changed to TF MX files back

Author: linoy-zoaretz

old-tf-files/init.tf init.tfold-tf-files/init.tf renamed to init.tf

@@ -1,98 +1,162 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "~> 5.0"
-    }
-  }
+locals {
+  resource_prefix = var.deployment_name != "" ? var.deployment_name : random_string.resource_prefix[0].result
+  waf_image_url = "${module.commons.constants.gcp.image_url_prefix}${module.commons.builds[var.waf_version]}"
+  mgt_network   = var.vpc_network
+  mx_tag        = "${local.resource_prefix}-mx"
+  mx_fw_rules = merge(
+    length(var.ui_access_source_ranges) > 0 ? {
+      UI = {  
+        name          = "${local.resource_prefix}-mx-ui-access"
+        direction     = "INGRESS"
+        network       = local.mgt_network
+        source_ranges = var.ui_access_source_ranges
+        source_tags   = []
+        target_tags = [
+          local.mx_tag
+        ]
+        allow = [
+          {
+            protocol = "tcp"
+            ports = [
+              "8083"
+            ]
+          }
+        ]
+      }
+    } : {},
+    length(var.ssh_access_source_ranges) > 0 ? {
+      SSH = {
+        name          = "${local.resource_prefix}-mx-ssh-access"
+        direction     = "INGRESS"
+        network       = local.mgt_network
+        source_ranges = var.ssh_access_source_ranges
+        source_tags   = []
+        target_tags = [
+          local.mx_tag
+        ]
+        allow = [
+          {
+            protocol = "tcp"
+            ports = [
+              "22"
+            ]
+          }
+        ]
+      }
+    } : {}
+  )
+  mx_secret_id  = google_secret_manager_secret.mx_admin_secret.secret_id
+  management_ip = google_compute_instance.mx_instance.network_interface[0].network_ip
 }
 
-provider "google" {
-  project = var.project_id
-  region  = var.region
-  zone    = var.zone
-}
-
-# Create a simple VM instance
-resource "google_compute_instance" "vm_instance" {
-  name         = var.instance_name
-  machine_type = var.instance_type
-  zone         = var.zone
-
-  boot_disk {
-    initialize_params {
-      image = "debian-cloud/debian-11"
-      size  = 20
-    }
-  }
-
-  network_interface {
-    network    = var.vpc_network
-    subnetwork = var.subnet_name
-
-    access_config {
-      # Ephemeral public IP
-    }
-  }
-
-  tags = ["http-server", "https-server"]
-}
+data "google_client_config" "this" {}
 
-# Variables
-variable "project_id" {
-  description = "GCP Project ID"
-  type        = string
+data "google_compute_subnetwork" "data_mx_subnet" {
+  name   = var.subnet_name
+  region = data.google_client_config.this.region
 }
 
-variable "region" {
-  description = "GCP Region"
-  type        = string
-  default     = "us-central1"
+module "commons" {
+  source = "imperva/wafgateway-commons/google"
+  version = "1.2.2"
 }
 
-variable "zone" {
-  description = "GCP Zone"
-  type        = string
-  default     = "us-central1-a"
+resource "random_string" "resource_prefix" {
+  count = var.deployment_name != "" ? 0 : 1
+  length  = 4
+  special = false
+  upper = false
+  numeric = false
 }
 
-variable "instance_name" {
-  description = "Name of the VM instance"
-  type        = string
-  default     = "test-vm-instance"
+resource "google_service_account" "deployment_service_account" {
+  account_id = "${local.resource_prefix}-mx-svc-acc"
 }
 
-variable "instance_type" {
-  description = "Machine type for the instance"
-  type        = string
-  default     = "e2-medium"
+resource "google_secret_manager_secret" "mx_admin_secret" {
+  secret_id = "${local.resource_prefix}-mx-secret"
+  replication {
+    auto {}
+  }
 }
 
-variable "vpc_network" {
-  description = "VPC Network name"
-  type        = string
-  default     = "default"
+resource "google_secret_manager_secret_version" "mx_admin_secret_version" {
+  secret      = google_secret_manager_secret.mx_admin_secret.id
+  secret_data = var.mx_password
 }
 
-variable "subnet_name" {
-  description = "Subnet name"
-  type        = string
-  default     = "default"
+resource "google_secret_manager_secret_iam_member" "mx_admin_secret_iam_member" {
+  secret_id = local.mx_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.deployment_service_account.email}"
 }
 
