如何使用Terraform在GCP中控制对共享VPC中子网的访问权限

huangapple go评论81阅读模式
英文:

How control access to subnets in a shared VPC using Terraform in GCP

问题

我尝试让只有特定的项目能访问生产子网,我该如何做?我只能通过策略来限制访问吗?我知道在GUI/仪表板/网站上,我们可以选择我想要在共享VPC中共享的子网,是否有一种通过terraform来做这个的方法?

设置如下:

# 共享网络
resource "google_compute_network" "vpc-network" {
  name                   = "vpc-network"
  auto_create_subnetworks = false
  project                = var.host-project
}

# 共享子网
resource "google_compute_subnetwork" "development" {
  name          = "development"
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""
  region        = ""
}

resource "google_compute_subnetwork" "production" {
  name          = "production"
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""
  region        = ""
}

# 在主机项目中启用共享VPC
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host-project
}

# 将服务项目附加到主机项目
resource "google_compute_shared_vpc_service_project" "services" {
  for_each = var.service-projects

  depends_on      = [google_compute_shared_vpc_host_project.host]
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}

# 路由器
resource "google_compute_router" "router" {
  name    = "shared-router"
  network = google_compute_network.vpc-network.id
}

# 云NAT网关
resource "google_compute_router_nat" "nat_gateway" {
  name                  = "shared-nat-gateway"
  region                = ""
  router                = google_compute_router.router.name
  nat_ip_allocate_option = "AUTO_ONLY"

  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
英文:

I am trying have it so that only certain projects can access the production subnet, how do I do this? Can I only limit access through policies? I know using the GUI/dashboard/website we can pick which subnet I want to share in my shared VPC, is there a way to do it through terraform?

The setup

    # Shared Network to attach 
resource "google_compute_network" "vpc-network" {
name    = "vpc-network"
auto_create_subnetworks = false
project = var.host-project
}
# Shared Sub-Networks to attach 
resource "google_compute_subnetwork" "development" {
name    = "development"
network       = google_compute_network.vpc-network.self_link
ip_cidr_range = ""
region        = ""
}
resource "google_compute_subnetwork" "production" {
name    = "production"
network       = google_compute_network.vpc-network.self_link
ip_cidr_range = ""
region        = ""
}
# Enable A Shared VPC in the host project
resource "google_compute_shared_vpc_host_project" "host" {
project = var.host-project 
}
# Attach service projects with host project 
resource "google_compute_shared_vpc_service_project" "services" {
for_each = var.service-projects
depends_on = [ google_compute_shared_vpc_host_project.host ]
host_project    = google_compute_shared_vpc_host_project.host.project
service_project = each.key
}
#Router
resource "google_compute_router" "router" {
name    = "shared-router"
network = google_compute_network.vpc-network.id
}
#Cloud NAT Gateway
resource "google_compute_router_nat" "nat_gateway" {
name                  = "shared-nat-gateway"
region                = ""
router                = google_compute_router.router.name
nat_ip_allocate_option = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
log_config {
enable = true
filter = "ERRORS_ONLY"
}
}

答案1

得分: 0

根据文档(https://cloud.google.com/vpc/docs/shared-vpc):

> 您可以在项目、文件夹或组织级别指定服务项目可以访问的共享 VPC 子网。此约束适用于在指定子网中创建新资源时,不影响现有资源。

所以是的,您需要使用组织策略,但它们可以应用在低于组织节点的级别。

Terraform 组织策略的文档应该会有所帮助:
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google/latest

英文:

As per the documentation (https://cloud.google.com/vpc/docs/shared-vpc):

> You can specify the Shared VPC subnets that a service project can access at the project, folder, or organization level. The constraint applies when you create new resources in the specified subnets and doesn't affect existing resources.

So yes, you need to use org policies, but they can be applied at lower levels than the organization node.

The terraform documentation for org policies should help:
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google/latest

huangapple
  • 本文由 发表于 2023年7月20日 10:58:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/76726405.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定