How to control access to subnets in a shared VPC using Terraform in GCP
Question
I am trying to have it so that only certain projects can access the production subnet. How do I do this? Can I only limit access through policies? I know that using the GUI/dashboard/website we can pick which subnet I want to share in my shared VPC; is there a way to do it through Terraform?
The setup:
# Shared Network to attach (lives in the host project)
resource "google_compute_network" "vpc-network" {
  name                    = "vpc-network"
  auto_create_subnetworks = false
  project                 = var.host-project
}

# Shared Sub-Networks to attach. Subnets of a Shared VPC must be created in the
# host project, so `project` is pinned here instead of relying on the provider's
# default project. CIDR and region were left blank in the post.
resource "google_compute_subnetwork" "development" {
  name          = "development"
  project       = var.host-project
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""
  region        = ""
}

resource "google_compute_subnetwork" "production" {
  name          = "production"
  project       = var.host-project
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""
  region        = ""
}

# Enable A Shared VPC in the host project
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host-project
}

# Attach service projects with host project.
# var.service-projects is expected to be a set (or map) keyed by service project ID.
resource "google_compute_shared_vpc_service_project" "services" {
  for_each        = var.service-projects
  depends_on      = [google_compute_shared_vpc_host_project.host]
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}

# Router (regional; must be in the host project and in the same region as the NAT)
resource "google_compute_router" "router" {
  name    = "shared-router"
  project = var.host-project
  region  = ""
  network = google_compute_network.vpc-network.id
}

# Cloud NAT Gateway
resource "google_compute_router_nat" "nat_gateway" {
  name                               = "shared-nat-gateway"
  project                            = var.host-project
  region                             = ""
  router                             = google_compute_router.router.name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
Answer 1
Score: 0
As per the documentation (https://cloud.google.com/vpc/docs/shared-vpc):
> You can specify the Shared VPC subnets that a service project can access at the project, folder, or organization level. The constraint applies when you create new resources in the specified subnets and doesn't affect existing resources.
So yes, you need to use org policies, but they can be applied at lower levels than the organization node.
The terraform documentation for org policies should help:
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google/latest
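As an added example (not part of the answer above or the question's own code), here is the org policy constraint that the quoted documentation refers to, `compute.restrictSharedVpcSubnetworks`, set on a single service project with Terraform, together with the per-subnet IAM grant that the console's "share individual subnets" option creates. The host project ID `host-project`, the service project ID `svc-prod`, the region `us-central1`, and the use of the service project's Compute Engine default service account as the principal are assumptions for illustration; the subnet names match the question's `development` and `production`.

```hcl
# Added example, not from the original post. Assumed values:
#   host project                              = "host-project"
#   region of the shared subnets              = "us-central1"
#   service project allowed to use production = "svc-prod"
locals {
  host_project = "host-project"
  region       = "us-central1"
  prod_project = "svc-prod"

  # Fully qualified subnet resource name, the format the constraint expects.
  production_subnet = "projects/${local.host_project}/regions/${local.region}/subnetworks/production"
}

data "google_project" "prod" {
  project_id = local.prod_project
}

# 1) Org policy on the service project: only the listed subnets may be used
#    when creating new resources there (existing resources are unaffected, as
#    the docs say). An explicit allow list denies every other subnet. Applied
#    at the project level so other service projects are not touched.
resource "google_project_organization_policy" "restrict_shared_vpc_subnets" {
  project    = local.prod_project
  constraint = "compute.restrictSharedVpcSubnetworks"

  list_policy {
    allow {
      values = [local.production_subnet]
    }
  }
}

# 2) Subnet-level IAM in the host project: this is what the console does when
#    you share individual subnets instead of the whole network. Without
#    roles/compute.networkUser on a subnet, principals in the service project
#    cannot attach resources to it. Grant it only on "production" and do not
#    grant the role at network or project level, or every subnet becomes usable.
resource "google_compute_subnetwork_iam_member" "prod_network_user" {
  project    = local.host_project
  region     = local.region
  subnetwork = "production"
  role       = "roles/compute.networkUser"
  # Assumed principal: the service project's Compute Engine default service account.
  member     = "serviceAccount:${data.google_project.prod.number}-compute@developer.gserviceaccount.com"
}
```

The two controls are complementary: the org policy is enforced on the service project at resource creation time, while the IAM grant is what actually authorises use of the subnet in the host project. Applying only the org policy still leaves the `development` subnet usable by any project that already holds `compute.networkUser` on the whole network.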
Comments