
This Terraform example will create a Windows 2019 Server bastion host to manage your Google Cloud VMware Engine (GCVE) environment. Identity-Aware Proxy will be used to access the bastion host via RDP. Using IAP means that the bastion host will be accessible without having to configure a VPN or expose the bastion host to the internet.

To use this example you should have the following:

  • An existing GCVE cluster
  • A VPC peered with your GCVE environment (example Terraform code here)
  • A Terraform environment that is configured to work with your GCP project

You can find more information about this example here: https://networkbrouhaha.com/2021/03/gcve-bastion/

Objectives

This Terraform code will do the following:

  • Create a service account, which will be associated with the bastion host
  • Create Windows 2019 Server instance, which will be used as a bastion host
  • Create firewall rules for accessing the bastion host via IAP, and accessing resources from the bastion host
  • Assign IAM roles needed for IAP
  • Set a password on the bastion host using the gcloud tool

After configuration is completed by Terraform, you will be able to use the gcloud tool to enable TCP forwarding for port 3389 (RDP). Once connected to the bastion host, you will be able to log into your GCVE-based vSphere portal. Additional information on using IAP for TCP forwarding is available at https://cloud.google.com/iap/docs/using-tcp-forwarding.

Costs

This tutorial uses billable components of Google Cloud, including the following:

Use the pricing calculator to generate a cost estimate based on your projected usage.

Before you begin

This tutorial assumes that you have a basic understanding of Terraform, GCP, and GCVE, and that you have already deployed a GCVE environment.

IAM permissions

Unless you are using an account with roles/owner permissions, you will need the following roles assigned to your account to use this example:

  • Compute Admin (roles/compute.admin)
  • Service Account Admin (roles/iam.serviceAccountAdmin)
  • Service Account User (roles/iam.serviceAccountUser)
  • IAP Policy Admin (roles/iap.admin)
  • IAP settings Admin (roles/iap.settingsAdmin)
  • IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor)
  • Service Networking Admin (roles/servicenetworking.networksAdmin)
  • Project IAM Admin (roles/resourcemanager.projectIamAdmin)

Usage

To use this example, you will need to provide values for several variables, after which you can run Terraform.

Variables Used

  • project: The project ID to deploy to
  • region: The region to use. Default value is us-west2.
  • zone: The zone to use. Default value is us-west2-a.
  • members: List of accounts to allow access to the bastion host
  • network_name: Name of the VPC network that will contain the bastion host.
  • subnet_name: Name of the subnet that will contain the bastion host.
  • image: Source image to use for the bastion host. Default value is gce-uefi-images/windows-2019.
  • machine_type: Instance type for the bastion host. Default value is n1-standard-1.
  • tag: Network tag to apply to bastion host, which is used in firewall rules. Default value is bastion.
  • labels: Key-value map of labels to assign to the bastion host.
  • metadata: Key-value map of additional metadata to assign to the bastion host. This can be used to supply a startup script for the bastion host. See https://cloud.google.com/compute/docs/startupscript for details.
  • name: Name of the bastion host instance. Default value is bastion-host.
  • username: Username of the account to create on the bastion host. Default value is bastionuser.
  • service_account_name: Account name for the service account. Default value is bastion.
  • scopes: List of scopes to attach to the bastion host. Default value is cloud-platform.
  • fw_name_allow_mgmt_from_bastion: Firewall rule name for allowing management traffic from bastion host. Default value is allow-mgmt-from-bastion.
  • fw_name_allow_iap_to_bastion: Firewall rule name for allowing IAP traffic to bastion host. Default value is allow-iap-to-bastion.
  • service_account_roles: List of IAM roles to assign to the service account. Default value is a list containing these strings:
    • roles/logging.logWriter
    • roles/monitoring.metricWriter
    • roles/monitoring.viewer
    • roles/compute.osLogin
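The following is an added Terraform example, not the repository's own main.tf, showing how the variables above fit together in the two places that matter most for security: the firewall rule that admits RDP only from the IAP TCP-forwarding range, and the IAM binding that scopes tunnel access to this one instance. It assumes the variables listed above are declared as described, that the google provider is configured for var.project, and that the instance has no external IP so IAP is the only path to port 3389. The IAP source range 35.235.240.0/20 is Google's published range for TCP forwarding; the resource and argument names are those of the google provider.

```hcl
# Added example (not the repository's code). Assumes the README's variables
# (var.project, var.zone, var.network_name, var.subnet_name, var.tag, ...)
# are declared and that provider "google" is configured for var.project.

# Service account attached to the bastion, granted only the roles in
# var.service_account_roles (by default: log/metric writers, monitoring
# viewer and OS Login), nothing broader.
resource "google_service_account" "bastion" {
  account_id   = var.service_account_name
  display_name = "GCVE bastion host service account"
}

resource "google_project_iam_member" "bastion_sa_roles" {
  for_each = toset(var.service_account_roles)
  project  = var.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.bastion.email}"
}

# The bastion itself. No access_config block on the network interface means
# no external IP: the host is reachable only on its internal address, which
# is exactly what the IAP tunnel targets.
resource "google_compute_instance" "bastion" {
  name         = var.name
  machine_type = var.machine_type
  zone         = var.zone
  tags         = [var.tag] # matched by target_tags in the firewall rule below
  labels       = var.labels
  metadata     = var.metadata

  boot_disk {
    initialize_params {
      image = var.image
    }
  }

  network_interface {
    network    = var.network_name
    subnetwork = var.subnet_name
  }

  service_account {
    email  = google_service_account.bastion.email
    scopes = var.scopes
  }
}

# RDP (3389) is allowed only from Google's IAP TCP-forwarding source range,
# 35.235.240.0/20, never from 0.0.0.0/0, and only to instances that carry
# the bastion tag. This rule is what keeps the host off the public internet.
resource "google_compute_firewall" "allow_iap_to_bastion" {
  name    = var.fw_name_allow_iap_to_bastion
  network = var.network_name

  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = [var.tag]

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }
}

# Tunnel permission is granted per instance, not project-wide: each member
# in var.members may open an IAP tunnel to this bastion and nothing else.
resource "google_iap_tunnel_instance_iam_member" "bastion_tunnel_users" {
  for_each = toset(var.members)
  project  = var.project
  zone     = var.zone
  instance = google_compute_instance.bastion.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = each.value
}
```

Two choices are worth checking in any variant of this configuration: that no firewall rule on the network opens 3389 to a wider source range than 35.235.240.0/20, and that the tunnel role is bound at the instance level (as above) rather than at project level, which would let the same members tunnel to every instance in the project.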

Outputs

  • bastion_username: Bastion host username
  • bastion_password: Bastion host password

Initialize and Run Terraform

  1. Edit terraform.tfvars to specify values for the required variables
  2. Run terraform init and ensure no errors are displayed
  3. Run terraform plan and review the changes that Terraform will perform
  4. Run terraform apply to apply the proposed configuration changes

Accessing the Bastion Host with IAP

Now, you should have a fresh Windows 2019 Server running in Google Cloud to serve as a bastion host. Use this command to create a tunnel to the bastion host:

gcloud compute start-iap-tunnel [bastion-host-name] 3389 --zone [zone]

You will see a message that says Listening on port [random number]. This random high port is proxied to your bastion host port 3389. Fire up your favorite RDP client and connect to localhost:[random number]. Log in with the credentials that were output from running Terraform. Once you're able to connect to the bastion host, install the vSphere-compatible browser of your choice, along with any other management tools you may need.

If you’re a Windows user, there is an IAP-enabled RDP client available here.

Accessing GCVE Resources from the Bastion Host

Open the GCVE portal, browse to Resources, and click on your SDDC, then vSphere Management Network. This will display the hostnames for your vCenter, NSX and HCX instances. Copy the hostname for vCenter and paste it into a browser in your bastion host to verify you can access your SDDC.

Access to GCVE from your VPC is made possible by private service access and a DNS forwarding configuration in Cloud DNS. The DNS forwarding configuration enables name resolution from your VPC for resources in GCVE. It is automatically created in Cloud DNS when private service access is configured between your VPC and GCVE. This is a relatively new feature and a nice improvement. Previously, name resolution for GCVE required manually changing resolvers on your bastion host or configuring a standalone DNS server.

Cleaning up

To remove the resources created by this example, run terraform destroy and answer yes when prompted to continue. This will only remove the VPC network and related configuration created by Terraform. Your GCVE environment will have to be deleted using these instructions, if desired.

Helpful Links