ibenrodriguez/aws_azure_gcp_security.tf

## aws_azure_gcp_security.tf
8 commits over 2 days 14 changed files  with 170 additions and 73 deletions.
  31  terraform/aws_compute.tf

 @@ -39,11 +39,9 @@ resource "aws_instance" "vm2a" {
  user_data                   = "${data.template_file.install_ubuntu_deps_vm2a.rendered}"

  vpc_security_group_ids = [
    "${aws_security_group.aws-allow-icmp.id}",
    "${aws_security_group.aws-allow-ssh.id}",
    "${aws_security_group.aws-allow-nginx.id}",
    "${aws_security_group.aws-allow-icmp-gcp.id}"

    "${aws_security_group.aws-allow-icmp-a.id}",
    "${aws_security_group.aws-allow-ssh-a.id}",
    "${aws_security_group.aws-allow-nginx-a.id}"
  ]

  tags = {
 @@ -63,10 +61,9 @@ resource "aws_instance" "vm2b" {
  user_data                   = "${data.template_file.install_ubuntu_deps_vm2b.rendered}"

  vpc_security_group_ids = [
    "${aws_security_group.aws-allow-icmp.id}",
    "${aws_security_group.aws-allow-ssh.id}",
    "${aws_security_group.aws-allow-nginx.id}",
    "${aws_security_group.aws-allow-icmp-gcp.id}"
    "${aws_security_group.aws-allow-icmp-b.id}",
    "${aws_security_group.aws-allow-ssh-b.id}",
    "${aws_security_group.aws-allow-nginx-b.id}"
  ]

  tags = {
 @@ -86,11 +83,9 @@ resource "aws_instance" "vm2c" {
  user_data                   = "${data.template_file.install_centos_deps_vm2c.rendered}"

  vpc_security_group_ids = [
    "${aws_security_group.aws-allow-icmp.id}",
    "${aws_security_group.aws-allow-ssh.id}",
    "${aws_security_group.aws-allow-nginx.id}",
    "${aws_security_group.aws-allow-icmp-gcp.id}"

    "${aws_security_group.aws-allow-icmp-a.id}",
    "${aws_security_group.aws-allow-ssh-a.id}",
    "${aws_security_group.aws-allow-nginx-a.id}"
  ]

  tags = {
 @@ -110,11 +105,9 @@ resource "aws_instance" "vm2d" {
  user_data                   = "${data.template_file.install_centos_deps_vm2d.rendered}"

  vpc_security_group_ids = [
    "${aws_security_group.aws-allow-icmp.id}",
    "${aws_security_group.aws-allow-ssh.id}",
    "${aws_security_group.aws-allow-nginx.id}",
    "${aws_security_group.aws-allow-icmp-gcp.id}"

    "${aws_security_group.aws-allow-icmp-b.id}",
    "${aws_security_group.aws-allow-ssh-b.id}",
    "${aws_security_group.aws-allow-nginx-b.id}"
  ]

  tags = {
  34  terraform/aws_security.tf → terraform/aws_security_a.tf

@@ -1,6 +1,5 @@

resource "aws_security_group" "aws-allow-icmp" {
  name        = "aws-allow-icmp-${var.instance_id}"
resource "aws_security_group" "aws-allow-icmp-a" {
  name        = "aws-allow-icmp-a-${var.instance_id}"
  description = "Allow icmp access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

 @@ -19,29 +18,8 @@ resource "aws_security_group" "aws-allow-icmp" {
  }
}

resource "aws_security_group" "aws-allow-icmp-gcp" {
  name        = "aws-allow-icmp-gcp-${var.instance_id}"
  description = "Allow icmp access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

  ingress {
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["${var.gcp_subnet_vpn}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["${var.gcp_subnet_vpn}"]
  }
}


resource "aws_security_group" "aws-allow-ssh" {
  name        = "aws-allow-ssh-${var.instance_id}"
resource "aws_security_group" "aws-allow-ssh-a" {
  name        = "aws-allow-ssh-a-${var.instance_id}"
  description = "Allow ssh access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

 @@ -60,8 +38,8 @@ resource "aws_security_group" "aws-allow-ssh" {
  }
}

resource "aws_security_group" "aws-allow-nginx" {
  name        = "aws-allow-nginx-${var.instance_id}"
resource "aws_security_group" "aws-allow-nginx-a" {
  name        = "aws-allow-nginx-a-${var.instance_id}"
  description = "Allow nginx access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

