VMs should not have public IP enabled by default. #1

Open
codeangler opened this issue Oct 9, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@codeangler

Is your feature request related to a problem?

Some (many?) organization security policies block VM deployments with a public IP.

This code deploys two of the multi nic* using a public IP.

Describe the solution you'd like

add

# access_config {}  # remove comment to have a public IP

Describe alternatives you've considered

Pleading with org security to get exceptions.

Additional context

@codeangler codeangler added the enhancement New feature or request label Oct 9, 2024
@codeangler
Author

codeangler commented Nov 8, 2024

Here's what our TF SME guided me to; focus on the "dynamic" block.

resource "google_compute_instance" "vmseries" {
  name                      = "palo-vmseries-${var.availablity_zone}-${var.env}-${var.env_state}-${var.random_hex}"
  machine_type              = var.vmseries_machine_type
  project                   = var.project_id_hub_one
  zone                      = var.availablity_zone
  can_ip_forward            = true   // required: the firewall forwards traffic it did not originate
  allow_stopping_for_update = true
  tags                      = ["palo-fw"]

  boot_disk {
    initialize_params {
      image = var.vmseries_image
      type  = "pd-standard"
    }
  }
  metadata = {
    // swaps eth0/eth1 so the VM-Series management interface is on nic1, not the untrust nic
    mgmt-interface-swap                  = "enable"
    serial-port-enable                   = true
    ssh-keys                             = "admin:${var.public_key}"
    vmseries-bootstrap-gce-storagebucket = module.bootstrap.bucket_name
  }

  // nic0 - untrust nic
  network_interface {
    subnetwork = google_compute_subnetwork.dmz.self_link
    // An empty access_config {} block is what requests an ephemeral external IP.
    // The dynamic block emits that block once when var.dmz_public_ip is true and
    // not at all when it is false, so the interface gets no public IP by default.
    // The list element ("prod-live") is only a one-item placeholder; content {} ignores it.
    dynamic "access_config" {
      for_each = var.dmz_public_ip ? ["prod-live"] : []
      content {}
    }
  }
  // nic1 - mgnt (no access_config: reachable only over the internal network)
  network_interface {
    subnetwork = google_compute_subnetwork.mgnt.self_link
  }
  // nic2 - hub_one, pinned to a fixed internal address so routes can point at it
  network_interface {
    subnetwork = google_compute_subnetwork.hub_one.self_link
    network_ip = var.palo.fw_ip_hub_one
  }
  // dedicated service account with read-only compute/storage and write-only logging/monitoring scopes
  service_account {
    email = var.palo_sa_vm_email

    scopes = [
      "https://www.googleapis.com/auth/compute.readonly",
      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write"
    ]
  }

  depends_on = [
    module.bootstrap
  ]
}

@codeangler
Author

We pass into the module:

  # public IP only in the "default" workspace; every other workspace gets no access_config block
  dmz_public_ip                = terraform.workspace == "default"
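As an added example that is not part of this issue or the project's code: a CI check, written here in Python, that walks the JSON produced by `terraform show -json tfplan` and flags any planned `google_compute_instance` whose `network_interface` carries an `access_config` block. It catches the case the issue is about (an instance that will get a public IP) before apply, and confirms that the dynamic-block pattern above yields `access_config = []` when the variable is false. The `SAMPLE_PLAN` dict is constructed to mirror the three-NIC layout in the comment above; its resource addresses, subnetwork paths and IPs are made up for the example.

```python
"""Fail a CI job when a Terraform plan would give a GCE instance a public IP.

Usage: terraform show -json tfplan > plan.json && python check_public_ip.py plan.json
Run with no argument to evaluate the constructed SAMPLE_PLAN below.
"""
import json
import sys
from typing import Iterator

# Constructed sample of `terraform show -json` output (not real plan output): one
# root-module instance with no access_config, and a module instance whose nic0
# carries an access_config block, mirroring the three-NIC vmseries layout above.
# Addresses, subnetwork paths and IPs are made up for the example.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_compute_instance.bastion",
                    "type": "google_compute_instance",
                    "values": {
                        "network_interface": [
                            {"subnetwork": "projects/p/regions/r/subnetworks/mgnt",
                             "access_config": []},
                        ]
                    },
                }
            ],
            "child_modules": [
                {
                    "address": "module.palo",
                    "resources": [
                        {
                            "address": "module.palo.google_compute_instance.vmseries",
                            "type": "google_compute_instance",
                            "values": {
                                "network_interface": [
                                    # nic0: dynamic block emitted access_config {} (dmz_public_ip = true)
                                    {"subnetwork": "projects/p/regions/r/subnetworks/dmz",
                                     "access_config": [{"network_tier": "PREMIUM"}]},
                                    # nic1/nic2: no access_config at all
                                    {"subnetwork": "projects/p/regions/r/subnetworks/mgnt",
                                     "access_config": []},
                                    {"subnetwork": "projects/p/regions/r/subnetworks/hub_one",
                                     "network_ip": "10.0.3.10",
                                     "access_config": []},
                                ]
                            },
                        }
                    ],
                }
            ],
        }
    },
}


def _walk_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def find_public_ip_interfaces(plan: dict) -> list[str]:
    """Return '<address>.network_interface[<n>]' for each NIC that has an access_config.

    In planned_values nested blocks are rendered as lists, so a NIC whose dynamic
    access_config block had for_each = [] shows access_config = [] and is not flagged.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    flagged: list[str] = []
    for res in _walk_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        nics = res.get("values", {}).get("network_interface") or []
        for idx, nic in enumerate(nics):
            if nic.get("access_config"):
                flagged.append(f"{res['address']}.network_interface[{idx}]")
    return flagged


def main(argv: list[str]) -> int:
    """Exit 1 (fail the pipeline) if any planned instance requests a public IP."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    hits = find_public_ip_interfaces(plan)
    for hit in hits:
        print(f"public IP requested: {hit}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check reads `planned_values` rather than `resource_changes` so that instances created inside modules (as the `module.palo` input above) are covered by the recursive walk; an ephemeral IP's `nat_ip` is unknown at plan time and is simply absent from the block, which is why the test is "is `access_config` non-empty" and not "is `nat_ip` set".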
