Addressed comments, fmt, and cleaned up two_service_example

README.md

@@ -16,6 +16,8 @@ Basic usage of this module is as follows:
 ```hcl
 module "iap_bastion" {
   source = "terraform-google-modules/bastion-host/google"
+  version = 0.1.0
+
   project = var.project
   region = var.region
   zone = var.zone
@@ -50,6 +52,7 @@ resources of this module:
 - Google Cloud Storage JSON API: `storage-api.googleapis.com`
 - Compute Engine API: `compute.googleapis.com`
 - Cloud Identity-Aware Proxy API: `iap.googleapis.com`
+- OS Login API: `oslogin.googleapis.com`
 
 The [Project Factory module][project-factory-module] can be used to
 provision a project with the necessary APIs enabled.

examples/simple_example/main.tf

@@ -7,55 +7,19 @@ module "iap_bastion" {
   members = var.members
 }
 
-# Address for NATing
-resource "google_compute_address" "nat" {
-  project = var.project
-  region  = var.region
-  name    = "bastion-nat-external"
-}
-
-# Create a NAT router so the nodes can reach the public Internet
-resource "google_compute_router" "router" {
-  name    = "bastion-router"
-  project = var.project
-  region  = var.region
-  network = google_compute_network.network.self_link
-  bgp {
-    asn = 64514
-  }
-}
-
-# NAT on the main subnetwork
-resource "google_compute_router_nat" "nat" {
-  name    = "bastion-nat-1"
-  project = var.project
-  region  = var.region
-  router  = google_compute_router.router.name
-
-  nat_ip_allocate_option = "MANUAL_ONLY"
-  nat_ips                = ["${google_compute_address.nat.self_link}"]
-
-  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
-
-  subnetwork {
-    name                    = "${google_compute_subnetwork.subnet.self_link}"
-    source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE"]
-  }
-
-}
-
 resource "google_compute_network" "network" {
   project                 = var.project
   name                    = "test-network"
   auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "subnet" {
-  project       = var.project
-  name          = "test-subnet"
-  region        = var.region
-  ip_cidr_range = "10.127.0.0/20"
-  network       = google_compute_network.network.self_link
+  project                  = var.project
+  name                     = "test-subnet"
+  region                   = var.region
+  ip_cidr_range            = "10.127.0.0/20"
+  network                  = google_compute_network.network.self_link
+  private_ip_google_access = true
 }
 
 resource "google_compute_firewall" "allow_access_from_bastion" {
@@ -70,4 +34,4 @@ resource "google_compute_firewall" "allow_access_from_bastion" {
 
   # Allow SSH only from IAP Bastion
   source_service_accounts = [module.iap_bastion.service_account]
-}
+}

examples/simple_example/variables.tf

@@ -1,12 +1,12 @@
-variable "project" {}
-variable "zone" {
-  default = "us-west1-a"
+variable "members" {
+  default = []
 }
+variable "project" {}
 
 variable "region" {
   default = "us-west1"
 }
 
-variable "members" {
-  default = []
+variable "zone" {
+  default = "us-west1-a"
 }

examples/two_service_example/iam.tf

@@ -1,3 +1,15 @@
+resource "google_service_account" "service_a" {
+  project      = var.project
+  account_id   = "service-a"
+  display_name = "Service Account for Service A"
+}
+
+resource "google_service_account" "service_b" {
+  project      = var.project
+  account_id   = "service-b"
+  display_name = "Service Account for Service B"
+}
+
 resource "google_compute_instance_iam_member" "alice_oslogin_1" {
   project       = var.project
   zone          = var.zone
@@ -33,4 +45,3 @@ resource "google_service_account_iam_member" "bdole_use_sa" {
   role               = "roles/iam.serviceAccountUser"
   member             = var.user_b
 }
-

examples/two_service_example/instance.tf → examples/two_service_example/instances.tf

@@ -75,4 +75,3 @@ resource "google_compute_instance" "priv_host_b_1" {
     enable-oslogin = "TRUE"
   }
 }
-

examples/two_service_example/example.tf → examples/two_service_example/main.tf

@@ -28,4 +28,3 @@ module "iap_bastion" {
   zone    = var.zone
   members = [var.user_a, var.user_b]
 }
-

examples/two_service_example/variables.tf

@@ -16,17 +16,17 @@
 
 variable "project" {
   description = "The ID of the project in which to provision resources."
-  type = string
+  type        = string
 }
 
 variable "network" {
   description = "Self link for the VPC network"
-  type = string
+  type        = string
 }
 
 variable "subnet" {
   description = "Self link for the Subnet within var.network"
-  type = string
+  type        = string
 }
 
 variable "user_a" {
@@ -39,4 +39,4 @@ variable "user_b" {
 
 variable "zone" {
   default = "us-west1-a"
-}
+}

main.tf

@@ -14,14 +14,14 @@
  * limitations under the License.