  59  terraform/aws_security_b.tf

@@ -0,0 +1,59 @@
resource "aws_security_group" "aws-allow-icmp-b" {
  name        = "aws-allow-icmp-b-${var.instance_id}"
  description = "Allow icmp access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

  ingress {
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "aws-allow-ssh-b" {
  name        = "aws-allow-ssh-b-${var.instance_id}"
  description = "Allow ssh access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
  }
}

resource "aws_security_group" "aws-allow-nginx-b" {
  name        = "aws-allow-nginx-b-${var.instance_id}"
  description = "Allow nginx access from anywhere"
  vpc_id      = "${aws_vpc.aws_cluster_network.id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
  }
}
  6  terraform/aws_variables.tf

 @@ -15,10 +15,6 @@ variable "aws_vms_size" {
  default = "t3.micro"
  type    = "string"
}
variable "aws_subnet_vpn" {
  default = "10.242.0.0/16"
  type    = "string"
}
variable "aws_subnet2a1" {
  default = "10.242.1.0/24"
  type    = "string"
 @@ -35,7 +31,7 @@ variable "aws_subnet2b2" {
  default = "10.242.4.0/24"
  type    = "string"
}
variable "aws_vpc_cidr" {
variable "aws_vpc" {
  default = "10.242.0.0/16"
  type    = "string"
}
  2  terraform/aws_vpc.tf

 @@ -3,7 +3,7 @@ data "aws_availability_zones" "available" {
}

resource "aws_vpc" "aws_cluster_network" {
  cidr_block = "${var.aws_vpc_cidr}"
  cidr_block = "${var.aws_vpc}"

  tags = "${
    map(
  2  terraform/aws_vpn.tf

 @@ -27,7 +27,7 @@ resource "aws_vpn_connection" "aws-vpn-connection1" {
}

resource "aws_vpn_connection_route" "gcp_hybrid_cloud-1" {
  destination_cidr_block = "${var.gcp_subnet_vpn}"
  destination_cidr_block = "${var.gcp_vpc}"
  vpn_connection_id      = "${aws_vpn_connection.aws-vpn-connection1.id}"
}

  8  terraform/azure_compute.tf

 @@ -89,7 +89,7 @@ resource "azurerm_network_interface" "vm3a-nic" {
  name                      = "vm3a-nic-${var.instance_id}"
  location                  = "${azurerm_resource_group.k8s.location}"
  resource_group_name       = "${azurerm_resource_group.k8s.name}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"

  ip_configuration {
    name                          = "nic-config"
 @@ -107,7 +107,7 @@ resource "azurerm_network_interface" "vm3b-nic" {
  name                      = "vm3b-nic-${var.instance_id}"
  location                  = "${azurerm_resource_group.k8s.location}"
  resource_group_name       = "${azurerm_resource_group.k8s.name}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"

  ip_configuration {
    name                          = "nic-config"
 @@ -125,7 +125,7 @@ resource "azurerm_network_interface" "vm3c-nic" {
  name                      = "vm3c-nic-${var.instance_id}"
  location                  = "${azurerm_resource_group.k8s.location}"
  resource_group_name       = "${azurerm_resource_group.k8s.name}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"

  ip_configuration {
    name                          = "nic-config"
 @@ -143,7 +143,7 @@ resource "azurerm_network_interface" "vm3d-nic" {
  name                      = "vm3d-nic-${var.instance_id}"
  location                  = "${azurerm_resource_group.k8s.location}"
  resource_group_name       = "${azurerm_resource_group.k8s.name}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
  network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"

  ip_configuration {
    name                          = "nic-config"
  38  terraform/azure_network.tf

 @@ -62,8 +62,8 @@ resource "azurerm_subnet_route_table_association" "vnet_assoc_b" {
  subnet_id      = "${azurerm_subnet.subnet3b.id}"
  route_table_id = "${azurerm_route_table.route_subnet3b.id}"
}
resource "azurerm_network_security_group" "azure-security-group" {
  name                = "azure-security-group-${var.instance_id}"
resource "azurerm_network_security_group" "azure-security-group-a" {
  name                = "azure-security-group-a-${var.instance_id}"
  location            = "${azurerm_resource_group.k8s.location}"
  resource_group_name = "${azurerm_resource_group.k8s.name}"

