sync from -staging (#10)

ChaserSystems · Jan 29, 2023 · 0b00b5c · 0b00b5c
1 parent a492415
commit 0b00b5c
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.
 
 * Utilises Google's [Internal TCP/UDP load balancers as next hops](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) technology.
 * Provides rapid, seamless high-availability for the NAT and egress filtering function.
-* Can accommodate pre-allocated external IPs for use with the NAT function. Just label allocated External IPs with the key `discriminat` and any value.
+* Can accommodate pre-allocated external IPs for use with the NAT function. Just label allocated External IPs with the key `discriminat`.
 * The internal load balancer for discrimiNAT instances is set as the default route to the Internet for the entire VPC network.
 * Opt-out of this default routing is possible by tagging the VMs with `bypass-discriminat` network tag.
 * VMs _without_ public IPs will need firewall rules specifying what egress FQDNs and protocols are to be allowed. Default behaviour is to deny everything.
@@ -35,7 +35,7 @@ discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.
 
 ## External IPs
 
-If a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated External IPs that have a label-key named `discriminat` (set to any value.) One of such External IPs will be attempted to be associated with itself then.
+If a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated External IPs that have a label-key named `discriminat` – the value which should be set to the value of the variable `custom_deployment_id` in this module, if that was set, else anything but blank. One of such External IPs will be attempted to be associated with itself then.
 
 >This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist/whitelist them.
 

diff --git a/discriminat.tf b/discriminat.tf
@@ -25,6 +25,12 @@ variable "zones_names" {
   default     = []
 }
 
+variable "only_route_tags" {
+  type        = list(string)
+  description = "Restrict automatically created default route (to the Internet) to VMs with these network tags only. Especially useful in the case of multiple, distinct DiscrimiNAT deployments in the same VPC Network, where each deployment caters to a subset of VMs in that network. For example, a VPC Network may span multiple regions and the default route for each region must be scoped to the DiscrimiNAT deployment of the same region. Default is to route all traffic regardless of any criteria via this deployment – which may clash with another such deployment's default route, and route egress traffic in a deterministic but most likely via a suboptimal gateway (DiscrimiNAT)."
+  default     = null
+}
+
 variable "client_cidrs" {
   type        = list(string)
   description = "Additional CIDR blocks of clients which should be able to connect to, and hence route via, discrimiNAT instances."
@@ -37,6 +43,12 @@ variable "labels" {
   default     = {}
 }
 
+variable "custom_deployment_id" {
+  type        = string
+  description = "Override the randomly generated Deployment ID for this deployment. This is a unique identifier for this deployment that may help with naming, labelling and associating other objects (such as External IPs) to only this set of DiscrimiNAT instances – earmarking from other, parallel deployments."
+  default     = null
+}
+
 variable "machine_type" {
   type        = string
   description = "The default of e2-small should suffice for light to medium levels of usage. Anything less than 2 CPU cores and 2 GB of RAM is not recommended. For faster access to the Internet and for projects with a large number of VMs, you may want to choose a machine type with more CPU cores."
@@ -167,7 +179,7 @@ resource "google_compute_health_check" "discriminat" {
 
 resource "google_compute_region_instance_group_manager" "discriminat" {
   name                      = "discriminat-${local.suffix}"
-  base_instance_name        = "discriminat"
+  base_instance_name        = "discriminat-${local.suffix}"
   distribution_policy_zones = local.zones
   target_size               = length(local.zones) * var.instances_per_zone
 
@@ -239,6 +251,8 @@ resource "google_compute_route" "discriminat" {
   network      = data.google_compute_subnetwork.context.network
   next_hop_ilb = google_compute_forwarding_rule.discriminat.id
   priority     = 200
+
+  tags = var.only_route_tags
 }
 
 resource "google_compute_route" "bypass_discriminat" {
@@ -334,14 +348,15 @@ resource "random_pet" "deployment_id" {
 }
 
 locals {
-  suffix = random_pet.deployment_id.id
+  suffix = var.custom_deployment_id != null ? var.custom_deployment_id : random_pet.deployment_id.id
 }
 
 locals {
   labels = merge(
     {
       "product" : "discriminat",
-      "vendor" : "chasersystems_com"
+      "vendor" : "chasersystems_com",
+      "discriminat" : local.suffix
     },
     var.labels
   )
@@ -380,7 +395,7 @@ output "opt_out_network_tag" {
 }
 
 output "deployment_id" {
-  value       = random_pet.deployment_id.id
+  value       = local.suffix
   description = "The unique identifier, forming a part of various resource names, for this deployment."
 }
 

diff --git a/examples/google_network/eip.tf b/examples/google_network/eip.tf
@@ -9,7 +9,10 @@ resource "google_compute_address" "nat_a" {
   project = var.project_id
 
   labels = {
-    "discriminat" = "some-comment"
+    # set the value of label 'discriminat' to custom_deployment_id as passed to
+    # the discriminat module if pinning this External IP to that particular
+    # fleet of DiscrimiNAT's is desired
+    "discriminat" = "some-comment_or_custom-deployment-id"
   }
 
   lifecycle {
@@ -28,7 +31,10 @@ resource "google_compute_address" "nat_b" {
   project = var.project_id
 
   labels = {
-    "discriminat" = "any-remark"
+    # set the value of label 'discriminat' to custom_deployment_id as passed to
+    # the discriminat module if pinning this External IP to that particular
+    # fleet of DiscrimiNAT's is desired
+    "discriminat" = "any-remark_or_custom-deployment-id"
   }
 
   lifecycle {

diff --git a/examples/retrofit/eip.tf b/examples/retrofit/eip.tf
@@ -9,7 +9,10 @@ resource "google_compute_address" "nat_a" {
   project = var.project_id
 
   labels = {
-    "discriminat" = "some-comment"
+    # set the value of label 'discriminat' to custom_deployment_id as passed to
+    # the discriminat module if pinning this External IP to that particular
+    # fleet of DiscrimiNAT's is desired
+    "discriminat" = "some-comment_or_custom-deployment-id"
   }
 
   lifecycle {
@@ -28,7 +31,10 @@ resource "google_compute_address" "nat_b" {
   project = var.project_id
 
   labels = {
-    "discriminat" = "any-remark"
+    # set the value of label 'discriminat' to custom_deployment_id as passed to
+    # the discriminat module if pinning this External IP to that particular
+    # fleet of DiscrimiNAT's is desired
+    "discriminat" = "any-remark_or_custom-deployment-id"
   }
 
   lifecycle {
@@ -47,7 +53,10 @@ resource "google_compute_address" "nat_c" {
   project = var.project_id
 
   labels = {
-    "discriminat" = "whatsoever"
+    # set the value of label 'discriminat' to custom_deployment_id as passed to
+    # the discriminat module if pinning this External IP to that particular
+    # fleet of DiscrimiNAT's is desired
+    "discriminat" = "whatsoever_or_custom-deployment-id"
   }
 
   lifecycle {