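**Listing 1: Definition für die gitlab-ci.yaml-Datei**

```yaml
# Pulls the OpenTofu CI/CD component from the instance's component catalogue.
# <COMPONENT_VERSION> / <OPENTOFU_VERSION> are placeholders (the values were
# lost in extraction); pin both to an explicit release rather than a moving ref.
include:
  - component: $CI_SERVER_FQDN/components/opentofu/full-pipeline@<COMPONENT_VERSION>
    inputs:
      # The version must currently be specified explicitly as an input,
      # to find the correctly associated images.
      # This can be removed
      # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
      version: <COMPONENT_VERSION>          # placeholder: same value as the component ref above
      opentofu_version: <OPENTOFU_VERSION>  # placeholder: OpenTofu release used by the jobs

stages: [validate, test, build, deploy, cleanup]
```

**Listing 2: Module in der Google-Cloud aufrufen**

```hcl
# Shared-VPC host project: owns the network that service projects attach to.
module "host-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "host"
  parent          = var.folder_id
  prefix          = var.prefix
  shared_vpc_host_config = {
    enabled = true
  }
}

# Service project: runs GKE / Cloud Run workloads on the host project's network.
module "service-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "service"
  parent          = var.folder_id
  prefix          = var.prefix
  services = [
    "container.googleapis.com",
    "run.googleapis.com"
  ]
  shared_vpc_service_config = {
    host_project = module.host-project.project_id
    # Roles for the service project's Google service agents (keys of the
    # inner lists) on the host project's network. Keep this list limited to
    # the agents the enabled APIs above actually need — each binding is a
    # cross-project grant.
    service_agent_iam = {
      "roles/compute.networkUser" = [
        "cloudservices",
        "container-engine"
      ]
      "roles/vpcaccess.user" = [
        "cloudrun"
      ]
      "roles/container.hostServiceAgentUser" = [
        "container-engine"
      ]
    }
  }
}
```

**Listing 3: YAML-Dateien in Ordner ablegen**

```yaml
# Organization-policy constraints, one file/entry per constraint name.

# Only images from the listed projects may be used to create VM disks.
compute.trustedImageProjects:
  rules:
    - allow:
        values:
          - projects/my-project

# No VM instance may receive an external (public) IP address.
compute.vmExternalIpAccess:
  rules:
    - deny:
        all: true

# IAM policies may only contain members from these Cloud Identity customer IDs
# (the C0xxxxxxx values are placeholders for real customer IDs).
iam.allowedPolicyMemberDomains:
  rules:
    - allow:
        values:
          - C0xxxxxxx
          - C0yyyyyyy
```

**Listing 4: Netze über net-vpc-Module anlegen**

```hcl
module "vpc-host" {
  source     = "./fabric/modules/net-vpc"
  project_id = var.project_id
  name       = "my-host-network"
  subnets = [
    {
      ip_cidr_range = "10.0.0.0/24"
      name          = "subnet-1"
      region        = "europe-west1"
      # Alias ranges for GKE pods and services.
      secondary_ip_ranges = {
        pods     = "172.16.0.0/20"
        services = "192.168.0.0/24"
      }
      # Subnet-level bindings for the workload service account.
      # NOTE(review): roles/compute.securityAdmin is considerably broader than
      # networkUser — confirm the account really needs it on this subnet.
      iam = {
        "roles/compute.networkUser" = [
          "serviceAccount:${var.service_account.email}"
        ]
        "roles/compute.securityAdmin" = [
          "serviceAccount:${var.service_account.email}"
        ]
      }
    }
  ]
  shared_vpc_host = true
  shared_vpc_service_projects = [
    module.service-project.project_id
  ]
}
```

**Listing 5: Aufbau eines hochverfügbaren VPN**

```hcl
# HA VPN to an on-premises gateway with a single redundant peer IP and two
# BGP tunnels (one per Cloud VPN gateway interface).
#
# The shared secrets and MD5 keys below ("mySecret", "foo"/"bar") are example
# values. In real code pass them in as variables marked `sensitive = true`
# (or read them from Secret Manager) and keep them out of version control;
# note that they still end up in the state file, so restrict access to the
# state backend accordingly.
module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = {
    asn = 64514
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar" # example value — supply from a sensitive variable
        }
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret" # example value — supply from a sensitive variable
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar" # example value — supply from a sensitive variable
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret" # example value — supply from a sensitive variable
      vpn_gateway_interface           = 1
    }
  }
}
```

**Listing 6: Erzeugen einer privaten DNS-Zone**

```hcl
# Private zone visible only from the listed VPC network.
module "private-dns" {
  source     = "./fabric/modules/dns"
  project_id = var.project_id
  name       = "test-example"
  zone_config = {
    domain = "test.example."
    private = {
      client_networks = [var.vpc.self_link]
    }
  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A myhost"    = { ttl = 600, records = ["10.0.0.120"] }
  }
  # roles/dns.admin lets the group change every record in the zone; bind it
  # to a group rather than individual users so membership is reviewable.
  iam = {
    "roles/dns.admin" = ["group:${var.group_email}"]
  }
}
```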