# https://cloud.google.com/vpc/docs/shared-vpc
# Google provider. The region comes from variables; authentication uses a
# service-account key file read from disk.
#
# NOTE(security): `file(var.credentials_file_path)` loads a long-lived
# service-account key. Given what this config creates (projects under the
# org, billing links, Shared VPC hosting) that identity is highly privileged,
# so keep the key file out of version control, scope it to the demo and
# revoke it afterwards. Omitting `credentials` and relying on Application
# Default Credentials avoids having a key on disk at all.
provider "google" {
  credentials = file(var.credentials_file_path)
  region      = var.region
}
# Random provider; only used for the project-id suffixes below.
provider "random" {}
# 8 random bytes -> 16 hex characters, so "tf-vpc-<hex>" below is 23
# characters, inside GCP's 30-character project-id limit. Project ids are
# globally unique and cannot be reused after deletion, hence the randomness.
resource "random_id" "host_project_name" {
  byte_length = 8
}
# Suffix for service project 1's id (16 hex chars; see host_project_name).
resource "random_id" "service_project_1_name" {
  byte_length = 8
}
# Suffix for service project 2's id (16 hex chars; see host_project_name).
resource "random_id" "service_project_2_name" {
  byte_length = 8
}
# Suffix for the standalone project's id (16 hex chars; see host_project_name).
resource "random_id" "standalone_project_name" {
  byte_length = 8
}
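# The project which owns the VPC.
#
# NOTE(security): a new project normally gets a "default" VPC pre-populated
# with GCP's permissive default firewall rules (default-allow-ssh and
# default-allow-icmp from 0.0.0.0/0, default-allow-rdp, ...). Nothing in
# this config uses that network, so it is switched off here; the provider
# creates the project and then deletes the default network, so one network
# quota slot is still needed momentarily (and, presumably, the Compute API
# gets enabled as a side effect - verify against the provider version in
# use). The fleet-wide way to get the same result is the
# `constraints/compute.skipDefaultNetworkCreation` org policy.
resource "google_project" "host_project" {
  name                = "Host Project"
  project_id          = "tf-vpc-${random_id.host_project_name.hex}"
  org_id              = var.org_id
  billing_account     = var.billing_account_id
  auto_create_network = false
}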
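# One project which will use the VPC.
#
# NOTE(security): `auto_create_network = false` prevents the "default" VPC
# (with its default-allow-ssh/icmp-from-anywhere rules) from being left
# behind in this project - its VM attaches to the host's shared network and
# never needs a local one. One network quota slot is still consumed briefly
# while the provider removes it. Consider the
# `constraints/compute.skipDefaultNetworkCreation` org policy org-wide.
resource "google_project" "service_project_1" {
  name                = "Service Project 1"
  project_id          = "tf-vpc-${random_id.service_project_1_name.hex}"
  org_id              = var.org_id
  billing_account     = var.billing_account_id
  auto_create_network = false
}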
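# The other project which will use the VPC.
#
# NOTE(security): `auto_create_network = false` prevents the "default" VPC
# (with its default-allow-ssh/icmp-from-anywhere rules) from being left
# behind in this project - its VM attaches to the host's shared network and
# never needs a local one. One network quota slot is still consumed briefly
# while the provider removes it. Consider the
# `constraints/compute.skipDefaultNetworkCreation` org policy org-wide.
resource "google_project" "service_project_2" {
  name                = "Service Project 2"
  project_id          = "tf-vpc-${random_id.service_project_2_name.hex}"
  org_id              = var.org_id
  billing_account     = var.billing_account_id
  auto_create_network = false
}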
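# A project which will not use the VPC, for the sake of demonstration.
#
# NOTE(security): `auto_create_network = false` keeps the "default" VPC and
# its permissive default firewall rules out of this project; the demo
# creates its own `standalone-network` below with rules it controls. One
# network quota slot is still consumed briefly while the provider removes
# the default network. Consider the
# `constraints/compute.skipDefaultNetworkCreation` org policy org-wide.
resource "google_project" "standalone_project" {
  name                = "Standalone Project"
  project_id          = "tf-vpc-${random_id.standalone_project_name.hex}"
  org_id              = var.org_id
  billing_account     = var.billing_account_id
  auto_create_network = false
}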
# Compute Engine must be enabled in each of the four new projects before any
# network or instance can be created in them. Note that the provider
# disables the API again on destroy by default (`disable_on_destroy`), which
# is fine here because the projects are torn down with it.
resource "google_project_service" "host_project" {
  service = "compute.googleapis.com"
  project = google_project.host_project.project_id
}
# Compute Engine for service project 1 (needed for its VM and for the
# Shared VPC attachment).
resource "google_project_service" "service_project_1" {
  service = "compute.googleapis.com"
  project = google_project.service_project_1.project_id
}
# Compute Engine for service project 2 (needed for its VM and for the
# Shared VPC attachment).
resource "google_project_service" "service_project_2" {
  service = "compute.googleapis.com"
  project = google_project.service_project_2.project_id
}
# Compute Engine for the standalone project (its own network and VM).
resource "google_project_service" "standalone_project" {
  service = "compute.googleapis.com"
  project = google_project.standalone_project.project_id
}
# Turn the host project into a Shared VPC host. The Compute API has to be on
# first (hence the explicit dependency), and the identity running Terraform
# needs Shared VPC Admin (roles/compute.xpnAdmin) at the org or folder.
resource "google_compute_shared_vpc_host_project" "host_project" {
  depends_on = [google_project_service.host_project]
  project    = google_project.host_project.project_id
}
# Attach service project 1 to the host. The attach call is rejected if the
# host project is not yet hosting, and the service project's own Compute API
# must be on, so both dependencies are spelled out.
#
# NOTE(review): attaching a service project does not by itself let anyone in
# it use the host's subnets - that takes roles/compute.networkUser on the
# subnets (or the host project). The VM created below presumably works only
# because the identity running Terraform already holds that role; real
# tenants need an explicit grant.
resource "google_compute_shared_vpc_service_project" "service_project_1" {
  service_project = google_project.service_project_1.project_id
  host_project    = google_project.host_project.project_id

  depends_on = [
    google_project_service.service_project_1,
    google_compute_shared_vpc_host_project.host_project,
  ]
}
# Attach service project 2 to the host; same ordering constraints as for
# service project 1 (host must already be hosting, Compute API must be on).
#
# NOTE(review): attachment alone grants no subnet access; principals in this
# project still need roles/compute.networkUser on the host's subnets.
resource "google_compute_shared_vpc_service_project" "service_project_2" {
  service_project = google_project.service_project_2.project_id
  host_project    = google_project.host_project.project_id

  depends_on = [
    google_project_service.service_project_2,
    google_compute_shared_vpc_host_project.host_project,
  ]
}
# The shared (hosted) network, owned by the host project. Auto mode creates
# one subnet per region out of 10.128.0.0/9, which is what lets the service
# project VMs below attach by network rather than naming a subnet.
#
# NOTE(review): for a production Shared VPC prefer custom mode, so the host
# admin decides exactly which subnets exist in which regions and which
# tenants get networkUser on each; auto mode is used here for demo brevity.
# The depends_on entries are ordering only - the network does not need the
# attachments to exist - presumably so the service projects are detached
# before the network is destroyed.
resource "google_compute_network" "shared_network" {
  project                 = google_compute_shared_vpc_host_project.host_project.project
  name                    = "shared-network"
  auto_create_subnetworks = true

  depends_on = [
    google_compute_shared_vpc_service_project.service_project_2,
    google_compute_shared_vpc_service_project.service_project_1,
  ]
}
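# Allow ingress to the hosted network over ICMP, SSH (22) and HTTP (80).
#
# NOTE(security): `source_ranges` is written out explicitly because the
# provider's default when it is omitted is 0.0.0.0/0 - i.e. this rule, which
# also has no `target_tags`, exposes SSH and HTTP on every instance in the
# network to the whole internet. That is the behaviour the original demo
# had implicitly; it is only acceptable for a throw-away demo. For anything
# else narrow it to your own CIDRs (for SSH, IAP TCP forwarding from
# 35.235.240.0/20 avoids a public SSH port entirely) and scope it with
# `target_tags`.
resource "google_compute_firewall" "shared_network" {
  name    = "allow-ssh-and-icmp" # predates the HTTP port; kept for compatibility
  project = google_compute_network.shared_network.project
  network = google_compute_network.shared_network.self_link

  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"] # TODO(security): restrict before any non-demo use

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
}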
# An ordinary (non-shared) auto-mode network in the standalone project, to
# contrast with the shared one; it gets the same firewall rules below.
resource "google_compute_network" "standalone_network" {
  project                 = google_project.standalone_project.project_id
  name                    = "standalone-network"
  auto_create_subnetworks = true

  depends_on = [google_project_service.standalone_project]
}
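# Same ingress rule as on the shared network: ICMP, SSH (22) and HTTP (80).
#
# NOTE(security): `source_ranges` is spelled out because the provider
# defaults it to 0.0.0.0/0 when omitted, and there are no `target_tags`, so
# every instance on this network has 22 and 80 open to the internet. That
# matches the original, implicit behaviour of the demo; narrow it to your
# own CIDRs (or IAP's 35.235.240.0/20 for SSH) and add `target_tags` before
# reusing this anywhere that matters.
resource "google_compute_firewall" "standalone_network" {
  name    = "allow-ssh-and-icmp" # predates the HTTP port; kept for compatibility
  project = google_project.standalone_project.project_id
  network = google_compute_network.standalone_network.self_link

  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"] # TODO(security): restrict before any non-demo use

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
}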
# VM1: serves a web page announcing its own identity. Lives in service
# project 1 but is attached to the host project's shared network.
#
# NOTE(security):
#  - `access_config {}` assigns a public ephemeral IP, and the network's
#    firewall rule admits 22/80 from any source, so the box is internet-
#    reachable as soon as it boots.
#  - `service_account` without `email` means the Compute Engine default
#    service account, which (absent the
#    iam.automaticIamGrantsForDefaultServiceAccounts org policy) holds
#    project Editor. The compute.readonly scope limits what tokens from the
#    metadata server can do, but a dedicated SA with only the roles the
#    page needs is the proper fix.
#  - Debian 8 is past end of life and the `debian-8` family may no longer
#    resolve in debian-cloud. Left as-is because scripts/install-vm.sh has
#    not been checked against a newer release - TODO move to a supported
#    family (which also allows Shielded VM).
#  - Consider `metadata = { enable-oslogin = "TRUE" }` so SSH is governed
#    by IAM rather than metadata-managed keys.
resource "google_compute_instance" "project_1_vm" {
  project      = google_project.service_project_1.project_id
  zone         = var.region_zone
  name         = "tf-project-1-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "projects/debian-cloud/global/images/family/debian-8"
    }
  }

  # First line sets the identity the page shows, then the shared installer.
  metadata_startup_script = join("\n", ["VM_NAME=VM1", file("scripts/install-vm.sh")])

  network_interface {
    network = google_compute_network.shared_network.self_link

    access_config {} # ephemeral public IP
  }

  service_account {
    scopes = ["https://www.googleapis.com/auth/compute.readonly"]
  }

  depends_on = [google_project_service.service_project_1]
}
# VM2: serves a web page that demonstrates the example networking. The
# startup script is handed the public and internal IPs of VM1 (same shared
# network) and of the standalone VM (separate network); referencing those
# attributes also makes this instance implicitly depend on both, and bakes
# their addresses into the script at creation time.
#
# NOTE(security): same caveats as VM1 - public ephemeral IP behind a
# 0.0.0.0/0 rule for 22/80, Compute Engine default service account (Editor
# by default; scope narrowed to compute.readonly but prefer a dedicated SA),
# an end-of-life Debian 8 image family that may no longer resolve, and no
# OS Login.
resource "google_compute_instance" "project_2_vm" {
  project      = google_project.service_project_2.project_id
  zone         = var.region_zone
  name         = "tf-project-2-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "projects/debian-cloud/global/images/family/debian-8"
    }
  }

  # Shell variable assignments consumed by scripts/install-network-page.sh.
  metadata_startup_script = <<EOF
VM1_EXT_IP=${google_compute_instance.project_1_vm.network_interface[0].access_config[0].nat_ip}
ST_VM_EXT_IP=${google_compute_instance.standalone_project_vm.network_interface[0].access_config[0].nat_ip}
VM1_INT_IP=${google_compute_instance.project_1_vm.network_interface[0].address}
ST_VM_INT_IP=${google_compute_instance.standalone_project_vm.network_interface[0].address}
${file("scripts/install-network-page.sh")}
EOF

  network_interface {
    network = google_compute_network.shared_network.self_link

    access_config {} # ephemeral public IP
  }

  service_account {
    scopes = ["https://www.googleapis.com/auth/compute.readonly"]
  }

  depends_on = [google_project_service.service_project_2]
}
# Standalone VM: serves a web page announcing its identity ("standalone").
# Sits on the standalone project's own network, not the shared one, so VM2
# can only reach it over its public IP.
#
# NOTE(security): same caveats as VM1 - public ephemeral IP behind a
# 0.0.0.0/0 rule for 22/80, Compute Engine default service account (Editor
# by default; scope narrowed to compute.readonly but prefer a dedicated SA),
# an end-of-life Debian 8 image family that may no longer resolve, and no
# OS Login.
resource "google_compute_instance" "standalone_project_vm" {
  project      = google_project.standalone_project.project_id
  zone         = var.region_zone
  name         = "tf-standalone-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "projects/debian-cloud/global/images/family/debian-8"
    }
  }

  # First line sets the identity the page shows, then the shared installer.
  metadata_startup_script = join("\n", ["VM_NAME=standalone", file("scripts/install-vm.sh")])

  network_interface {
    network = google_compute_network.standalone_network.self_link

    access_config {} # ephemeral public IP
  }

  service_account {
    scopes = ["https://www.googleapis.com/auth/compute.readonly"]
  }

  depends_on = [google_project_service.standalone_project]
}