
Feat/Wiregurad Vpn Tmp#1353

Draft
asadaaron wants to merge 6 commits into main from feat/wiregurad-vpn-tmp

Conversation

@asadaaron
Collaborator

This PR introduces changes from the feat/wiregurad-vpn-tmp branch.

📝 Summary

📁 Files Changed (41 files)

.gitignore
terraform/infrastructure/envs/dev/main.tf
terraform/infrastructure/envs/dev/outputs.tf
terraform/infrastructure/envs/dev/variables.tf
terraform/infrastructure/envs/prd/main.tf
terraform/infrastructure/envs/prd/outputs.tf
terraform/infrastructure/envs/prd/variables.tf
terraform/infrastructure/envs/stg/main.tf
terraform/infrastructure/envs/stg/outputs.tf
terraform/infrastructure/envs/stg/variables.tf
terraform/infrastructure/main.tf
terraform/infrastructure/modules/kubernetes/azure/main.tf
terraform/infrastructure/modules/kubernetes/azure/outputs.tf
terraform/infrastructure/modules/kubernetes/azure/variables.tf
terraform/infrastructure/modules/kubernetes/gcp/cluster.tf
terraform/infrastructure/modules/kubernetes/gcp/firewall.tf
terraform/infrastructure/modules/kubernetes/gcp/main.tf
terraform/infrastructure/modules/kubernetes/gcp/node_pool.tf
terraform/infrastructure/modules/kubernetes/gcp/outputs.tf
terraform/infrastructure/modules/kubernetes/gcp/service_account.tf
terraform/infrastructure/modules/kubernetes/gcp/variables.tf
terraform/infrastructure/modules/network/gcp/firewall.tf
terraform/infrastructure/modules/network/gcp/main.tf
terraform/infrastructure/modules/network/gcp/nat.tf
terraform/infrastructure/modules/network/gcp/outputs.tf
terraform/infrastructure/modules/network/gcp/subnets.tf
terraform/infrastructure/modules/wireguard/azure/main.tf
terraform/infrastructure/modules/wireguard/gcp/cloud-init.tf
terraform/infrastructure/modules/wireguard/gcp/firewall.tf
terraform/infrastructure/modules/wireguard/gcp/keys.tf
terraform/infrastructure/modules/wireguard/gcp/main.tf
terraform/infrastructure/modules/wireguard/gcp/outputs.tf
terraform/infrastructure/modules/wireguard/gcp/templates/client-config.tpl
terraform/infrastructure/modules/wireguard/gcp/templates/cloud-init.yaml.tpl
terraform/infrastructure/modules/wireguard/gcp/templates/wg0.conf.tpl
terraform/infrastructure/modules/wireguard/gcp/variables.tf
terraform/infrastructure/modules/wireguard/gcp/vm.tf
terraform/infrastructure/outputs.tf
terraform/infrastructure/scripts/test-wireguard-complete.sh
terraform/infrastructure/terraform.tfvars.example
terraform/infrastructure/variables.tf

📋 Commit Details

6f44f1c2 - implemen-state-management-using-gcs-bucket (Md Asaduzzaman Miah, 2026-02-16 10:26)
584b7334 - peering example (Md Asaduzzaman Miah, 2026-02-13 17:06)
c93e6d15 - implemented wireguard and test script (Md Asaduzzaman Miah, 2026-02-13 14:39)
ae6884d0 - fix: include tfplan into the gitignore. (Md Asaduzzaman Miah, 2026-02-10 13:26)
54778ab6 - fix: All cluster resources were brought up, but: only 0 nodes out of 3 have registered. (Md Asaduzzaman Miah, 2026-02-10 10:56)
b8fd8b17 - kubernetes private cluster (Md Asaduzzaman Miah, 2026-02-09 16:43)

✅ Checklist

  • Code follows the project's style guidelines
  • Self-review of code has been performed
  • Code is commented, particularly in hard-to-understand areas
  • Corresponding changes to documentation have been made
  • Tests have been added/updated for new functionality
  • All tests pass locally

🧪 Testing

📸 Screenshots (if applicable)

🔗 Related Issues

@asadaaron asadaaron self-assigned this Feb 16, 2026
@asadaaron asadaaron marked this pull request as draft February 16, 2026 09:55

@peqy peqy bot left a comment


Found a couple of blockers around firewall rule validity and the WireGuard tunnel CIDR conflicting with the VPC subnet. Also flagged a couple of items that will cause churn/confusion (external key generation + unused state bucket var).

Found 5 issues (3 critical, 2 improvements).

@@ -0,0 +1,33 @@
[Interface]
Address = ${server_ip}/24

Critical: WireGuard tunnel CIDR overlaps the VM’s VPC subnet

Address = ${server_ip}/24 will try to add a 10.0.0.0/24 route via wg0, which conflicts with the instance’s existing 10.0.0.0/24 route on its primary NIC (since the WireGuard VPC subnet is also 10.0.0.0/24). wg-quick up will typically fail with “RTNETLINK answers: File exists”, or routing becomes ambiguous.

Fix: use a dedicated tunnel CIDR that does not overlap the VPC subnet (preferred), or set the WireGuard interface address to /32 and route peers via AllowedIPs (and keep the VPC subnet on a different range).

}

source_ranges = [var.node_cidr, var.pod_cidr]
destination_ranges = [var.master_cidr]

Critical: destination_ranges requires direction = "EGRESS"

This rule is currently defaulting to INGRESS, but sets destination_ranges. GCP/Terraform rejects this combination.

Fix: set direction = "EGRESS" and add target_tags = ["gke-${var.environment}"] (or drop the rule entirely since egress is currently allowed by default).

}

source_ranges = [var.wireguard_cidr]
destination_ranges = [var.master_cidr]

Critical: destination_ranges on an ingress firewall rule

gke_wireguard_to_master defaults to INGRESS but sets destination_ranges, which isn’t valid for ingress firewall rules.

Fix: remove destination_ranges (and accept that this becomes a network-wide allow from wireguard_cidr to tcp/443), or replace this approach with something that can actually scope to the control-plane endpoint (often master authorized networks is sufficient).
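A pre-apply check for the two classes of finding in the comments above (ingress rules that set destination_ranges, and VPC subnets whose range overlaps the WireGuard tunnel CIDR), written here as an added example rather than anything from this PR. It reads `terraform show -json` plan output; the plan embedded below is a constructed sample, and the module addresses and the 172.16.0.0/28 master range in it are assumptions.

```python
import ipaddress
import json

# Constructed sample of `terraform show -json tfplan` output, cut down to the fields this
# check reads. Module addresses and the 172.16.0.0/28 master range are assumed; the
# 10.0.0.0/24 subnet vs 10.0.0.0/24 tunnel mirrors the review finding on this PR.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"child_modules": [
        {"address": "module.network", "resources": [
            {"address": "module.network.google_compute_subnetwork.wireguard",
             "type": "google_compute_subnetwork",
             "values": {"ip_cidr_range": "10.0.0.0/24"}}]},
        {"address": "module.gke", "resources": [
            {"address": "module.gke.google_compute_firewall.gke_wireguard_to_master",
             "type": "google_compute_firewall",
             "values": {"direction": None,   # omitted in HCL -> defaults to INGRESS
                        "source_ranges": ["10.0.0.0/24"],
                        "destination_ranges": ["172.16.0.0/28"]}}]}]}}})

def walk_resources(module):
    """Yield every resource in a plan module tree (root module plus nested child modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def lint_plan(plan_json, tunnel_cidr):
    """Return findings: firewall direction/range mismatches GCP would reject, and
    VPC subnets whose range overlaps the WireGuard tunnel CIDR (route conflict on wg0)."""
    plan = json.loads(plan_json)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)  # accepts "10.0.0.1/24"
    findings = []
    for res in walk_resources(plan["planned_values"]["root_module"]):
        vals = res.get("values") or {}
        if res["type"] == "google_compute_firewall":
            # GCP: INGRESS rules may only set source_ranges, EGRESS rules only destination_ranges.
            direction = vals.get("direction") or "INGRESS"
            if direction == "INGRESS" and vals.get("destination_ranges"):
                findings.append(f"{res['address']}: destination_ranges set on an INGRESS rule")
            if direction == "EGRESS" and vals.get("source_ranges"):
                findings.append(f"{res['address']}: source_ranges set on an EGRESS rule")
        elif res["type"] == "google_compute_subnetwork":
            subnet = ipaddress.ip_network(vals["ip_cidr_range"])
            if subnet.overlaps(tunnel):
                findings.append(f"{res['address']}: subnet {subnet} overlaps tunnel {tunnel}")
    return findings

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN, "10.0.0.1/24"):  # the server Address in wg0.conf
        print(finding)
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `lint_plan` with the tunnel address from `wg0.conf.tpl`.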


# Generate server key pair via wg genkey
data "external" "server_key" {
program = ["bash", "-c", "priv=$(wg genkey); pub=$(echo \"$priv\" | wg pubkey); jq -n --arg p \"$priv\" --arg b \"$pub\" '{private_key: $p, public_key: $b}'"]
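Review bot: the `private_key` value this data source returns is written unencrypted into the Terraform state (which this PR moves into a GCS bucket) and echoed in plan output, so anyone who can read the state bucket or CI plan logs can read the WireGuard server's private key. If keys must be produced inside Terraform, wrap the result in `sensitive()` where it is consumed and restrict who can read the state; otherwise source the key from Secret Manager as the comment on this hunk suggests.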

Improvement: Key generation via data.external will churn and requires local deps

This runs wg + jq on the machine running Terraform and (because it’s a data source) will typically produce new keys on refresh/plan, forcing perpetual diffs and potentially recreating the VM / peer configs.

Fix: generate keys once and pass them in (tfvars/Secret Manager), or persist them (e.g., local_file + read-back), or use a provider/resource designed for stable key material rather than an always-changing external data source.

type = string
}

variable "terraform_state_bucket" {

Improvement: terraform_state_bucket is currently unused

Terraform backend config can’t reference var.terraform_state_bucket, so this variable will never affect where state is stored.

Fix: either remove it, or document clearly that the bucket must be provided via terraform init -backend-config=bucket=... (and don’t suggest it’s controlled by tfvars).
