "gcp_hybrid_cloud-1" {
destination_cidr_block = "${var.gcp_subnet_vpn}"
destination_cidr_block = "${var.gcp_vpc}"
vpn_connection_id = "${aws_vpn_connection.aws-vpn-connection1.id}"
}
8 terraform/azure_compute.tf
@@ -89,7 +89,7 @@ resource "azurerm_network_interface" "vm3a-nic" {
name = "vm3a-nic-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"
ip_configuration {
name = "nic-config"
@@ -107,7 +107,7 @@ resource "azurerm_network_interface" "vm3b-nic" {
name = "vm3b-nic-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"
ip_configuration {
name = "nic-config"
@@ -125,7 +125,7 @@ resource "azurerm_network_interface" "vm3c-nic" {
name = "vm3c-nic-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"
ip_configuration {
name = "nic-config"
@@ -143,7 +143,7 @@ resource "azurerm_network_interface" "vm3d-nic" {
name = "vm3d-nic-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"
ip_configuration {
name = "nic-config"
38 terraform/azure_network.tf
@@ -62,8 +62,8 @@ resource "azurerm_subnet_route_table_association" "vnet_assoc_b" {
subnet_id = "${azurerm_subnet.subnet3b.id}"
route_table_id = "${azurerm_route_table.route_subnet3b.id}"
}
resource "azurerm_network_security_group" "azure-security-group" {
name = "azure-security-group-${var.instance_id}"
resource "azurerm_network_security_group" "azure-security-group-a" {
name = "azure-security-group-a-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
@@ -95,3 +95,37 @@ resource "azurerm_network_security_group" "azure-security-group" {
environment = "Production"
}
}
resource "azurerm_network_security_group" "azure-security-group-b" {
name = "azure-security-group-b-${var.instance_id}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
security_rule {
name = "ALL-IN"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefixes = ["${var.allowed_ip}", "${var.azure_vpc}", "${var.gcp_vpc}", "${var.aws_vpc}"]
destination_address_prefix = "*"
}
security_rule {
name = "ALL-OUT"
priority = 1001
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
tags = {
environment = "Production"
}
}
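Review bot: The `ALL-IN` rule on `azure-security-group-b` admits every protocol and port (`protocol = "*"`, `destination_port_range = "*"`) from the four source prefixes, whereas the AWS `-b` groups on this page admit only icmp, tcp/22 and tcp/80 and the GCP `allow-b` firewall only icmp and tcp/22; if test 2b is meant to compare equivalent policy across the three clouds, the Azure side is materially broader. Splitting it into separate rules for ICMP, 22 and 80 (distinct priorities, `protocol = "Tcp"` for the port rules) would align it; otherwise a comment on the rule stating that the wider scope is intentional would stop the next reader from "fixing" it. `source_address_prefixes` also carries `var.allowed_ip`, whose default is `""` in variables.tf, which is not a valid address prefix.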
4 terraform/azure_vpn.tf
@@ -7,7 +7,7 @@ resource "azurerm_local_network_gateway" "gcp-test-gw" {
resource_group_name = "${azurerm_resource_group.k8s.name}"
gateway_address = "${google_compute_address.gcp-vpn-ip.address}"
address_space = ["${var.gcp_subnet_vpn}"]
address_space = ["${var.gcp_vpc}"]
}
resource "azurerm_local_network_gateway" "aws-test-gw" {
name = "aws-test-gw"
@@ -16,7 +16,7 @@ resource "azurerm_local_network_gateway" "aws-test-gw" {
resource_group_name = "${azurerm_resource_group.k8s.name}"
gateway_address = "${aws_vpn_connection.aws-vpn-connection2.tunnel1_address}"
address_space = ["${var.aws_subnet_vpn}"]
address_space = ["${var.aws_vpc}"]
}
4 terraform/gcp_compute.tf
@@ -80,6 +80,7 @@ resource "google_compute_address" "vm1d-ipv4" {
resource "google_compute_instance" "vm1a" {
name = "vm1a-${var.instance_id}"
machine_type = "${var.gcp_vms_size}"
tags = ["instance-a"]
zone = "${data.google_compute_zones.available.names[0]}"
@@ -106,6 +107,7 @@ resource "google_compute_instance" "vm1a" {
resource "google_compute_instance" "vm1b" {
name = "vm1b-${var.instance_id}"
tags = ["instance-b"]
machine_type = "${var.gcp_vms_size}"
zone = "${data.google_compute_zones.available.names[0]}"
@@ -134,6 +136,7 @@ resource "google_compute_instance" "vm1b" {
resource "google_compute_instance" "vm1c" {
name = "vm1c-${var.instance_id}"
machine_type = "${var.gcp_vms_size}"
tags = ["instance-a"]
zone = "${data.google_compute_zones.available.names[0]}"
boot_disk {
@@ -160,6 +163,7 @@ resource "google_compute_instance" "vm1c" {
resource "google_compute_instance" "vm1d" {
name = "vm1d-${var.instance_id}"
machine_type = "${var.gcp_vms_size}"
tags = ["instance-b"]
zone = "${data.google_compute_zones.available.names[0]}"
boot_disk {
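Review bot: In `vm1b` the new `tags = ["instance-b"]` line sits between `name` and `machine_type`, while in vm1a, vm1c and vm1d it follows `machine_type`; keeping the attribute order identical across the four instances makes the a/b pairing obvious when scanning the file. Move the vm1b line to after `machine_type = "${var.gcp_vms_size}"` as in the other three. Each google_compute_instance block continues past its hunk.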
39 terraform/gcp_security.tf
@@ -1,5 +1,5 @@
resource "google_compute_firewall" "debug" {
name = "debug-firewall-${var.instance_id}"
resource "google_compute_firewall" "allow-a" {
name = "allow-a-firewall-${var.instance_id}"
network = "${google_compute_network.gcp-network.name}"
allow {
@@ -8,12 +8,36 @@ resource "google_compute_firewall" "debug" {
allow {
protocol = "tcp"
ports = ["22"]
}
source_tags = ["ssh"]
target_tags = ["instance-a"]
source_ranges = ["0.0.0.0/0"]
}
resource "google_compute_firewall" "allow-b" {
name = "allow-b-firewall-${var.instance_id}"
network = "${google_compute_network.gcp-network.name}"
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = ["instance-b"]
source_ranges = [
"${var.allowed_ip}",
"${var.gcp_vpc}",
"${var.aws_vpc}",
"${var.azure_vpc}"
]
priority = 100
}
resource "google_compute_firewall" "gcp-allow-vpn" {
name = "${google_compute_network.gcp-network.name}-gcp-allow-vpn-${var.instance_id}"
network = "${google_compute_network.gcp-network.name}"
@@ -27,12 +51,17 @@ resource "google_compute_firewall" "gcp-allow-vpn" {
protocol = "udp"
ports = ["0-65535"]
}
allow {
protocol = "icmp"
}
allow {
protocol = "all"
}
source_ranges = [
"${var.aws_subnet_vpn}",
"${var.gcp_vpc}",
"${var.aws_vpc}",
"${var.azure_vpc}"
]
}
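Review bot: `allow-a` now has `source_ranges = ["0.0.0.0/0"]` with `target_tags = ["instance-a"]`, replacing the `source_tags = ["ssh"]` restriction of the old `debug` firewall, which exposes tcp/22 and icmp on vm1a/vm1c to any source; if that is the deliberate open baseline for the a/b comparison, a comment above the resource saying so and pointing at `allow-b` as the restricted counterpart would keep it from being read as an accident. In gcp-allow-vpn the `allow { protocol = "all" }` block, if it is on the new side, makes the preceding tcp/udp/icmp allow blocks redundant, so one or the other should go. The old/new side of the hunk lines is not recoverable from this rendering, so the second observation is hedged.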
2 terraform/gcp_variables.tf
@@ -2,7 +2,7 @@ variable "gcp_region" {
default = "europe-north1"
type = "string"
}
variable "gcp_subnet_vpn" {
variable "gcp_vpc" {
default = "10.241.0.0/16"
type = "string"
}
8 terraform/gcp_vpn.tf
@@ -47,8 +47,8 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {
ike_version = 1
target_vpn_gateway = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"
local_traffic_selector = ["${var.gcp_subnet_vpn}"]
remote_traffic_selector = ["${var.aws_subnet_vpn}"]
local_traffic_selector = ["${var.gcp_vpc}"]
remote_traffic_selector = ["${var.aws_vpc}"]
depends_on = [
"google_compute_forwarding_rule.fr_esp",
@@ -59,7 +59,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {
resource "google_compute_route" "aws1" {
name = "aws-route1-${var.instance_id}"
dest_range = "${var.aws_subnet_vpn}"
dest_range = "${var.aws_vpc}"
network = "${google_compute_network.gcp-network.self_link}"
next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.gcp-tunnel1.self_link}"
priority = 100
@@ -80,7 +80,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel2" {
target_vpn_gateway = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"
local_traffic_selector = ["${var.gcp_subnet_vpn}"]
local_traffic_selector = ["${var.gcp_vpc}"]
remote_traffic_selector = ["${var.azure_vpc}"]
depends_on = [
6 terraform/variables.tf
@@ -10,4 +10,8 @@ variable "private_ssh_key" {
variable "instance_id" {
type = "string"
}
}
variable "allowed_ip" {
type = "string"
default = ""
}
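Review bot: `allowed_ip` defaults to `""`, and the value is interpolated verbatim into `cidr_blocks` (aws_security_b.tf), `source_address_prefixes` (azure_network.tf) and `source_ranges` (gcp_security.tf), where an empty string is not a valid CIDR, so the default guarantees a failed run unless the variable is overridden. Either remove the default so Terraform prompts for it, or give it a usable value; a `description` would also help, since the name says IP but every consumer expects CIDR notation (a single host needs a /32). For example: `variable "allowed_ip" {` / `type = "string"` / `description = "CIDR (use /32 for a single host) allowed to reach the '-b' hosts; required"` with no `default` line. The hunk also shows two closing braces after `instance_id`; if both are on the new side the file will not parse, though this rendering may have dropped a removed line.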