  */
 
-provider "google-beta" {}
-
 resource "google_service_account" "bastion_host" {
   project      = var.project
   account_id   = "bastion"
   display_name = "Service Account for Bastion"
 }
 
+# NOTE: Use the terraform-google-vm module once Shielded VMs are supported
+# https://github.com/terraform-google-modules/terraform-google-vm/pull/38
 resource "google_compute_instance" "bastion_vm" {
   project      = var.project
   zone         = var.zone
@@ -69,7 +69,7 @@ resource "google_compute_firewall" "allow_from_iap_to_bastion" {
 
   # https://cloud.google.com/iap/docs/using-tcp-forwarding#before_you_begin
   # This is the netblock needed to forward to the instances
-  source_ranges = ["35.235.240.0/20"]
+  source_ranges           = ["35.235.240.0/20"]
   target_service_accounts = [google_service_account.bastion_host.email]
 }
 
@@ -89,15 +89,15 @@ resource "google_service_account_iam_binding" "bastion_sa_user" {
 }
 
 resource "google_project_iam_member" "bastion_sa_bindings" {
-  for_each  = toset(compact(concat(
+  for_each = toset(compact(concat(
     var.service_account_roles,
     var.service_account_roles_supplemental,
     ["projects/${var.project}/roles/${google_project_iam_custom_role.compute_os_login_viewer.role_id}"]
   )))
 
-  project   = var.project
-  role      = each.key
-  member   = "serviceAccount:${google_service_account.bastion_host.email}"
+  project = var.project
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.bastion_host.email}"
 }
 
 # If you are practicing least privilege, to enable instance level OS Login, you
@@ -109,4 +109,4 @@ resource "google_project_iam_custom_role" "compute_os_login_viewer" {
   title       = "OS Login Project Get Role"
   description = "From Terraform: iap-bastion module custom role for more fine grained scoping of permissions"
   permissions = ["compute.projects.get"]
-}
+}

outputs.tf

@@ -14,17 +14,21 @@
  * limitations under the License.
  */
 output "service_account" {
-  value = google_service_account.bastion_host.email
+  description = "The email for the service account created for the bastion host"
+  value       = google_service_account.bastion_host.email
 }
 
 output "hostname" {
-  value = var.name
+  description = "Host name of the bastion"
+  value       = var.name
 }
 
 output "ip_address" {
-  value = google_compute_instance.bastion_vm.network_interface.0.network_ip
+  description = "Internal IP address of the bastion host"
+  value       = google_compute_instance.bastion_vm.network_interface.0.network_ip
 }
 
 output "self_link" {
-  value = google_compute_instance.bastion_vm.self_link
-}
+  description = "Self link of the bastion host"
+  value       = google_compute_instance.bastion_vm.self_link
+}

variables.tf

@@ -16,25 +16,29 @@
 
 variable "image" {
   description = "GCE image on which to base the Bastion. This image is supported by Shielded VM"
-  default = "gce-uefi-images/centos-7"
+  default     = "gce-uefi-images/centos-7"
 }
 
 variable "labels" {
-  type = "map"
-  default = {}
+  description = "Key-value map of labels to assign to the bastion host"
+  type        = "map"
+  default     = {}
 }
 
 variable "machine_type" {
-  default = "n1-standard-1"
+  description = "Instance type for the Bastion host"
+  default     = "n1-standard-1"
 }
 
 variable "members" {
-  type = "list"
-  default = []
+  description = "List of IAM resources to allow access to the bastion host"
+  type        = "list"
+  default     = []
 }
+
 variable "name" {
   description = "Name of the Bastion instance"
-  default = "bastion-vm"
+  default     = "bastion-vm"
 }
 
 variable "network" {
@@ -45,9 +49,14 @@ variable "project" {
   description = "The project ID to deploy to"
 }
 
+variable "region" {
+  description = "The primary region where the bastion host will live"
+  default     = "us-central1"
+}
+
 variable "scopes" {
   description = "List of scopes to attach to the bastion host"
-  default = ["cloud-platform"]
+  default     = ["cloud-platform"]
 }
 
 variable "service_account_roles" {
@@ -61,21 +70,23 @@ variable "service_account_roles" {
 }
 variable "service_account_roles_supplemental" {
   description = "An additional list of roles to assign to the bastion if desired"
-  default = []
+  default     = []
 }
 
 variable "shielded_vm" {
   default = true
 }
+
 variable "startup_script" {
   description = "Render a startup script with a template."
-  default = ""
+  default     = ""
 }
 
 variable "subnet" {
   description = "Self link for the subnet on which the Bastion should live. Can be private when using IAP"
 }
+
 variable "zone" {
   description = "The primary zone where the bastion host will live"
-  default = "us-central1-a"
-}
+  default     = "us-central1-a"
+}

versions.tf

@@ -17,7 +17,7 @@
 terraform {
   required_version = "~> 0.12"
   required_providers {
-    google = "~> 2.17"
+    google      = "~> 2.17"
     google-beta = "~> 2.17"
   }
-}
+}