Enable IPv6, shield VMs, bump Terraform version

This commit is contained in:
Andrew Dryga
2023-09-07 23:45:18 -06:00
parent 8398e3013b
commit 6750f6fd65
7 changed files with 111 additions and 63 deletions


@@ -3,7 +3,7 @@
nodejs 18.16.0
elixir 1.15.2-otp-26
erlang 26.0.2
terraform 1.5.0
terraform 1.5.6
# Used for static analysis
python 3.9.13


@@ -2,40 +2,42 @@
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/google" {
version = "4.66.0"
version = "4.81.0"
constraints = "~> 4.66"
hashes = [
"h1:rN7iHu/t+Xps0D4RUM2ZkgLdXAY6ftey+o/5osP9jKE=",
"zh:141cddc714dec246957a47cb4103b34302222fc93a87b64de88116b22ebb0ea1",
"zh:276ebd75cb7c265d12b2c611a5f8d38fd6b892ef3edec1b845a934721db794e5",
"zh:574ae7b4808c1560b5a55a75ca2ad5d8ff6b5fb9dad6dffce3fae7ff8ccf78a9",
"zh:65309953f79827c23cc800fc093619a1e0e51a53e2429e9b04e537a11012f989",
"zh:6d67d3edea47767a873c38f1ff519d4450d8e1189a971bda7b0ffde9c9c65a86",
"zh:7fb116be869e30ee155c27f122d415f34d1d5de735d1fa9c4280cac71a42e8f4",
"zh:8a95ed92bb4547f4a40c953a6bd1db659b739f67adcacd798b11fafaec55ee67",
"zh:94f0179e84eb74823d8be4781b0a15f7f34ee39a7b158075504c882459f1ab23",
"zh:a58a7c5ace957cb4395f4b3bb11687e3a5c79362a744107f16623118cffc9370",
"zh:ab38b66f3c5c00df64c86fb4e47caef8cf451d5ed1f76845fd8b2c59628dc18a",
"zh:cc6bb1799e38912affc2a5b6f1c52b08f286d3751206532c04482b5ca0418eb6",
"h1:TKydY88LYRsHJ05icwCU0NNy8ANWinWcs5teuSXVF2k=",
"zh:29f5ca33cba63fb8dd96a0074317295bb99708a8d5bc124efe41406f25e967cd",
"zh:3a1fd6da193a62777c2e83d7449df9990f78b3638a9b99ca2410fb678bd2dbba",
"zh:3d251ff3d83b3e877543a7638eb6953fcd4002328e2d32611acc4ca647f3a162",
"zh:4711bc9a2957368de9f333bb458cf85a769fd14313cb34c4bb56c472acaf7cca",
"zh:4f6acd5645b395a7a7f6991b91a2bf8d19a303232dc630fe8e7c7857c980445b",
"zh:54ad3f0745a9ecfb725a1d7627461fc9ec98f4b4f0930011137b828a93fe5c21",
"zh:8134b287fc0b8b88e50b4e082071163f7465077f7433a5ca13b7d2fa68c57f73",
"zh:848d9d30eb8360c993e96e1871b0cfecadfcf6f9669e52c1f3d5d4bc16afbd67",
"zh:851199bde801acbb90e262c01959f721e8c31853e1c8ad6478c70ae326b8544e",
"zh:883102ec2d28193ea036cf3db9f93355b3e2c69dc66eacc40aa958b4a3c30f47",
"zh:c09200ef6722f27e1f12165082c7eb137e622cea60fcf201c21609564d0e91d0",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}
provider "registry.terraform.io/hashicorp/google-beta" {
version = "4.66.0"
version = "4.81.0"
constraints = "~> 4.66"
hashes = [
"h1:z8dx8fWyjpymy5nzJGhEq9IJ+K8vVaWPawZTOhL7NuU=",
"zh:253391f3b3cc9c6908b9fcbb8704e423071121fef476d5de824a187df76924a0",
"zh:2fb223b4fba1fcccb02cc3d0d5103fdf687a722b461828b3885043dd643f8efd",
"zh:6ca0094c20f4e9f25f11ab016f0b54fcfd62076ea30bb43d4c69d52633a0cfb8",
"zh:757ffff89a521073c8fa7f663cf3d9d20629d6e72b837b74c0221bcf34531cfd",
"zh:7d1459b9b3bd9e0dc887b9c476cfa58e2cbb7d56d5ffdeaec0fdd535a38373d4",
"zh:92ad7a5489cd3f51b69c0136095d94f3092c8c7e0d5c8befe1ff53c18761aade",
"zh:9f477e3dbaac8302160bfcfb9c064de72eb6776130a5671380066ac2e84ceae8",
"zh:d1580b146b16d56ccd18a1bbc4a4cac2607e37ed5baf6290cc929f5c025bf526",
"zh:d30d5b3ebd6c4123a53cef4c7c6606b06d27f1cb798b387b9a65b55f8c7b6b9f",
"zh:e3cdc92f111499702f7a807fe6cf8873714939efc05b774cfbde76b8a199da46",
"zh:f2cd44444b6d7760a8a6deaf54ca67ae3696d3f5640b107ad7be91dde8a60c25",
"h1:ccLmnfXRD7NgTmoezt29Z+Kj46vFfbvJBwlwI+Bv/fE=",
"zh:2177e06b4f6e7ea85bf475bc7c7012f94835f85237b8880fced6ede60279559d",
"zh:28c6e6b214218617273f38174b18ac8950af03908991a05fed860ddcefc16c2d",
"zh:417fa45c9edb1dd77a4360aa092cd47154076647f4e86c2b524ee83c59b22b3b",
"zh:42d56cbb13f1eaccfd681bc0fa6a249a926720334544bd352694888425e41a3c",
"zh:66048b36642eef5d019e58dbdc34b04e0c25cd3636e671d270f6be92d316021c",
"zh:6b2e42a53c04dbeb9519887ffd1da888b5049e774614daf47dd5ff169b323ab7",
"zh:8c9b6d6c58e4a2eec03ab16313c08f5d77f86ffdda5dcd19eaf5b3f619bf66f6",
"zh:ac3fe4990fa43beea23c9743b570c4e6da9b23f3ad73d96eb8c6bb81c534c649",
"zh:c2420e48a7a6d323d9ebc2f184c65734f70e73e2e0ade70ba5ce67f56c26dd41",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
"zh:f6b3a64d62c1f459a814f9eaccec176a95140b707a9bc0cdc5826086075c571f",
"zh:fc58563042edf6a5fe3f7ce3efed21ae9a532b9b860653368028d6921ab17cdf",
]
}


@@ -199,10 +199,14 @@ resource "google_compute_subnetwork" "apps" {
name = "app"
stack_type = "IPV4_IPV6"
ip_cidr_range = "10.128.0.0/20"
region = local.region
network = module.google-cloud-vpc.id
ipv6_access_type = "EXTERNAL"
private_ip_google_access = true
}
@@ -606,8 +610,6 @@ module "relays" {
}
}
vpc_network = "projects/${module.google-cloud-project.project.project_id}/global/networks/default"
container_registry = module.google-artifact-registry.url
image_repo = module.google-artifact-registry.repo
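Review bot: `ipv6_access_type = "EXTERNAL"` on the apps subnet means every instance that attaches an `ipv6_access_config` (the application template in this commit does) receives a globally routable IPv6 address, and none of the firewall rules for this VPC appear in the diff. GCP's implied deny-ingress rule covers those addresses, but any allow rule that later gets an IPv6 source range should be as narrow as its IPv4 counterpart, so it would help to make the dependency visible with a comment on that line such as `# EXTERNAL: instances get public IPv6 addresses; ingress is governed by the VPC firewall rules`. The enclosing resource starts outside the hunk.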


@@ -1,5 +1,5 @@
terraform {
required_version = "1.5.0"
required_version = "1.5.6"
required_providers {
random = {
@@ -14,12 +14,12 @@ terraform {
google = {
source = "hashicorp/google"
version = "~> 4.66"
version = "~> 4.81"
}
google-beta = {
source = "hashicorp/google-beta"
version = "~> 4.66"
version = "~> 4.81"
}
tls = {


@@ -146,24 +146,35 @@ resource "google_compute_instance_template" "application" {
network_interface {
subnetwork = var.vpc_subnetwork
stack_type = "IPV4_IPV6"
ipv6_access_config {
network_tier = "PREMIUM"
}
}
service_account {
email = google_service_account.application.email
scopes = [
# Those are copying gke-default scopes
"storage-ro",
"logging-write",
"monitoring",
"service-management",
"service-control",
"trace",
# Those are default scopes
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append",
# Required to discover the other instances in the Erlang Cluster
"compute-ro",
"https://www.googleapis.com/auth/compute.readonly"
]
}
shielded_instance_config {
enable_integrity_monitoring = true
enable_secure_boot = false
enable_vtpm = true
}
metadata = merge({
gce-container-declaration = yamlencode({
spec = {
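Review bot: `enable_secure_boot = false` in the added `shielded_instance_config` switches off the one Shielded VM control that prevents unsigned boot components from running; `enable_vtpm` and `enable_integrity_monitoring` only measure and report, they do not block. The template deploys via `gce-container-declaration`, which suggests a Container-Optimized OS image, and those images support Secure Boot, so `enable_secure_boot = true` should work if the image used here (not visible in the hunk) is one of them; if it is disabled on purpose, a comment like `# Secure Boot off: <reason>` on that line would stop the next reader from re-enabling it. The same block with the same setting is added to the relays template later in this commit. The enclosing resource starts and ends outside the hunk.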


@@ -110,6 +110,37 @@ resource "google_project_iam_member" "cloudtrace" {
member = "serviceAccount:${google_service_account.application.email}"
}
# Create network
resource "google_compute_network" "network" {
project = var.project_id
name = "relays"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
depends_on = [
google_project_service.compute
]
}
resource "google_compute_subnetwork" "subnetwork" {
for_each = var.instances
project = var.project_id
name = "relays-${each.key}"
region = each.key
network = google_compute_network.network.self_link
stack_type = "IPV4_IPV6"
ip_cidr_range = "10.128.0.0/20"
ipv6_access_type = "EXTERNAL"
private_ip_google_access = true
}
# Deploy app
resource "google_compute_instance_template" "application" {
for_each = var.instances
@@ -142,7 +173,14 @@ resource "google_compute_instance_template" "application" {
}
network_interface {
network = var.vpc_network
subnetwork = google_compute_subnetwork.subnetwork[each.key].self_link
stack_type = "IPV4_IPV6"
ipv6_access_config {
network_tier = "PREMIUM"
# Ephimerical IP address
}
access_config {
network_tier = "PREMIUM"
@@ -154,18 +192,22 @@ resource "google_compute_instance_template" "application" {
email = google_service_account.application.email
scopes = [
# Those are copying gke-default scopes
"storage-ro",
"logging-write",
"monitoring",
"service-management",
"service-control",
"trace",
# Required to discover the other instances in the Erlang Cluster
"compute-ro",
# Those are default scopes
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append",
]
}
shielded_instance_config {
enable_integrity_monitoring = true
enable_secure_boot = false
enable_vtpm = true
}
metadata = merge({
gce-container-declaration = yamlencode({
spec = {
@@ -312,7 +354,7 @@ resource "google_compute_firewall" "stun-turn" {
project = var.project_id
name = "${local.application_name}-firewall-lb-to-instances"
network = var.vpc_network
network = google_compute_network.network.self_link
source_ranges = ["0.0.0.0/0"]
target_tags = ["app-${local.application_name}"]
@@ -333,7 +375,7 @@ resource "google_compute_firewall" "http-health-checks" {
project = var.project_id
name = "${local.application_name}-healthcheck"
network = var.vpc_network
network = google_compute_network.network.self_link
source_ranges = local.google_health_check_ip_ranges
target_tags = ["app-${local.application_name}"]
@@ -349,7 +391,7 @@ resource "google_compute_firewall" "egress-ipv4" {
project = var.project_id
name = "${local.application_name}-egress-ipv4"
network = var.vpc_network
network = google_compute_network.network.self_link
direction = "EGRESS"
target_tags = ["app-${local.application_name}"]
@@ -364,7 +406,7 @@ resource "google_compute_firewall" "egress-ipv6" {
project = var.project_id
name = "${local.application_name}-egress-ipv6"
network = var.vpc_network
network = google_compute_network.network.self_link
direction = "EGRESS"
target_tags = ["app-${local.application_name}"]
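Review bot: Every `google_compute_subnetwork.subnetwork` instance in the first hunk uses the same `ip_cidr_range = "10.128.0.0/20"`, and primary ranges of subnets in one VPC must not overlap regardless of region, so the apply should fail as soon as `var.instances` has more than one key. Derive a distinct range per instance, e.g. `ip_cidr_range = cidrsubnet("10.128.0.0/16", 4, index(keys(var.instances), each.key))` if `var.instances` is a map (`index(tolist(var.instances), each.key)` for a set), bearing in mind that index-based allocation renumbers subnets when keys are added or removed, so a fixed per-region map of ranges is the more stable choice. Separately, the firewall rules repointed at the new network keep `source_ranges = ["0.0.0.0/0"]`, which matches IPv4 only; the new external IPv6 addresses remain unreachable under the implied deny unless a rule with `::/0` (or the health checker's IPv6 ranges) is added where IPv6 ingress is intended. The comment `# Ephimerical IP address` should read `# Ephemeral IP address`.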


@@ -23,15 +23,6 @@ variable "instances" {
description = "List deployment locations for the application."
}
################################################################################
## VPC
################################################################################
variable "vpc_network" {
description = "ID of a VPC which will be used to deploy the application."
type = string
}
################################################################################
## Container Registry
################################################################################