##################################
#
#  DR
#
#################################

# Ingress rule (provider default direction) letting the DR range 10.251.9.0/24
# reach PostgreSQL on tcp/5432, limited to instances tagged "patroni".
# NOTE(review): this rule selects the VPC via var.environment, while every
# other resource in this file uses var.network_env — confirm both resolve to
# the same network, otherwise the rule lands in an unintended VPC.
resource "google_compute_firewall" "allow-dr-postgres" {
  name        = "allow-dr-postgres"
  description = "Allows postgres traffic from our DR environment into gprd"
  network     = "${var.environment}"

  # Only the DR /24 may originate traffic matched by this rule.
  source_ranges = ["10.251.9.0/24"]

  # Scope: instances carrying the patroni network tag.
  target_tags = ["patroni"]

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}

# Service account used by the disaster-recovery tooling; its email is
# referenced below in the storage.objectViewer binding.
resource "google_service_account" "dr-sa" {
  account_id = "disaster-recovery"
}

# IAM policy document granting the DR service account read-only object
# access (roles/storage.objectViewer).
# NOTE(review): a google_iam_policy document is authoritative when attached
# through a *_iam_policy resource — it replaces every existing binding on the
# target. Where this document is attached is not visible in this file; confirm
# the target resource and that no other bindings are dropped.
data "google_iam_policy" "dr-sa-access" {
  binding {
    members = ["serviceAccount:${google_service_account.dr-sa.email}"]
    role    = "roles/storage.objectViewer"
  }
}

##################################
#
#  gitlab-analysis
#
#################################

# VPC peering from this environment's network to the "default" network of the
# gitlab-analysis project. Peering alone exchanges routes; reachability is
# still gated by the firewall rules further down.
# NOTE(review): peering must also be configured from the gitlab-analysis side
# to become active — that half is not in this file.
resource "google_compute_network_peering" "peering-gitlab-analysis-default" {
  peer_network = "https://www.googleapis.com/compute/v1/projects/gitlab-analysis/global/networks/default"
  network      = "${var.network_env}"
  name         = "peering-gitlab-analysis-default"
}

# VPC peering from this environment's network to the "gitlab-analysis-vpc"
# network of the gitlab-analysis project. Routes are exchanged; the
# corresponding firewall rule below restricts what may actually connect.
# NOTE(review): the peering is only active once the gitlab-analysis side has
# the matching peering configured as well.
resource "google_compute_network_peering" "peering-gitlab-analysis-gitlab-analysis-vpc" {
  peer_network = "https://www.googleapis.com/compute/v1/projects/gitlab-analysis/global/networks/gitlab-analysis-vpc"
  network      = "${var.network_env}"
  name         = "peering-gitlab-analysis-gitlab-analysis-vpc"
}

# Ingress rule (provider default direction) for the peered gitlab-analysis
# "default" network: tcp/5432 to instances tagged "postgres-dr-archive".
# NOTE(review): 10.52.0.0/14 is 262,144 addresses — wider than a single
# subnet usually is. Confirm it matches the us-west1 subnet CIDR exactly
# rather than a superset of it.
resource "google_compute_firewall" "allow-postgres-gitlab-analysis-default" {
  name        = "allow-postgres-gitlab-analysis-default"
  description = "allow gitlab-analysis network default to access gprd network"
  network     = "${var.network_env}"

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  # Scope: instances carrying the postgres-dr-archive network tag.
  target_tags = ["postgres-dr-archive"]

  # only from us-west1 default subnet (per the original author's annotation)
  source_ranges = ["10.52.0.0/14"]
}

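# Ingress rule (provider default direction) for the peered gitlab-analysis
# "gitlab-analysis-vpc" network: tcp/5432 to instances tagged
# "postgres-dr-archive".
resource "google_compute_firewall" "allow-postgres-gitlab-analysis-gitlab-analysis-vpc" {
  name        = "allow-postgres-gitlab-analysis-gitlab-analysis-vpc"
  description = "allow gitlab-analysis network gitlab-analysis-vpc to access gprd network"
  network     = "${var.network_env}"

  # The original comment here said "us-west1 default subnet", which is the
  # wording of the sibling rule for the "default" network; this rule is paired
  # with the gitlab-analysis-vpc peering, so the range presumably is that
  # network's us-west1 subnet — confirm against the peer project.
  # NOTE(review): 10.160.0.0/14 covers 262,144 addresses; confirm it matches
  # the subnet CIDR exactly rather than a superset.
  source_ranges = ["10.160.0.0/14"]

  # Scope: instances carrying the postgres-dr-archive network tag.
  target_tags = ["postgres-dr-archive"]

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}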