From 49fe3d7ba1a828c573357fe3863280cfe997be88 Mon Sep 17 00:00:00 2001 From: Pvs Date: Mon, 17 Jul 2023 22:02:46 -0700 Subject: [PATCH 1/5] GCP: Optional Enablement of SSH, RDP, ICMP Protocols In order to restrict unwanted traffic from external sources, the SSH, RDP, and ICMP protocols have been made optional through Compute Firewall. These protocols will only be allowed if the variables enable_ssh, enable_icmp, and enable_rdp are set to true. Signed-off-by: Pvs --- deployments/gcp/awm-multi-region/main.tf | 73 ++++++++++--------- .../gcp/awm-multi-region/networking.tf | 29 +++++++- deployments/gcp/awm-multi-region/vars.tf | 21 +++++- deployments/gcp/awm-nlb-multi-region/main.tf | 71 ++++++++++-------- .../gcp/awm-nlb-multi-region/networking.tf | 29 +++++++- deployments/gcp/awm-nlb-multi-region/vars.tf | 21 +++++- deployments/gcp/awm-single-connector/main.tf | 71 ++++++++++-------- .../gcp/awm-single-connector/networking.tf | 29 +++++++- deployments/gcp/awm-single-connector/vars.tf | 21 +++++- deployments/gcp/dc-only/main.tf | 15 ++-- deployments/gcp/dc-only/networking.tf | 25 ++++++- deployments/gcp/dc-only/vars.tf | 14 +++- deployments/gcp/multi-region/main.tf | 62 +++++++++------- deployments/gcp/multi-region/networking.tf | 29 +++++++- deployments/gcp/multi-region/vars.tf | 21 +++++- deployments/gcp/nlb-multi-region/main.tf | 60 ++++++++------- .../gcp/nlb-multi-region/networking.tf | 31 +++++++- deployments/gcp/nlb-multi-region/vars.tf | 21 +++++- deployments/gcp/single-connector/main.tf | 61 +++++++++------- .../gcp/single-connector/networking.tf | 29 +++++++- deployments/gcp/single-connector/vars.tf | 21 +++++- docs/troubleshooting.md | 27 ++++--- 22 files changed, 565 insertions(+), 216 deletions(-) diff --git a/deployments/gcp/awm-multi-region/main.tf b/deployments/gcp/awm-multi-region/main.tf index fd49492e..4cd48c74 100644 --- a/deployments/gcp/awm-multi-region/main.tf +++ b/deployments/gcp/awm-multi-region/main.tf 
@@ -104,12 +104,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb @@ -139,11 +140,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb 
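Review bot: The two unconditional single-element lists that open the new `concat()` in the `dc` hunk can be one literal, `[google_compute_firewall.allow-google-dns.name, google_compute_firewall.allow-winrm.name],`, which keeps the always-on tags visually separate from the flag-gated ones. The same shape recurs in the `awc-igm` hunk below and in the `dc`/`awm`/`awc` hunks of the other main.tf files in this patch. A one-line comment above the call, `# flag-gated rules are created with count = 0/1, so [0] only exists when the flag is true`, would explain the `[0]` indexing to a reader who has not opened networking.tf. The `module "dc"` block starts and ends outside the hunk.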
@@ -179,12 +181,13 @@ module "awc-igm" { gcp_region_list = var.awc_region_list subnet_list = google_compute_subnetwork.awc-subnets[*].self_link - network_tags = [ - google_compute_firewall.allow-google-health-check.name, - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-health-check.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type @@ -307,10 +310,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name 
@@ -353,10 +357,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -401,10 +406,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -454,10 +460,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/awm-multi-region/networking.tf b/deployments/gcp/awm-multi-region/networking.tf index 37836057..90815a1e 100644 --- a/deployments/gcp/awm-multi-region/networking.tf +++ b/deployments/gcp/awm-multi-region/networking.tf @@ -69,6 +69,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -78,7 +80,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
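Review bot: The new `allow-iap` rule opens both tcp/22 and tcp/3389 to every instance carrying its single tag, and the main.tf hunks attach that tag to Windows hosts (`dc`, `win-gfx`, `win-std`) and Linux hosts (`awm`, `awc-igm`, `centos-*`) alike, so each VM gets a port opened from the IAP range that its OS does not serve. The old `allow-ssh`/`allow-rdp` rules scoped the IAP range per protocol; splitting this rule into an SSH variant and an RDP variant with separate tags, picked per OS by the modules, keeps that least-privilege scope. Reachability through IAP still depends on IAP IAM grants, so this is a hardening point rather than an exposure; if the rule stays as one, the two `allow` blocks share a protocol and collapse to `allow { protocol = "tcp" ports = ["22", "3389"] }`. The same resource is duplicated in every networking.tf in this patch.
```hcl
# IAP TCP forwarding, SSH only: attached by the Linux-based modules
resource "google_compute_firewall" "allow-iap-ssh" {
  count = var.gcp_iap_enable ? 1 : 0

  name    = "${local.prefix}fw-allow-iap-ssh"
  network = google_compute_network.vpc.self_link

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  target_tags   = ["${local.prefix}fw-allow-iap-ssh"]
  source_ranges = local.iap_cidr
}

# IAP TCP forwarding, RDP only: attached by the Windows-based modules
resource "google_compute_firewall" "allow-iap-rdp" {
  count = var.gcp_iap_enable ? 1 : 0

  name    = "${local.prefix}fw-allow-iap-rdp"
  network = google_compute_network.vpc.self_link

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  target_tags   = ["${local.prefix}fw-allow-iap-rdp"]
  source_ranges = local.iap_cidr
}
```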
@@ -97,6 +120,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -110,7 +134,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -127,6 +151,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/awm-multi-region/vars.tf b/deployments/gcp/awm-multi-region/vars.tf index c70747f9..d1d16542 100644 --- a/deployments/gcp/awm-multi-region/vars.tf +++ b/deployments/gcp/awm-multi-region/vars.tf @@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" 
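Review bot: The `count` line added to `allow-rdp` is not followed by a blank line, whereas the same line added to `allow-ssh` in the previous hunk is; one spacing convention across `allow-ssh`, `allow-rdp` and `allow-icmp` makes the three rules read as a set. The `allow-icmp` hunk below and the corresponding hunks in the other networking.tf files in this patch show the same mix. Each `resource` block starts and ends outside its hunk.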
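Review bot: The three new descriptions say the rule admits traffic "from allowed_admin_cidrs", but the matching rules in networking.tf set `source_ranges = concat([local.myip], var.allowed_admin_cidrs)`, so the deployer's own public IP is always admitted as well and the text should say so, e.g. for `enable_ssh`: `description = "Create the compute firewall rule allowing TCP 22 to all Linux-based machines from the deployer's public IP (local.myip) and allowed_admin_cidrs"`. The `enable_rdp` text names "TCP/UDP 3389"; the `allow` blocks of `allow-rdp` are outside the visible hunks, so confirm a UDP allow exists before documenting it. The `enable_icmp` text says "all workstations", although the main.tf hunks also tag the `dc`, `awm` and `awc` instances with the ICMP rule. The same variable blocks are repeated in the other vars.tf files in this patch.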
@@ -523,7 +541,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/awm-nlb-multi-region/main.tf b/deployments/gcp/awm-nlb-multi-region/main.tf index cc4616c4..34ef0dc6 100644 --- a/deployments/gcp/awm-nlb-multi-region/main.tf +++ b/deployments/gcp/awm-nlb-multi-region/main.tf @@ -106,12 +106,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb 
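Review bot: The rewritten `gcp_iap_enable` description should state that the IAP rule is created independently of `enable_ssh`/`enable_rdp`, because with the new defaults (`enable_ssh = false`, `enable_rdp = false`, `gcp_iap_enable = true`) IAP becomes the only SSH/RDP path and a reader checking the `enable_*` flags could assume they gate it too. A shorter form also matches the register of the neighbouring descriptions: `description = "Create the allow-iap compute firewall rule opening TCP 22 and 3389 from GCP's IAP CIDR range so administrators can reach VMs through IAP TCP forwarding; independent of enable_ssh/enable_rdp"`. The same description edit is repeated in the other vars.tf files in this patch.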
@@ -141,11 +142,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb @@ -184,11 +186,12 @@ module "awc" { subnet_list = google_compute_subnetwork.awc-subnets[*].self_link external_pcoip_ip_list = google_compute_address.nlb-ip[*].address enable_awc_external_ip = var.awc_enable_external_ip - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type 
@@ -295,10 +298,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name @@ -341,10 +345,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -389,10 +394,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -442,10 +448,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_std_instance_count_list instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/awm-nlb-multi-region/networking.tf b/deployments/gcp/awm-nlb-multi-region/networking.tf index 8a98b1b8..0215a06d 100644 --- a/deployments/gcp/awm-nlb-multi-region/networking.tf +++ b/deployments/gcp/awm-nlb-multi-region/networking.tf @@ -68,6 +68,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -77,7 +79,28 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } # Open TCP/443 for Google Load balancers to perform health checks 
@@ -96,6 +119,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -109,7 +133,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -126,6 +150,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/awm-nlb-multi-region/vars.tf b/deployments/gcp/awm-nlb-multi-region/vars.tf index 438984fc..eda5f4ba 100644 --- a/deployments/gcp/awm-nlb-multi-region/vars.tf +++ b/deployments/gcp/awm-nlb-multi-region/vars.tf @@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" 
@@ -516,7 +534,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/awm-single-connector/main.tf b/deployments/gcp/awm-single-connector/main.tf index 3448dbd5..00e785cf 100644 --- a/deployments/gcp/awm-single-connector/main.tf +++ b/deployments/gcp/awm-single-connector/main.tf @@ -105,12 +105,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.dc_machine_type disk_size_gb = var.dc_disk_size_gb 
@@ -140,11 +141,12 @@ module "awm" { gcp_region = var.gcp_region gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.awm-subnet.self_link - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-https.name, - ] + network_tags = concat( + [google_compute_firewall.allow-https.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) machine_type = var.awm_machine_type disk_size_gb = var.awm_disk_size_gb @@ -181,11 +183,12 @@ module "awc" { gcp_region_list = [var.gcp_region] subnet_list = [google_compute_subnetwork.awc-subnet.self_link] - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.awc_instance_count] machine_type = var.awc_machine_type @@ -233,10 +236,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.win_gfx_instance_count] instance_name = var.win_gfx_instance_name 
@@ -279,10 +283,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.win_std_instance_count] instance_name = var.win_std_instance_name @@ -327,10 +332,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_gfx_instance_count] instance_name = var.centos_gfx_instance_name @@ -380,10 +386,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_std_instance_count] instance_name = var.centos_std_instance_name 
diff --git a/deployments/gcp/awm-single-connector/networking.tf b/deployments/gcp/awm-single-connector/networking.tf index e4b187c2..ce59c27b 100644 --- a/deployments/gcp/awm-single-connector/networking.tf +++ b/deployments/gcp/awm-single-connector/networking.tf @@ -68,6 +68,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link @@ -77,10 +79,32 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -94,7 +118,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -111,6 +135,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link 
diff --git a/deployments/gcp/awm-single-connector/vars.tf b/deployments/gcp/awm-single-connector/vars.tf index bacfb4b1..05aa90ab 100644 --- a/deployments/gcp/awm-single-connector/vars.tf +++ b/deployments/gcp/awm-single-connector/vars.tf @@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" @@ -496,7 +514,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/dc-only/main.tf b/deployments/gcp/dc-only/main.tf index ff49b9ac..1914c369 100644 --- a/deployments/gcp/dc-only/main.tf +++ b/deployments/gcp/dc-only/main.tf 
@@ -94,13 +94,14 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-dns.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - ] + network_tags = concat( + [google_compute_firewall.allow-dns.name], + [google_compute_firewall.allow-winrm.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script diff --git a/deployments/gcp/dc-only/networking.tf b/deployments/gcp/dc-only/networking.tf index e079f25f..b5d06f4c 100644 --- a/deployments/gcp/dc-only/networking.tf +++ b/deployments/gcp/dc-only/networking.tf @@ -62,7 +62,29 @@ resource "google_compute_firewall" "allow-internal" { source_ranges = [var.dc_subnet_cidr] } +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr +} + resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link 
@@ -76,7 +98,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -93,6 +115,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/dc-only/vars.tf b/deployments/gcp/dc-only/vars.tf index c960d4ee..4558993d 100644 --- a/deployments/gcp/dc-only/vars.tf +++ b/deployments/gcp/dc-only/vars.tf @@ -20,6 +20,17 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} variable "gcp_zone" { description = "GCP zone" @@ -169,7 +180,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/multi-region/main.tf b/deployments/gcp/multi-region/main.tf index 29da6f1f..22dd94a2 100644 --- a/deployments/gcp/multi-region/main.tf +++ b/deployments/gcp/multi-region/main.tf 
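Review bot: In the `dc-only/vars.tf` hunk the `enable_rdp` block's closing `+}` is immediately followed by the context line `variable "gcp_zone" {`, so the blank line that every other vars.tf in this patch adds between the two blocks is missing here; add an empty added line after the brace. The absence of `enable_ssh` in this variant looks intentional, since only the `dc` module is visible in the dc-only main.tf hunk and it carries no SSH tag, but a comment above `enable_icmp` such as `# No enable_ssh here: this deployment creates no Linux-based instances` would stop the next reader from "fixing" the difference — worth confirming against the rest of dc-only/main.tf, which is outside the hunk.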
@@ -102,12 +102,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script @@ -140,12 +141,13 @@ module "awc-igm" { gcp_region_list = var.awc_region_list subnet_list = google_compute_subnetwork.awc-subnets[*].self_link - network_tags = [ - google_compute_firewall.allow-google-health-check.name, - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-health-check.name], + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type 
@@ -268,10 +270,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name @@ -314,10 +317,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -362,10 +366,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -415,10 +420,11 @@ module "centos-std" {
 idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown
 idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes
- network_tags = [
- google_compute_firewall.allow-icmp.name,
- google_compute_firewall.allow-ssh.name,
- ]
+ network_tags = concat(
+ var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [],
+ var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [],
+ var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [],
+ )
 instance_count_list = var.centos_std_instance_count_list
 instance_name = var.centos_std_instance_name
diff --git a/deployments/gcp/multi-region/networking.tf b/deployments/gcp/multi-region/networking.tf
index 4a31ef11..23cba1c5 100644
--- a/deployments/gcp/multi-region/networking.tf
+++ b/deployments/gcp/multi-region/networking.tf
@@ -67,6 +67,8 @@ resource "google_compute_firewall" "allow-internal" {
 }
 resource "google_compute_firewall" "allow-ssh" {
+ count = var.enable_ssh ? 1 : 0
+
 name = "${local.prefix}fw-allow-ssh"
 network = google_compute_network.vpc.self_link
@@ -76,7 +78,28 @@ resource "google_compute_firewall" "allow-ssh" {
 }
 target_tags = ["${local.prefix}fw-allow-ssh"]
- source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : []))
+ source_ranges = concat([local.myip], var.allowed_admin_cidrs)
+}
+
+# To allow IAP to connect to GCP VM instances
+resource "google_compute_firewall" "allow-iap" {
+ count = var.gcp_iap_enable ? 1 : 0
+
+ name = "${local.prefix}fw-allow-iap"
+ network = google_compute_network.vpc.self_link
+
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["3389"]
+ }
+
+ target_tags = ["${local.prefix}fw-allow-iap"]
+ source_ranges = local.iap_cidr
 }
 # Open TCP/443 for Google Load balancers to perform health checks
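Review bot: The new `allow-iap` rule in multi-region/networking.tf opens both TCP 22 and TCP 3389 to every instance carrying the `fw-allow-iap` tag, and main.tf in this commit attaches that tag to the hosts that otherwise only get `allow-rdp` (dc, win-gfx, win-std) as well as to those that only get `allow-ssh` (awc-igm, centos-gfx, centos-std), so each host ends up with one open port it has no service on. Since this is the rule that is on by default (`gcp_iap_enable` defaults to `true`), I'd split it into an SSH rule and an RDP rule and attach the tag per host type in main.tf, as sketched below; if you prefer to keep a single rule, at least fold the two `allow` blocks into one with `ports = ["22", "3389"]`. The identical resource is added in nlb-multi-region/networking.tf and single-connector/networking.tf. Adding `log_config { metadata = "INCLUDE_ALL_METADATA" }` to whichever form you keep would make IAP-originated sessions visible in VPC firewall logs, which is useful when investigating access to the DC.
```hcl
# To allow IAP TCP forwarding to reach Linux hosts over SSH
resource "google_compute_firewall" "allow-iap-ssh" {
  count = var.gcp_iap_enable ? 1 : 0

  name    = "${local.prefix}fw-allow-iap-ssh"
  network = google_compute_network.vpc.self_link

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  target_tags   = ["${local.prefix}fw-allow-iap-ssh"]
  source_ranges = local.iap_cidr
}

# … analogous "allow-iap-rdp" resource with ports = ["3389"] and target tag fw-allow-iap-rdp;
#   main.tf then references allow-iap-ssh[0] on Linux modules and allow-iap-rdp[0] on Windows modules …
```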
@@ -95,6 +118,7 @@ resource "google_compute_firewall" "allow-google-health-check" {
 }
 resource "google_compute_firewall" "allow-rdp" {
+ count = var.enable_rdp ? 1 : 0
 name = "${local.prefix}fw-allow-rdp"
 network = google_compute_network.vpc.self_link
@@ -108,7 +132,7 @@ resource "google_compute_firewall" "allow-rdp" {
 }
 target_tags = ["${local.prefix}fw-allow-rdp"]
- source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : []))
+ source_ranges = concat([local.myip], var.allowed_admin_cidrs)
 }
 resource "google_compute_firewall" "allow-winrm" {
@@ -125,6 +149,7 @@ resource "google_compute_firewall" "allow-winrm" {
 }
 resource "google_compute_firewall" "allow-icmp" {
+ count = var.enable_icmp ? 1 : 0
 name = "${local.prefix}fw-allow-icmp"
 network = google_compute_network.vpc.self_link
diff --git a/deployments/gcp/multi-region/vars.tf b/deployments/gcp/multi-region/vars.tf
index 7e048367..ed47bc34 100644
--- a/deployments/gcp/multi-region/vars.tf
+++ b/deployments/gcp/multi-region/vars.tf
@@ -20,6 +20,24 @@ variable "gcp_region" {
 default = "us-west2"
 }
+variable "enable_ssh" {
+ description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs"
+ type = bool
+ default = false
+}
+
+variable "enable_icmp" {
+ description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs"
+ type = bool
+ default = false
+}
+
+variable "enable_rdp" {
+ description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs"
+ type = bool
+ default = false
+}
+
 variable "gcp_zone" {
 description = "GCP zone"
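Review bot: The `count` meta-argument is inserted into `allow-rdp` and `allow-icmp` directly above `name` with no blank line, whereas the same commit inserts it into `allow-ssh` followed by a blank line; pick one layout for all three (`count = ...` then a blank line is the usual convention, since `count` is a meta-argument rather than a resource attribute). The same inconsistency repeats in nlb-multi-region/networking.tf and single-connector/networking.tf. Both enclosing resources continue outside their hunks.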
@@ -488,7 +506,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/nlb-multi-region/main.tf b/deployments/gcp/nlb-multi-region/main.tf index a83c091f..79375602 100644 --- a/deployments/gcp/nlb-multi-region/main.tf +++ b/deployments/gcp/nlb-multi-region/main.tf @@ -103,12 +103,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script 
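Review bot: The new `gcp_iap_enable` description says the flag "opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall", which reads as if every VM becomes reachable; it would help operators to add that the rule only admits Google's IAP forwarding range and that a session additionally requires an IAM grant of `roles/iap.tunnelResourceAccessor` on the instance or project, so the flag widens reachability to the IAP proxy rather than to the internet. The opening "Enables or Disables Access via GCP's IAP:" also capitalises mid-sentence words; `"Enable access via GCP Identity-Aware Proxy (IAP): ..."` reads better. The same description text is added to nlb-multi-region, single-connector and dc-only vars.tf.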
@@ -143,11 +144,12 @@ module "awc" { subnet_list = google_compute_subnetwork.awc-subnets[*].self_link external_pcoip_ip_list = google_compute_address.nlb-ip[*].address enable_awc_external_ip = var.awc_enable_external_ip - network_tags = [ - google_compute_firewall.allow-ssh.name, - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-pcoip.name, - ] + network_tags = concat( + [google_compute_firewall.allow-pcoip.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.awc_instance_count_list machine_type = var.awc_machine_type @@ -255,10 +257,11 @@ module "win-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_gfx_instance_count_list instance_name = var.win_gfx_instance_name 
@@ -301,10 +304,11 @@ module "win-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-rdp.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.win_std_instance_count_list instance_name = var.win_std_instance_name @@ -349,10 +353,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = var.centos_gfx_instance_count_list instance_name = var.centos_gfx_instance_name 
@@ -402,10 +407,11 @@ module "centos-std" {
 idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown
 idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes
- network_tags = [
- google_compute_firewall.allow-icmp.name,
- google_compute_firewall.allow-ssh.name,
- ]
+ network_tags = concat(
+ var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [],
+ var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [],
+ var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [],
+ )
 instance_count_list = var.centos_std_instance_count_list
 instance_name = var.centos_std_instance_name
diff --git a/deployments/gcp/nlb-multi-region/networking.tf b/deployments/gcp/nlb-multi-region/networking.tf
index 2ee41ded..25c6913d 100644
--- a/deployments/gcp/nlb-multi-region/networking.tf
+++ b/deployments/gcp/nlb-multi-region/networking.tf
@@ -66,7 +66,9 @@ resource "google_compute_firewall" "allow-internal" {
 )
 }
-resource "google_compute_firewall" "allow-ssh" {
+rresource "google_compute_firewall" "allow-ssh" {
+ count = var.enable_ssh ? 1 : 0
+
 name = "${local.prefix}fw-allow-ssh"
 network = google_compute_network.vpc.self_link
@@ -76,7 +78,28 @@ resource "google_compute_firewall" "allow-ssh" {
 }
 target_tags = ["${local.prefix}fw-allow-ssh"]
- source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : []))
+ source_ranges = concat([local.myip], var.allowed_admin_cidrs)
+}
+
+# To allow IAP to connect to GCP VM instances
+resource "google_compute_firewall" "allow-iap" {
+ count = var.gcp_iap_enable ? 1 : 0
+
+ name = "${local.prefix}fw-allow-iap"
+ network = google_compute_network.vpc.self_link
+
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["3389"]
+ }
+
+ target_tags = ["${local.prefix}fw-allow-iap"]
+ source_ranges = local.iap_cidr
 }
 # Open TCP/443 for Google Load balancers to perform health checks
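Review bot: `rresource "google_compute_firewall" "allow-ssh" {` in nlb-multi-region/networking.tf is a typo introduced by this hunk (the removed line reads `resource`); HCL has no `rresource` block type, so `terraform validate` will reject the whole file and every `google_compute_firewall.allow-ssh[0]` reference added to nlb-multi-region/main.tf fails with it. Restore the line as `resource "google_compute_firewall" "allow-ssh" {`. Apart from that one line the `count`/`allow-iap` edits here are identical to the multi-region version.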
@@ -95,6 +118,7 @@ resource "google_compute_firewall" "allow-google-health-check" { } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -108,7 +132,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -125,6 +149,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/nlb-multi-region/vars.tf b/deployments/gcp/nlb-multi-region/vars.tf index b4587d2c..89c4e6f0 100644 --- a/deployments/gcp/nlb-multi-region/vars.tf +++ b/deployments/gcp/nlb-multi-region/vars.tf @@ -20,6 +20,24 @@ variable "gcp_region" { default = "us-west2" } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_zone" { description = "GCP zone" 
@@ -481,7 +499,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/deployments/gcp/single-connector/main.tf b/deployments/gcp/single-connector/main.tf index d94f07ca..fd9f6fb7 100644 --- a/deployments/gcp/single-connector/main.tf +++ b/deployments/gcp/single-connector/main.tf @@ -102,12 +102,13 @@ module "dc" { gcp_zone = var.gcp_zone subnet = google_compute_subnetwork.dc-subnet.self_link private_ip = var.dc_private_ip - network_tags = [ - google_compute_firewall.allow-google-dns.name, - google_compute_firewall.allow-rdp.name, - google_compute_firewall.allow-winrm.name, - google_compute_firewall.allow-icmp.name, - ] + network_tags = concat( + [google_compute_firewall.allow-google-dns.name], + [google_compute_firewall.allow-winrm.name], + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) gcp_ops_agent_enable = var.gcp_ops_agent_enable ops_setup_script = local.ops_win_setup_script 
@@ -140,11 +141,12 @@ module "awc" {
 gcp_region_list = [var.gcp_region]
 subnet_list = [google_compute_subnetwork.awc-subnet.self_link]
- network_tags = [
- google_compute_firewall.allow-ssh.name,
- google_compute_firewall.allow-icmp.name,
- google_compute_firewall.allow-pcoip.name,
- ]
+ network_tags = concat(
+ [ google_compute_firewall.allow-pcoip.name],
+ var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [],
+ var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [],
+ var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [],
+ )
 instance_count_list = [var.awc_instance_count]
 machine_type = var.awc_machine_type
@@ -191,10 +193,12 @@ module "win-gfx" {
 idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown
 idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes
- network_tags = [
- google_compute_firewall.allow-icmp.name,
- google_compute_firewall.allow-rdp.name,
- ]
+ network_tags = concat(
+ var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [],
+ var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [],
+ var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [],
+ )
+
 instance_count_list = [var.win_gfx_instance_count]
 instance_name = var.win_gfx_instance_name
@@ -237,10 +241,11 @@ module "win-std" {
 idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown
 idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes
- network_tags = [
- google_compute_firewall.allow-icmp.name,
- google_compute_firewall.allow-rdp.name,
- ]
+ network_tags = concat(
+ var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [],
+ var.enable_rdp ? [google_compute_firewall.allow-rdp[0].name] : [],
+ var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [],
+ )
 instance_count_list = [var.win_std_instance_count]
 instance_name = var.win_std_instance_name
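Review bot: `[ google_compute_firewall.allow-pcoip.name],` in the single-connector awc module has a stray space after the opening bracket, and the win-gfx module below gains an extra blank `+` line after `)` that the win-std, centos-gfx and centos-std modules in the same file do not have; `terraform fmt` normalises both, so run it over the deployments/gcp tree before merging. Writing it as `[google_compute_firewall.allow-pcoip.name],` also matches the nlb-multi-region awc module in this commit. The enclosing module blocks start outside these hunks.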
@@ -285,10 +290,11 @@ module "centos-gfx" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_gfx_instance_count] instance_name = var.centos_gfx_instance_name @@ -338,10 +344,11 @@ module "centos-std" { idle_shutdown_minutes_idle_before_shutdown = var.idle_shutdown_minutes_idle_before_shutdown idle_shutdown_polling_interval_minutes = var.idle_shutdown_polling_interval_minutes - network_tags = [ - google_compute_firewall.allow-icmp.name, - google_compute_firewall.allow-ssh.name, - ] + network_tags = concat( + var.enable_icmp ? [google_compute_firewall.allow-icmp[0].name] : [], + var.enable_ssh ? [google_compute_firewall.allow-ssh[0].name] : [], + var.gcp_iap_enable ? [google_compute_firewall.allow-iap[0].name] : [], + ) instance_count_list = [var.centos_std_instance_count] instance_name = var.centos_std_instance_name diff --git a/deployments/gcp/single-connector/networking.tf b/deployments/gcp/single-connector/networking.tf index 08c09113..86facc97 100644 --- a/deployments/gcp/single-connector/networking.tf +++ b/deployments/gcp/single-connector/networking.tf @@ -63,6 +63,8 @@ resource "google_compute_firewall" "allow-internal" { } resource "google_compute_firewall" "allow-ssh" { + count = var.enable_ssh ? 1 : 0 + name = "${local.prefix}fw-allow-ssh" network = google_compute_network.vpc.self_link 
@@ -72,10 +74,32 @@ resource "google_compute_firewall" "allow-ssh" { } target_tags = ["${local.prefix}fw-allow-ssh"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) +} + +# To allow IAP to connect to GCP VM instances +resource "google_compute_firewall" "allow-iap" { + count = var.gcp_iap_enable ? 1 : 0 + + name = "${local.prefix}fw-allow-iap" + network = google_compute_network.vpc.self_link + + allow { + protocol = "tcp" + ports = ["22"] + } + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["${local.prefix}fw-allow-iap"] + source_ranges = local.iap_cidr } resource "google_compute_firewall" "allow-rdp" { + count = var.enable_rdp ? 1 : 0 name = "${local.prefix}fw-allow-rdp" network = google_compute_network.vpc.self_link @@ -89,7 +113,7 @@ resource "google_compute_firewall" "allow-rdp" { } target_tags = ["${local.prefix}fw-allow-rdp"] - source_ranges = concat([local.myip], var.allowed_admin_cidrs, (var.gcp_iap_enable ? local.iap_cidr : [])) + source_ranges = concat([local.myip], var.allowed_admin_cidrs) } resource "google_compute_firewall" "allow-winrm" { @@ -106,6 +130,7 @@ resource "google_compute_firewall" "allow-winrm" { } resource "google_compute_firewall" "allow-icmp" { + count = var.enable_icmp ? 1 : 0 name = "${local.prefix}fw-allow-icmp" network = google_compute_network.vpc.self_link diff --git a/deployments/gcp/single-connector/vars.tf b/deployments/gcp/single-connector/vars.tf index 664d262c..b043798d 100644 --- a/deployments/gcp/single-connector/vars.tf +++ b/deployments/gcp/single-connector/vars.tf 
@@ -15,6 +15,24 @@ variable "gcp_credentials_file" { } } +variable "enable_ssh" { + description = "Flag to enable or disable the compute firewall on TCP 22 port on all Linux-based machines from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_icmp" { + description = "Flag to enable or disable the compute firewall for ICMP protocol on all workstations from allowed_admin_cidrs" + type = bool + default = false +} + +variable "enable_rdp" { + description = "Flag to enable or disable the compute firewall on TCP/UDP 3389 Port on all Windows-based machines from allowed_admin_cidrs" + type = bool + default = false +} + variable "gcp_region" { description = "GCP region" default = "us-west2" @@ -461,7 +479,8 @@ variable "gcp_ops_agent_enable" { } variable "gcp_iap_enable" { - description = "Enable GCP IAP for connecting instances via IAP" + description = "Enables or Disables Access via GCP's IAP: If set to 'true', this option opens TCP ports 22 (SSH) and 3389 (RDP) in the compute firewall, specifically for traffic originating from GCP's IAP CIDR range. This allows administrators to access VMs using SSH or RDP through GCP's IAP TCP forwarding feature" + type = bool default = true } diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 80283ac9..b0c8ce26 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -14,15 +14,24 @@ --- -### Connecting to VMs Using SSH/RDP -- Access to AWS instances through SSH/RDP is only possible if the variables enable_ssh/enable_rdp in the terraform.tfvars file are set to True. -- To debug Linux VMs, SSH can be used to login to the machines for troubleshooting and viewing log files. -- To debug Windows VMs, a RDP client such as Windows Remote Desktop on Windows or xfreerdp on Linux can be used to login to the machines for troubleshooting and viewing log files. -- Workstation VMs are not exposed to the internet and do not have public IPs, a bastion host such as the DC or Connector can be used to access the Workstation VMs on the private network. - -### Connecting to AWS Instances Using Session Manager -- Session Manager is enabled by default on all AWS instances, allowing access to all virtual machines (VMs) via Session Manager, unless enable_ssm is set to false in terraform.tfvars -- To access VM's through SSM, Please refer this link - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html +### Accessing VMs +- For troubleshooting deployments, access to the VMs is available for debugging and log file inspection. +- By default, AWS VMs are accessible via AWS Systems Manager (SSM), whereas GCP VM instances can be accessed through the Identity-Aware Proxy (IAP). + +### Connecting to AWS VM Instances Using AWS Systems Manager (SSM) +- SSM is enabled by default on all AWS VM instances, allowing access to all VM instances via AWS Systems Manager (SSM), unless `enable_ssm` is set to false in `terraform.tfvars`. 
+- To access VM Instance's through SSM, please refer to this link - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html + +### Connecting to GCP VM Instances using Identity-Aware Proxy (IAP) +- IAP is enabled by default on all GCP VM instances, allowing access to all VM instances via Identity-Aware Proxy (IAP), unless `gcp_iap_enable` is set to false in `terraform.tfvars`. +- To access VM Instance's through IAP, please refer to this link - https://cloud.google.com/iap/docs/using-tcp-forwarding + +### Alternative ways to connect to VMs +- Should IAP or SSM be unavailable or intentionally disabled, SSH or RDP clients can be utilized for VM access. +- Direct SSH/RDP access to AWS or GCP VM instances from the machine executing Terraform is contingent upon setting the `enable_ssh` or `enable_rdp` variables to true within the `terraform.tfvars` file. +- Workstation VMs, not having public IPs, remain inaccessible from the internet. However, a bastion host—like the DC or Connector—provides a bridge to access Workstation VMs within the private network. +- For public IP access to workstation VMs, set the `enable_workstation_public_ip` to true in the `terraform.tfvars` file. +- Additionally, ensure the activation of SSH or RDP by setting the `enable_ssh` or `enable_rdp` variables respectively. ### Connecting to CentOS Workstations - One way to access CentOS Workstations is to use the Connector as a bastion host. Please refer to the log tables below for the corresponding for each VM. From f4589adfcb316bf6d237c63a1e53f3ea1de5ce21 Mon Sep 17 00:00:00 2001 From: Daniel Bergel Date: Wed, 11 Oct 2023 12:05:01 +0000 Subject: [PATCH 2/5] GCP: Updated OS images: CentOS 7, Rocky 8 projects/centos-cloud/global/images/centos-7-v20231010 projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010 
Signed-off-by: Daniel Bergel --- deployments/gcp/awm-multi-region/terraform.tfvars.sample | 4 ++-- deployments/gcp/awm-multi-region/vars.tf | 8 ++++---- .../gcp/awm-nlb-multi-region/terraform.tfvars.sample | 4 ++-- deployments/gcp/awm-nlb-multi-region/vars.tf | 8 ++++---- .../gcp/awm-single-connector/terraform.tfvars.sample | 4 ++-- deployments/gcp/awm-single-connector/vars.tf | 8 ++++---- deployments/gcp/multi-region/terraform.tfvars.sample | 4 ++-- deployments/gcp/multi-region/vars.tf | 6 +++--- deployments/gcp/nlb-multi-region/terraform.tfvars.sample | 4 ++-- deployments/gcp/nlb-multi-region/vars.tf | 6 +++--- deployments/gcp/single-connector/terraform.tfvars.sample | 4 ++-- deployments/gcp/single-connector/vars.tf | 6 +++--- 12 files changed, 33 insertions(+), 33 deletions(-) diff --git a/deployments/gcp/awm-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-multi-region/terraform.tfvars.sample index b4b4847a..a643d400 100644 --- a/deployments/gcp/awm-multi-region/terraform.tfvars.sample +++ b/deployments/gcp/awm-multi-region/terraform.tfvars.sample @@ -106,11 +106,11 @@ centos_std_instance_count_list = [] # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-multi-region/vars.tf b/deployments/gcp/awm-multi-region/vars.tf index d1d16542..1bd90a77 100644 --- a/deployments/gcp/awm-multi-region/vars.tf +++ b/deployments/gcp/awm-multi-region/vars.tf 
@@ -187,7 +187,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { @@ -253,7 +253,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? @@ -487,7 +487,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { @@ -512,7 +512,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { diff --git a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample index 464d8144..98d1e16f 100644 --- a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample +++ b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample 
@@ -103,11 +103,11 @@ centos_std_instance_count_list = [] # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-nlb-multi-region/vars.tf b/deployments/gcp/awm-nlb-multi-region/vars.tf index eda5f4ba..49e76404 100644 --- a/deployments/gcp/awm-nlb-multi-region/vars.tf +++ b/deployments/gcp/awm-nlb-multi-region/vars.tf @@ -187,7 +187,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { @@ -253,7 +253,7 @@ variable "awc_disk_size_gb" { variable "awc_disk_image" { description = "Disk image for the Anyware Connector" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } # TODO: does this have to match the tag at the end of the SSH pub key? @@ -480,7 +480,7 @@ variable "centos_gfx_disk_size_gb" { variable "centos_gfx_disk_image" { description = "Disk image for the CentOS Graphics Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_std_instance_count_list" { 
@@ -505,7 +505,7 @@ variable "centos_std_disk_size_gb" { variable "centos_std_disk_image" { description = "Disk image for the CentOS Standard Workstation" - default = "projects/centos-cloud/global/images/centos-7-v20230912" + default = "projects/centos-cloud/global/images/centos-7-v20231010" } variable "centos_admin_user" { diff --git a/deployments/gcp/awm-single-connector/terraform.tfvars.sample b/deployments/gcp/awm-single-connector/terraform.tfvars.sample index 4f9c532f..c996a84a 100644 --- a/deployments/gcp/awm-single-connector/terraform.tfvars.sample +++ b/deployments/gcp/awm-single-connector/terraform.tfvars.sample @@ -78,12 +78,12 @@ centos_gfx_instance_count = 0 # centos_gfx_accelerator_type = "nvidia-tesla-p4-vws" # centos_gfx_accelerator_count = 1 # centos_gfx_disk_size_gb = 50 -# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_std_instance_count = 0 # centos_std_machine_type = "n1-standard-2" # centos_std_disk_size_gb = 50 -# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912" +# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010" centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub" diff --git a/deployments/gcp/awm-single-connector/vars.tf b/deployments/gcp/awm-single-connector/vars.tf index 05aa90ab..d5bfc006 100644 --- a/deployments/gcp/awm-single-connector/vars.tf +++ b/deployments/gcp/awm-single-connector/vars.tf @@ -140,7 +140,7 @@ variable "awm_disk_size_gb" { variable "awm_disk_image" { description = "Disk image for the Anyware Manager" - default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912" + default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010" } variable "awm_admin_user" { 
@@ -201,7 +201,7 @@ variable "awc_disk_size_gb" {
variable "awc_disk_image" {
description = "Disk image for the Anyware Connector"
- default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912"
+ default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010"
}
# TODO: does this have to match the tag at the end of the SSH pub key?
@@ -460,7 +460,7 @@ variable "centos_gfx_disk_size_gb" {
variable "centos_gfx_disk_image" {
description = "Disk image for the CentOS Graphics Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_std_instance_count" {
@@ -485,7 +485,7 @@ variable "centos_std_disk_size_gb" {
variable "centos_std_disk_image" {
description = "Disk image for the CentOS Standard Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_admin_user" {
diff --git a/deployments/gcp/multi-region/terraform.tfvars.sample b/deployments/gcp/multi-region/terraform.tfvars.sample
index 244539b4..2f809462 100644
--- a/deployments/gcp/multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/multi-region/terraform.tfvars.sample
@@ -97,11 +97,11 @@ centos_std_instance_count_list = []
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# centos_gfx_accelerator_count = 1
# centos_gfx_disk_size_gb = 50
-# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
# centos_std_machine_type = "n1-standard-2"
# centos_std_disk_size_gb = 50
-# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub"
diff --git a/deployments/gcp/multi-region/vars.tf b/deployments/gcp/multi-region/vars.tf
index ed47bc34..014493ea 100644
--- a/deployments/gcp/multi-region/vars.tf
+++ b/deployments/gcp/multi-region/vars.tf
@@ -197,7 +197,7 @@ variable "awc_disk_size_gb" {
variable "awc_disk_image" {
description = "Disk image for the Anyware Connector"
- default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912"
+ default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010"
}
# TODO: does this have to match the tag at the end of the SSH pub key?
@@ -452,7 +452,7 @@ variable "centos_gfx_disk_size_gb" {
variable "centos_gfx_disk_image" {
description = "Disk image for the CentOS Graphics Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_std_instance_count_list" {
@@ -477,7 +477,7 @@ variable "centos_std_disk_size_gb" {
variable "centos_std_disk_image" {
description = "Disk image for the CentOS Standard Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_admin_user" {
diff --git a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
index 729c6a9d..9143e791 100644
--- a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
@@ -94,11 +94,11 @@ centos_std_instance_count_list = []
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# centos_gfx_accelerator_count = 1
# centos_gfx_disk_size_gb = 50
-# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
# centos_std_machine_type = "n1-standard-2"
# centos_std_disk_size_gb = 50
-# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub"
diff --git a/deployments/gcp/nlb-multi-region/vars.tf b/deployments/gcp/nlb-multi-region/vars.tf
index 89c4e6f0..02f7ed5a 100644
--- a/deployments/gcp/nlb-multi-region/vars.tf
+++ b/deployments/gcp/nlb-multi-region/vars.tf
@@ -197,7 +197,7 @@ variable "awc_disk_size_gb" {
variable "awc_disk_image" {
description = "Disk image for the Anyware Connector"
- default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912"
+ default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010"
}
# TODO: does this have to match the tag at the end of the SSH pub key?
@@ -445,7 +445,7 @@ variable "centos_gfx_disk_size_gb" {
variable "centos_gfx_disk_image" {
description = "Disk image for the CentOS Graphics Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_std_instance_count_list" {
@@ -470,7 +470,7 @@ variable "centos_std_disk_size_gb" {
variable "centos_std_disk_image" {
description = "Disk image for the CentOS Standard Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_admin_user" {
diff --git a/deployments/gcp/single-connector/terraform.tfvars.sample b/deployments/gcp/single-connector/terraform.tfvars.sample
index cbcb39d5..426708d9 100644
--- a/deployments/gcp/single-connector/terraform.tfvars.sample
+++ b/deployments/gcp/single-connector/terraform.tfvars.sample
@@ -69,12 +69,12 @@ centos_gfx_instance_count = 0
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# centos_gfx_accelerator_count = 1
# centos_gfx_disk_size_gb = 50
-# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_gfx_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
centos_std_instance_count = 0
# centos_std_machine_type = "n1-standard-2"
# centos_std_disk_size_gb = 50
-# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20230912"
+# centos_std_disk_image = "projects/centos-cloud/global/images/centos-7-v20231010"
centos_admin_ssh_pub_key_file = "~/.ssh/id_rsa.pub"
diff --git a/deployments/gcp/single-connector/vars.tf b/deployments/gcp/single-connector/vars.tf
index b043798d..53512327 100644
--- a/deployments/gcp/single-connector/vars.tf
+++ b/deployments/gcp/single-connector/vars.tf
@@ -145,7 +145,7 @@ variable "awc_disk_size_gb" {
variable "awc_disk_image" {
description = "Disk image for the Anyware Connector"
- default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20230912"
+ default = "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010"
}
# TODO: does this have to match the tag at the end of the SSH pub key?
@@ -425,7 +425,7 @@ variable "centos_gfx_disk_size_gb" {
variable "centos_gfx_disk_image" {
description = "Disk image for the CentOS Graphics Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_std_instance_count" {
@@ -450,7 +450,7 @@ variable "centos_std_disk_size_gb" {
variable "centos_std_disk_image" {
description = "Disk image for the CentOS Standard Workstation"
- default = "projects/centos-cloud/global/images/centos-7-v20230912"
+ default = "projects/centos-cloud/global/images/centos-7-v20231010"
}
variable "centos_admin_user" {
From 563926077169e846f65d9000aaabba737060b1c4 Mon Sep 17 00:00:00 2001
From: Daniel Bergel
Date: Thu, 12 Oct 2023 12:05:08 +0000
Subject: [PATCH 3/5] GCP: Updated OS images: Windows projects/windows-cloud/global/images/windows-server-2019-dc-v20231011
Signed-off-by: Daniel Bergel
---
deployments/gcp/awm-multi-region/terraform.tfvars.sample | 4 ++--
deployments/gcp/awm-multi-region/vars.tf | 6 +++---
.../gcp/awm-nlb-multi-region/terraform.tfvars.sample | 4 ++--
deployments/gcp/awm-nlb-multi-region/vars.tf | 6 +++---
.../gcp/awm-single-connector/terraform.tfvars.sample | 4 ++--
deployments/gcp/awm-single-connector/vars.tf | 6 +++---
deployments/gcp/dc-only/vars.tf | 2 +-
deployments/gcp/multi-region/terraform.tfvars.sample | 4 ++--
deployments/gcp/multi-region/vars.tf | 6 +++---
deployments/gcp/nlb-multi-region/terraform.tfvars.sample | 4 ++--
deployments/gcp/nlb-multi-region/vars.tf | 6 +++---
deployments/gcp/single-connector/terraform.tfvars.sample | 4 ++--
deployments/gcp/single-connector/vars.tf | 6 +++---
13 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/deployments/gcp/awm-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-multi-region/terraform.tfvars.sample
index a643d400..be7b6173 100644
--- a/deployments/gcp/awm-multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/awm-multi-region/terraform.tfvars.sample
@@ -96,11 +96,11 @@ centos_std_instance_count_list = []
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# centos_gfx_machine_type = "n1-standard-2"
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
diff --git a/deployments/gcp/awm-multi-region/vars.tf b/deployments/gcp/awm-multi-region/vars.tf
index 1bd90a77..78410afd 100644
--- a/deployments/gcp/awm-multi-region/vars.tf
+++ b/deployments/gcp/awm-multi-region/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -417,7 +417,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -447,7 +447,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample
index 98d1e16f..48fc0458 100644
--- a/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/awm-nlb-multi-region/terraform.tfvars.sample
@@ -93,11 +93,11 @@ centos_std_instance_count_list = []
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# centos_gfx_machine_type = "n1-standard-2"
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
diff --git a/deployments/gcp/awm-nlb-multi-region/vars.tf b/deployments/gcp/awm-nlb-multi-region/vars.tf
index 49e76404..4e5d2d0e 100644
--- a/deployments/gcp/awm-nlb-multi-region/vars.tf
+++ b/deployments/gcp/awm-nlb-multi-region/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -410,7 +410,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -440,7 +440,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/gcp/awm-single-connector/terraform.tfvars.sample b/deployments/gcp/awm-single-connector/terraform.tfvars.sample
index c996a84a..cdafea37 100644
--- a/deployments/gcp/awm-single-connector/terraform.tfvars.sample
+++ b/deployments/gcp/awm-single-connector/terraform.tfvars.sample
@@ -66,12 +66,12 @@ win_gfx_instance_count = 0
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
win_std_instance_count = 0
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
centos_gfx_instance_count = 0
# centos_gfx_machine_type = "n1-standard-2"
diff --git a/deployments/gcp/awm-single-connector/vars.tf b/deployments/gcp/awm-single-connector/vars.tf
index d5bfc006..a1baec56 100644
--- a/deployments/gcp/awm-single-connector/vars.tf
+++ b/deployments/gcp/awm-single-connector/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -390,7 +390,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -420,7 +420,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/gcp/dc-only/vars.tf b/deployments/gcp/dc-only/vars.tf
index 4558993d..8ecc7709 100644
--- a/deployments/gcp/dc-only/vars.tf
+++ b/deployments/gcp/dc-only/vars.tf
@@ -87,7 +87,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
diff --git a/deployments/gcp/multi-region/terraform.tfvars.sample b/deployments/gcp/multi-region/terraform.tfvars.sample
index 2f809462..ad986f81 100644
--- a/deployments/gcp/multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/multi-region/terraform.tfvars.sample
@@ -87,11 +87,11 @@ centos_std_instance_count_list = []
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# centos_gfx_machine_type = "n1-standard-2"
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
diff --git a/deployments/gcp/multi-region/vars.tf b/deployments/gcp/multi-region/vars.tf
index 014493ea..373b5308 100644
--- a/deployments/gcp/multi-region/vars.tf
+++ b/deployments/gcp/multi-region/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -382,7 +382,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -412,7 +412,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
index 9143e791..ff65315c 100644
--- a/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
+++ b/deployments/gcp/nlb-multi-region/terraform.tfvars.sample
@@ -84,11 +84,11 @@ centos_std_instance_count_list = []
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
# centos_gfx_machine_type = "n1-standard-2"
# centos_gfx_accelerator_type = "nvidia-tesla-p4-vws"
diff --git a/deployments/gcp/nlb-multi-region/vars.tf b/deployments/gcp/nlb-multi-region/vars.tf
index 02f7ed5a..2a57eb3a 100644
--- a/deployments/gcp/nlb-multi-region/vars.tf
+++ b/deployments/gcp/nlb-multi-region/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -375,7 +375,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -405,7 +405,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/gcp/single-connector/terraform.tfvars.sample b/deployments/gcp/single-connector/terraform.tfvars.sample
index 426708d9..73b9a26b 100644
--- a/deployments/gcp/single-connector/terraform.tfvars.sample
+++ b/deployments/gcp/single-connector/terraform.tfvars.sample
@@ -57,12 +57,12 @@ win_gfx_instance_count = 0
# win_gfx_accelerator_type = "nvidia-tesla-p4-vws"
# win_gfx_accelerator_count = 1
# win_gfx_disk_size_gb = 50
-# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_gfx_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
win_std_instance_count = 0
# win_std_machine_type = "n1-standard-4"
# win_std_disk_size_gb = 50
-# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+# win_std_disk_image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
centos_gfx_instance_count = 0
# centos_gfx_machine_type = "n1-standard-2"
diff --git a/deployments/gcp/single-connector/vars.tf b/deployments/gcp/single-connector/vars.tf
index 53512327..fefb08af 100644
--- a/deployments/gcp/single-connector/vars.tf
+++ b/deployments/gcp/single-connector/vars.tf
@@ -99,7 +99,7 @@ variable "dc_disk_size_gb" {
variable "dc_disk_image" {
description = "Disk image for the Domain Controller"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "dc_admin_password" {
@@ -355,7 +355,7 @@ variable "win_gfx_disk_size_gb" {
variable "win_gfx_disk_image" {
description = "Disk image for the Windows Graphics Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_gfx_pcoip_agent_version" {
@@ -385,7 +385,7 @@ variable "win_std_disk_size_gb" {
variable "win_std_disk_image" {
description = "Disk image for the Windows Standard Workstation"
- default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20230913"
+ default = "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011"
}
variable "win_std_pcoip_agent_version" {
From f91ebea7f3274ac9b4f4cb656aad2bbf0a2f445a Mon Sep 17 00:00:00 2001
From: Pvs
Date: Thu, 12 Oct 2023 21:21:05 -0700
Subject: [PATCH 4/5] Fix Typo error in Networking.tf Corrected a spelling mistake in GCP/NLB Multi-region/networking.tf
Signed-off-by: Pvs
---
deployments/gcp/nlb-multi-region/networking.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/gcp/nlb-multi-region/networking.tf b/deployments/gcp/nlb-multi-region/networking.tf
index 25c6913d..a94caeda 100644
--- a/deployments/gcp/nlb-multi-region/networking.tf
+++ b/deployments/gcp/nlb-multi-region/networking.tf
@@ -66,7 +66,7 @@ resource "google_compute_firewall" "allow-internal" {
)
}
-rresource "google_compute_firewall" "allow-ssh" {
+resource "google_compute_firewall" "allow-ssh" {
count = var.enable_ssh ? 1 : 0
name = "${local.prefix}fw-allow-ssh"
From f106c7f6423959a55278b94b2b63f650de65c31d Mon Sep 17 00:00:00 2001
From: Daniel Bergel
Date: Fri, 13 Oct 2023 12:04:46 +0000
Subject: [PATCH 5/5] AWS: Updated OS images: Windows Windows_Server-2019-English-Full-Base-2023.10.11
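Review bot: The `rresource` token this hunk corrects is not a cosmetic typo: HCL has no `rresource` block type, so deployments/gcp/nlb-multi-region/networking.tf would not have parsed at all between PATCH 1/5 and this fix, which means the optional `allow-ssh` gating introduced in PATCH 1 was never validated for this deployment before it was committed. The series appears not to have been run through `terraform validate` (or `terraform fmt -check`) per deployment directory; adding that as a CI gate would catch this class of error before a firewall change lands. It is also worth confirming that every reference to the now-counted rule in this deployment's main.tf uses the `[0]` index form (`google_compute_firewall.allow-ssh[0].name`), since a bare reference to a `count`ed resource fails at plan time. The `allow-ssh` resource body continues past the end of the hunk, so its `source_ranges` and `allow` blocks are not visible here.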
Signed-off-by: Daniel Bergel
---
.../aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample | 4 ++--
deployments/aws/awm-lb-connectors-ha-lls/vars.tf | 6 +++---
.../aws/awm-lb-connectors-lls/terraform.tfvars.sample | 4 ++--
deployments/aws/awm-lb-connectors-lls/vars.tf | 6 +++---
deployments/aws/awm-lb-connectors/terraform.tfvars.sample | 4 ++--
deployments/aws/awm-lb-connectors/vars.tf | 6 +++---
.../aws/awm-single-connector/terraform.tfvars.sample | 4 ++--
deployments/aws/awm-single-connector/vars.tf | 6 +++---
.../aws/lb-connectors-ha-lls/terraform.tfvars.sample | 4 ++--
deployments/aws/lb-connectors-ha-lls/vars.tf | 6 +++---
deployments/aws/lb-connectors-lls/terraform.tfvars.sample | 4 ++--
deployments/aws/lb-connectors-lls/vars.tf | 6 +++---
deployments/aws/lb-connectors/terraform.tfvars.sample | 4 ++--
deployments/aws/lb-connectors/vars.tf | 6 +++---
deployments/aws/single-connector/terraform.tfvars.sample | 4 ++--
deployments/aws/single-connector/vars.tf | 6 +++---
16 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample
index 462ab797..5053e59f 100644
--- a/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample
+++ b/deployments/aws/awm-lb-connectors-ha-lls/terraform.tfvars.sample
@@ -84,13 +84,13 @@ win_gfx_instance_count = 0
# win_gfx_instance_type = "g4dn.xlarge"
# win_gfx_disk_size_gb = 50
# win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
win_std_instance_count = 0
# win_std_instance_type = "t3.xlarge"
# win_std_disk_size_gb = 50
# win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
centos_gfx_instance_count = 0
# centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/awm-lb-connectors-ha-lls/vars.tf b/deployments/aws/awm-lb-connectors-ha-lls/vars.tf
index b3b24866..e0fc6c93 100644
--- a/deployments/aws/awm-lb-connectors-ha-lls/vars.tf
+++ b/deployments/aws/awm-lb-connectors-ha-lls/vars.tf
@@ -125,7 +125,7 @@ variable "dc_ami_owner" {
variable "dc_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "dc_pcoip_agent_install" {
@@ -457,7 +457,7 @@ variable "win_gfx_ami_owner" {
variable "win_gfx_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_gfx_pcoip_agent_version" {
@@ -492,7 +492,7 @@ variable "win_std_ami_owner" {
variable "win_std_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample
index 462ab797..5053e59f 100644
--- a/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample
+++ b/deployments/aws/awm-lb-connectors-lls/terraform.tfvars.sample
@@ -84,13 +84,13 @@ win_gfx_instance_count = 0
# win_gfx_instance_type = "g4dn.xlarge"
# win_gfx_disk_size_gb = 50
# win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
win_std_instance_count = 0
# win_std_instance_type = "t3.xlarge"
# win_std_disk_size_gb = 50
# win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
centos_gfx_instance_count = 0
# centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/awm-lb-connectors-lls/vars.tf b/deployments/aws/awm-lb-connectors-lls/vars.tf
index 5014c44e..20da9fdb 100644
--- a/deployments/aws/awm-lb-connectors-lls/vars.tf
+++ b/deployments/aws/awm-lb-connectors-lls/vars.tf
@@ -125,7 +125,7 @@ variable "dc_ami_owner" {
variable "dc_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "dc_pcoip_agent_install" {
@@ -430,7 +430,7 @@ variable "win_gfx_ami_owner" {
variable "win_gfx_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_gfx_pcoip_agent_version" {
@@ -465,7 +465,7 @@ variable "win_std_ami_owner" {
variable "win_std_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/awm-lb-connectors/terraform.tfvars.sample b/deployments/aws/awm-lb-connectors/terraform.tfvars.sample
index 652244dd..ea8436f7 100644
--- a/deployments/aws/awm-lb-connectors/terraform.tfvars.sample
+++ b/deployments/aws/awm-lb-connectors/terraform.tfvars.sample
@@ -78,13 +78,13 @@ win_gfx_instance_count = 0
# win_gfx_instance_type = "g4dn.xlarge"
# win_gfx_disk_size_gb = 50
# win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
win_std_instance_count = 0
# win_std_instance_type = "t3.xlarge"
# win_std_disk_size_gb = 50
# win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
centos_gfx_instance_count = 0
# centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/awm-lb-connectors/vars.tf b/deployments/aws/awm-lb-connectors/vars.tf
index c0d41982..7088f7bd 100644
--- a/deployments/aws/awm-lb-connectors/vars.tf
+++ b/deployments/aws/awm-lb-connectors/vars.tf
@@ -125,7 +125,7 @@ variable "dc_ami_owner" {
variable "dc_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "dc_pcoip_agent_install" {
@@ -378,7 +378,7 @@ variable "win_gfx_ami_owner" {
variable "win_gfx_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_gfx_pcoip_agent_version" {
@@ -413,7 +413,7 @@ variable "win_std_ami_owner" {
variable "win_std_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/awm-single-connector/terraform.tfvars.sample b/deployments/aws/awm-single-connector/terraform.tfvars.sample
index df10259d..32b805fe 100644
--- a/deployments/aws/awm-single-connector/terraform.tfvars.sample
+++ b/deployments/aws/awm-single-connector/terraform.tfvars.sample
@@ -66,13 +66,13 @@ win_gfx_instance_count = 0
# win_gfx_instance_type = "g4dn.xlarge"
# win_gfx_disk_size_gb = 50
# win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
win_std_instance_count = 0
# win_std_instance_type = "t3.xlarge"
# win_std_disk_size_gb = 50
# win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
centos_gfx_instance_count = 0
# centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/awm-single-connector/vars.tf b/deployments/aws/awm-single-connector/vars.tf
index 6d0e2bbc..d48f97a2 100644
--- a/deployments/aws/awm-single-connector/vars.tf
+++ b/deployments/aws/awm-single-connector/vars.tf
@@ -126,7 +126,7 @@ variable "dc_ami_owner" {
variable "dc_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "dc_pcoip_agent_install" {
@@ -358,7 +358,7 @@ variable "win_gfx_ami_owner" {
variable "win_gfx_ami_name" {
description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
}
variable "win_gfx_pcoip_agent_version" {
@@ -393,7 +393,7 @@ variable "win_std_ami_owner" {
 variable "win_std_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample b/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample
index e730ac9c..4e1dedce 100644
--- a/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample
+++ b/deployments/aws/lb-connectors-ha-lls/terraform.tfvars.sample
@@ -64,13 +64,13 @@ win_gfx_instance_count = 0
 # win_gfx_instance_type = "g4dn.xlarge"
 # win_gfx_disk_size_gb = 50
 # win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 win_std_instance_count = 0
 # win_std_instance_type = "t3.xlarge"
 # win_std_disk_size_gb = 50
 # win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 centos_gfx_instance_count = 0
 # centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/lb-connectors-ha-lls/vars.tf b/deployments/aws/lb-connectors-ha-lls/vars.tf
index b8caf0a8..71a44fbf 100644
--- a/deployments/aws/lb-connectors-ha-lls/vars.tf
+++ b/deployments/aws/lb-connectors-ha-lls/vars.tf
@@ -110,7 +110,7 @@ variable "dc_ami_owner" {
 variable "dc_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "dc_pcoip_agent_install" {
@@ -421,7 +421,7 @@ variable "win_gfx_ami_owner" {
 variable "win_gfx_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_gfx_pcoip_agent_version" {
@@ -461,7 +461,7 @@ variable "win_std_ami_owner" {
 variable "win_std_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "centos_gfx_instance_count" {
diff --git a/deployments/aws/lb-connectors-lls/terraform.tfvars.sample b/deployments/aws/lb-connectors-lls/terraform.tfvars.sample
index e730ac9c..4e1dedce 100644
--- a/deployments/aws/lb-connectors-lls/terraform.tfvars.sample
+++ b/deployments/aws/lb-connectors-lls/terraform.tfvars.sample
@@ -64,13 +64,13 @@ win_gfx_instance_count = 0
 # win_gfx_instance_type = "g4dn.xlarge"
 # win_gfx_disk_size_gb = 50
 # win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 win_std_instance_count = 0
 # win_std_instance_type = "t3.xlarge"
 # win_std_disk_size_gb = 50
 # win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 centos_gfx_instance_count = 0
 # centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/lb-connectors-lls/vars.tf b/deployments/aws/lb-connectors-lls/vars.tf
index 0d64d6bd..9c879334 100644
--- a/deployments/aws/lb-connectors-lls/vars.tf
+++ b/deployments/aws/lb-connectors-lls/vars.tf
@@ -110,7 +110,7 @@ variable "dc_ami_owner" {
 variable "dc_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "dc_pcoip_agent_install" {
@@ -394,7 +394,7 @@ variable "win_gfx_ami_owner" {
 variable "win_gfx_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_gfx_pcoip_agent_version" {
@@ -429,7 +429,7 @@ variable "win_std_ami_owner" {
 variable "win_std_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/lb-connectors/terraform.tfvars.sample b/deployments/aws/lb-connectors/terraform.tfvars.sample
index f7f0218e..f7e1f498 100644
--- a/deployments/aws/lb-connectors/terraform.tfvars.sample
+++ b/deployments/aws/lb-connectors/terraform.tfvars.sample
@@ -61,13 +61,13 @@ win_gfx_instance_count = 0
 # win_gfx_instance_type = "g4dn.xlarge"
 # win_gfx_disk_size_gb = 50
 # win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 win_std_instance_count = 0
 # win_std_instance_type = "t3.xlarge"
 # win_std_disk_size_gb = 50
 # win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 centos_gfx_instance_count = 0
 # centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/lb-connectors/vars.tf b/deployments/aws/lb-connectors/vars.tf
index b710c44a..08028a98 100644
--- a/deployments/aws/lb-connectors/vars.tf
+++ b/deployments/aws/lb-connectors/vars.tf
@@ -110,7 +110,7 @@ variable "dc_ami_owner" {
 variable "dc_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "dc_pcoip_agent_install" {
@@ -348,7 +348,7 @@ variable "win_gfx_ami_owner" {
 variable "win_gfx_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_gfx_pcoip_agent_version" {
@@ -383,7 +383,7 @@ variable "win_std_ami_owner" {
 variable "win_std_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_std_pcoip_agent_version" {
diff --git a/deployments/aws/single-connector/terraform.tfvars.sample b/deployments/aws/single-connector/terraform.tfvars.sample
index 78cf859b..451f260d 100644
--- a/deployments/aws/single-connector/terraform.tfvars.sample
+++ b/deployments/aws/single-connector/terraform.tfvars.sample
@@ -49,13 +49,13 @@ win_gfx_instance_count = 0
 # win_gfx_instance_type = "g4dn.xlarge"
 # win_gfx_disk_size_gb = 50
 # win_gfx_ami_owner = "amazon"
-# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_gfx_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 win_std_instance_count = 0
 # win_std_instance_type = "t3.xlarge"
 # win_std_disk_size_gb = 50
 # win_std_ami_owner = "amazon"
-# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.09.13"
+# win_std_ami_name = "Windows_Server-2019-English-Full-Base-2023.10.11"
 centos_gfx_instance_count = 0
 # centos_gfx_instance_type = "g4dn.xlarge"
diff --git a/deployments/aws/single-connector/vars.tf b/deployments/aws/single-connector/vars.tf
index cc1eb80b..fcc3f26c 100644
--- a/deployments/aws/single-connector/vars.tf
+++ b/deployments/aws/single-connector/vars.tf
@@ -110,7 +110,7 @@ variable "dc_ami_owner" {
 variable "dc_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "dc_admin_password" {
@@ -327,7 +327,7 @@ variable "win_gfx_ami_owner" {
 variable "win_gfx_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_gfx_pcoip_agent_version" {
@@ -362,7 +362,7 @@ variable "win_std_ami_owner" {
 variable "win_std_ami_name" {
 description = "Name of the Windows AMI to create workstation from"
- default = "Windows_Server-2019-English-Full-Base-2023.09.13"
+ default = "Windows_Server-2019-English-Full-Base-2023.10.11"
 }
 variable "win_std_pcoip_agent_version" {