Refactor the onprem module (#55)

* move onprem to cos-container

* compute-vm: fix external addresses output

* folders-unit: update README

* update onprem module, add new fields to cos-container test instance

* coredns: process corefile as a template

* onprem: fixes

* modules/cos-container: rename to cloud-config-container infra/onprem: remove test output

* Update README.md

* update CHANGELOG for v1.1.0

* fix cloud config modules tests

* Update main.tf

* add container nginx module

CHANGELOG.md

@@ -4,10 +4,18 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [1.1.0] - 2020-03-27
+
+- rename the `cos-container` suite of modules to `cloud-config-container`
+- refactor the `onprem-in-a-box` module to only manage the `cloud-config` configuration, and make it part of the `cloud-config-container` suite of modules
+- update the `onprem-google-access-dns` example to use the refactored `onprem` module
+- fix the `external_addresses` output in the `compute-vm` module
+- small tweaks and fixes to the `cloud-config-container` modules
+
 ## [1.0.0] - 2020-03-27
 
 - merge development branch with suite of new modules and end-to-end examples
 
-
 [Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.0.0...HEAD
+[1.1.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.0.0...v1.1.0
 [1.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v0.1...v1.0

README.md

@@ -34,8 +34,8 @@ Currently available modules:
 
 - **foundational** - [folders](./modules/folders), [log sinks](./modules/logging-sinks), [project](./modules/project), [service accounts](./modules/iam-service-accounts)
 - **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), VPN ([static](./modules/net-vpn-static), [dynamic](./modules/net-vpn-dynamic), [HA](./modules/net-vpn-ha)), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns)
-- **compute** - [VM/VM group](./modules/compute-vm), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/compute-vm-cos-coredns)
+- **compute** - [VM/VM group](./modules/compute-vm), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container)
 - **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery)
-- **other** - [KMS](./modules/kms), [on-premises in Docker](./modules/on-prem-in-a-box)
+- **security** - [KMS](./modules/kms)
 
 For more information and usage examples see each module's README file.

infrastructure/onprem-google-access-dns/README.md

@@ -96,12 +96,13 @@ sudo docker exec -it onprem_bird_1 ip route |grep bird
 10.0.0.0/24 via 169.254.1.1 dev vti0  proto bird  src 10.0.16.2
 35.199.192.0/19 via 169.254.1.1 dev vti0  proto bird  src 10.0.16.2
 199.36.153.4/30 via 169.254.1.1 dev vti0  proto bird  src 10.0.16.2
+199.36.153.8/30 via 169.254.1.1 dev vti0  proto bird  src 10.0.16.2
 
 # get a shell on the toolbox container
 sudo docker exec -it onprem_toolbox_1 sh
 
 # test forwarding from CoreDNS via the Cloud DNS inbound policy
-dig test-1.gcp.example.com +short
+dig test-1.gcp.example.org +short
 10.0.0.3
 
 # test that Private Access is configured correctly
@@ -124,8 +125,8 @@ gcloud compute instances list
 gcloud compute ssh test-1
 
 # test forwarding from Cloud DNS to onprem CoreDNS (address may differ)
-dig gw.onprem.example.com +short
-10.0.16.2
+dig gw.onprem.example.org +short
+10.0.16.1
 
 # test a request to the onprem web server
 curl www.onprem.example.com -s |grep h1

infrastructure/onprem-google-access-dns/assets/Corefile

@@ -1,11 +1,11 @@
-onprem.example.com {
+onprem.example.org {
   root /etc/coredns
   hosts onprem.hosts
   log
   errors
 }
-gcp.example.com googleapis.com {
-  forward . ${forwarder_address}
+gcp.example.org googleapis.com {
+  forward . ${dns_forwarder_address}
   log
   errors
 }

infrastructure/onprem-google-access-dns/backend.tf.sample

@@ -0,0 +1,20 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+terraform {
+  backend "gcs" {
+    bucket = ""
+  }
+}

infrastructure/onprem-google-access-dns/main.tf

@@ -18,24 +18,30 @@ locals {
   bgp_interface_gcp    = "${cidrhost(var.bgp_interface_ranges.gcp, 1)}"
   bgp_interface_onprem = "${cidrhost(var.bgp_interface_ranges.gcp, 2)}"
   netblocks = {
-    dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
-    api = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
+    dns        = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
+    private    = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
+    restricted = data.google_netblock_ip_ranges.restricted-googleapis.cidr_blocks_ipv4.0
   }
   vips = {
-    api = [for i in range(4) : cidrhost(local.netblocks.api, i)]
+    private    = [for i in range(4) : cidrhost(local.netblocks.private, i)]
+    restricted = [for i in range(4) : cidrhost(local.netblocks.restricted, i)]
   }
   vm-startup-script = join("\n", [
     "#! /bin/bash",
     "apt-get update && apt-get install -y bash-completion dnsutils kubectl"
   ])
 }
 