-
-# Outputs
-output "instance_name" {
-  description = "Name of the created instance"
-  value       = google_compute_instance.vm_instance.name
+resource "google_compute_instance" "mx_instance" {
+  depends_on = [
+    google_secret_manager_secret_version.mx_admin_secret_version
+  ]
+  name                = "${local.resource_prefix}-mx"
+  description         = "Imperva WAF Management Server (Deployment ID: ${local.resource_prefix})"
+  zone                = var.zone
+  deletion_protection = var.enable_termination_protection
+  tags = [
+    local.mx_tag
+  ]
+  machine_type = var.instance_type
+  boot_disk {
+    initialize_params {
+      image = local.waf_image_url
+    }
+  }
+  network_interface {
+    subnetwork = var.subnet_name
+    network_ip = var.private_ip_address
+    dynamic "access_config" {
+      for_each = var.external_ip_address != "" || var.external_ip_network_tier != "" ? [1] : []
+      content {
+        nat_ip   = var.external_ip_address
+        network_tier = var.external_ip_network_tier
+      }
+    }
+  }
+  metadata = {
+    startup-script         = data.template_cloudinit_config.mx_gcp_deploy.rendered
+    block-project-ssh-keys = var.block_project_ssh_keys
+  }
+  service_account {
+    email = google_service_account.deployment_service_account.email
+    scopes = [
+      "cloud-platform"
+    ]
+  }
+  lifecycle {
+    precondition {
+      condition = data.google_compute_subnetwork.data_mx_subnet.private_ip_google_access
+      error_message = module.commons.validation.gcp.subnet.private_google_access.error_message
+    }
+  }
 }
 
-output "instance_ip" {
-  description = "Public IP address of the instance"
-  value       = google_compute_instance.vm_instance.network_interface[0].access_config[0].nat_ip
+resource "time_sleep" "await_mx_ftl" {
+  depends_on = [
+    google_compute_instance.mx_instance
+  ]
+  create_duration = "20m"
 }
 
-output "instance_internal_ip" {
-  description = "Internal IP address of the instance"
-  value       = google_compute_instance.vm_instance.network_interface[0].network_ip
-}
+resource "google_compute_firewall" "mx_firewall" {
+  for_each      = local.mx_fw_rules
+  name          = each.value.name
+  network       = each.value.network
+  direction     = each.value.direction
+  source_ranges = each.value.source_ranges
+  source_tags   = each.value.source_tags
+  target_tags   = each.value.target_tags
+  dynamic "allow" {
+    for_each = each.value.allow
+    content {
+      protocol = allow.value.protocol
+      ports    = allow.value.ports
+    }
+  }
+}

main.tf

@@ -0,0 +1,98 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+  zone    = var.zone
+}
+
+# Create a simple VM instance
+resource "google_compute_instance" "vm_instance" {
+  name         = var.instance_name
+  machine_type = var.instance_type
+  zone         = var.zone
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-11"
+      size  = 20
+    }
+  }
+
+  network_interface {
+    network    = var.vpc_network
+    subnetwork = var.subnet_name
+
+    access_config {
+      # Ephemeral public IP
+    }
+  }
+
+  tags = ["http-server", "https-server"]
+}
+
+# Variables
+variable "project_id" {
+  description = "GCP Project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "GCP Region"
+  type        = string
+  default     = "us-central1"
+}
+
+variable "zone" {
+  description = "GCP Zone"
+  type        = string
+  default     = "us-central1-a"
+}
+
+variable "instance_name" {
+  description = "Name of the VM instance"
+  type        = string
+  default     = "test-vm-instance"
+}
+
+variable "instance_type" {
+  description = "Machine type for the instance"
+  type        = string
+  default     = "e2-medium"
+}
+
+variable "vpc_network" {
+  description = "VPC Network name"
+  type        = string
+  default     = "default"
+}
+
+variable "subnet_name" {
+  description = "Subnet name"
+  type        = string
+  default     = "default"
+}
+
+
+# Outputs
+output "instance_name" {
+  description = "Name of the created instance"
+  value       = google_compute_instance.vm_instance.name
+}
+
+output "instance_ip" {
+  description = "Public IP address of the instance"
+  value       = google_compute_instance.vm_instance.network_interface[0].access_config[0].nat_ip
+}
+
+output "instance_internal_ip" {
+  description = "Internal IP address of the instance"
+  value       = google_compute_instance.vm_instance.network_interface[0].network_ip
+}