From 0b00b5c557a20a790f524e4dda7bebd1bc03b5a0 Mon Sep 17 00:00:00 2001
From: new23d
Date: Sun, 29 Jan 2023 22:13:57 +0000
Subject: [PATCH] sync from -staging (#10)

---
 README.md | 4 ++--
 discriminat.tf | 23 +++++++++++++++++++----
 examples/google_network/eip.tf | 10 ++++++++--
 examples/retrofit/eip.tf | 15 ++++++++++++---
 4 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 1c2f627..c789867 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.
 
 * Utilises Google's [Internal TCP/UDP load balancers as next hops](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) technology.
 * Provides rapid, seamless high-availability for the NAT and egress filtering function.
-* Can accommodate pre-allocated external IPs for use with the NAT function. Just label allocated External IPs with the key `discriminat` and any value.
+* Can accommodate pre-allocated external IPs for use with the NAT function. Just label allocated External IPs with the key `discriminat`.
 * The internal load balancer for discrimiNAT instances is set as the default route to the Internet for the entire VPC network.
 * Opt-out of this default routing is possible by tagging the VMs with `bypass-discriminat` network tag.
 * VMs _without_ public IPs will need firewall rules specifying what egress FQDNs and protocols are to be allowed. Default behaviour is to deny everything.
@@ -35,7 +35,7 @@ discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.
 
 ## External IPs
 
-If a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated External IPs that have a label-key named `discriminat` (set to any value.) One of such External IPs will be attempted to be associated with itself then.
+If a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated External IPs that have a label-key named `discriminat` – the value which should be set to the value of the variable `custom_deployment_id` in this module, if that was set, else anything but blank. One of such External IPs will be attempted to be associated with itself then.
 
 >This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist/whitelist them.
 
diff --git a/discriminat.tf b/discriminat.tf
index 48b80a6..d7cfee1 100644
--- a/discriminat.tf
+++ b/discriminat.tf
@@ -25,6 +25,12 @@ variable "zones_names" {
 default = []
 }
 
+variable "only_route_tags" {
+ type = list(string)
+ description = "Restrict automatically created default route (to the Internet) to VMs with these network tags only. Especially useful in the case of multiple, distinct DiscrimiNAT deployments in the same VPC Network, where each deployment caters to a subset of VMs in that network. For example, a VPC Network may span multiple regions and the default route for each region must be scoped to the DiscrimiNAT deployment of the same region. Default is to route all traffic regardless of any criteria via this deployment – which may clash with another such deployment's default route, and route egress traffic in a deterministic but most likely via a suboptimal gateway (DiscrimiNAT)."
+ default = null
+}
+
 variable "client_cidrs" {
 type = list(string)
 description = "Additional CIDR blocks of clients which should be able to connect to, and hence route via, discrimiNAT instances."
@@ -37,6 +43,12 @@ variable "labels" {
 default = {}
 }
 
+variable "custom_deployment_id" {
+ type = string
+ description = "Override the randomly generated Deployment ID for this deployment. This is a unique identifier for this deployment that may help with naming, labelling and associating other objects (such as External IPs) to only this set of DiscrimiNAT instances – earmarking from other, parallel deployments."
+ default = null
+}
+
 variable "machine_type" {
 type = string
 description = "The default of e2-small should suffice for light to medium levels of usage. Anything less than 2 CPU cores and 2 GB of RAM is not recommended. For faster access to the Internet and for projects with a large number of VMs, you may want to choose a machine type with more CPU cores."
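Review bot: The new `only_route_tags` description never says what happens to VMs that carry none of the listed tags, and its closing clause is ungrammatical ("route egress traffic in a deterministic but most likely via a suboptimal gateway"). Because the route this variable feeds (`priority = 200`, in a later hunk) becomes tag-scoped, untagged VMs fall through to whatever lower-priority default route the VPC still has: if the stock internet-gateway route is present, VMs with public IPs egress with no FQDN filtering at all, and VMs without public IPs lose egress entirely — that fail-open/fail-closed split is exactly what a reader of this variable needs. I would append to the description `VMs carrying none of these tags are not routed via this deployment at all; they follow the next default route in the VPC (if any), so an unfiltered internet-gateway route must be removed or those VMs are left unfiltered.` and rewrite the last clause as `route egress traffic deterministically, but most likely via a suboptimal gateway (DiscrimiNAT).` Consider also rejecting `[]` with a `validation` block, since the module does not make explicit how the provider treats an empty tag list on a route.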
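Review bot: `custom_deployment_id` is accepted without any `validation` block, yet `local.suffix` (later hunk) splices it into GCE resource names (`name = "discriminat-${local.suffix}"`, `base_instance_name`) and into a label value, all of which require lowercase, hyphen-only, length-capped strings; an uppercase, underscore or over-long value is only rejected at apply time, possibly after some resources have already been created. The `random_pet` default is always lowercase words joined by hyphens, so the override should be held to the same shape, with a length cap that leaves room for the `discriminat-` prefix and the instance-name suffix the MIG appends. A `validation` block needs Terraform 0.13+, and the module's `required_version` is not in view, so confirm that before adding it. The description should also warn that setting this on an existing deployment changes `local.suffix` and therefore renames and recreates every suffix-named resource (forwarding rule, routes, instance group), i.e. an egress outage.
```hcl
variable "custom_deployment_id" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.custom_deployment_id == null || can(regex("^[a-z]([-a-z0-9]{0,38}[a-z0-9])?$", var.custom_deployment_id))
    error_message = "custom_deployment_id must be lowercase letters, digits and hyphens, start with a letter, not end with a hyphen, and be at most 40 characters, so it is valid inside GCE resource names and label values."
  }
}
```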
@@ -167,7 +179,7 @@ resource "google_compute_health_check" "discriminat" {
 
 resource "google_compute_region_instance_group_manager" "discriminat" {
 name = "discriminat-${local.suffix}"
- base_instance_name = "discriminat"
+ base_instance_name = "discriminat-${local.suffix}"
 distribution_policy_zones = local.zones
 target_size = length(local.zones) * var.instances_per_zone
 
@@ -239,6 +251,8 @@ resource "google_compute_route" "discriminat" {
 network = data.google_compute_subnetwork.context.network
 next_hop_ilb = google_compute_forwarding_rule.discriminat.id
 priority = 200
+
+ tags = var.only_route_tags
 }
 
 resource "google_compute_route" "bypass_discriminat" {
@@ -334,14 +348,15 @@ resource "random_pet" "deployment_id" {
 }
 
 locals {
- suffix = random_pet.deployment_id.id
+ suffix = var.custom_deployment_id != null ? var.custom_deployment_id : random_pet.deployment_id.id
 }
 
 locals {
 labels = merge(
 {
 "product" : "discriminat",
- "vendor" : "chasersystems_com"
+ "vendor" : "chasersystems_com",
+ "discriminat" : local.suffix
 },
 var.labels
 )
@@ -380,7 +395,7 @@ output "opt_out_network_tag" {
 }
 
 output "deployment_id" {
- value = random_pet.deployment_id.id
+ value = local.suffix
 description = "The unique identifier, forming a part of various resource names, for this deployment."
 }
 
diff --git a/examples/google_network/eip.tf b/examples/google_network/eip.tf
index c4da894..20c69f2 100644
--- a/examples/google_network/eip.tf
+++ b/examples/google_network/eip.tf
@@ -9,7 +9,10 @@ resource "google_compute_address" "nat_a" {
 project = var.project_id
 
 labels = {
- "discriminat" = "some-comment"
+ # set the value of label 'discriminat' to custom_deployment_id as passed to
+ # the discriminat module if pinning this External IP to that particular
+ # fleet of DiscrimiNAT's is desired
+ "discriminat" = "some-comment_or_custom-deployment-id"
 }
 
 lifecycle {
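Review bot: `tags = var.only_route_tags` makes the enforcement boundary for egress filtering a set of instance network tags, which are exactly as mutable as the `bypass-discriminat` opt-out tag the README describes and that `google_compute_route.bypass_discriminat` (starting at the end of this hunk, body outside it) relies on: any principal who can set tags on a VM can retag it off this route and out of filtering. That trust assumption is inherent to the design, but nothing in this module or the README hunks states it, so an operator scoping routes per region may not realise the scope is only as strong as IAM over instance tags. I would add above the new line: `# Scoping by network tag is only as strong as IAM over instance tags: a principal who can edit a VM's tags can also move it off this route, so pair this with least-privilege on instance update permissions.` Whether the instance runtime performs any check of its own beyond routing is not visible here.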
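Review bot: The new `"discriminat" : local.suffix` entry is placed in the first argument of `merge(...)`, so a caller passing `labels = { discriminat = "x" }` silently overrides it and whatever is labelled via `local.labels` carries a deployment id that does not match `local.suffix` or the `deployment_id` output. If the instance's own `discriminat` label is what the runtime compares against an External IP's label (the README hunk says the EIP label must equal `custom_deployment_id`, but how the instance learns its id is not visible here), that mismatch would break or misdirect EIP claiming; `product` and `vendor` were already overridable, which may be intentional, but the id is now load-bearing. I would make module-managed keys win: `labels = merge(var.labels, { "product" : "discriminat", "vendor" : "chasersystems_com", "discriminat" : local.suffix })`, or at least state in the `labels` variable description that the `discriminat` key is reserved.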
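Review bot: The new comment promises that labelling the address with `custom_deployment_id` pins it to "that particular fleet", but the README hunk in the same commit says a deployment that has no `custom_deployment_id` accepts "anything but blank" — so, if that description is accurate, an EIP labelled with deployment A's id is still claimable by any unpinned deployment B in the same project, and pinning is only one-directional. That matters because the EIPs are the addresses partners allowlist; the example should say so rather than imply isolation. I would extend the comment with `# note: a deployment without custom_deployment_id claims any non-blank 'discriminat' label, so every deployment in the project must be pinned for this to isolate the address`. The placeholder `"some-comment_or_custom-deployment-id"` also reads like a literal value; `"discriminat" = "some-comment" # or the module's custom_deployment_id` would be clearer.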
@@ -28,7 +31,10 @@ resource "google_compute_address" "nat_b" {
 project = var.project_id
 
 labels = {
- "discriminat" = "any-remark"
+ # set the value of label 'discriminat' to custom_deployment_id as passed to
+ # the discriminat module if pinning this External IP to that particular
+ # fleet of DiscrimiNAT's is desired
+ "discriminat" = "any-remark_or_custom-deployment-id"
 }
 
 lifecycle {
diff --git a/examples/retrofit/eip.tf b/examples/retrofit/eip.tf
index 3984953..3ba4192 100644
--- a/examples/retrofit/eip.tf
+++ b/examples/retrofit/eip.tf
@@ -9,7 +9,10 @@ resource "google_compute_address" "nat_a" {
 project = var.project_id
 
 labels = {
- "discriminat" = "some-comment"
+ # set the value of label 'discriminat' to custom_deployment_id as passed to
+ # the discriminat module if pinning this External IP to that particular
+ # fleet of DiscrimiNAT's is desired
+ "discriminat" = "some-comment_or_custom-deployment-id"
 }
 
 lifecycle {
@@ -28,7 +31,10 @@ resource "google_compute_address" "nat_b" {
 project = var.project_id
 
 labels = {
- "discriminat" = "any-remark"
+ # set the value of label 'discriminat' to custom_deployment_id as passed to
+ # the discriminat module if pinning this External IP to that particular
+ # fleet of DiscrimiNAT's is desired
+ "discriminat" = "any-remark_or_custom-deployment-id"
 }
 
 lifecycle {
@@ -47,7 +53,10 @@ resource "google_compute_address" "nat_c" {
 project = var.project_id
 
 labels = {
- "discriminat" = "whatsoever"
+ # set the value of label 'discriminat' to custom_deployment_id as passed to
+ # the discriminat module if pinning this External IP to that particular
+ # fleet of DiscrimiNAT's is desired
+ "discriminat" = "whatsoever_or_custom-deployment-id"
 }
 
 lifecycle {