From cff1cab9408dead304979eda063af23ec2815211 Mon Sep 17 00:00:00 2001 From: gastonchenet Date: Thu, 4 Dec 2025 09:33:27 +0100 Subject: [PATCH] Update --- terraform/environments/dev/main.tf | 51 ++++++++++++++++++++++ terraform/environments/dev/outputs.tf | 24 +++++++++++ terraform/environments/dev/variables.tf | 53 +++++++++++++++++++++++ terraform/modules/compute/main.tf | 49 +++++++++++++++------ terraform/modules/compute/outputs.tf | 38 ++++++++--------- terraform/modules/compute/variables.tf | 45 +++++++++++++++---- terraform/modules/iam/main.tf | 41 ++++++------------ terraform/modules/iam/outputs.tf | 15 +++---- terraform/modules/iam/variables.tf | 25 +++++++++-- terraform/modules/network/main.tf | 57 ++++++++----------------- terraform/modules/network/outputs.tf | 4 -- terraform/modules/network/variables.tf | 2 - 12 files changed, 276 insertions(+), 128 deletions(-) diff --git a/terraform/environments/dev/main.tf b/terraform/environments/dev/main.tf index e69de29..8641f65 100644 --- a/terraform/environments/dev/main.tf +++ b/terraform/environments/dev/main.tf @@ -0,0 +1,51 @@ +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.0" + } + local = { + source = "hashicorp/local" + version = ">= 2.0" + } + } +} + +provider "google" { + project = var.project_id + region = var.region + zone = var.zone +} + +provider "local" {} + +module "iam" { + source = "../../modules/iam" + + + project_id = var.project_id + sa_name = "tf-sa" + sa_display_name = "Terraform SA for TP" +} + +module "compute" { + source = "../../modules/compute" + + project_id = var.project_id + region = var.region + zone = var.zone + instance_type = var.instance_type + network = var.network + frontend_subnet_id = var.frontend_subnet_id + backend_subnet_id = var.backend_subnet_id + database_subnet_id = var.database_subnet_id + ssh_pub_key = var.ssh_pub_key + service_account_email = module.iam.service_account_email +} + +module "network" { + source = "../../modules/network" + + project_name = var.project_id + region = var.region +} \ No newline at end of file diff --git a/terraform/environments/dev/outputs.tf b/terraform/environments/dev/outputs.tf index e69de29..d6d0982 100644 --- a/terraform/environments/dev/outputs.tf +++ b/terraform/environments/dev/outputs.tf @@ -0,0 +1,24 @@ +output "frontend_public_ip" { + value = module.compute.frontend_public_ip +} + +output "frontend_internal_ip" { + value = module.compute.frontend_internal_ip +} + +output "backend_internal_ip" { + value = module.compute.backend_internal_ip +} + +output "database_internal_ip" { + value = module.compute.database_internal_ip +} + +output "service_account_email" { + value = module.iam.service_account_email +} + +output "service_account_key" { + value = module.iam.service_account_key + sensitive = true +} \ No newline at end of file diff --git a/terraform/environments/dev/variables.tf b/terraform/environments/dev/variables.tf index e69de29..385c3c4 100644 --- a/terraform/environments/dev/variables.tf +++ b/terraform/environments/dev/variables.tf @@ -0,0 +1,53 @@ +variable "project_id" { + type = string + description = "GCP project id" + default = "school-478713" +} + +variable "region" { + type = string + description = "The region of the VM" + default = "europe-west1" +} + +variable "zone" { + type = string + description = "The zone of the VM" + default = "europe-west1-b" +} + +variable "frontend_subnet_id" { + type = string + description = "self_link du subnet frontend" + default = "projects/my-gcp-project/regions/europe-west1/subnetworks/frontend-subnet" +} + +variable "backend_subnet_id" { + type = string + description = "self_link du subnet backend" + default = "projects/my-gcp-project/regions/europe-west1/subnetworks/backend-subnet" +} + +variable "database_subnet_id" { + type = string + description = "self_link du subnet database" + default = "projects/my-gcp-project/regions/europe-west1/subnetworks/database-subnet" +} + +variable "network" { + type = string + description = "VPC network self_link or name" + default = "projects/my-gcp-project/global/networks/my-vpc" +} + +variable "ssh_pub_key" { + type = string + description = "SSH public key to provision (optional)" + default = "ssh-ed25519 AAAA... user@example.com" +} + +variable "instance_type" { + type = string + description = "Type of the VM instance" + default = "e2-minimal" +} \ No newline at end of file