+data "google_netblock_ip_ranges" "dns-forwarders" {
+  range_type = "dns-forwarders"
+}
+
 data "google_netblock_ip_ranges" "private-googleapis" {
   range_type = "private-googleapis"
 }
 
-data "google_netblock_ip_ranges" "dns-forwarders" {
-  range_type = "dns-forwarders"
+data "google_netblock_ip_ranges" "restricted-googleapis" {
+  range_type = "restricted-googleapis"
 }
 
 ################################################################################
@@ -80,15 +86,16 @@ module "vpn" {
       bgp_peer_options = {
         advertise_groups = ["ALL_SUBNETS"]
         advertise_ip_ranges = {
-          (local.netblocks.api) = "private-googleapis"
-          (local.netblocks.dns) = "dns-forwarders"
+          (local.netblocks.dns)        = "DNS resolvers"
+          (local.netblocks.private)    = "private.gooogleapis.com"
+          (local.netblocks.restricted) = "restricted.gooogleapis.com"
         }
         advertise_mode = "CUSTOM"
         route_priority = 1000
       }
       bgp_session_range = "${local.bgp_interface_gcp}/30"
       ike_version       = 2
-      peer_ip           = module.on-prem.external_address
+      peer_ip           = module.vm-onprem.external_ips.0
       shared_secret     = ""
     }
   }
@@ -112,7 +119,7 @@ module "dns-gcp" {
   project_id      = var.project_id
   type            = "private"
   name            = "gcp-example"
-  domain          = "gcp.example.com."
+  domain          = "gcp.example.org."
   client_networks = [module.vpc.self_link]
   recordsets = concat(
     [{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
@@ -131,12 +138,9 @@ module "dns-api" {
   domain          = "googleapis.com."
   client_networks = [module.vpc.self_link]
   recordsets = [
-    {
-      name = "*", type = "CNAME", ttl = 300, records = ["private.googleapis.com."]
-    },
-    {
-      name = "private", type = "A", ttl = 300, records = local.vips.api
-    },
+    { name = "*", type = "CNAME", ttl = 300, records = ["private.googleapis.com."] },
+    { name = "private", type = "A", ttl = 300, records = local.vips.private },
+    { name = "restricted", type = "A", ttl = 300, records = local.vips.restricted },
   ]
 }
 
@@ -145,7 +149,7 @@ module "dns-onprem" {
   project_id      = var.project_id
   type            = "forwarding"
   name            = "onprem-example"
-  domain          = "onprem.example.com."
+  domain          = "onprem.example.org."
   client_networks = [module.vpc.self_link]
   forwarders      = [cidrhost(var.ip_ranges.onprem, 3)]
 }
@@ -198,10 +202,21 @@ module "vm-test" {
 #                                   On prem                                    #
 ################################################################################
 
-data "template_file" "corefile" {
-  template = file("assets/Corefile")
-  vars = {
-    forwarder_address = var.forwarder_address
+module "config-onprem" {
+  source              = "../../modules/cloud-config-container/onprem"
+  config_variables    = { dns_forwarder_address = var.dns_forwarder_address }
+  coredns_config      = "assets/Corefile"
+  local_ip_cidr_range = var.ip_ranges.onprem
+  vpn_config = {
+    peer_ip       = module.vpn.address
+    shared_secret = module.vpn.random_secret
+    type          = "dynamic"
+  }
+  vpn_dynamic_config = {
+    local_bgp_asn     = var.bgp_asn.onprem
+    local_bgp_address = local.bgp_interface_onprem
+    peer_bgp_asn      = var.bgp_asn.gcp
+    peer_bgp_address  = local.bgp_interface_gcp
   }
 }
 
