Add an example for connecting to a private SSM instance using PSC (#11150) (#750)

[upstream:3d79f2e56865fcaf00f7d24b4632e59b1773ade6]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

secure_source_manager_instance_private/main.tf

@@ -62,15 +62,15 @@ resource "google_secure_source_manager_instance" "default" {
   }
   depends_on = [
     google_privateca_certificate_authority.root_ca,
-    time_sleep.wait_60_seconds
+    time_sleep.wait_120_seconds
   ]
 }
 
 # ca pool IAM permissions can take time to propagate
-resource "time_sleep" "wait_60_seconds" {
+resource "time_sleep" "wait_120_seconds" {
   depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding]
 
-  create_duration = "60s"
+  create_duration = "120s"
 }
 
 data "google_project" "project" {}

secure_source_manager_instance_private_psc_backend/backing_file.tf

@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone   = "us-central1-c"
+}

secure_source_manager_instance_private_psc_backend/main.tf

@@ -0,0 +1,178 @@
+data "google_project" "project" {}
+
+resource "google_privateca_ca_pool" "ca_pool" {
+  name     = "ca-pool-${local.name_suffix}"
+  location = "us-central1"
+  tier     = "ENTERPRISE"
+  publishing_options {
+    publish_ca_cert = true
+    publish_crl     = true
+  }
+}
+
+resource "google_privateca_certificate_authority" "root_ca" {
+  pool                     = google_privateca_ca_pool.ca_pool.name
+  certificate_authority_id = "root-ca-${local.name_suffix}"
+  location                 = "us-central1"
+  config {
+    subject_config {
+      subject {
+        organization = "google"
+        common_name = "my-certificate-authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+
+  // Disable deletion protections for easier test cleanup purposes
+  deletion_protection = false
+  ignore_active_certificates_on_deletion = true
+  skip_grace_period = true
+}
+
+resource "google_privateca_ca_pool_iam_binding" "ca_pool_binding" {
+  ca_pool = google_privateca_ca_pool.ca_pool.id
+  role = "roles/privateca.certificateRequester"
+
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
+  ]
+}
+
+// See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
+resource "google_secure_source_manager_instance" "default" {
+  instance_id = "my-instance-${local.name_suffix}"
+  location = "us-central1"
+  private_config {
+    is_private = true
+    ca_pool = google_privateca_ca_pool.ca_pool.id
+  }
+  depends_on = [
+    google_privateca_certificate_authority.root_ca,
+    time_sleep.wait_120_seconds
+  ]
+}
+
+# ca pool IAM permissions can take time to propagate
+resource "time_sleep" "wait_120_seconds" {
+  depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding]
+
+  create_duration = "120s"
+}
+
+// Connect SSM private instance with L4 proxy ILB.
+resource "google_compute_network" "network" {
+  name = "my-network-${local.name_suffix}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnet" {
+  name = "my-subnet-${local.name_suffix}"
+  region = "us-central1"
+  network = google_compute_network.network.id
+  ip_cidr_range = "10.0.1.0/24"
+  private_ip_google_access = true
+}
+
+resource "google_compute_region_network_endpoint_group" "psc_neg" {
+  name = "my-neg-${local.name_suffix}"
+  region = "us-central1"
+
+  network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+  psc_target_service = google_secure_source_manager_instance.default.private_config.0.http_service_attachment
+
+  network = google_compute_network.network.id
+  subnetwork = google_compute_subnetwork.subnet.id
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+  name = "my-backend-service-${local.name_suffix}"
+  region = "us-central1"
+  protocol = "TCP"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  backend {
+    group = google_compute_region_network_endpoint_group.psc_neg.id
+    balancing_mode = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
+}
+
+resource "google_compute_subnetwork" "proxy_subnet" {
+  name = "my-proxy-subnet-${local.name_suffix}"
+  region = "us-central1"
+  network = google_compute_network.network.id
+  ip_cidr_range = "10.0.2.0/24"
+  purpose = "REGIONAL_MANAGED_PROXY"
+  role = "ACTIVE"
+}
+
+resource "google_compute_region_target_tcp_proxy" "target_proxy" {
+  name = "my-target-proxy-${local.name_suffix}"
+  region = "us-central1"
+  backend_service = google_compute_region_backend_service.backend_service.id
+}
+
+resource "google_compute_forwarding_rule" "fw_rule_target_proxy" {
+  name = "fw-rule-target-proxy-${local.name_suffix}"
+  region = "us-central1"
+
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  ip_protocol = "TCP"
+  port_range = "443"
+  target = google_compute_region_target_tcp_proxy.target_proxy.id
+  network = google_compute_network.network.id
+  subnetwork = google_compute_subnetwork.subnet.id
+  network_tier = "PREMIUM"
+  depends_on = [google_compute_subnetwork.proxy_subnet]
+}
+
+resource "google_dns_managed_zone" "private_zone" {
+  name = "my-dns-zone-${local.name_suffix}"
+  dns_name = "p.sourcemanager.dev."
+  visibility = "private"
+  private_visibility_config {
+    networks {
+      network_url = google_compute_network.network.id
+    }
+  }
+}
+
+resource "google_dns_record_set" "ssm_instance_html_record" {
+  name = "${google_secure_source_manager_instance.default.host_config.0.html}."
+  type = "A"
+  ttl = 300
+  managed_zone = google_dns_managed_zone.private_zone.name
+  rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address]
+}
+
+resource "google_dns_record_set" "ssm_instance_api_record" {
+  name = "${google_secure_source_manager_instance.default.host_config.0.api}."
+  type = "A"
+  ttl = 300
+  managed_zone = google_dns_managed_zone.private_zone.name
+  rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address]
+}
+
+resource "google_dns_record_set" "ssm_instance_git_record" {
+  name = "${google_secure_source_manager_instance.default.host_config.0.git_http}."
+  type = "A"
+  ttl = 300
+  managed_zone = google_dns_managed_zone.private_zone.name
+  rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address]
+}

secure_source_manager_instance_private_psc_backend/motd

@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===

secure_source_manager_instance_private_psc_backend/tutorial.md

@@ -0,0 +1,79 @@
+# Secure Source Manager Instance Private Psc Backend - Terraform
+
+## Setup
+
+<walkthrough-author name="[email protected]" analyticsId="UA-125550242-1" tutorialName="secure_source_manager_instance_private_psc_backend" repositoryUrl="https://github.com/terraform-google-modules/docs-examples"></walkthrough-author>
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+<walkthrough-project-billing-setup></walkthrough-project-billing-setup>
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```

secure_source_manager_instance_private_psc_endpoint/backing_file.tf

@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone   = "us-central1-c"
+}