google-compute-instance

tailscale-dev · Sep 17, 2024 · cbca157 · cbca157
1 parent c80fdc4
commit cbca157
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 59 deletions.
diff --git a/terraform/google/google-compute-instance/main.tf b/terraform/google/google-compute-instance/main.tf
@@ -1,31 +1,54 @@
 locals {
-
   name = "example-${basename(path.cwd)}"
 
-  metadata = {
+  google_metadata = {
     Name = local.name
   }
-  tags = []
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+    "tag:example-exitnode",
+    "tag:example-subnetrouter",
+    "tag:example-appconnector",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+    "--advertise-connector",
+    "--advertise-exit-node",
+    "--advertise-routes=${join(",", coalescelist(
+      local.vpc_cidr_block,
+    ))}",
+  ]
+
+  // Modify these to use your own VPC
+  project_id     = var.project_id
+  region         = var.region
+  zone           = var.zone
+  vpc_cidr_block = module.vpc.subnets_ips
+  subnet_id      = module.vpc.subnets_ids[0]
+  instance_type  = "e2-medium"
+  instance_tags  = ["tailscale-instance"]
 }
 
 module "vpc" {
   source = "../internal-modules/google-vpc"
 
-  project_id = var.project_id
-  region     = var.region
+  project_id = local.project_id
+  region     = local.region
 
   name = local.name
 
   subnets = [
     {
-      subnet_name   = "subnet-${var.region}-10-0-121"
+      subnet_name   = "subnet-${local.region}-10-0-121"
       subnet_ip     = "10.0.121.0/24"
-      subnet_region = var.region
+      subnet_region = local.region
     },
     {
-      subnet_name   = "subnet-${var.region}-10-0-122"
+      subnet_name   = "subnet-${local.region}-10-0-122"
       subnet_ip     = "10.0.122.0/24"
-      subnet_region = var.region
+      subnet_region = local.region
     }
   ]
 }
@@ -35,37 +58,56 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-    "tag:example-exitnode",
-    "tag:example-subnetrouter",
-    "tag:example-appconnector",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 module "tailscale_instance" {
   source = "../internal-modules/google-compute-instance"
 
-  zone         = var.zone
+  zone         = local.zone
   machine_name = local.name
-  machine_type = "e2-medium"
-  subnet       = module.vpc.subnets_ids[0]
+  machine_type = local.instance_type
+  subnet       = local.subnet_id
 
-  instance_metadata = local.metadata
-  instance_tags     = local.tags
+  instance_metadata = local.google_metadata
+  instance_tags     = local.instance_tags
 
   # Variables for Tailscale resources
-  tailscale_hostname = local.name
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_set_preferences = [
-    "--auto-update",
-    "--ssh",
-    "--advertise-connector",
-    "--advertise-exit-node",
-    "--advertise-routes=${join(",", module.vpc.subnets_ips)}",
-  ]
+  tailscale_hostname        = local.name
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
     module.vpc.nat_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
   ]
 }
+
+resource "google_compute_firewall" "tailscale_ingress_ipv4" {
+  name    = "${local.name}-tailscale-ingress-ipv4"
+  network = module.vpc.vpc_id
+
+  allow {
+    protocol = "udp"
+    ports    = ["41641"]
+  }
+
+  source_ranges = [
+    "0.0.0.0/0",
+  ]
+  target_tags = local.instance_tags
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv6" {
+  name    = "${local.name}-tailscale-ingress-ipv6"
+  network = module.vpc.vpc_id
+
+  allow {
+    protocol = "udp"
+    ports    = ["41641"]
+  }
+
+  source_ranges = [
+    "::/0",
+  ]
+  target_tags = local.instance_tags
+}
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -13,36 +13,6 @@ data "google_compute_subnetwork" "selected" {
   self_link = "https://www.googleapis.com/compute/v1/${var.subnet}" # requires full URL - https://github.com/hashicorp/terraform-provider-google/issues/9919
 }
 
-resource "google_compute_firewall" "tailscale_ingress_ipv4" {
-  name    = "tailscale-ingress-ipv4"
-  network = data.google_compute_subnetwork.selected.network
-
-  allow {
-    protocol = "udp"
-    ports    = ["41641"]
-  }
-
-  source_ranges = [
-    "0.0.0.0/0",
-  ]
-  target_tags = var.instance_tags
-}
-
-resource "google_compute_firewall" "tailscale_ingress_ipv6" {
-  name    = "tailscale-ingress-ipv6"
-  network = data.google_compute_subnetwork.selected.network
-
-  allow {
-    protocol = "udp"
-    ports    = ["41641"]
-  }
-
-  source_ranges = [
-    "::/0",
-  ]
-  target_tags = var.instance_tags
-}
-
 data "google_compute_image" "ubuntu" {
   project = "ubuntu-os-cloud"
   family  = "ubuntu-2404-lts-amd64"