 @@ -95,3 +95,37 @@ resource "azurerm_network_security_group" "azure-security-group" {
    environment = "Production"
  }
}

resource "azurerm_network_security_group" "azure-security-group-b" {
  name                = "azure-security-group-b-${var.instance_id}"
  location            = "${azurerm_resource_group.k8s.location}"
  resource_group_name = "${azurerm_resource_group.k8s.name}"

  security_rule {
    name                       = "ALL-IN"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = ["${var.allowed_ip}", "${var.azure_vpc}", "${var.gcp_vpc}", "${var.aws_vpc}"]
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "ALL-OUT"
    priority                   = 1001
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  tags = {
    environment = "Production"
  }
}
  4  terraform/azure_vpn.tf

 @@ -7,7 +7,7 @@ resource "azurerm_local_network_gateway" "gcp-test-gw" {
  resource_group_name = "${azurerm_resource_group.k8s.name}"

  gateway_address = "${google_compute_address.gcp-vpn-ip.address}"
  address_space   = ["${var.gcp_subnet_vpn}"]
  address_space   = ["${var.gcp_vpc}"]
}
resource "azurerm_local_network_gateway" "aws-test-gw" {
  name = "aws-test-gw"
 @@ -16,7 +16,7 @@ resource "azurerm_local_network_gateway" "aws-test-gw" {
  resource_group_name = "${azurerm_resource_group.k8s.name}"

  gateway_address = "${aws_vpn_connection.aws-vpn-connection2.tunnel1_address}"
  address_space   = ["${var.aws_subnet_vpn}"]
  address_space   = ["${var.aws_vpc}"]
}


  4  terraform/gcp_compute.tf

 @@ -80,6 +80,7 @@ resource "google_compute_address" "vm1d-ipv4" {
resource "google_compute_instance" "vm1a" {
  name         = "vm1a-${var.instance_id}"
  machine_type = "${var.gcp_vms_size}"
  tags         = ["instance-a"]
  zone         = "${data.google_compute_zones.available.names[0]}"


 @@ -106,6 +107,7 @@ resource "google_compute_instance" "vm1a" {

resource "google_compute_instance" "vm1b" {
  name         = "vm1b-${var.instance_id}"
  tags         = ["instance-b"]
  machine_type = "${var.gcp_vms_size}"
  zone         = "${data.google_compute_zones.available.names[0]}"

 @@ -134,6 +136,7 @@ resource "google_compute_instance" "vm1b" {
resource "google_compute_instance" "vm1c" {
  name         = "vm1c-${var.instance_id}"
  machine_type = "${var.gcp_vms_size}"
  tags         = ["instance-a"]
  zone         = "${data.google_compute_zones.available.names[0]}"

  boot_disk {
 @@ -160,6 +163,7 @@ resource "google_compute_instance" "vm1c" {
resource "google_compute_instance" "vm1d" {
  name         = "vm1d-${var.instance_id}"
  machine_type = "${var.gcp_vms_size}"
  tags         = ["instance-b"]
  zone         = "${data.google_compute_zones.available.names[0]}"

  boot_disk {
  39  terraform/gcp_security.tf

@@ -1,5 +1,5 @@
resource "google_compute_firewall" "debug" {
  name    = "debug-firewall-${var.instance_id}"
resource "google_compute_firewall" "allow-a" {
  name    = "allow-a-firewall-${var.instance_id}"
  network = "${google_compute_network.gcp-network.name}"

  allow {
 @@ -8,12 +8,36 @@ resource "google_compute_firewall" "debug" {

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_tags   = ["ssh"]
  target_tags   = ["instance-a"]
  source_ranges = ["0.0.0.0/0"]
}

resource "google_compute_firewall" "allow-b" {
  name    = "allow-b-firewall-${var.instance_id}"
  network = "${google_compute_network.gcp-network.name}"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  target_tags = ["instance-b"]

  source_ranges = [
    "${var.allowed_ip}",
    "${var.gcp_vpc}",
    "${var.aws_vpc}",
    "${var.azure_vpc}"
  ]
  priority = 100
}

resource "google_compute_firewall" "gcp-allow-vpn" {
  name    = "${google_compute_network.gcp-network.name}-gcp-allow-vpn-${var.instance_id}"
  network = "${google_compute_network.gcp-network.name}"
 @@ -27,12 +51,17 @@ resource "google_compute_firewall" "gcp-allow-vpn" {
    protocol = "udp"
    ports    = ["0-65535"]
  }
  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "all"
  }

  source_ranges = [
    "${var.aws_subnet_vpn}",
    "${var.gcp_vpc}",
    "${var.aws_vpc}",
    "${var.azure_vpc}"
  ]
}
  2  terraform/gcp_variables.tf

