Feat/Wiregurad Vpn Tmp

[asadaaron]

This PR introduces changes from the feat/wiregurad-vpn-tmp branch.

📝 Summary

📁 Files Changed ( 41 files)

.gitignore
terraform/infrastructure/envs/dev/main.tf
terraform/infrastructure/envs/dev/outputs.tf
terraform/infrastructure/envs/dev/variables.tf
terraform/infrastructure/envs/prd/main.tf
terraform/infrastructure/envs/prd/outputs.tf
terraform/infrastructure/envs/prd/variables.tf
terraform/infrastructure/envs/stg/main.tf
terraform/infrastructure/envs/stg/outputs.tf
terraform/infrastructure/envs/stg/variables.tf
terraform/infrastructure/main.tf
terraform/infrastructure/modules/kubernetes/azure/main.tf
terraform/infrastructure/modules/kubernetes/azure/outputs.tf
terraform/infrastructure/modules/kubernetes/azure/variables.tf
terraform/infrastructure/modules/kubernetes/gcp/cluster.tf
terraform/infrastructure/modules/kubernetes/gcp/firewall.tf
terraform/infrastructure/modules/kubernetes/gcp/main.tf
terraform/infrastructure/modules/kubernetes/gcp/node_pool.tf
terraform/infrastructure/modules/kubernetes/gcp/outputs.tf
terraform/infrastructure/modules/kubernetes/gcp/service_account.tf
terraform/infrastructure/modules/kubernetes/gcp/variables.tf
terraform/infrastructure/modules/network/gcp/firewall.tf
terraform/infrastructure/modules/network/gcp/main.tf
terraform/infrastructure/modules/network/gcp/nat.tf
terraform/infrastructure/modules/network/gcp/outputs.tf
terraform/infrastructure/modules/network/gcp/subnets.tf
terraform/infrastructure/modules/wireguard/azure/main.tf
terraform/infrastructure/modules/wireguard/gcp/cloud-init.tf
terraform/infrastructure/modules/wireguard/gcp/firewall.tf
terraform/infrastructure/modules/wireguard/gcp/keys.tf
terraform/infrastructure/modules/wireguard/gcp/main.tf
terraform/infrastructure/modules/wireguard/gcp/outputs.tf
terraform/infrastructure/modules/wireguard/gcp/templates/client-config.tpl
terraform/infrastructure/modules/wireguard/gcp/templates/cloud-init.yaml.tpl
terraform/infrastructure/modules/wireguard/gcp/templates/wg0.conf.tpl
terraform/infrastructure/modules/wireguard/gcp/variables.tf
terraform/infrastructure/modules/wireguard/gcp/vm.tf
terraform/infrastructure/outputs.tf
terraform/infrastructure/scripts/test-wireguard-complete.sh
terraform/infrastructure/terraform.tfvars.example
terraform/infrastructure/variables.tf

📋 Commit Details

6f44f1c2 - implemen-state-management-using-gcs-bucket (Md Asaduzzaman Miah, 2026-02-16 10:26)
584b7334 - peering example (Md Asaduzzaman Miah, 2026-02-13 17:06)
c93e6d15 - implemented wireguard and test script (Md Asaduzzaman Miah, 2026-02-13 14:39)
ae6884d0 - fix: include tfplan into the gitignore. (Md Asaduzzaman Miah, 2026-02-10 13:26)
54778ab6 - fix: All cluster resources were brought up, but: only 0 nodes out of 3 have registered. (Md Asaduzzaman Miah, 2026-02-10 10:56)
b8fd8b17 - kubernetes private cluster (Md Asaduzzaman Miah, 2026-02-09 16:43)

✅ Checklist

• Code follows the project's style guidelines
• Self-review of code has been performed
• Code is commented, particularly in hard-to-understand areas
• Corresponding changes to documentation have been made
• Tests have been added/updated for new functionality
• All tests pass locally

🧪 Testing

📸 Screenshots (if applicable)

🔗 Related Issues

[peqy]

Found a couple of blockers around firewall rule validity and the WireGuard tunnel CIDR conflicting with the VPC subnet. Also flagged a couple of items that will cause churn/confusion (external key generation + unused state bucket var).

Found 5 issues (3 critical, 2 improvements).

[peqy]

Critical WireGuard tunnel CIDR overlaps the VM’s VPC subnet

Address = ${server_ip}/24 will try to add a 10.0.0.0/24 route via wg0, which conflicts with the instance’s existing 10.0.0.0/24 route on its primary NIC (since the WireGuard VPC subnet is also 10.0.0.0/24). wg-quick up will typically fail with “RTNETLINK answers: File exists”, or routing becomes ambiguous.

Fix: use a dedicated tunnel CIDR that does not overlap the VPC subnet (preferred), or set the WireGuard interface address to /32 and route peers via AllowedIPs (and keep the VPC subnet on a different range).

[peqy]

Critical destination_ranges requires direction = "EGRESS"

This rule is currently defaulting to INGRESS, but sets destination_ranges. GCP/Terraform rejects this combination.

Fix: set direction = "EGRESS" and add target_tags = ["gke-${var.environment}"] (or drop the rule entirely since egress is currently allowed by default).

[peqy]

Critical destination_ranges on an ingress firewall rule

gke_wireguard_to_master defaults to INGRESS but sets destination_ranges, which isn’t valid for ingress firewall rules.

Fix: remove destination_ranges (and accept that this becomes a network-wide allow from wireguard_cidr to tcp/443), or replace this approach with something that can actually scope to the control-plane endpoint (often master authorized networks is sufficient).

[peqy]

Improvement Key generation via data.external will churn and requires local deps

This runs wg + jq on the machine running Terraform and (because it’s a data source) will typically produce new keys on refresh/plan, forcing perpetual diffs and potentially recreating the VM / peer configs.

Fix: generate keys once and pass them in (tfvars/Secret Manager), or persist them (e.g., local_file + read-back), or use a provider/resource designed for stable key material rather than an always-changing external data source.

[peqy]

Improvement terraform_state_bucket is currently unused

Terraform backend config can’t reference var.terraform_state_bucket, so this variable will never affect where state is stored.

Fix: either remove it, or document clearly that the bucket must be provided via terraform init -backend-config=bucket=... (and don’t suggest it’s controlled by tfvars).