
Starting with Terraform recently with GCP, I would like to finish an exercise:

  • Create a new VPC network with a single subnet.
  • Create a firewall rule that allows external RDP traffic to the bastion host system.
  • Deploy two Windows servers that are connected to both the VPC network and the default network.
  • Create a virtual machine that points to the startup script.
  • Configure a firewall rule to allow HTTP access to the virtual machine.

Here is my solution:

  1. Create a new VPC network called securenetwork, then create a new VPC subnet inside securenetwork. Once the network and subnet have been configured, configure a firewall rule that allows inbound RDP traffic (TCP port 3389) from the internet to the bastion host.
# Create the securenetwork network
resource "google_compute_network" "securenetwork" {
  name                    = "securenetwork"
  auto_create_subnetworks = false
}

# Create the securesubnet-eu subnetwork
resource "google_compute_subnetwork" "securesubnet-eu" {
  name          = "securesubnet-eu"
  region        = "europe-west1"
  network       = "${google_compute_network.securenetwork.self_link}"
  ip_cidr_range = "10.130.0.0/20"
}

# Create a firewall rule to allow RDP (TCP 3389) and ICMP traffic on securenetwork
resource "google_compute_firewall" "securenetwork-allow-http-ssh-rdp-icmp" {
  name    = "securenetwork-allow-http-ssh-rdp-icmp"
  network = "${google_compute_network.securenetwork.self_link}"

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  allow {
    protocol = "icmp"
  }
}

# Create the vm-securehost instance
module "vm-securehost" {
  source              = "./instance/securehost"
  instance_name       = "vm-securehost"
  instance_zone       = "europe-west1-d"
  instance_subnetwork = "${google_compute_subnetwork.securesubnet-eu.self_link}"
  instance_network = "${google_compute_network.securenetwork.self_link}"
}

# Create the vm-bastionhost instance
module "vm-bastionhost" {
  source              = "./instance/bastionhost"
  instance_name       = "vm-bastionhost"
  instance_zone       = "europe-west1-d"
  instance_subnetwork = "${google_compute_subnetwork.securesubnet-eu.self_link}"
  instance_network = "${google_compute_network.securenetwork.self_link}"
}
  2. Deploy Windows instances

    • a Windows 2016 server instance called vm-securehost with two network interfaces. Configure the first network interface with an internal only connection to the new VPC subnet, and the second network interface with an internal only connection to the default VPC network. This is the secure server.
variable "instance_name" {}
variable "instance_zone" {}

variable "instance_type" {
  default = "n1-standard-1"
}

variable "instance_subnetwork" {}
variable "instance_network" {}

resource "google_compute_instance" "vm_instance" {
  name         = "${var.instance_name}"
  zone         = "${var.instance_zone}"
  machine_type = "${var.instance_type}"

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  network_interface {
    subnetwork = "${var.instance_subnetwork}"
    access_config {
      # Allocate a one-to-one NAT IP to the instance
    }
  }
}
    • a second Windows 2016 server instance called vm-bastionhost with two network interfaces. Configure the first network interface to connect to the new VPC subnet with an ephemeral public (external NAT) address, and the second network interface with an internal only connection to the default VPC network. This is the jump box or bastion host.
variable "instance_name" {}
variable "instance_zone" {}

variable "instance_type" {
  default = "n1-standard-1"
}

variable "instance_subnetwork" {}
variable "instance_network" {}

resource "google_compute_address" "default" {
  name = "default"
  region = "europe-west1"
}

resource "google_compute_instance" "vm_instance" {
  name         = "${var.instance_name}"
  zone         = "${var.instance_zone}"
  machine_type = "${var.instance_type}"

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  network_interface {
    subnetwork = "${var.instance_subnetwork}"
    network = "${var.instance_network}"
    access_config {
      # Allocate a one-to-one NAT IP to the instance
      nat_ip = "${google_compute_address.default.address}"
    }
  }
}

My question:

  • How do I configure the Windows compute instance called vm-securehost so that it does not have a public IP address?
  • How do I configure the Windows compute instance called vm-securehost so that it runs Microsoft IIS web server software on startup?
  • Thanks for any comments on the solution.
minh-hieu.pham

1 Answer


To create a VM without any external IP address, omit the access_config argument in your Terraform script, as it is the one responsible for creating the external IP address.

To run Microsoft IIS web server software on your VM at startup, add the following argument to your VM creation block (exclude quotation marks): 'metadata_startup_script = import-module servermanager && add-windowsfeature web-server -includeallsubfeature'

Please refer to the following links for detailed information on the issue:

https://cloud.google.com/compute/docs/tutorials/basic-webserver-iis

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#metadata_startup_script

Anant Swaraj
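Putting the answer's two points together, here is an added example of a vm-securehost module (not the asker's or answerer's code) in Terraform 0.12 syntax: no access_config on either NIC, a second NIC on the default network, IIS installed by a Windows startup script, and an HTTP rule scoped by target tag. It assumes the securenetwork resources from the question exist, and it uses the windows-startup-script-ps1 metadata key that the linked GCP IIS tutorial uses for Windows instances (the startup-script key set by metadata_startup_script is the Linux one).

```hcl
# Assumed inputs: the same variables the question's module already uses.
variable "instance_name" {}
variable "instance_zone" {}
variable "instance_subnetwork" {} # self_link of securesubnet-eu

resource "google_compute_instance" "vm_instance" {
  name         = var.instance_name
  zone         = var.instance_zone
  machine_type = "n1-standard-1"
  tags         = ["web"] # matched by the HTTP firewall rule below

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  # First NIC: internal-only on the new subnet. There is deliberately no
  # access_config block, so no external (NAT) IP is allocated.
  network_interface {
    subnetwork = var.instance_subnetwork
  }

  # Second NIC: internal-only on the default network (a different VPC,
  # as GCE requires for each extra NIC).
  network_interface {
    network = "default"
  }

  # PowerShell run by the Windows guest agent at boot; installs IIS.
  metadata = {
    "windows-startup-script-ps1" = <<-EOT
      Import-Module ServerManager
      Add-WindowsFeature Web-Server -IncludeAllSubFeature
    EOT
  }
}

# HTTP is only reachable from inside the VPC (e.g. via the bastion) because
# the VM has no external IP, so the rule is limited to the subnet CIDR from
# the question and to instances carrying the "web" tag.
resource "google_compute_firewall" "securenetwork-allow-http" {
  name          = "securenetwork-allow-http"
  network       = google_compute_network.securenetwork.self_link
  target_tags   = ["web"]
  source_ranges = ["10.130.0.0/20"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}
```

The same target_tags approach can scope the question's RDP rule to the bastion only (tag the bastion instance and set target_tags on that rule), so port 3389 is not opened to every host on securenetwork.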