 @@ -2,7 +2,7 @@ variable "gcp_region" {
  default = "europe-north1"
  type    = "string"
}
variable "gcp_subnet_vpn" {
variable "gcp_vpc" {
  default = "10.241.0.0/16"
  type    = "string"
}
  8  terraform/gcp_vpn.tf

 @@ -47,8 +47,8 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {
  ike_version   = 1

  target_vpn_gateway      = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"
  local_traffic_selector  = ["${var.gcp_subnet_vpn}"]
  remote_traffic_selector = ["${var.aws_subnet_vpn}"]
  local_traffic_selector  = ["${var.gcp_vpc}"]
  remote_traffic_selector = ["${var.aws_vpc}"]

  depends_on = [
    "google_compute_forwarding_rule.fr_esp",
 @@ -59,7 +59,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {

resource "google_compute_route" "aws1" {
  name                = "aws-route1-${var.instance_id}"
  dest_range          = "${var.aws_subnet_vpn}"
  dest_range          = "${var.aws_vpc}"
  network             = "${google_compute_network.gcp-network.self_link}"
  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.gcp-tunnel1.self_link}"
  priority            = 100
 @@ -80,7 +80,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel2" {

  target_vpn_gateway = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"

  local_traffic_selector  = ["${var.gcp_subnet_vpn}"]
  local_traffic_selector  = ["${var.gcp_vpc}"]
  remote_traffic_selector = ["${var.azure_vpc}"]

  depends_on = [
  6  terraform/variables.tf

 @@ -10,4 +10,8 @@ variable "private_ssh_key" {

variable "instance_id" {
  type = "string"
}
}
variable "allowed_ip" {
  type    = "string"
  default = ""
}
	8 commits over 2 days 14 changed files with 170 additions and 73 deletions.
	31 terraform/aws_compute.tf

	@@ -39,11 +39,9 @@ resource "aws_instance" "vm2a" {
	user_data = "${data.template_file.install_ubuntu_deps_vm2a.rendered}"

	vpc_security_group_ids = [
	"${aws_security_group.aws-allow-icmp.id}",
	"${aws_security_group.aws-allow-ssh.id}",
	"${aws_security_group.aws-allow-nginx.id}",
	"${aws_security_group.aws-allow-icmp-gcp.id}"

	"${aws_security_group.aws-allow-icmp-a.id}",
	"${aws_security_group.aws-allow-ssh-a.id}",
	"${aws_security_group.aws-allow-nginx-a.id}"
	]

	tags = {
	@@ -63,10 +61,9 @@ resource "aws_instance" "vm2b" {
	user_data = "${data.template_file.install_ubuntu_deps_vm2b.rendered}"

	vpc_security_group_ids = [
	"${aws_security_group.aws-allow-icmp.id}",
	"${aws_security_group.aws-allow-ssh.id}",
	"${aws_security_group.aws-allow-nginx.id}",
	"${aws_security_group.aws-allow-icmp-gcp.id}"
	"${aws_security_group.aws-allow-icmp-b.id}",
	"${aws_security_group.aws-allow-ssh-b.id}",
	"${aws_security_group.aws-allow-nginx-b.id}"
	]

	tags = {
	@@ -86,11 +83,9 @@ resource "aws_instance" "vm2c" {
	user_data = "${data.template_file.install_centos_deps_vm2c.rendered}"

	vpc_security_group_ids = [
	"${aws_security_group.aws-allow-icmp.id}",
	"${aws_security_group.aws-allow-ssh.id}",
	"${aws_security_group.aws-allow-nginx.id}",
	"${aws_security_group.aws-allow-icmp-gcp.id}"

	"${aws_security_group.aws-allow-icmp-a.id}",
	"${aws_security_group.aws-allow-ssh-a.id}",
	"${aws_security_group.aws-allow-nginx-a.id}"
	]

	tags = {
	@@ -110,11 +105,9 @@ resource "aws_instance" "vm2d" {
	user_data = "${data.template_file.install_centos_deps_vm2d.rendered}"

	vpc_security_group_ids = [
	"${aws_security_group.aws-allow-icmp.id}",
	"${aws_security_group.aws-allow-ssh.id}",
	"${aws_security_group.aws-allow-nginx.id}",
	"${aws_security_group.aws-allow-icmp-gcp.id}"