diff --git a/terraform/modules/compute/main.tf b/terraform/modules/compute/main.tf index bcfedc4..a828568 100644 --- a/terraform/modules/compute/main.tf +++ b/terraform/modules/compute/main.tf @@ -1,74 +1,99 @@ -# compute/main.tf - resource "google_compute_instance" "frontend" { - name = "frontend-instance" - machine_type = var.instance_type + name = "frontend-${substr(var.zone, -1, 2)}" + project = var.project_id zone = var.zone + machine_type = var.instance_type + labels = merge({tier = "frontend"}, var.labels) boot_disk { initialize_params { image = "debian-cloud/debian-11" size = 10 + type = "pd-standard" } } network_interface { + network = var.network subnetwork = var.frontend_subnet_id - access_config {} # IP publique + access_config {} } metadata = { enable-oslogin = "TRUE" + ssh-keys = var.ssh_pub_key } tags = ["frontend", "ssh"] + + service_account { + email = var.service_account_email + scopes = ["userinfo-email", "compute-ro"] + } } resource "google_compute_instance" "backend" { - name = "backend-instance" - machine_type = var.instance_type + name = "backend-${substr(var.zone, -1, 2)}" + project = var.project_id zone = var.zone + machine_type = var.instance_type + labels = merge({tier = "backend"}, var.labels) boot_disk { initialize_params { image = "debian-cloud/debian-11" size = 10 + type = "pd-standard" } } network_interface { + network = var.network subnetwork = var.backend_subnet_id - # Pas d'IP publique } metadata = { enable-oslogin = "TRUE" + ssh-keys = var.ssh_pub_key } tags = ["backend", "ssh"] + + service_account { + email = var.service_account_email + scopes = ["userinfo-email", "compute-ro"] + } } resource "google_compute_instance" "database" { - name = "database-instance" - machine_type = var.instance_type + name = "database-${substr(var.zone, -1, 2)}" + project = var.project_id zone = var.zone + machine_type = var.instance_type + labels = merge({tier = "database"}, var.labels) boot_disk { initialize_params { image = "debian-cloud/debian-11" size = 20 + type = "pd-standard" } } network_interface { + network = var.network subnetwork = var.database_subnet_id - # Pas d'IP publique } metadata = { enable-oslogin = "TRUE" + ssh-keys = var.ssh_pub_key } tags = ["database", "ssh"] -} + service_account { + email = var.service_account_email + scopes = ["userinfo-email", "compute-ro"] + } +} \ No newline at end of file diff --git a/terraform/modules/compute/outputs.tf b/terraform/modules/compute/outputs.tf index 6843c81..26e2665 100644 --- a/terraform/modules/compute/outputs.tf +++ b/terraform/modules/compute/outputs.tf @@ -1,27 +1,23 @@ -# compute/outputs.tf - -# 1. IPs internes de toutes les instances -output "internal_ips" { - description = "IPs internes des instances" - value = { - frontend = google_compute_instance.frontend.network_interface[0].network_ip - backend = google_compute_instance.backend.network_interface[0].network_ip - database = google_compute_instance.database.network_interface[0].network_ip - } +output "frontend_internal_ip" { + value = google_compute_instance.frontend.network_interface[0].network_ip } -# 2. IP publique du frontend output "frontend_public_ip" { - description = "IP publique de l'instance frontend" - value = google_compute_instance.frontend.network_interface[0].access_config[0].nat_ip + value = google_compute_instance.frontend.network_interface[0].access_config[0].nat_ip } -# 3. Noms des instances -output "instance_names" { - description = "Noms des instances" - value = { - frontend = google_compute_instance.frontend.name - backend = google_compute_instance.backend.name - database = google_compute_instance.database.name - } +output "backend_internal_ip" { + value = google_compute_instance.backend.network_interface[0].network_ip } + +output "database_internal_ip" { + value = google_compute_instance.database.network_interface[0].network_ip +} + +output "instance_names" { + value = [ + google_compute_instance.frontend.name, + google_compute_instance.backend.name, + google_compute_instance.database.name, + ] +} \ No newline at end of file diff --git a/terraform/modules/compute/variables.tf b/terraform/modules/compute/variables.tf index 5d8da14..4e32df0 100644 --- a/terraform/modules/compute/variables.tf +++ b/terraform/modules/compute/variables.tf @@ -1,27 +1,56 @@ -# compute/variables.tf - -variable "instance_type" { - description = "Type d'instance GCE à