@@ -218,27 +233,28 @@ module "service-account-onprem" {
   }
 }
 
-module "on-prem" {
-  source              = "../../modules/on-prem-in-a-box/"
-  project_id          = var.project_id
-  zone                = "${var.region}-b"
-  network             = module.vpc.name
-  subnet_self_link    = module.vpc.subnet_self_links.default
-  local_ip_cidr_range = var.ip_ranges.onprem
-  coredns_config      = data.template_file.corefile.rendered
-  vpn_config = {
-    peer_ip       = module.vpn.address
-    shared_secret = module.vpn.random_secret
-    type          = "dynamic"
-  }
-  vpn_dynamic_config = {
-    local_bgp_asn     = var.bgp_asn.onprem
-    local_bgp_address = local.bgp_interface_onprem
-    peer_bgp_asn      = var.bgp_asn.gcp
-    peer_bgp_address  = local.bgp_interface_gcp
+module "vm-onprem" {
+  source        = "../../modules/compute-vm"
+  project_id    = var.project_id
+  region        = var.region
+  zone          = "${var.region}-b"
+  instance_type = "f1-micro"
+  name          = "onprem"
+  boot_disk = {
+    image = "ubuntu-os-cloud/ubuntu-1804-lts"
+    type  = "pd-ssd"
+    size  = 10
   }
-  service_account = {
-    email  = module.service-account-onprem.email
-    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+  metadata = {
+    user-data = module.config-onprem.cloud_config
   }
+  network_interfaces = [{
+    network    = module.vpc.name
+    subnetwork = module.vpc.subnet_self_links.default
+    nat        = true,
+    addresses  = null
+  }]
+  service_account        = module.service-account-onprem.email
+  service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+  tags                   = ["ssh"]
 }

infrastructure/onprem-google-access-dns/outputs.tf

@@ -16,11 +16,11 @@
 
 output "onprem-instance" {
   description = "Onprem instance details."
-  value = join(" ", [
-    module.on-prem.instance_name,
-    module.on-prem.internal_address,
-    module.on-prem.external_address
-  ])
+  value = {
+    external_ip = module.vm-onprem.external_ips.0
+    internal_ip = module.vm-onprem.internal_ips.0
+    name        = module.vm-onprem.names.0
+  }
 }
 
 output "test-instance" {
@@ -30,10 +30,3 @@ output "test-instance" {
     module.vm-test.internal_ips[0]
   ])
 }
-
-output "foo" {
-  value = {
-    dns  = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4
-    apis = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4
-  }
-}

infrastructure/onprem-google-access-dns/variables.tf

@@ -31,6 +31,12 @@ variable "bgp_interface_ranges" {
   }
 }
 
+variable "dns_forwarder_address" {
+  description = "Address of the DNS server used to forward queries from on-premises."
+  type        = string
+  default     = "10.0.0.2"
+}
+
 variable "ip_ranges" {
   description = "IP CIDR ranges."
   type        = map(string)

modules/README.md

@@ -31,7 +31,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
 
 ## Compute/Container
 
-- [COS container](./modules/compute-vm-cos-coredns)
+- [COS container](./modules/cos-container) (coredns, mysql, onprem)
 - [GKE cluster](./modules/gke-cluster)
 - [GKE nodepool](./modules/gke-nodepool)
 - [VM/VM group](./modules/compute-vm)
@@ -41,7 +41,6 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
 - [BigQuery dataset](./modules/bigquery)
 - [GCS](./modules/gcs)
 
-## Other
+## Security
 
 - [Cloud KMS](./modules/kms)
-- [on-premises in Docker](./modules/on-prem-in-a-box)

modules/cos-container/README.md → modules/cloud-config-container/README.md

@@ -1,19 +1,20 @@
-# Container Optimized OS modules
+# Instance Configuration via `cloud-config`
 
-This set of modules creates specialized [cloud-config](https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config) configurations for [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs), that are used to quickly spin up containerized services for DNS, HTTP, or databases.
+This set of modules creates specialized [cloud-config](https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config) configurations, which are designed for use with [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (the [onprem module](./onprem/) is the only exception) but can also be used as a basis for other image types or cloud providers.
 