	"${aws_security_group.aws-allow-icmp-b.id}",
	"${aws_security_group.aws-allow-ssh-b.id}",
	"${aws_security_group.aws-allow-nginx-b.id}"
	]

	tags = {
	34 terraform/aws_security.tf → terraform/aws_security_a.tf

	@@ -1,6 +1,5 @@

	resource "aws_security_group" "aws-allow-icmp" {
	name = "aws-allow-icmp-${var.instance_id}"
	resource "aws_security_group" "aws-allow-icmp-a" {
	name = "aws-allow-icmp-a-${var.instance_id}"
	description = "Allow icmp access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	@@ -19,29 +18,8 @@ resource "aws_security_group" "aws-allow-icmp" {
	}
	}

	resource "aws_security_group" "aws-allow-icmp-gcp" {
	name = "aws-allow-icmp-gcp-${var.instance_id}"
	description = "Allow icmp access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	ingress {
	from_port = 8
	to_port = 0
	protocol = "icmp"
	cidr_blocks = ["${var.gcp_subnet_vpn}"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["${var.gcp_subnet_vpn}"]
	}
	}


	resource "aws_security_group" "aws-allow-ssh" {
	name = "aws-allow-ssh-${var.instance_id}"
	resource "aws_security_group" "aws-allow-ssh-a" {
	name = "aws-allow-ssh-a-${var.instance_id}"
	description = "Allow ssh access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	@@ -60,8 +38,8 @@ resource "aws_security_group" "aws-allow-ssh" {
	}
	}

	resource "aws_security_group" "aws-allow-nginx" {
	name = "aws-allow-nginx-${var.instance_id}"
	resource "aws_security_group" "aws-allow-nginx-a" {
	name = "aws-allow-nginx-a-${var.instance_id}"
	description = "Allow nginx access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	59 terraform/aws_security_b.tf

	@@ -0,0 +1,59 @@
	resource "aws_security_group" "aws-allow-icmp-b" {
	name = "aws-allow-icmp-b-${var.instance_id}"
	description = "Allow icmp access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	ingress {
	from_port = 8
	to_port = 0
	protocol = "icmp"
	cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	}
	}

	resource "aws_security_group" "aws-allow-ssh-b" {
	name = "aws-allow-ssh-b-${var.instance_id}"
	description = "Allow ssh access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	ingress {
	from_port = 22
	to_port = 22
	protocol = "tcp"
	cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
	}
	}

	resource "aws_security_group" "aws-allow-nginx-b" {
	name = "aws-allow-nginx-b-${var.instance_id}"
	description = "Allow nginx access from anywhere"
	vpc_id = "${aws_vpc.aws_cluster_network.id}"

	ingress {
	from_port = 80
	to_port = 80
	protocol = "tcp"
	cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["${var.allowed_ip}", "${var.gcp_vpc}", "${var.azure_vpc}", "${var.aws_vpc}"]
	}
	}
	6 terraform/aws_variables.tf

	@@ -15,10 +15,6 @@ variable "aws_vms_size" {
	default = "t3.micro"
	type = "string"
	}
	variable "aws_subnet_vpn" {
	default = "10.242.0.0/16"
	type = "string"
	}
	variable "aws_subnet2a1" {
	default = "10.242.1.0/24"
	type = "string"
	@@ -35,7 +31,7 @@ variable "aws_subnet2b2" {
	default = "10.242.4.0/24"
	type = "string"
	}
	variable "aws_vpc_cidr" {
	variable "aws_vpc" {
	default = "10.242.0.0/16"
	type = "string"
	}
	2 terraform/aws_vpc.tf

	@@ -3,7 +3,7 @@ data "aws_availability_zones" "available" {
	}

	resource "aws_vpc" "aws_cluster_network" {
	cidr_block = "${var.aws_vpc_cidr}"
	cidr_block = "${var.aws_vpc}"

	tags = "${
	map(
	2 terraform/aws_vpn.tf

	@@ -27,7 +27,7 @@ resource "aws_vpn_connection" "aws-vpn-connection1" {
	}

	resource "aws_vpn_connection_route" "gcp_hybrid_cloud-1" {
	destination_cidr_block = "${var.gcp_subnet_vpn}"
	destination_cidr_block = "${var.gcp_vpc}"
	vpn_connection_id = "${aws_vpn_connection.aws-vpn-connection1.id}"
	}

