# Naming prefix shared by every resource in this file (VPCs, subnets,
# firewall rules, the service account id).
locals {
  prefix = "qwiklab"
}
data "google_client_config" "main" {}
# Zones available in var.region for the provider's project. Nothing in
# this file references the result; presumably consumed elsewhere in the
# module (e.g. for instance placement) — confirm before removing.
data "google_compute_zones" "main" {
  region  = var.region
  project = data.google_client_config.main.project
}
# Create mgmt VPC
module "vpc_mgmt" {
  # Management VPC: carries the VM-Series management interface. Ingress
  # is limited to the sources in var.allowed_sources on three TCP ports.
  source     = "terraform-google-modules/network/google"
  version    = "~> 4.0"
  project_id = var.project_id

  network_name = "${local.prefix}-mgmt-vpc"
  routing_mode = "GLOBAL"

  subnets = [{
    subnet_name   = "${local.prefix}-${var.region}-mgmt"
    subnet_ip     = var.cidr_mgmt
    subnet_region = var.region
  }]

  firewall_rules = [{
    name        = "${local.prefix}-vmseries-mgmt"
    description = "Allow ingress access to VM-Series management interface"
    direction   = "INGRESS"
    priority    = "100"
    # Source filter is supplied by the caller; this is the admin path into
    # the VM-Series instances.
    ranges = var.allowed_sources
    # 22 = SSH, 443 = web UI / API, 3978 = Panorama connection (presumably —
    # confirm against the PAN-OS docs).
    # NOTE(review): no target_tags / target_service_accounts are set, so the
    # rule applies to every instance in this VPC, not only the VM-Series.
    allow = [{
      ports    = ["22", "443", "3978"]
      protocol = "tcp"
    }]
  }]
}
# Create untrust VPC
module "vpc_untrust" {
  # Untrust VPC: the internet-facing side of the VM-Series.
  source     = "terraform-google-modules/network/google"
  version    = "~> 4.0"
  project_id = var.project_id

  network_name = "${local.prefix}-untrust-vpc"
  routing_mode = "GLOBAL"

  subnets = [{
    subnet_name   = "${local.prefix}-${var.region}-untrust"
    subnet_ip     = var.cidr_untrust
    subnet_region = var.region
  }]

  # The VPC firewall is fully open here (all protocols, any source). The
  # intent appears to be that traffic policy is enforced by the VM-Series
  # instances attached to this network rather than by GCP — confirm that
  # nothing else is ever placed in this VPC.
  firewall_rules = [{
    name      = "${local.prefix}-allow-all-untrust"
    direction = "INGRESS"
    priority  = "100"
    ranges    = ["0.0.0.0/0"]
    allow = [{
      ports    = []
      protocol = "all"
    }]
  }]
}
# Create trust VPC
module "vpc_trust" {
  # Trust VPC: the inside network behind the VM-Series.
  source     = "terraform-google-modules/network/google"
  version    = "~> 4.0"
  project_id = var.project_id

  network_name = "${local.prefix}-trust-vpc"
  routing_mode = "GLOBAL"

  # Drop the default 0.0.0.0/0 route to the internet gateway so that hosts
  # in this VPC have no direct internet path; egress presumably goes through
  # the VM-Series via routes defined outside this file — confirm.
  delete_default_internet_gateway_routes = true

  subnets = [{
    subnet_name   = "${local.prefix}-${var.region}-trust"
    subnet_ip     = var.cidr_trust
    subnet_region = var.region
  }]

  # Same open VPC firewall as the untrust side: all protocols, any source.
  # Inspection is expected to happen on the VM-Series, not at the VPC layer.
  firewall_rules = [{
    name      = "${local.prefix}-allow-all-trust"
    direction = "INGRESS"
    priority  = "100"
    ranges    = ["0.0.0.0/0"]
    allow = [{
      ports    = []
      protocol = "all"
    }]
  }]
}
# Create IAM service account for VM-Series instances
module "iam_service_account" {
  # Service account the VM-Series managed instance group runs as; its email
  # is handed to the bootstrap module below.
  # NOTE(review): the registry source has no `version` constraint, so every
  # `terraform init` resolves to the latest published release. The network
  # modules above are pinned with `~>`; this one should be pinned the same way.
  source = "PaloAltoNetworks/vmseries-modules/google//modules/iam_service_account"

  service_account_id = "${local.prefix}-vmseries-mig-sa"
}
# Create storage bucket to bootstrap VM-Series instances
module "bootstrap" {
  # Bucket holding the PAN-OS bootstrap package; read access is granted to
  # the service account created above (presumably by the module — confirm).
  # NOTE(review): unpinned registry source, same as iam_service_account;
  # add a `version` constraint.
  source = "PaloAltoNetworks/vmseries-modules/google//modules/bootstrap"

  service_account = module.iam_service_account.email

  # Keys look like local source paths and values the destination object
  # names under the bucket's config/ folder — verify against the module docs.
  files = {
    "bootstrap_files/init-cfg.txt"  = "config/init-cfg.txt"
    "bootstrap_files/bootstrap.xml" = "config/bootstrap.xml"
  }
}