-It's meant to fullfill different use cases:
+These modules are designed for several use cases:
 
-- when designing, to quickly prototype specialized services (eg MySQL access or HTTP serving)
-- when planning migrations, to emulate production services for core infrastructure or perfomance testing
-- in production, to easily add glue components for services like DNS (eg to work around inbound/outbound forwarding limitations)
-- as a basis to implement cloud-native production deployments that leverage cloud-init for configuration management
+- to quickly prototype specialized services (eg MySQL access or HTTP serving) for prototyping infrastructure
+- to emulate production services for perfomance testing
+- to easily add glue components for services like DNS (eg to work around inbound/outbound forwarding limitations)
+- to implement cloud-native production deployments that leverage cloud-init for configuration management, without the need of a separate tool
 
 ## Available modules
 
 - [CoreDNS](./coredns)
 - [MySQL](./mysql)
-- [ ] Nginx
+- [Nginx](./nginx)
+- [On-prem in Docker](./onprem)
 - [ ] Squid forward proxy
 
 ## Using the modules
@@ -23,3 +24,7 @@ All modules are designed to be as lightweight as possible, so that specialized m
 To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system.
 
 For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm.
+
+## TODO
+
+- [ ] convert all `xxx_config` variables to use file content instead of path

modules/cos-container/coredns/README.md → modules/cloud-config-container/coredns/README.md

@@ -63,11 +63,8 @@ module "cos-coredns" {
     zone       = "europe-west1-b"
     name       = "cos-coredns"
     type       = "f1-micro"
-    tags       = ["ssh"]
-    metadata   = {}
     network    = "default"
     subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet"
-    disks      = []
   }
 }
 ```
@@ -82,7 +79,8 @@ module "cos-coredns" {
 | *coredns_config* | CoreDNS configuration path, if null default will be used. | <code title="">string</code> |  | <code title="">null</code> |
 | *file_defaults* | Default owner and permissions for files. | <code title="object&#40;&#123;&#10;owner       &#61; string&#10;permissions &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;owner       &#61; &#34;root&#34;&#10;permissions &#61; &#34;0644&#34;&#10;&#125;">...</code> |
 | *files* | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10;content     &#61; string&#10;owner       &#61; string&#10;permissions &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
-| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10;project_id &#61; string&#10;zone       &#61; string&#10;name       &#61; string&#10;type &#61; string&#10;tags       &#61; list&#40;string&#41;&#10;metadata   &#61; map&#40;string&#41;&#10;network    &#61; string&#10;subnetwork &#61; string&#10;disks &#61; map&#40;object&#40;&#123;&#10;read_only &#61; bool&#10;size      &#61; number&#10;&#125;&#41;&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10;project_id &#61; string&#10;zone       &#61; string&#10;name       &#61; string&#10;type &#61; string&#10;network    &#61; string&#10;subnetwork &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *test_instance_defaults* | Test/development instance defaults used for optional configuration. | <code title="object&#40;&#123;&#10;disks &#61; map&#40;object&#40;&#123;&#10;read_only &#61; bool&#10;size      &#61; number&#10;&#125;&#41;&#41;&#10;metadata              &#61; map&#40;string&#41;&#10;service_account_roles &#61; list&#40;string&#41;&#10;tags                  &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;disks    &#61; &#123;&#125;&#10;metadata &#61; &#123;&#125;&#10;service_account_roles &#61; &#91;&#10;&#34;roles&#47;logging.logWriter&#34;,&#10;&#34;roles&#47;monitoring.metricWriter&#34;&#10;&#93;&#10;tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">...</code> |
 
 ## Outputs
 

modules/cos-container/coredns/main.tf → modules/cloud-config-container/coredns/main.tf

@@ -16,10 +16,10 @@
 
 locals {
   cloud_config = templatefile(local.template, merge(var.config_variables, {
-    corefile = local.corefile
+    corefile = templatefile(local.corefile, var.config_variables)
     files    = local.files
   }))
-  corefile = file(
+  corefile = (
     var.coredns_config == null ? "${path.module}/Corefile" : var.coredns_config
   )
   files = {

modules/cos-container/coredns/variables.tf → modules/cloud-config-container/coredns/variables.tf

@@ -21,7 +21,7 @@ variable "cloud_config" {
 }
 
 variable "config_variables" {
-  description = "Additional variables used to render the cloud-config template."
+  description = "Additional variables used to render the cloud-config and CoreDNS templates."
   type        = map(any)
   default     = {}
 }