fix: SSH via external IP

README.md

@@ -148,7 +148,77 @@ gcloud auth application-default login
 
 > **Token Caching**: If you have been running Terraform commands for a long time, you may want to clear any cached tokens on your machine, as they can become invalid over time. To avoid token caching, we need to run the application default login command: `gcloud auth application-default login`.
 
-With this setup in place, we can now start using HCP Terraform to create resources on Google Cloud.
+### 🔏 Policies
+
+We will have to provide organization level roles that will be inherited by the service account and the root user.
+
+> All permission we provide will be given to the `organization principal`, i.e., `gcp.<domain>.tld`.
+
+Here's a list of required roles:
+
+- `gcp.<domain>.tld`:
+  - `Billing Account Creator`
+  - `Organization Administrator`
+  - `Organization Policy Administrator`
+  - `Project Creator`
+- root user:
+  - `Folder Admin`
+  - `Organization Administrator`
+- service account:
+  - `Editor`
+  - `Folder Admin`
+  - `Project Creator`
+
+### 💻 SSH into Compute Instance
+
+To `ssh` into the VM instance, we will have to add the public SSH key into the project [`metadata`](https://console.cloud.google.com/compute/metadata).
+This can also be [done via Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata.html#example-usage---adding-an-ssh-key).
+
+```tf
+/*
+A key set in project metadata is propagated to every instance in the project.
+This resource configuration is prone to causing frequent diffs as Google adds SSH Keys when the SSH Button is pressed in the console.
+It is better to use OS Login instead.
+*/
+resource "google_compute_project_metadata" "my_ssh_key" {
+  metadata = {
+    ssh-keys = <<EOF
+      dev:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT dev
+      foo:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT bar
+    EOF
+  }
+}
+```
+
+#### Generate the SSH key locally
+
+To generate the ssh key locally on your workstation, use the following command:
+
+```bash
+# follow the on-screen steps after running the command
+# avoid adding a passphrase
+ssh-keygen -t rsa -b 2048 -C <username>
+```
+
+Once the public SSH key has been added to the VM instance metadata, we can use the `external IP` to connect to the VM instance.
+Use the below command to connect to the instance:
+
+```bash
+ssh -i <path-to-private-key> <username>@<external-ip>
+```
+
+### 🕹️ Enabling APIs
+
+In order to create resources on GCP, we will have to enable some basic APIs. This can be done via Terraform.
+
+Below is a non-exhaustive list of APIs that can come in handy:
+
+- `compute.googleapis.com`
+- `storage.googleapis.com`
+- `container.googleapis.com`
+- `orgpolicy.googleapis.com`
+
+> NOTE: Remember to add timed delays to resources when creating them via Terraform.
 
 ## :wrench: Working with Terraform
 

modules/network/main.tf

@@ -5,23 +5,33 @@ resource "google_compute_network" "vpc" {
   routing_mode                    = "REGIONAL"
   auto_create_subnetworks         = false
   mtu                             = 1460
-  delete_default_routes_on_create = false
+  delete_default_routes_on_create = true
 }
 
 # creating subnet
 resource "google_compute_subnetwork" "public_subnet" {
   name          = var.subnet_name
   ip_cidr_range = var.subnet_cidr[0]
   network       = google_compute_network.vpc.id
+  stack_type    = "IPV4_ONLY"
   region        = var.region
   depends_on    = [google_compute_network.vpc]
 }
 
-# Router for the network
-resource "google_compute_router" "csye7125_router" {
-  name    = "csye7125-router"
-  region  = var.region
-  network = google_compute_network.vpc.id
+resource "google_compute_route" "default_to_internet" {
+  name             = "default-internet-gateway"
+  network          = google_compute_network.vpc.name
+  dest_range       = "0.0.0.0/0"
+  next_hop_gateway = "default-internet-gateway"
+  priority         = 1000
+  description      = "Default route to the internet"
+}
+
+# Static public IP address
+resource "google_compute_address" "Public_nat" {
+  name         = "publicnat"
+  address_type = "EXTERNAL"
+  network_tier = "PREMIUM"
 }
 
 # Firewall rules
@@ -37,7 +47,6 @@ resource "google_compute_firewall" "ssh_rule" {
     ports    = ["22"]
   }
   source_ranges = ["0.0.0.0/0"]
-  # target_tags   = ["csye7125", "vm", "dev"]
 }
 
 

modules/projects/main.tf

@@ -1,7 +1,15 @@
 resource "google_project" "vpc_project" {
-  name                = var.project_name
-  project_id          = var.project_id
-  folder_id           = "folders/${var.gke_folder_id}"
-  billing_account     = var.billing_account_id
-  auto_create_network = false
+  name            = var.project_name
+  project_id      = var.project_id
+  folder_id       = "folders/${var.gke_folder_id}"
+  billing_account = var.billing_account_id
+  # auto_create_network = false
+}
+
+resource "google_organization_policy" "default_network_policy" {
+  org_id     = var.org_id
+  constraint = "compute.skipDefaultNetworkCreation"
+  boolean_policy {
+    enforced = true
+  }
 }

modules/vm/main.tf

@@ -3,7 +3,7 @@ resource "google_compute_instance" "csye7125_vm" {
   machine_type = var.machine_type
   zone         = var.zone
 
-  tags = ["csye7125", "vm", "dev"]
+  # tags = ["csye7125", "vm", "dev"]
 
   boot_disk {
     initialize_params {