	8 terraform/azure_compute.tf

	@@ -89,7 +89,7 @@ resource "azurerm_network_interface" "vm3a-nic" {
	name = "vm3a-nic-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"

	ip_configuration {
	name = "nic-config"
	@@ -107,7 +107,7 @@ resource "azurerm_network_interface" "vm3b-nic" {
	name = "vm3b-nic-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"

	ip_configuration {
	name = "nic-config"
	@@ -125,7 +125,7 @@ resource "azurerm_network_interface" "vm3c-nic" {
	name = "vm3c-nic-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group-a.id}"

	ip_configuration {
	name = "nic-config"
	@@ -143,7 +143,7 @@ resource "azurerm_network_interface" "vm3d-nic" {
	name = "vm3d-nic-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group.id}"
	network_security_group_id = "${azurerm_network_security_group.azure-security-group-b.id}"

	ip_configuration {
	name = "nic-config"
	38 terraform/azure_network.tf

	@@ -62,8 +62,8 @@ resource "azurerm_subnet_route_table_association" "vnet_assoc_b" {
	subnet_id = "${azurerm_subnet.subnet3b.id}"
	route_table_id = "${azurerm_route_table.route_subnet3b.id}"
	}
	resource "azurerm_network_security_group" "azure-security-group" {
	name = "azure-security-group-${var.instance_id}"
	resource "azurerm_network_security_group" "azure-security-group-a" {
	name = "azure-security-group-a-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"

	@@ -95,3 +95,37 @@ resource "azurerm_network_security_group" "azure-security-group" {
	environment = "Production"
	}
	}

	resource "azurerm_network_security_group" "azure-security-group-b" {
	name = "azure-security-group-b-${var.instance_id}"
	location = "${azurerm_resource_group.k8s.location}"
	resource_group_name = "${azurerm_resource_group.k8s.name}"

	security_rule {
	name = "ALL-IN"
	priority = 1001
	direction = "Inbound"
	access = "Allow"
	protocol = "*"
	source_port_range = "*"
	destination_port_range = "*"
	source_address_prefixes = ["${var.allowed_ip}", "${var.azure_vpc}", "${var.gcp_vpc}", "${var.aws_vpc}"]
	destination_address_prefix = "*"
	}

	security_rule {
	name = "ALL-OUT"
	priority = 1001
	direction = "Outbound"
	access = "Allow"
	protocol = "*"
	source_port_range = "*"
	destination_port_range = "*"
	source_address_prefix = "*"
	destination_address_prefix = "*"
	}

	tags = {
	environment = "Production"
	}
	}
	4 terraform/azure_vpn.tf

	@@ -7,7 +7,7 @@ resource "azurerm_local_network_gateway" "gcp-test-gw" {
	resource_group_name = "${azurerm_resource_group.k8s.name}"

	gateway_address = "${google_compute_address.gcp-vpn-ip.address}"
	address_space = ["${var.gcp_subnet_vpn}"]
	address_space = ["${var.gcp_vpc}"]
	}
	resource "azurerm_local_network_gateway" "aws-test-gw" {
	name = "aws-test-gw"
	@@ -16,7 +16,7 @@ resource "azurerm_local_network_gateway" "aws-test-gw" {
	resource_group_name = "${azurerm_resource_group.k8s.name}"

	gateway_address = "${aws_vpn_connection.aws-vpn-connection2.tunnel1_address}"
	address_space = ["${var.aws_subnet_vpn}"]
	address_space = ["${var.aws_vpc}"]
	}


	4 terraform/gcp_compute.tf

	@@ -80,6 +80,7 @@ resource "google_compute_address" "vm1d-ipv4" {
	resource "google_compute_instance" "vm1a" {
	name = "vm1a-${var.instance_id}"
	machine_type = "${var.gcp_vms_size}"
	tags = ["instance-a"]
	zone = "${data.google_compute_zones.available.names[0]}"


	@@ -106,6 +107,7 @@ resource "google_compute_instance" "vm1a" {

	resource "google_compute_instance" "vm1b" {
	name = "vm1b-${var.instance_id}"
	tags = ["instance-b"]
	machine_type = "${var.gcp_vms_size}"
	zone = "${data.google_compute_zones.available.names[0]}"