utiliser" +variable "project_id" { type = string + description = "GCP project id" +} + +variable "region" { + type = string + description = "GCP region" } variable "zone" { - description = "Zone dans laquelle déployer les instances" type = string + description = "GCP zone (ex: europe-west1-b)" +} + +variable "instance_type" { + type = string + description = "Machine type for instances (ex: e2-medium)" + default = "e2-medium" +} + +variable "network" { + type = string + description = "VPC network self_link or name" } variable "frontend_subnet_id" { - description = "ID du sous-réseau frontend" type = string + description = "Frontend subnet self_link" } variable "backend_subnet_id" { - description = "ID du sous-réseau backend" type = string + description = "Backend subnet self_link" } variable "database_subnet_id" { - description = "ID du sous-réseau database" type = string + description = "Database subnet self_link" } +variable "ssh_pub_key" { + type = string + description = "SSH public key to add as metadata for OS Login fallback (optional)" + default = "" +} + +variable "service_account_email" { + type = string + description = "Service account email to attach to instances" +} + +variable "labels" { + type = map(string) + default = {} +} \ No newline at end of file diff --git a/terraform/modules/iam/main.tf b/terraform/modules/iam/main.tf index e06329b..88a220f 100644 --- a/terraform/modules/iam/main.tf +++ b/terraform/modules/iam/main.tf @@ -1,36 +1,19 @@ -# iam/main.tf - -# 1. Compte de service pour Terraform resource "google_service_account" "terraform_sa" { - account_id = "terraform-sa" - display_name = "Terraform Service Account" + account_id = var.sa_name project = var.project_id + display_name = var.sa_display_name } -# 2. Clé pour ce compte de service resource "google_service_account_key" "terraform_sa_key" { - service_account_id = google_service_account.terraform_sa.id - public_key_type = "TYPE_X509_PEM_FILE" -} - -# 3. Rôles IAM nécessaires -resource "google_project_iam_member" "terraform_sa_roles" { - for_each = toset([ - "roles/compute.admin", - "roles/iam.serviceAccountUser", - "roles/oslogin.admin", - "roles/viewer" - ]) - - project = var.project_id - role = each.value - member = "serviceAccount:${google_service_account.terraform_sa.email}" -} - -# 4. Configuration OS Login avec clé SSH -resource "google_os_login_ssh_public_key" "terraform_sa_ssh" { - username = "terraform" - public_key = file("~/.ssh/id_rsa.pub") - project = var.project_id + service_account_id = google_service_account.terraform_sa.name + keepers = { + display_name = google_service_account.terraform_sa.display_name + } } +resource "google_project_iam_member" "sa_roles" { + for_each = toset(var.roles) + project = var.project_id + role = each.key + member = "serviceAccount:${google_service_account.terraform_sa.email}" +} \ No newline at end of file diff --git a/terraform/modules/iam/outputs.tf b/terraform/modules/iam/outputs.tf index a85dd76..cebb939 100644 --- a/terraform/modules/iam/outputs.tf +++ b/terraform/modules/iam/outputs.tf @@ -1,15 +1,12 @@ -# iam/outputs.tf - -# 1. Email du compte de service output "service_account_email" { - description = "Email du compte de service Terraform" - value = google_service_account.terraform_sa.email + value = google_service_account.terraform_sa.email } -# 2. Clé du compte de service (sensitive) output "service_account_key" { - description = "Clé privée du compte de service Terraform" - value = google_service_account_key.terraform_sa_key.private_key - sensitive = true + value = google_service_account_key.terraform_sa_key.private_key + sensitive = true } +output "service_account_key_id" { + value = google_service_account_key.terraform_sa_key.name +} \ No newline at end of file diff --git a/terraform/modules/iam/variables.tf b/terraform/modules/iam/variables.tf index 5623535..a82c35e 100644 --- a/terraform/modules/iam/variables.tf +++ b/terraform/modules/iam/variables.tf @@ -1,7 +1,26 @@ -# iam/variables.tf - variable "project_id" { - description = "ID du projet GCP" type = string + description = "GCP project id" } +variable "sa_name" { + type = string + description = "Service account name (id)" + default = "terraform-sa" +} + +variable "sa_display_name" { + type = string + description = "Service account display name" + default = "Terraform Service Account" +} + +variable "roles" { + type = list(string) + default = [ + "roles/compute.instanceAdmin.v1", + "roles/iam.serviceAccountUser", + "roles/iam.serviceAccountKeyAdmin", + ] + description = "Liste des roles à attribuer au compte de service" +} \ No newline at end of file diff --git a/terraform/modules/network/main.tf b/terraform/modules/network/main.tf index b16df69..15751c2 100644 --- a/terraform/modules/network/main.tf +++ b/terraform/modules/network/main.tf @@ -1,12 +1,9 @@ -// 1. VPC personnalisé resource "google_compute_network" "vpc" { name = "${var.project_name}-vpc" project = var.project_name auto_create_subnetworks = false } -// 2. Sous-réseaux - resource "google_compute_subnetwork" "frontend" { name = "${var.project_name}-frontend-subnet" project = var.project_name @@ -31,17 +28,12 @@ resource "google_compute_subnetwork" "database" { ip_cidr_range = var.database_cidr } -// 3. Règles de firewall - -// 3.1 HTTP/HTTPS vers frontend (depuis Internet) resource "google_compute_firewall" "frontend_http_https" { - name = "${var.project_name}-fw-frontend-http-https" - project = var.project_name - network = google_compute_network.vpc.name - + name = "${var.project_name}-fw-frontend-http-https" + project = var.project_name + network = google_compute_network.vpc.name description = "Autorise HTTP/HTTPS vers les instances frontend" - - direction = "INGRESS" + direction = "INGRESS" allow { protocol = "tcp" @@ -49,61 +41,46 @@ resource "google_compute_firewall" "frontend_http_https" { } source_ranges = ["0.0.0.0/0"] - - // Les instances frontend devront avoir ce tag - target_tags = ["frontend"] + target_tags = ["frontend"] } -// 3.2 SSH vers toutes les instances (depuis la plage fournie) resource "google_compute_firewall" "ssh_all" { - name = "${var.project_name}-fw-ssh-all" - project = var.project_name - network = google_compute_network.vpc.name - + name = "${var.project_name}-fw-ssh-all" + project = var.project_name + network = google_compute_network.vpc.name description = "Autorise SSH vers toutes les instances du VPC" - - direction = "INGRESS" + direction = "INGRESS" allow { protocol = "tcp" ports = ["22"] } - // Une seule CIDR passée en string, on l'enferme dans une liste source_ranges = [var.ssh_source_ranges] } -// 3.3 Port 8000 de frontend vers backend resource "google_compute_firewall" "frontend_to_backend_8000" { - name = "${var.project_name}-fw-frontend-backend-8000" - project = var.project_name - network = google_compute_network.vpc.name - + name = "${var.project_name}-fw-frontend-backend-8000" + project = var.project_name + network = google_compute_network.vpc.name description = "Autorise le trafic TCP 8000 des instances frontend vers backend" - - direction = "INGRESS" + direction = "INGRESS" allow { protocol = "tcp" ports = ["8000"] } - // Le trafic vient des instances taguées 'frontend' source_tags = ["frontend"] - - // Et cible les instances taguées 'backend' target_tags = ["backend"] } -// 3.4 Port 3306 de backend vers database resource "google_compute_firewall" "backend_to_database_3306" { - name = "${var.project_name}-fw-backend-database-3306" - project = var.project_name - network = google_compute_network.vpc.name - + name = "${var.project_name}-fw-backend-database-3306" + project = var.project_name + network = google_compute_network.vpc.name description = "Autorise le trafic TCP 3306 des instances backend vers database" - - direction = "INGRESS" + direction = "INGRESS" allow { protocol = "tcp" diff --git a/terraform/modules/network/outputs.tf b/terraform/modules/network/outputs.tf index 64a067f..ba6db68 100644 --- a/terraform/modules/network/outputs.tf +++ b/terraform/modules/network/outputs.tf @@ -1,12 +1,8 @@ -# output.tf - -# 1. ID du VPC output "vpc_id" { description = "ID du VPC personnalisé" value = google_compute_network.vpc.id } -# 2. IDs des sous-réseaux sous forme de map output "subnet_ids" { description = "Map des IDs des sous-réseaux (frontend, backend, database)" value = { diff --git a/terraform/modules/network/variables.tf b/terraform/modules/network/variables.tf index f2b5d44..5d2babb 100644 --- a/terraform/modules/network/variables.tf +++ b/terraform/modules/network/variables.tf @@ -1,13 +1,11 @@ variable "project_name" { description = "Name of the project" type = string - default = "school-478713" } variable "region" { description = "The region of the VM" type = string - default = "europe-west1" } variable "frontend_cidr" {