Skip to main content

VPC Network Module for GCP

A Terraform module for deploying a VPC and associated subnetworks and firewall rules in GCP.

One advantage of this module over the terraform-google-network module is that this module lets you use existing VPC networks and subnetworks to support brownfield deployments.

GitHub Logo Terraform Logo

Reference

Requirements

NameVersion
terraform>= 1.3, < 2.0
google~> 4.54

Providers

NameVersion
google~> 4.54

Modules

No modules.

Resources

NameType
google_compute_firewall.thisresource
google_compute_network.thisresource
google_compute_subnetwork.thisresource
google_compute_network.thisdata source
google_compute_subnetwork.thisdata source

Inputs

NameDescriptionTypeDefaultRequired
create_networkA flag to indicate the creation or import of a VPC network.
Setting this to true will create a new network managed by Terraform.
Setting this to false will try to read the existing network identified by name and project variables.
booltrueno
delete_default_routes_on_createA flag to indicate the deletion of the default routes at VPC creation.
Setting this to true the default route 0.0.0.0/0 will be deleted upon network creation.
Setting this to false the default route 0.0.0.0/0 will be not be deleted upon network creation.
boolfalseno
firewall_rulesA map containing each firewall rule configuration.
Action of the firewall rule is always allow.
The only possible direction of the firewall rule is INGRESS.

List of available attributes of each firewall rule entry:
- name : Name of the firewall rule.
- source_ranges : (Optional) A list of strings containing the source IP ranges to be allowed on the firewall rule.
- source_tags : (Optional) A list of strings containing the source network tags to be allowed on the firewall rule.
- source_service_accounts : (Optional) A list of strings containg the source servce accounts to be allowed on the firewall rule.
- target_service_accounts : (Optional) A list of strings containing the service accounts for which the firewall rule applies to.
- target_tags : (Optional) A list of strings containing the network tags for which the firewall rule applies to.
- allowed_protocol : The protocol type to match in the firewall rule. Possible values are: tcp, udp, icmp, esp, ah, sctp, ipip, all.
- ports : A list of strings containing TCP or UDP port numbers to match in the firewall rule. This type of setting can only be configured if allowing TCP and UDP as protocols.
- priority : (Optional) A priority value for the firewall rule. The lower the number - the more preferred the rule is.
- log_metadata : (Optional) This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.

Example :firewall_rules = {
firewall-rule-1 = {
name = "first-rule"
source_ranges = ["10.10.10.0/24", "1.1.1.0/24"]
priority = "2000"
target_tags = ["vmseries-firewalls"]
allowed_protocol = "TCP"
allowed_ports = ["443", "22"]
}
}
map(object({
name = string
source_ranges = optional(list(string))
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
allowed_protocol = string
allowed_ports = list(string)
priority = optional(string)
target_service_accounts = optional(list(string))
target_tags = optional(list(string))
log_metadata = optional(string)
}))
{}no
mtuMTU value for VPC Network. Acceptable values are between 1300 and 8896.number1460no
nameThe name of the created or already existing VPC Network.stringn/ayes
project_idProject in which to create or look for VPCs and subnetsstringnullno
routing_modeType of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL.
REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router.
GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network.
string"REGIONAL"no
subnetworksA map containing subnetworks configuration. Subnets can belong to different regions.
List of available attributes of each subnetwork entry:
- name : Name of the subnetwork.
- create_subnetwork : Boolean value to control the creation or reading of the subnetwork. If set to true - this will create the subnetwork. If set to false - this will read a subnet with provided information.
- ip_cidr_range : A string that contains the subnetwork to create. Only IPv4 format is supported.
- region : Region where to configure or import the subnet.

Example:subnetworks = {
my-sub = {
name = "my-sub"
create_subnetwork = true
ip_cidr_range = "192.168.0.0/24"
region = "us-east1"
}
}
map(object({
name = string
create_subnetwork = optional(bool, true)
ip_cidr_range = string
region = string
}))
{}no

Outputs

NameDescription
networkCreated or read network attributes.
subnetworksMap containing key, value pairs of created or read subnetwork attributes.