From a427e31bb620f9100ffaac2b53852ddf096b45c2 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski <slawek@koszewscy.waw.pl>
Date: Sun, 30 Mar 2025 11:31:28 +0200
Subject: [PATCH] Working Landing Zone.

---
 .gitignore                    |  6 +++++
 README.md                     | 10 ++++++++
 main.tf                       | 39 +++++++++++++++++++++++++++++
 modules/cloud-vpn/main.tf     |  0
 modules/linux-vm/main.tf      | 21 ++++++++++++++++
 modules/linux-vm/outputs.tf   |  3 +++
 modules/linux-vm/variables.tf | 41 +++++++++++++++++++++++++++++++
 modules/network/main.tf       | 30 +++++++++++++++++++++++
 modules/network/variables.tf  | 20 +++++++++++++++
 variables.tf                  | 46 +++++++++++++++++++++++++++++++++++
 10 files changed, 216 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 main.tf
 create mode 100644 modules/cloud-vpn/main.tf
 create mode 100644 modules/linux-vm/main.tf
 create mode 100644 modules/linux-vm/outputs.tf
 create mode 100644 modules/linux-vm/variables.tf
 create mode 100644 modules/network/main.tf
 create mode 100644 modules/network/variables.tf
 create mode 100644 variables.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7bb98a5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+*.tfvars
+.terraform*
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.tfplan.*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7c086b2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# GCP Simple Landing Zone
+
+A simple LZ with a single subnet VPC network, a Cloud NAT and VPN connection.
+
+There are two submodules:
+
+* Network - a module that creates a VPC with defined subnets
+* Cloud VPN - a module that creates a Cloud VPN
+
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..646e608
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.27.0"
+    }
+  }
+}
+
+provider "google" {
+  # Configuration options
+  region  = var.region
+  zone    = var.zone
+  project = var.project_id
+}
+
+module "network" {
+  source = "./modules/network"
+
+  name = var.network_name
+  subnets = [
+    {
+      name   = var.subnet_name
+      region = var.region
+      cidr   = var.subnet_cidr
+    }
+  ]
+}
+
+module "vm" {
+  source = "./modules/linux-vm"
+
+  name         = "vm-test"
+  network_name = var.network_name
+  subnet_name  = var.subnet_name
+  ssh          = var.ssh
+
+  depends_on = [module.network]
+}
diff --git a/modules/cloud-vpn/main.tf b/modules/cloud-vpn/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/linux-vm/main.tf b/modules/linux-vm/main.tf
new file mode 100644
index 0000000..5b8ee58
--- /dev/null
+++ b/modules/linux-vm/main.tf
@@ -0,0 +1,21 @@
+resource "google_compute_instance" "vm_hub" {
+  name           = var.name
+  machine_type   = var.machine_type
+  can_ip_forward = var.can_ip_forward
+  description    = var.description
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-12"
+    }
+  }
+
+  network_interface {
+    network    = var.network_name
+    subnetwork = var.subnet_name
+  }
+
+  metadata = {
+    ssh-keys = "${var.ssh[0].public_key} ${var.ssh[0].ssh_user}"
+  }
+}
diff --git a/modules/linux-vm/outputs.tf b/modules/linux-vm/outputs.tf
new file mode 100644
index 0000000..730f0d0
--- /dev/null
+++ b/modules/linux-vm/outputs.tf
@@ -0,0 +1,3 @@
+output "vm_internal_ip" {
+  value = google_compute_instance.vm_hub.network_interface[0].network_ip
+}
diff --git a/modules/linux-vm/variables.tf b/modules/linux-vm/variables.tf
new file mode 100644
index 0000000..4964e94
--- /dev/null
+++ b/modules/linux-vm/variables.tf
@@ -0,0 +1,41 @@
+variable "name" {
+  description = "The name of the VM instance."
+  type        = string
+}
+
+variable "machine_type" {
+  description = "The machine type of the VM instance."
+  type        = string
+  default     = "e2-micro"
+}
+
+variable "can_ip_forward" {
+  description = "Whether the VM instance can forward IP packets."
+  type        = bool
+  default     = false
+}
+
+variable "description" {
+  description = "The description of the VM instance."
+  type        = string
+  nullable    = true
+  default     = null
+}
+
+variable "network_name" {
+  description = "The name of the network to attach the VM instance to."
+  type        = string
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet to attach the VM instance to."
+  type        = string
+}
+
+variable "ssh" {
+  description = "SSH Key(s) definition"
+  type = list(object({
+    public_key = string
+    ssh_user   = string
+  }))
+}
diff --git a/modules/network/main.tf b/modules/network/main.tf
new file mode 100644
index 0000000..1257125
--- /dev/null
+++ b/modules/network/main.tf
@@ -0,0 +1,30 @@
+# VPC
+resource "google_compute_network" "vpc_network" {
+  name                    = var.name
+  auto_create_subnetworks = false
+}
+
+# Subnets
+resource "google_compute_subnetwork" "subnet" {
+  count         = length(var.subnets)
+  name          = var.subnets[count.index].name
+  ip_cidr_range = var.subnets[count.index].cidr
+  region        = var.subnets[count.index].region != null ? var.subnets[count.index].region : var.subnets[0].region
+  network       = google_compute_network.vpc_network.id
+}
+
+# Cloud NAT
+resource "google_compute_router" "cr" {
+  name    = "${var.name}-router"
+  network = google_compute_network.vpc_network.id
+  region  = var.subnets[0].region
+}
+
+resource "google_compute_router_nat" "name" {
+  name = "${var.name}-nat"
+  region = var.subnets[0].region
+  router = google_compute_router.cr.name
+  nat_ip_allocate_option = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+  enable_dynamic_port_allocation = true
+}
diff --git a/modules/network/variables.tf b/modules/network/variables.tf
new file mode 100644
index 0000000..40d017a
--- /dev/null
+++ b/modules/network/variables.tf
@@ -0,0 +1,20 @@
+variable "name" {
+  description = "The name of the network."
+  type        = string
+}
+
+# A Cloud NAT will be created in the same region as the first subnet.
+variable "subnets" {
+  description = "A list of subnets with names and CIDRs."
+
+  type = list(object({
+    name   = string
+    cidr   = string
+    region = string
+  }))
+
+  validation {
+    condition     = var.subnets[0].region != null
+    error_message = "The region for the first subnet must be specified."
+  }
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..963e0fa
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,46 @@
+variable "project_id" {
+  description = "The ID of the project."
+  type        = string
+}
+
+variable "region" {
+  description = "The region for the resources."
+  type        = string
+  default     = "europe-central2"
+}
+
+variable "zone" {
+  description = "The zone for the resources."
+  type        = string
+  default     = "europe-central2-b"
+}
+
+variable "network_name" {
+  description = "The name of the network."
+  type        = string
+  default     = "dom-lab-network"
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet."
+  type        = string
+  default     = "waw-default"
+}
+
+variable "subnet_cidr" {
+  description = "The CIDR range for the subnet."
+  type        = string
+  default     = "192.168.16.0/24"
+}
+
+variable "ssh" {
+  description = "SSH Key(s) definition"
+  type = list(object({
+    public_key = string
+    ssh_user   = string
+  }))
+  default = [{
+    public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1Z96CGdoNnbazs89cdnDLDdju6UtuKAZctEAmnEaAC"
+    ssh_user   = "slawek@1password"
+  }]
+}