This module makes it easy to set up a new VPC Network in GCP by defining your network and subnet ranges in a concise syntax.
It supports creating:
Sub modules are provided for creating individual vpc, subnets, routes, firewall rules, network firewall policies, hierarchical firewall policy, serverless vpc access connector and network connectivity center. See the modules directory for the various sub modules usage.
This module is meant for use with Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
Comprehensive examples are available in examples folder. Simple usage:
```hcl
module "vpc" {
    source  = "terraform-google-modules/network/google"
    version = "~> 11.1"

    project_id   = "<PROJECT ID>"
    network_name = "example-vpc"
    routing_mode = "GLOBAL"

    subnets = [
        {
            subnet_name   = "subnet-01"
            subnet_ip     = "10.10.10.0/24"
            subnet_region = "us-west1"
        },
        {
            subnet_name           = "subnet-02"
            subnet_ip             = "10.10.20.0/24"
            subnet_region         = "us-west1"
            subnet_private_access = "true"
            subnet_flow_logs      = "true"
            description           = "This subnet has a description"
        },
        {
            subnet_name               = "subnet-03"
            subnet_ip                 = "10.10.30.0/24"
            subnet_region             = "us-west1"
            subnet_flow_logs          = "true"
            subnet_flow_logs_interval = "INTERVAL_10_MIN"
            subnet_flow_logs_sampling = 0.7
            subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
        }
    ]

    secondary_ranges = {
        subnet-01 = [
            {
                range_name    = "subnet-01-secondary-01"
                ip_cidr_range = "192.168.64.0/24"
            },
        ]

        subnet-02 = []
    }

    routes = [
        {
            name              = "egress-internet"
            description       = "route through IGW to access internet"
            destination_range = "0.0.0.0/0"
            tags              = "egress-inet"
            next_hop_internet = "true"
        },
        {
            name                   = "app-proxy"
            description            = "route through proxy to reach app"
            destination_range      = "10.50.10.0/24"
            tags                   = "app-proxy"
            next_hop_instance      = "app-proxy-instance"
            next_hop_instance_zone = "us-west1-a"
        },
    ]
}
```
Then perform the following commands on the root folder:

- `terraform init` to get the plugins
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure
The module accepts the following inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bgp_always_compare_med | If set to true, the Cloud Router will use MED values from the peer even if the AS paths differ. Default is false. | `bool` | `false` | no |
| bgp_best_path_selection_mode | Specifies the BGP best path selection mode. Valid values are `STANDARD` or `LEGACY`. Default is `LEGACY`. | `string` | `"LEGACY"` | no |
| bgp_inter_region_cost | Specifies the BGP inter-region cost mode. Valid values are `DEFAULT` or `ADD_COST_TO_MED`. | `string` | `null` | no |
| delete_default_internet_gateway_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
| description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
| egress_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty | `list(object({...}))` (full type below) | `[]` | no |
| enable_ipv6_ula | Enable IPv6 ULA; this is a permanent change and cannot be undone! (default 'false') | `bool` | `false` | no |
| firewall_rules | This is DEPRECATED and available for backward compatibility. Use the ingress_rules and egress_rules variables. List of firewall rules | `list(object({...}))` (full type below) | `[]` | no |
| ingress_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty | `list(object({...}))` (full type below) | `[]` | no |
| internal_ipv6_range | When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) | `string` | `null` | no |
| mtu | The network MTU (if set to 0, meaning MTU is unset, defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusive. | `number` | `0` | no |
| network_firewall_policy_enforcement_order | Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null, equivalent to `AFTER_CLASSIC_FIREWALL`) | `string` | `null` | no |
| network_name | The name of the network being created | `string` | n/a | yes |
| network_profile | A full or partial URL of the network profile to apply to this network. | `string` | `null` | no |
| project_id | The ID of the project where this VPC will be created | `string` | n/a | yes |
| routes | List of routes being created in this VPC | `list(map(string))` | `[]` | no |
| routing_mode | The network routing mode (default 'GLOBAL') | `string` | `"GLOBAL"` | no |
| secondary_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
| shared_vpc_host | Makes this project a Shared VPC host if 'true' (default 'false') | `bool` | `false` | no |
| subnets | The list of subnets being created | `list(object({...}))` (full type below) | n/a | yes |

Full type of `ingress_rules` and `egress_rules` (both use the same object):

```hcl
list(object({
  name                    = string
  description             = optional(string, null)
  disabled                = optional(bool, null)
  priority                = optional(number, null)
  destination_ranges      = optional(list(string), [])
  source_ranges           = optional(list(string), [])
  source_tags             = optional(list(string))
  source_service_accounts = optional(list(string))
  target_tags             = optional(list(string))
  target_service_accounts = optional(list(string))
  allow = optional(list(object({
    protocol = string
    ports    = optional(list(string))
  })), [])
  deny = optional(list(object({
    protocol = string
    ports    = optional(list(string))
  })), [])
  log_config = optional(object({
    metadata = string
  }))
}))
```

Full type of the deprecated `firewall_rules` (note `direction` and the single `ranges` list instead of `source_ranges`/`destination_ranges`):

```hcl
list(object({
  name                    = string
  description             = optional(string, null)
  direction               = optional(string, "INGRESS")
  disabled                = optional(bool, null)
  priority                = optional(number, null)
  ranges                  = optional(list(string), [])
  source_tags             = optional(list(string))
  source_service_accounts = optional(list(string))
  target_tags             = optional(list(string))
  target_service_accounts = optional(list(string))
  allow = optional(list(object({
    protocol = string
    ports    = optional(list(string))
  })), [])
  deny = optional(list(object({
    protocol = string
    ports    = optional(list(string))
  })), [])
  log_config = optional(object({
    metadata = string
  }))
}))
```

Full type of `subnets`:

```hcl
list(object({
  subnet_name                      = string
  subnet_ip                        = string
  subnet_region                    = string
  subnet_private_access            = optional(string)
  subnet_private_ipv6_access       = optional(string)
  subnet_flow_logs                 = optional(string)
  subnet_flow_logs_interval        = optional(string)
  subnet_flow_logs_sampling        = optional(string)
  subnet_flow_logs_metadata        = optional(string)
  subnet_flow_logs_filter          = optional(string)
  subnet_flow_logs_metadata_fields = optional(list(string))
  description                      = optional(string)
  purpose                          = optional(string)
  role                             = optional(string)
  stack_type                       = optional(string)
  ipv6_access_type                 = optional(string)
}))
```

The module exposes the following outputs:

| Name | Description |
|------|-------------|
| network | The created network |
| network_id | The ID of the VPC being created |
| network_name | The name of the VPC being created |
| network_self_link | The URI of the VPC being created |
| project_id | VPC project id |
| route_names | The route names associated with this VPC |
| subnets | A map with keys of form subnet_region/subnet_name and values being the outputs of the google_compute_subnetwork resources used to create the corresponding subnets. |
| subnets_flow_logs | Whether the subnets will have VPC flow logs enabled |
| subnets_ids | The IDs of the subnets being created |
| subnets_ips | The IPs and CIDRs of the subnets being created |
| subnets_names | The names of the subnets being created |
| subnets_private_access | Whether the subnets will have access to Google APIs without a public IP |
| subnets_regions | The region where the subnets will be created |
| subnets_secondary_ranges | The secondary ranges associated with these subnets |
| subnets_self_links | The self-links of subnets being created |
The subnets list contains maps, where each object represents a subnet. Each map has the following inputs (please see the examples folder for additional references):

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| subnet_name | The name of the subnet being created | string | - | yes |
| subnet_ip | The IP and CIDR range of the subnet being created | string | - | yes |
| subnet_region | The region where the subnet will be created | string | - | yes |
| subnet_private_access | Whether this subnet will have private Google access enabled | string | "false" | no |
| subnet_private_ipv6_access | The private IPv6 Google access type for the VMs in this subnet | string | - | no |
| subnet_flow_logs | Whether the subnet will record and send flow log data to logging | string | "false" | no |
| subnet_flow_logs_interval | If subnet_flow_logs is true, sets the aggregation interval for collecting flow logs | string | "INTERVAL_5_SEC" | no |
| subnet_flow_logs_sampling | If subnet_flow_logs is true, sets the sampling rate of VPC flow logs within the subnetwork | string | "0.5" | no |
| subnet_flow_logs_metadata | If subnet_flow_logs is true, configures whether metadata fields should be added to the reported VPC flow logs | string | "INCLUDE_ALL_METADATA" | no |
| subnet_flow_logs_filter | Export filter defining which VPC flow logs should be logged; see https://cloud.google.com/vpc/docs/flow-logs#filtering for formatting details | string | "true" | no |
| subnet_flow_logs_metadata_fields | List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork are enabled and "metadata" is set to CUSTOM_METADATA. | any | - | no |
| description | An optional description of this resource. Provide this property when you create the resource. This field can be set only at resource creation time | string | - | no |
| purpose | The purpose of the subnet usage: whether it is to be used as a regular subnet or for proxy or load balancing purposes; see https://cloud.google.com/vpc/docs/subnets#purpose for more details | string | "PRIVATE" | no |
| role | The role of the subnet when using it as a proxy or load balancer network: whether it is to be used as the active or as a backup subnet; see https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create for more details | string | - | no |
| stack_type | IPV4_ONLY or IPV4_IPV6 for dual-stack networking | string | - | no |
| ipv6_access_type | INTERNAL or EXTERNAL. INTERNAL requires ULA to be enabled on the VPC | string | - | no |
The routes list contains maps, where each object represents a route. Only one of the next_hop_* inputs may be used in each route; specifying two next_hop_* inputs produces an error. Each map has the following inputs (please see the examples folder for additional references):

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | The name of the route being created | string | - | no |
| description | The description of the route being created | string | - | no |
| tags | The network tags assigned to this route. This is a list in string format, e.g. "tag-01,tag-02" | string | - | yes |
| destination_range | The destination range of outgoing packets that this route applies to. Only IPv4 is supported | string | - | yes |
| next_hop_internet | Whether the next hop of this route will be the default internet gateway. Use "true" to enable this as next hop | string | "false" | yes |
| next_hop_ip | Network IP address of an instance that should handle matching packets | string | - | yes |
| next_hop_instance | URL or name of an instance that should handle matching packets. If just the name is specified, "next_hop_instance_zone" is required | string | - | yes |
| next_hop_instance_zone | The zone of the instance specified in next_hop_instance. Only required if next_hop_instance is specified as a name | string | - | no |
| next_hop_vpn_tunnel | URL to a VpnTunnel that should handle matching packets | string | - | yes |
| priority | The priority of this route. Priority is used to break ties in cases where there is more than one matching route of equal prefix length. In the case of two routes with equal prefix length, the one with the lowest-numbered priority value wins | string | "1000" | yes |
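As an added example (not code from the module or its authors), the following Python pre-flight check applies the constraints documented in the subnets and routes tables above to a module input before `terraform plan`: flow logs and private Google access enabled on every subnet, no overlapping primary or secondary ranges, every `secondary_ranges` key matching a declared `subnet_name`, exactly one `next_hop_*` per route, and `tags` present. The input dicts are constructed from the usage example; the finding texts and the `check_config` name are this example's own.

```python
"""Pre-flight check for terraform-google-modules/network inputs (added example, not part of
the module): applies the documented subnet and route constraints before `terraform plan`."""
import ipaddress

NEXT_HOPS = ("next_hop_internet", "next_hop_ip", "next_hop_instance", "next_hop_vpn_tunnel")


def check_config(subnets, secondary_ranges, routes):
    """Return a list of finding strings; an empty list means the inputs pass."""
    findings, ranges = [], []
    for s in subnets:
        name = s["subnet_name"]
        ranges.append((name, ipaddress.ip_network(s["subnet_ip"], strict=True)))
        if s.get("subnet_flow_logs", "false") != "true":  # module default is "false"
            findings.append(f"{name}: VPC flow logs disabled")
        if s.get("subnet_private_access", "false") != "true":  # module default is "false"
            findings.append(f"{name}: private Google access disabled")
    for subnet, secs in secondary_ranges.items():
        if subnet not in {s["subnet_name"] for s in subnets}:  # the map is keyed by subnet_name
            findings.append(f"secondary_ranges key {subnet!r} has no matching subnet_name")
        ranges += [(r["range_name"], ipaddress.ip_network(r["ip_cidr_range"])) for r in secs]
    for i, (a, na) in enumerate(ranges):  # no two ranges in one VPC may overlap
        for b, nb in ranges[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a} and {b}: overlapping ranges")
    for r in routes:
        hops = [h for h in NEXT_HOPS if h in r]
        if len(hops) != 1:  # the module rejects a route with two next_hop_* keys
            findings.append(f"route {r['name']}: expected exactly one next_hop_*, got {hops}")
        if "next_hop_instance" in r and "/" not in r["next_hop_instance"] and not r.get("next_hop_instance_zone"):
            findings.append(f"route {r['name']}: next_hop_instance by name needs next_hop_instance_zone")
        if not r.get("tags"):  # tags is required; an untagged route applies to every instance
            findings.append(f"route {r['name']}: tags is required")
    return findings


# Constructed input mirroring the usage example above (not a real deployment).
SUBNETS = [
    {"subnet_name": "subnet-01", "subnet_ip": "10.10.10.0/24", "subnet_region": "us-west1"},
    {"subnet_name": "subnet-02", "subnet_ip": "10.10.20.0/24", "subnet_private_access": "true", "subnet_flow_logs": "true"},
    {"subnet_name": "subnet-03", "subnet_ip": "10.10.30.0/24", "subnet_flow_logs": "true"},
]
SECONDARY = {"subnet-01": [{"range_name": "subnet-01-secondary-01", "ip_cidr_range": "192.168.64.0/24"}], "subnet-02": []}
ROUTES = [
    {"name": "egress-internet", "destination_range": "0.0.0.0/0", "tags": "egress-inet", "next_hop_internet": "true"},
    {"name": "app-proxy", "destination_range": "10.50.10.0/24", "tags": "app-proxy",
     "next_hop_instance": "app-proxy-instance", "next_hop_instance_zone": "us-west1-a"},
]

for finding in check_config(SUBNETS, SECONDARY, ROUTES):
    print("WARN", finding)
```

Run against the usage example it reports subnet-01 (no flow logs, no private access) and subnet-03 (no private access); the `ip_network(..., strict=True)` call raises on a CIDR with host bits set, which Terraform would otherwise only reject at apply time.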
In order to execute this module you must have a Service Account with the following roles:
If you are going to manage a Shared VPC, you must have either:
In order to operate with the Service Account you must activate the following API on the project where the Service Account was created:
Refer to the contribution guidelines for information on contributing to this module.