main.tf
locals {
  # Network tag that ties the inbound firewall rule to the proxy VM.
  network_tag = "cloudsql-proxy"

  # Base name reused for the VM, its service account and the firewall rule.
  instance_name = var.instance_name
}
# Dedicated identity for the proxy VM, so its permissions are granted
# explicitly below instead of inheriting the default compute service account.
resource "google_service_account" "main" {
  project      = var.project
  account_id   = "sa-${local.instance_name}"
  display_name = "Cloud SQL Proxy sa for VM ${local.instance_name}"
  description  = "Used by the VM ${local.instance_name}"
  # NOTE(review): account_id is built from var.instance_name with a "sa-" prefix;
  # GCP's length and character rules for account ids apply to the full value —
  # confirm the variable is constrained accordingly.
}
# Grants the proxy's identity the Cloud SQL instanceUser role (used for IAM
# database authentication). Bound at project scope, so it applies to every
# Cloud SQL instance in var.project; an IAM condition could narrow it if only
# one instance should be reachable.
resource "google_project_iam_member" "cloudsql_instance_user_role_to_main_service_account" {
  project = var.project
  member  = "serviceAccount:${google_service_account.main.email}"
  role    = "roles/cloudsql.instanceUser"
}
# Grants the proxy's identity the Cloud SQL client role, which is what lets the
# proxy open connections to instances. Project-wide like the binding above;
# scope it down with an IAM condition if least privilege per instance is needed.
resource "google_project_iam_member" "cloudsql_instance_client_role_to_main_service_account" {
  project = var.project
  member  = "serviceAccount:${google_service_account.main.email}"
  role    = "roles/cloudsql.client"
}
# Produces the container declaration and boot image used by the VM below
# (metadata_value, source_image and vm_container_label are consumed there).
# Supply-chain note: var.container_image is deployed as given, so callers
# should pin it by digest rather than a mutable tag for reproducible rollouts.
module "gce_container_sqlproxy" {
  source  = "terraform-google-modules/container-vm/google"
  version = "~> 3.0"

  cos_image_family = var.cos_image_family
  restart_policy   = "Always"

  container = {
    image   = var.container_image
    command = var.container_command
    args    = var.container_args
  }
}
# Lets the VM ship its logs to Cloud Logging; pairs with the
# google-logging-enabled metadata on the instance.
resource "google_project_iam_member" "log_writer_to_vm_sa" {
  project = var.project
  member  = "serviceAccount:${google_service_account.main.email}"
  role    = "roles/logging.logWriter"
}
# Lets the VM write metrics to Cloud Monitoring; pairs with the
# google-monitoring-enabled metadata on the instance.
resource "google_project_iam_member" "metric_writer_to_vm_sa" {
  project = var.project
  member  = "serviceAccount:${google_service_account.main.email}"
  role    = "roles/monitoring.metricWriter"
}
# Opens TCP/5432 to the caller-supplied CIDR ranges, but only for VMs carrying
# the shared network tag. Keep var.firewall_source_ranges as narrow as
# possible: combined with var.allow_public_ip on the instance, a broad range
# exposes the proxy port to the internet.
# NOTE(review): a firewall rule with no source filter at all is treated by the
# API as open to any source — treat an empty var.firewall_source_ranges as a
# misconfiguration rather than "no access"; confirm against the provider docs.
resource "google_compute_firewall" "inbound" {
  name        = "allow-${local.instance_name}"
  network     = var.firewall_network
  description = "Allow accessing default container port"

  target_tags   = [local.network_tag]
  source_ranges = var.firewall_source_ranges

  allow {
    protocol = "tcp"
    # Hard-coded listener port; must match what the container is told to
    # listen on via var.container_args.
    ports = ["5432"]
  }
}
# Container-optimized VM that runs the Cloud SQL proxy container under the
# dedicated service account. Reachable on 5432 only through the tagged
# firewall rule above.
resource "google_compute_instance" "main" {
  name         = local.instance_name
  zone         = var.vm_zone
  machine_type = var.vm_machine_type

  # Permits Terraform to stop the VM when an update requires it.
  allow_stopping_for_update = true

  tags = [local.network_tag]

  labels = merge(
    { container-vm = module.gce_container_sqlproxy.vm_container_label },
    var.labels
  )

  boot_disk {
    initialize_params {
      image = module.gce_container_sqlproxy.source_image
    }
  }

  network_interface {
    network    = var.vm_network
    subnetwork = var.vm_subnetwork

    # Only attach a public address when explicitly requested; without an
    # access_config the VM is private to the VPC.
    dynamic "access_config" {
      for_each = var.allow_public_ip ? [1] : []
      content {
        # Empty block: GCP assigns an ephemeral public IP.
      }
    }
  }

  metadata = {
    gce-container-declaration    = module.gce_container_sqlproxy.metadata_value
    google-logging-enabled       = "true"
    google-logging-use-fluentbit = "true"
    google-monitoring-enabled    = "true"
    # Project-wide SSH keys cannot be used on this VM.
    block-project-ssh-keys = "true"
    # NOTE(review): hardening options not set here, to be weighed by the
    # maintainers: enable-oslogin metadata, and a shielded_instance_config block
    # (secure boot / vTPM / integrity monitoring) on this resource.
  }

  service_account {
    email = google_service_account.main.email
    # Broad OAuth scope; effective access is bounded by the IAM roles granted
    # to this service account elsewhere in this file.
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  lifecycle {
    # Presumably so a newer image in the COS family does not force a VM
    # replacement on every plan — image updates are then handled out of band.
    ignore_changes = [
      boot_disk[0].initialize_params[0].image
    ]
  }
}