#
# Nimbus
# Terraform Deployment: Google Cloud Platform
#
locals {
  # network tag shared by the SSH firewall rule and any VM that should accept SSH
  allow_ssh_tag = "allow-ssh"
  # device name given to the persistent data disk when attached to the VM
  warp_disk_id = "warp-disk"
}
terraform {
  # pin Terraform core and the google provider to the ranges this config was tested with
  required_version = ">=1.1.0, <1.3.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">=4.22.0, <4.23.0"
    }
  }

  # Terraform Cloud workspace that holds the remote state
  # https://learn.hashicorp.com/tutorials/terraform/cloud-migrate?in=terraform/state
  cloud {
    organization = "mrzzy-co"

    workspaces {
      name = "nimbus"
    }
  }
}
# default project and location for every google resource below that does not set its own
provider "google" {
  project = "mrzzy-sandbox"
  region  = "asia-southeast1"
  zone    = "asia-southeast1-c"
}
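# custom VPC with hardened firewall rules (as compared to default VPC)
resource "google_compute_network" "sandbox" {
  name        = "sandbox"
  description = "Hardend VPC Network to attach GCE resources to."
  # auto_create_subnetworks is a bool: pass a bare boolean instead of the
  # string "true" that the provider had to coerce (plan result is unchanged).
  # NOTE(review): auto mode still creates a subnet in every region; a custom-mode
  # VPC with explicit subnets would be tighter, but switching forces replacement
  # of the network — confirm before changing.
  auto_create_subnetworks = true
}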
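# allow SSH traffic to instances tagged with "allow-ssh" tag.
resource "google_compute_firewall" "sandbox" {
  name        = "allow-ssh"
  network     = google_compute_network.sandbox.self_link
  description = "allow SSH traffic to instances tagged with 'allow-ssh' tag."
  direction   = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # NOTE(review): 0.0.0.0/0 opens port 22 on every tagged instance to the whole
  # internet; only the target tag limits the blast radius. Restrict this to known
  # admin CIDRs (or reach SSH through IAP TCP forwarding) once such a range is
  # available to this config.
  source_ranges = ["0.0.0.0/0"]
  target_tags   = [local.allow_ssh_tag]

  # log connections matched by this internet-facing rule so SSH attempts are
  # visible in Cloud Logging for detection and investigation
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}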
# enroll project-wide ssh key for ssh access to VMs
resource "google_compute_project_metadata_item" "ssh_keys" {
  # project-level "ssh-keys" metadata is inherited by every VM in the project
  # that does not block project keys; this is the public half only, safe to commit
  key   = "ssh-keys"
  # format: "<username>:<public key> <comment>"
  value = "mrzzy:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBrfd982D9iQVTe2VecUncbgysh/XsZb4YyOhCSSAAtr mrzzy"
}
# Deploy WARP Box development VM
# https://github.com/mrzzy/warp
# look up the prebuilt WARP box image by name; the image itself is built elsewhere
data "google_compute_image" "warp_box" {
  name = var.warp_image
}
# disk for persistent storage when using the ephemeral development VM
# (lives in the provider's default zone; it outlives the VM, which is created on demand)
resource "google_compute_disk" "warp_disk" {
  name = "warp-box-disk"
  size = var.warp_disk_size_gb
}
# development VM; created only while var.has_warp_vm is true
# NOTE(review): no service_account block is set, so the VM presumably runs as the
# project's default compute service account with the provider's default scopes —
# confirm that is intended, or attach a dedicated least-privilege service account
resource "google_compute_instance" "wrap_vm" {
  count        = var.has_warp_vm ? 1 : 0
  name         = "warp-box-vm"
  machine_type = "e2-standard-2"
  # this tag is what the "allow-ssh" firewall rule matches on
  tags = [local.allow_ssh_tag]

  boot_disk {
    initialize_params {
      image = data.google_compute_image.warp_box.self_link
    }
  }

  # persistent data disk; the guest sees it under /dev/disk/by-id/google-<device_name>
  attached_disk {
    source      = google_compute_disk.warp_disk.self_link
    device_name = local.warp_disk_id
  }

  network_interface {
    network = google_compute_network.sandbox.self_link
    # access_config gives the VM an ephemeral external IP, so it is reachable
    # from the internet on whatever ports the firewall opens
    access_config {
      network_tier = "STANDARD"
    }
  }

  metadata = {
    # cloud-init config; the data disk device path is passed in so the guest can mount it
    user-data = templatefile("templates/warp_cloud_init.yaml", {
      "warp_disk_device" : "/dev/disk/by-id/google-${local.warp_disk_id}"
    })
  }
}