diff --git a/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample index 462ab797..5053e59f 100644 --- a/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample +++ b/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample @@ -84,13 +84,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/awm-lb-connectors-ha-lls/vars.tf b/deployments/aws/awm-lb-connectors-ha-lls/vars.tf index b3b24866..e0fc6c93 100644 --- a/deployments/aws/awm-lb-connectors-ha-lls/vars.tf +++ b/deployments/aws/awm-lb-connectors-ha-lls/vars.tf @@ -125,7 +125,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -457,7 +457,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { 
@@ -492,7 +492,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample index 462ab797..5053e59f 100644 --- a/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample +++ b/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample @@ -84,13 +84,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/awm-lb-connectors-lls/vars.tf b/deployments/aws/awm-lb-connectors-lls/vars.tf index 5014c44e..20da9fdb 100644 --- a/deployments/aws/awm-lb-connectors-lls/vars.tf +++ b/deployments/aws/awm-lb-connectors-lls/vars.tf @@ -125,7 +125,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { 
@@ -430,7 +430,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -465,7 +465,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/aws/awm-lb-connectors/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors/terraform.tfvars.sample index 652244dd..ea8436f7 100644 --- a/deployments/aws/awm-lb-connectors/terraform.tfvars.sample +++ b/deployments/aws/awm-lb-connectors/terraform.tfvars.sample @@ -78,13 +78,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/awm-lb-connectors/vars.tf b/deployments/aws/awm-lb-connectors/vars.tf index c0d41982..7088f7bd 100644 --- a/deployments/aws/awm-lb-connectors/vars.tf +++ b/deployments/aws/awm-lb-connectors/vars.tf 
@@ -125,7 +125,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -378,7 +378,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -413,7 +413,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/aws/awm-single-connector/terraform.tfvars.sample b/deployments/aws/awm-single-connector/terraform.tfvars.sample index df10259d..32b805fe 100644 --- a/deployments/aws/awm-single-connector/terraform.tfvars.sample +++ b/deployments/aws/awm-single-connector/terraform.tfvars.sample @@ -66,13 +66,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" 
diff --git a/deployments/aws/awm-single-connector/vars.tf b/deployments/aws/awm-single-connector/vars.tf index 6d0e2bbc..d48f97a2 100644 --- a/deployments/aws/awm-single-connector/vars.tf +++ b/deployments/aws/awm-single-connector/vars.tf @@ -126,7 +126,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -358,7 +358,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -393,7 +393,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample b/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample index e730ac9c..4e1dedce 100644 --- a/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample +++ b/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample 
@@ -64,13 +64,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/lb-connectors-ha-lls/vars.tf b/deployments/aws/lb-connectors-ha-lls/vars.tf index b8caf0a8..71a44fbf 100644 --- a/deployments/aws/lb-connectors-ha-lls/vars.tf +++ b/deployments/aws/lb-connectors-ha-lls/vars.tf @@ -110,7 +110,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -421,7 +421,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -461,7 +461,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "centos_gfx_instance_count" { diff --git a/deployments/aws/lb-connectors-lls/terraform.tfvars.sample b/deployments/aws/lb-connectors-lls/terraform.tfvars.sample index e730ac9c..4e1dedce 100644 
--- a/deployments/aws/lb-connectors-lls/terraform.tfvars.sample +++ b/deployments/aws/lb-connectors-lls/terraform.tfvars.sample @@ -64,13 +64,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/lb-connectors-lls/vars.tf b/deployments/aws/lb-connectors-lls/vars.tf index 0d64d6bd..9c879334 100644 --- a/deployments/aws/lb-connectors-lls/vars.tf +++ b/deployments/aws/lb-connectors-lls/vars.tf @@ -110,7 +110,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -394,7 +394,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -429,7 +429,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { 
diff --git a/deployments/aws/lb-connectors/terraform.tfvars.sample b/deployments/aws/lb-connectors/terraform.tfvars.sample index f7f0218e..f7e1f498 100644 --- a/deployments/aws/lb-connectors/terraform.tfvars.sample +++ b/deployments/aws/lb-connectors/terraform.tfvars.sample @@ -61,13 +61,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/lb-connectors/vars.tf b/deployments/aws/lb-connectors/vars.tf index b710c44a..08028a98 100644 --- a/deployments/aws/lb-connectors/vars.tf +++ b/deployments/aws/lb-connectors/vars.tf @@ -110,7 +110,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_pcoip_agent_install" { @@ -348,7 +348,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { 
@@ -383,7 +383,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/aws/single-connector/terraform.tfvars.sample b/deployments/aws/single-connector/terraform.tfvars.sample index 78cf859b..451f260d 100644 --- a/deployments/aws/single-connector/terraform.tfvars.sample +++ b/deployments/aws/single-connector/terraform.tfvars.sample @@ -49,13 +49,13 @@ win_gfx_instance_count = 0 # win_gfx_instance_type = "g4dn.xlarge" # win_gfx_disk_size_gb = 50 # win_gfx_ami_owner = "amazon" -# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" win_std_instance_count = 0 # win_std_instance_type = "t3.xlarge" # win_std_disk_size_gb = 50 # win_std_ami_owner = "amazon" -# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13" +# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11" centos_gfx_instance_count = 0 # centos_gfx_instance_type = "g4dn.xlarge" diff --git a/deployments/aws/single-connector/vars.tf b/deployments/aws/single-connector/vars.tf index cc1eb80b..fcc3f26c 100644 --- a/deployments/aws/single-connector/vars.tf +++ b/deployments/aws/single-connector/vars.tf @@ -110,7 +110,7 @@ variable "dc_ami_owner" { variable "dc_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "dc_admin_password" { 
@@ -327,7 +327,7 @@ variable "win_gfx_ami_owner" { variable "win_gfx_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_gfx_pcoip_agent_version" { @@ -362,7 +362,7 @@ variable "win_std_ami_owner" { variable "win_std_ami_name" { description = "Name of the Windows AMI to create workstation from" - default = "Windows_Server-2019-English-Full-Base-2023.09.13" + default = "Windows_Server-2019-English-Full-Base-2023.10.11" } variable "win_std_pcoip_agent_version" { diff --git a/deployments/gcp/awm-multi-region/main.tf b/deployments/gcp/awm-multi-region/main.tf index fd49492e..4cd48c74 100644 --- a/deployments/gcp/awm-multi-region/main.tf +++ b/deployments/gcp/awm-multi-region/main.tf @@ -104,12 +104,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb 
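Review bot: Each optional entry in the new `network_tags` list repeats the firewall resource's `count` condition, e.g. `var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : []`, so a flag and its rule can drift apart if one is edited without the other. The splat form `google_compute_firewall.allow-icmp[*].name` already yields an empty list when `count` is 0 and the single name when it is 1, so the three conditional entries can be passed to `concat` directly with no ternary and no `[0]` index; as far as I can tell the conditional form also works, so this is a style point. The same pattern appears in the awm, awc-igm, win-gfx, win-std, centos-gfx and centos-std hunks of this file and in every `network_tags` hunk of deployments/gcp/awm-nlb-multi-region/main.tf. The `module "dc"` block continues outside the hunk.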
@@ -139,11 +140,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb @@ -179,12 +181,13 @@ module "awc-igm" { gcp_region_list = var.awc_region_list subnet_list = google_compute_subnetwork.awc-subnets[*].self_link - network_tags = [ - google_compute_firewall.allow-google-health-check.name, - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-health-check.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type 
@@ -307,10 +310,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name @@ -353,10 +357,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -401,10 +406,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -454,10 +460,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/awm-multi-region/networking.tf b/deployments/gcp/awm-multi-region/networking.tf index 37836057..90815a1e 100644 --- a/deployments/gcp/awm-multi-region/networking.tf +++ b/deployments/gcp/awm-multi-region/networking.tf @@ -69,6 +69,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -78,7 +80,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
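Review bot: The new `allow-iap` resource declares two `allow` blocks with the same protocol; a single block with `protocol = "tcp"` and `ports = ["22", "3389"]` expresses the same rule. Because the DC, Anyware Manager, connector and every workstation module attach the `fw-allow-iap` tag whenever `gcp_iap_enable` is set (main.tf in this change), this one rule also opens 3389 toward Linux hosts and 22 toward Windows hosts from `local.iap_cidr`; if that is not intended, an SSH-only rule for the Linux tags and an RDP-only rule for the Windows tags would keep each host at the single admin port it actually serves. The identical resource is added in deployments/gcp/awm-nlb-multi-region/networking.tf.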
@@ -97,6 +120,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -110,7 +134,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -127,6 +151,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/awm-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-multi-region/terraform.tfvars.sample index b4b4847a..be7b6173 100644 --- a/deployments/gcp/awm-multi-region/terraform.tfvars.sample +++ b/deployments/gcp/awm-multi-region/terraform.tfvars.sample 
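Review bot: The `count = var.enable_rdp ? 1 : 0` line added to `allow-rdp` sits directly above `name` with no separating blank line, whereas the `allow-ssh` and `allow-iap` resources in this file put a blank line after `count`; the `allow-icmp` hunk further down has the same layout. Matching the `allow-ssh` layout keeps the three conditional resources visually alike. The `allow` blocks of `allow-rdp` and `allow-icmp` are outside these hunks.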
@@ -96,21 +96,21 @@ centos_std_instance_count_list = [] # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-multi-region/vars.tf b/deployments/gcp/awm-multi-region/vars.tf index c70747f9..78410afd 100644 --- a/deployments/gcp/awm-multi-region/vars.tf +++ b/deployments/gcp/awm-multi-region/vars.tf 
@@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -169,7 +187,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { @@ -235,7 +253,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? 
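Review bot: The descriptions of the new `enable_ssh`, `enable_icmp` and `enable_rdp` variables say the traffic is admitted "from allowed_admin_cidrs", but the rules they gate use `source_ranges = concat([local.myip], var.allowed_admin_cidrs)` (networking.tf in this change), so the deployer's own IP is admitted as well; suggest `description = "Create the firewall rule allowing TCP port 22 (SSH) to Linux-based machines from the deployer's IP (local.myip) and allowed_admin_cidrs"` and the equivalent wording for the other two. `enable_rdp` also states "TCP/UDP 3389", which only holds if the `allow` blocks of the `allow-rdp` resource, not shown in this change, really list both protocols.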
@@ -399,7 +417,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { @@ -429,7 +447,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -469,7 +487,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { @@ -494,7 +512,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -523,7 +541,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } 
diff --git a/deployments/gcp/awm-nlb-multi-region/main.tf b/deployments/gcp/awm-nlb-multi-region/main.tf index cc4616c4..34ef0dc6 100644 --- a/deployments/gcp/awm-nlb-multi-region/main.tf +++ b/deployments/gcp/awm-nlb-multi-region/main.tf @@ -106,12 +106,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb @@ -141,11 +142,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb 
@@ -184,11 +186,12 @@ module "awc" { subnet_list = google_compute_subnetwork.awc-subnets[*].self_link external_pcoip_ip_list = google_compute_address.nlb-ip[*].address enable_awc_external_ip = var.awc_enable_external_ip - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type @@ -295,10 +298,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name 
@@ -341,10 +345,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -389,10 +394,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -442,10 +448,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/awm-nlb-multi-region/networking.tf b/deployments/gcp/awm-nlb-multi-region/networking.tf index 8a98b1b8..0215a06d 100644 --- a/deployments/gcp/awm-nlb-multi-region/networking.tf +++ b/deployments/gcp/awm-nlb-multi-region/networking.tf @@ -68,6 +68,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -77,7 +79,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
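Review bot: The new `allow-iap` rule in networking.tf opens TCP 22 and 3389 together to every instance tagged `fw-allow-iap`, and main.tf attaches that tag to the Linux awm/awc/centos hosts and the Windows DC/workstations alike, so each host gets a port admitted from the IAP range that it runs no service on; the previous design kept IAP scoped per host by folding `local.iap_cidr` into `allow-ssh` and `allow-rdp`. Splitting it into `allow-iap-ssh` and `allow-iap-rdp` with their own target tags (Linux modules take `allow-iap-ssh[0].name`, Windows ones `allow-iap-rdp[0].name`) restores that scoping. The header comment should also state what the rule does and does not do: it only admits GCP's IAP TCP-forwarding range at the VPC firewall, and who may actually open a tunnel is still decided by IAP's IAM bindings, which this Terraform does not create, so the `gcp_iap_enable = true` default is only as tight as those bindings. If the rule is kept as a single resource, the two `allow` blocks for the same protocol collapse to `allow { protocol = "tcp" ports = ["22", "3389"] }`.
```hcl
# IAP TCP forwarding: admits only GCP's IAP source range at the VPC firewall.
# Who may open a tunnel is still enforced by IAP's IAM bindings, which are
# not managed by this Terraform.
resource "google_compute_firewall" "allow-iap-ssh" {
  count = var.gcp_iap_enable ? 1 : 0

  name    = "${local.prefix}fw-allow-iap-ssh"
  network = google_compute_network.vpc.self_link

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  target_tags   = ["${local.prefix}fw-allow-iap-ssh"]
  source_ranges = local.iap_cidr
}

resource "google_compute_firewall" "allow-iap-rdp" {
  count = var.gcp_iap_enable ? 1 : 0

  name    = "${local.prefix}fw-allow-iap-rdp"
  network = google_compute_network.vpc.self_link

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  target_tags   = ["${local.prefix}fw-allow-iap-rdp"]
  source_ranges = local.iap_cidr
}
# … unchanged: allow-google-health-check and the remaining rules …
```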
@@ -96,6 +119,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -109,7 +133,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -126,6 +150,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample index 464d8144..48fc0458 100644 --- a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample +++ b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample 
@@ -93,21 +93,21 @@ centos_std_instance_count_list = [] # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-nlb-multi-region/vars.tf b/deployments/gcp/awm-nlb-multi-region/vars.tf index 438984fc..4e5d2d0e 100644 --- a/deployments/gcp/awm-nlb-multi-region/vars.tf +++ b/deployments/gcp/awm-nlb-multi-region/vars.tf 
@@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -169,7 +187,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { @@ -235,7 +253,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? 
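Review bot: The three new variable descriptions say the port is opened "from allowed_admin_cidrs", but the `allow-ssh` and `allow-rdp` rules in networking.tf keep `source_ranges = concat([local.myip], var.allowed_admin_cidrs)`, so the deploying machine's detected public IP is admitted as well; an operator who sets `allowed_admin_cidrs = []` would wrongly conclude nothing is exposed. Suggest wording such as `description = "Create the firewall rule that opens TCP 22 on all Linux-based machines to the deploying host's public IP (local.myip) and to allowed_admin_cidrs; IAP access is controlled separately by gcp_iap_enable"`, with the matching text for `enable_rdp` and `enable_icmp`. Because the defaults flip to `false`, it is also worth confirming that nothing in the provisioning path (the deployments still take `centos_admin_ssh_pub_key_file`) relies on SSH from the Terraform host, since that path is now closed unless the flag is set.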
@@ -392,7 +410,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { @@ -422,7 +440,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -462,7 +480,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { @@ -487,7 +505,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -516,7 +534,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } 
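Review bot: The expanded `gcp_iap_enable` description in the last hunk correctly lists the ports, but since this is now the only administrative path left on by default (`enable_ssh`, `enable_rdp` and `enable_icmp` all default to `false`), it should say that the firewall opening is necessary but not sufficient: tunnel access still requires IAP's IAM permissions, which this variable does not grant. Suggest appending `Tunnel access is still gated by IAP's IAM permissions, which must be granted separately; set to false to remove the rule and the fw-allow-iap tag entirely` so an operator neither assumes `true` alone grants access nor that `false` is required to close it. Whether the IAP API itself is enabled elsewhere in the repo is outside this diff.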
diff --git a/deployments/gcp/awm-single-connector/main.tf b/deployments/gcp/awm-single-connector/main.tf index 3448dbd5..00e785cf 100644 --- a/deployments/gcp/awm-single-connector/main.tf +++ b/deployments/gcp/awm-single-connector/main.tf @@ -105,12 +105,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb @@ -140,11 +141,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb 
@@ -181,11 +183,12 @@ module "awc" { gcp_region_list = [var.gcp_region] subnet_list = [google_compute_subnetwork.awc-subnet.self_link] - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.awc_instance_count] machine_type = var.awc_machine_type @@ -233,10 +236,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.win_gfx_instance_count] instance_name = var.win_gfx_instance_name @@ -279,10 +283,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.win_std_instance_count] instance_name = var.win_std_instance_name 
@@ -327,10 +332,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_gfx_instance_count] instance_name = var.centos_gfx_instance_name @@ -380,10 +386,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_std_instance_count] instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/awm-single-connector/networking.tf b/deployments/gcp/awm-single-connector/networking.tf index e4b187c2..ce59c27b 100644 --- a/deployments/gcp/awm-single-connector/networking.tf +++ b/deployments/gcp/awm-single-connector/networking.tf @@ -68,6 +68,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link 
@@ -77,10 +79,32 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -94,7 +118,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -111,6 +135,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/awm-single-connector/terraform.tfvars.sample b/deployments/gcp/awm-single-connector/terraform.tfvars.sample index 4f9c532f..cdafea37 100644 --- a/deployments/gcp/awm-single-connector/terraform.tfvars.sample +++ b/deployments/gcp/awm-single-connector/terraform.tfvars.sample 
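Review bot: The `allow-iap` resource added here is a byte-for-byte copy of the one added to the other GCP deployments in this commit, and the `count` line added to `allow-rdp` lacks the blank separator that `allow-ssh` received just above; both are style points. Four identical rules whose ports, tags and CIDR must stay in sync are a good candidate for a small shared module, or at minimum a shared `locals` entry for the port list, so a later change to one deployment is not silently missed in the others. Within the rule, two `allow` blocks for the same protocol collapse to `allow { protocol = "tcp" ports = ["22", "3389"] }`.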
@@ -66,24 +66,24 @@ win_gfx_instance_count = 0 # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" win_std_instance_count = 0 # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" centos_gfx_instance_count = 0 # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_std_instance_count = 0 # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-single-connector/vars.tf b/deployments/gcp/awm-single-connector/vars.tf index bacfb4b1..a1baec56 100644 --- a/deployments/gcp/awm-single-connector/vars.tf +++ b/deployments/gcp/awm-single-connector/vars.tf 
@@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -122,7 +140,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { @@ -183,7 +201,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? 
@@ -372,7 +390,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { @@ -402,7 +420,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -442,7 +460,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count" { @@ -467,7 +485,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -496,7 +514,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/dc-only/main.tf b/deployments/gcp/dc-only/main.tf index ff49b9ac..1914c369 100644 
--- a/deployments/gcp/dc-only/main.tf +++ b/deployments/gcp/dc-only/main.tf @@ -94,13 +94,14 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-dns.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - ] + network_tags = concat( + [google_compute_firewall.allow-dns.name], + [google_compute_firewall.allow-winrm.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script diff --git a/deployments/gcp/dc-only/networking.tf b/deployments/gcp/dc-only/networking.tf index e079f25f..b5d06f4c 100644 --- a/deployments/gcp/dc-only/networking.tf +++ b/deployments/gcp/dc-only/networking.tf @@ -62,7 +62,29 @@ resource "google_compute_firewall" "allow-internal" { source_ranges = [var.dc_subnet_cidr] } +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr +} + resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link 
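Review bot: In dc-only's networking.tf the new `allow-iap` rule opens TCP 22 as well as 3389 from the IAP range, but this deployment provisions only the Windows domain controller and its vars.tf gains no `enable_ssh` flag, so the port-22 `allow` block has no consumer here and should be dropped, leaving `allow { protocol = "tcp" ports = ["3389"] }`. If the intent is to keep the rule identical across the four deployments, say so in the `# To allow IAP to connect to GCP VM instances` comment so the unused port is not read as an oversight by the next reviewer.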
@@ -76,7 +98,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -93,6 +115,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/dc-only/vars.tf b/deployments/gcp/dc-only/vars.tf index c960d4ee..8ecc7709 100644 --- a/deployments/gcp/dc-only/vars.tf +++ b/deployments/gcp/dc-only/vars.tf @@ -20,6 +20,17 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} variable "gcp_zone" { description = "GCP zone" @@ -76,7 +87,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { 
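Review bot: The new `enable_rdp` block in dc-only's vars.tf is not followed by a blank line before `variable "gcp_zone" {`, unlike the same variables in the other deployments; add the separator, since `terraform fmt` will not insert one. The descriptions also understate the exposure: `allow-rdp`'s `source_ranges` in the hunk above is `concat([local.myip], var.allowed_admin_cidrs)`, so the deploying host's public IP is admitted too, and `local.myip` should be named in the `enable_rdp` and `enable_icmp` descriptions.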
@@ -169,7 +180,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/multi-region/main.tf b/deployments/gcp/multi-region/main.tf index 29da6f1f..22dd94a2 100644 --- a/deployments/gcp/multi-region/main.tf +++ b/deployments/gcp/multi-region/main.tf @@ -102,12 +102,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script 
@@ -140,12 +141,13 @@ module "awc-igm" { gcp_region_list = var.awc_region_list subnet_list = google_compute_subnetwork.awc-subnets[*].self_link - network_tags = [ - google_compute_firewall.allow-google-health-check.name, - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-health-check.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type @@ -268,10 +270,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name 
@@ -314,10 +317,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -362,10 +366,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -415,10 +420,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/multi-region/networking.tf b/deployments/gcp/multi-region/networking.tf index 4a31ef11..23cba1c5 100644 --- a/deployments/gcp/multi-region/networking.tf +++ b/deployments/gcp/multi-region/networking.tf @@ -67,6 +67,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -76,7 +78,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
@@ -95,6 +118,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -108,7 +132,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -125,6 +149,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/multi-region/terraform.tfvars.sample b/deployments/gcp/multi-region/terraform.tfvars.sample index 244539b4..ad986f81 100644 --- a/deployments/gcp/multi-region/terraform.tfvars.sample +++ b/deployments/gcp/multi-region/terraform.tfvars.sample 
@@ -87,21 +87,21 @@ centos_std_instance_count_list = [] # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/multi-region/vars.tf b/deployments/gcp/multi-region/vars.tf index 7e048367..373b5308 100644 --- a/deployments/gcp/multi-region/vars.tf +++ b/deployments/gcp/multi-region/vars.tf 
@@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -179,7 +197,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? @@ -364,7 +382,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { 
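Review bot: The descriptions of `enable_ssh` and `enable_rdp` say the ports are opened "from allowed_admin_cidrs", but the `allow-ssh` and `allow-rdp` rules in networking.tf also admit `local.myip`, the public IP of the host running Terraform, so the variable documentation understates what is exposed. Suggested wording for `enable_ssh`: `description = "Open TCP 22 on Linux instances to the public IP of the Terraform host (local.myip) and to allowed_admin_cidrs"`, with the matching change for `enable_rdp`. The `enable_rdp` text also claims "TCP/UDP 3389" while the `allow-iap` rule only opens TCP 3389; the `allow-rdp` protocol blocks are not in this diff, so please confirm UDP is actually permitted before documenting it.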
@@ -394,7 +412,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -434,7 +452,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { @@ -459,7 +477,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -488,7 +506,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/nlb-multi-region/main.tf b/deployments/gcp/nlb-multi-region/main.tf index a83c091f..79375602 100644 --- a/deployments/gcp/nlb-multi-region/main.tf +++ b/deployments/gcp/nlb-multi-region/main.tf 
@@ -103,12 +103,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script @@ -143,11 +144,12 @@ module "awc" { subnet_list = google_compute_subnetwork.awc-subnets[*].self_link external_pcoip_ip_list = google_compute_address.nlb-ip[*].address enable_awc_external_ip = var.awc_enable_external_ip - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type 
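Review bot: `allow-winrm` stays attached to the domain controller unconditionally while RDP, SSH and ICMP are now opt-in, so if its `source_ranges` follow the old `allow-rdp` pattern of `local.myip` plus `allowed_admin_cidrs` (its body is outside this diff, so I could not confirm), WinRM remains the one management port reachable from the admin CIDRs regardless of the new flags. Either confirm that rule is internal-only or gate it the same way, and document the choice next to the tag: `# WinRM is always attached: required for provisioning; source ranges are restricted in networking.tf`. As a point of style, the two single-element lists at the top of `concat` can be one list, `[google_compute_firewall.allow-google-dns.name, google_compute_firewall.allow-winrm.name]`.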
@@ -255,10 +257,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name @@ -301,10 +304,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -349,10 +353,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -402,10 +407,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/nlb-multi-region/networking.tf b/deployments/gcp/nlb-multi-region/networking.tf index 2ee41ded..a94caeda 100644 --- a/deployments/gcp/nlb-multi-region/networking.tf +++ b/deployments/gcp/nlb-multi-region/networking.tf @@ -67,6 +67,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -76,7 +78,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
@@ -95,6 +118,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -108,7 +132,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -125,6 +149,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample index 729c6a9d..ff65315c 100644 --- a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample +++ b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample 
@@ -84,21 +84,21 @@ centos_std_instance_count_list = [] # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/nlb-multi-region/vars.tf b/deployments/gcp/nlb-multi-region/vars.tf index b4587d2c..2a57eb3a 100644 --- a/deployments/gcp/nlb-multi-region/vars.tf +++ b/deployments/gcp/nlb-multi-region/vars.tf 
@@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -179,7 +197,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? @@ -357,7 +375,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { 
@@ -387,7 +405,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -427,7 +445,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { @@ -452,7 +470,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -481,7 +499,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/single-connector/main.tf b/deployments/gcp/single-connector/main.tf index d94f07ca..fd9f6fb7 100644 --- a/deployments/gcp/single-connector/main.tf +++ b/deployments/gcp/single-connector/main.tf 
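Review bot: With `enable_ssh`, `enable_rdp` and `enable_icmp` defaulting to `false` earlier in this file and `gcp_iap_enable` defaulting to `true`, setting `gcp_iap_enable = false` without enabling one of the others removes every SSH/RDP path this deployment creates, which the new description should warn about so an operator does not lock themselves out; one sentence suffices, e.g. `If set to 'false', enable_ssh or enable_rdp must be set to reach the VMs over SSH/RDP.` The description should also note that IAP-range traffic is only usable by principals holding the IAP tunnel role, which this deployment does not grant (no IAM resource appears in the diff). The long single-sentence description would read better split into two or three sentences.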
@@ -102,12 +102,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script @@ -140,11 +141,12 @@ module "awc" { gcp_region_list = [var.gcp_region] subnet_list = [google_compute_subnetwork.awc-subnet.self_link] - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [ google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.awc_instance_count] machine_type = var.awc_machine_type 
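Review bot: The `awc` module's `network_tags` has a stray space inside the first list, `[ google_compute_firewall.allow-pcoip.name]`, which the equivalent hunks in the multi-region and nlb-multi-region main.tf files do not have; `terraform fmt` will not fix spacing inside brackets, so please change it to `[google_compute_firewall.allow-pcoip.name]` for consistency. The rest of the hunk matches the other deployments' ordering of icmp, ssh and iap entries.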
@@ -191,10 +193,12 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) + instance_count_list = [var.win_gfx_instance_count] instance_name = var.win_gfx_instance_name @@ -237,10 +241,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.win_std_instance_count] instance_name = var.win_std_instance_name @@ -285,10 +290,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_gfx_instance_count] instance_name = var.centos_gfx_instance_name 
@@ -338,10 +344,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_std_instance_count] instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/single-connector/networking.tf b/deployments/gcp/single-connector/networking.tf index 08c09113..86facc97 100644 --- a/deployments/gcp/single-connector/networking.tf +++ b/deployments/gcp/single-connector/networking.tf @@ -63,6 +63,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link 
@@ -72,10 +74,32 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -89,7 +113,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -106,6 +130,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/single-connector/terraform.tfvars.sample b/deployments/gcp/single-connector/terraform.tfvars.sample index cbcb39d5..73b9a26b 100644 --- a/deployments/gcp/single-connector/terraform.tfvars.sample +++ b/deployments/gcp/single-connector/terraform.tfvars.sample 
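Review bot: The two `allow` blocks in `allow-iap` share `protocol = "tcp"` and can be one block, `allow { protocol = "tcp" ports = ["22", "3389"] }`, which makes it clearer at a glance that this rule opens exactly two ports to the IAP range. The resource body is repeated verbatim in the multi-region and nlb-multi-region networking.tf hunks of this same change, presumably intentional given the per-deployment layout, but any future change to the port list now has three places to update; a comment such as `# Keep in sync with the allow-iap rule in the other GCP deployments` would help. Note that `source_ranges = local.iap_cidr` is the only thing scoping this rule, so the local's value (defined outside this hunk) is security-relevant and worth a comment where it is declared.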
@@ -57,24 +57,24 @@ win_gfx_instance_count = 0 # win_gfx_accelerator_type = "nvidia-tesla-p4-vws" # win_gfx_accelerator_count = 1 # win_gfx_disk_size_gb = 50 -# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" win_std_instance_count = 0 # win_std_machine_type = "n1-standard-4" # win_std_disk_size_gb = 50 -# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" +# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" centos_gfx_instance_count = 0 # centos_gfx_machine_type = "n1-standard-2" # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_std_instance_count = 0 # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/single-connector/vars.tf b/deployments/gcp/single-connector/vars.tf index 664d262c..fefb08af 100644 --- a/deployments/gcp/single-connector/vars.tf +++ b/deployments/gcp/single-connector/vars.tf 
@@ -15,6 +15,24 @@ variable "gcp_credentials_file" { } } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_region" { description = "GCP region" default = "us-west2" @@ -81,7 +99,7 @@ variable "dc_disk_size_gb" { variable "dc_disk_image" { description = "Disk image for the Domain Controller" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "dc_admin_password" { @@ -127,7 +145,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? @@ -337,7 +355,7 @@ variable "win_gfx_disk_size_gb" { variable "win_gfx_disk_image" { description = "Disk image for the Windows Graphics Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_gfx_pcoip_agent_version" { 
@@ -367,7 +385,7 @@ variable "win_std_disk_size_gb" { variable "win_std_disk_image" { description = "Disk image for the Windows Standard Workstation" - default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913" + default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011" } variable "win_std_pcoip_agent_version" { @@ -407,7 +425,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count" { @@ -432,7 +450,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { @@ -461,7 +479,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 80283ac9..b0c8ce26 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -14,15 +14,24 @@ --- -### Connecting to VMs Using SSH/RDP -- Access to AWS instances through SSH/RDP is only possible if the variables enable_ssh/enable_rdp in the terraform.tfvars file are set to True. -- To debug Linux VMs, SSH can be used to login to the machines for troubleshooting and viewing log files. -- To debug Windows VMs, a RDP client such as Windows Remote Desktop on Windows or xfreerdp on Linux can be used to login to the machines for troubleshooting and viewing log files. -- Workstation VMs are not exposed to the internet and do not have public IPs, a bastion host such as the DC or Connector can be used to access the Workstation VMs on the private network. - -### Connecting to AWS Instances Using Session Manager -- Session Manager is enabled by default on all AWS instances, allowing access to all virtual machines (VMs) via Session Manager, unless enable_ssm is set to false in terraform.tfvars -- To access VM's through SSM, Please refer this link - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html +### Accessing VMs +- For troubleshooting deployments, access to the VMs is available for debugging and log file inspection. +- By default, AWS VMs are accessible via AWS Systems Manager (SSM), whereas GCP VM instances can be accessed through the Identity-Aware Proxy (IAP). + +### Connecting to AWS VM Instances Using AWS Systems Manager (SSM) +- SSM is enabled by default on all AWS VM instances, allowing access to all VM instances via AWS Systems Manager (SSM), unless `enable_ssm` is set to false in `terraform.tfvars`. 
+- To access VM Instance's through SSM, please refer to this link - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html + +### Connecting to GCP VM Instances using Identity-Aware Proxy (IAP) +- IAP is enabled by default on all GCP VM instances, allowing access to all VM instances via Identity-Aware Proxy (IAP), unless `gcp_iap_enable` is set to false in `terraform.tfvars`. +- To access VM Instance's through IAP, please refer to this link - https://cloud.google.com/iap/docs/using-tcp-forwarding + +### Alternative ways to connect to VMs +- Should IAP or SSM be unavailable or intentionally disabled, SSH or RDP clients can be utilized for VM access. +- Direct SSH/RDP access to AWS or GCP VM instances from the machine executing Terraform is contingent upon setting the `enable_ssh` or `enable_rdp` variables to true within the `terraform.tfvars` file. +- Workstation VMs, not having public IPs, remain inaccessible from the internet. However, a bastion host—like the DC or Connector—provides a bridge to access Workstation VMs within the private network. +- For public IP access to workstation VMs, set the `enable_workstation_public_ip` to true in the `terraform.tfvars` file. +- Additionally, ensure the activation of SSH or RDP by setting the `enable_ssh` or `enable_rdp` variables respectively. ### Connecting to CentOS Workstations - One way to access CentOS Workstations is to use the Connector as a bastion host. Please refer to the log tables below for the corresponding for each VM.