	@@ -134,6 +136,7 @@ resource "google_compute_instance" "vm1b" {
	resource "google_compute_instance" "vm1c" {
	name = "vm1c-${var.instance_id}"
	machine_type = "${var.gcp_vms_size}"
	tags = ["instance-a"]
	zone = "${data.google_compute_zones.available.names[0]}"

	boot_disk {
	@@ -160,6 +163,7 @@ resource "google_compute_instance" "vm1c" {
	resource "google_compute_instance" "vm1d" {
	name = "vm1d-${var.instance_id}"
	machine_type = "${var.gcp_vms_size}"
	tags = ["instance-b"]
	zone = "${data.google_compute_zones.available.names[0]}"

	boot_disk {
	39 terraform/gcp_security.tf

	@@ -1,5 +1,5 @@
	resource "google_compute_firewall" "debug" {
	name = "debug-firewall-${var.instance_id}"
	resource "google_compute_firewall" "allow-a" {
	name = "allow-a-firewall-${var.instance_id}"
	network = "${google_compute_network.gcp-network.name}"

	allow {
	@@ -8,12 +8,36 @@ resource "google_compute_firewall" "debug" {

	allow {
	protocol = "tcp"
	ports = ["22"]
	}

	source_tags = ["ssh"]
	target_tags = ["instance-a"]
	source_ranges = ["0.0.0.0/0"]
	}

	resource "google_compute_firewall" "allow-b" {
	name = "allow-b-firewall-${var.instance_id}"
	network = "${google_compute_network.gcp-network.name}"

	allow {
	protocol = "icmp"
	}

	allow {
	protocol = "tcp"
	ports = ["22"]
	}

	target_tags = ["instance-b"]

	source_ranges = [
	"${var.allowed_ip}",
	"${var.gcp_vpc}",
	"${var.aws_vpc}",
	"${var.azure_vpc}"
	]
	priority = 100
	}

	resource "google_compute_firewall" "gcp-allow-vpn" {
	name = "${google_compute_network.gcp-network.name}-gcp-allow-vpn-${var.instance_id}"
	network = "${google_compute_network.gcp-network.name}"
	@@ -27,12 +51,17 @@ resource "google_compute_firewall" "gcp-allow-vpn" {
	protocol = "udp"
	ports = ["0-65535"]
	}
	allow {
	protocol = "icmp"
	}

	allow {
	protocol = "all"
	}

	source_ranges = [
	"${var.aws_subnet_vpn}",
	"${var.gcp_vpc}",
	"${var.aws_vpc}",
	"${var.azure_vpc}"
	]
	}
	2 terraform/gcp_variables.tf

	@@ -2,7 +2,7 @@ variable "gcp_region" {
	default = "europe-north1"
	type = "string"
	}
	variable "gcp_subnet_vpn" {
	variable "gcp_vpc" {
	default = "10.241.0.0/16"
	type = "string"
	}
	8 terraform/gcp_vpn.tf

	@@ -47,8 +47,8 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {
	ike_version = 1

	target_vpn_gateway = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"
	local_traffic_selector = ["${var.gcp_subnet_vpn}"]
	remote_traffic_selector = ["${var.aws_subnet_vpn}"]
	local_traffic_selector = ["${var.gcp_vpc}"]
	remote_traffic_selector = ["${var.aws_vpc}"]

	depends_on = [
	"google_compute_forwarding_rule.fr_esp",
	@@ -59,7 +59,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel1" {

	resource "google_compute_route" "aws1" {
	name = "aws-route1-${var.instance_id}"
	dest_range = "${var.aws_subnet_vpn}"
	dest_range = "${var.aws_vpc}"
	network = "${google_compute_network.gcp-network.self_link}"
	next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.gcp-tunnel1.self_link}"
	priority = 100
	@@ -80,7 +80,7 @@ resource "google_compute_vpn_tunnel" "gcp-tunnel2" {

	target_vpn_gateway = "${google_compute_vpn_gateway.gcp-vpn-gw.self_link}"

	local_traffic_selector = ["${var.gcp_subnet_vpn}"]
	local_traffic_selector = ["${var.gcp_vpc}"]
	remote_traffic_selector = ["${var.azure_vpc}"]

	depends_on = [
	6 terraform/variables.tf

	@@ -10,4 +10,8 @@ variable "private_ssh_key" {

	variable "instance_id" {
	type = "string"
	}
	}
	variable "allowed_ip" {
	type = "string"
	default = ""
	}