├── .github └── release-please.yml ├── .gitignore ├── .ruby-version ├── Makefile ├── README.md ├── build └── lint.cloudbuild.yaml ├── docs └── getting-started.md ├── examples ├── multi_deployment │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf └── single_deployment │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf ├── images ├── cft-velo-multi.png ├── cft-velo-single.png └── cft-velo-solution.png ├── modules ├── multi │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── networking │ └── vpn │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf └── single │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── tutorials └── multi-deployment-tutorial.md /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | releaseType: terraform-module 16 | handleGHRelease: true 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # OSX leaves these everywhere on SMB shares 2 | ._* 3 | 4 | # OSX trash 5 | **/.DS_Store 6 | 7 | # Python 8 | *.pyc 9 | 10 | # Emacs save files 11 | *~ 12 | \#*\# 13 | .\#* 14 | 15 | # Vim-related files 16 | [._]*.s[a-w][a-z] 17 | [._]s[a-w][a-z] 18 | *.un~ 19 | Session.vim 20 | .netrwhist 21 | 22 | ### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore 23 | 24 | # Local .terraform directories 25 | **/.terraform/* 26 | 27 | # .tfstate files 28 | *.tfstate 29 | *.tfstate.* 30 | **/*.out 31 | 32 | # Crash log files 33 | crash.log 34 | 35 | # Kitchen files 36 | **/inspec.lock 37 | **/.kitchen 38 | **/kitchen.local.yml 39 | **/Gemfile.lock 40 | 41 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 42 | # .tfvars files are managed as part of configuration and so should be included in 43 | # version control. 44 | **/*.tfvars 45 | 46 | credentials.json 47 | -------------------------------------------------------------------------------- /.ruby-version: -------------------------------------------------------------------------------- 1 | 2.5.3 2 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | SHELL := /usr/bin/env bash
16 |
17 | DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.6
18 | DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
19 | REGISTRY_URL := gcr.io/cloud-foundation-cicd
20 |
21 | .PHONY: docker_test_lint
22 | docker_test_lint:
23 | 	docker run --rm -it \
24 | 		-v $(CURDIR):/workspace \
25 | 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
26 | 		/usr/local/bin/test_lint.sh
27 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
16 |
17 | # CFT Landing Zone (Migrate for Compute Engine)
18 |
19 | ## ⚠ Deprecated
20 |
21 | This module has been deprecated. For general guidance on landing zones, please refer to [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation).
22 |
23 | ## Google Cloud Shell Walkthrough
24 | A Google Cloud Shell walkthrough has been set up to make it easy for users who are new to Migrate and Terraform. It provides a set of instructions for getting a default installation of Migrate set up that can be used in a production environment.
25 |
26 | If you are familiar with Terraform and would like to run Terraform from a different machine, you can skip this walkthrough and move on to the [Deployment](#Deployment-Type) section.
27 |
28 | [![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/terraform-google-modules/terraform-google-migrate&tutorial=tutorials/multi-deployment-tutorial.md)
29 |
30 | ## Migrate for Compute Engine Prerequisites
31 |
32 | ### Migration Qualification
33 |
34 | Before proceeding with migration, you should already know:
35 |
36 | 1. Approximately how many VMs will be migrated
37 | 2. Where the source VMs are hosted: Azure, AWS or on-premises
38 | 3. How many GCP projects you will need for the migrated VMs
39 | 4. Whether you have, or plan, an on-premises or other-cloud connection to GCP via [VPN](https://cloud.google.com/vpn/docs/concepts/overview) / [Interconnect](https://cloud.google.com/hybrid-connectivity/)
40 | 5. Whether any network load balancing is involved
41 | 6. How much storage will be needed in GCP
42 |
43 | ### Deployment Type
44 |
45 | There are two deployment types to choose from when using CFT for Migrate for Compute Engine:
46 |
47 | **Single-project** deployment, where the Migrate for Compute Engine frontend, the Cloud Extension and the migrated VMs are hosted in the same GCP project:
48 |
49 | ![Single Project](images/cft-velo-single.png)
50 |
51 | **Multi-project** deployment, where the environment is split into four or more GCP projects that separately host the shared VPC, the Migrate for Compute Engine frontend and the migrated VMs:
52 |
53 | ![Multi Project](images/cft-velo-multi.png)
54 |
55 | **Example** of a high-level architecture for a multi-project landing zone:
56 |
57 | ![Example Solution](images/cft-velo-solution.png)
58 |
59 | ### Technical Prerequisites
60 |
61 | CFT for Migrate for Compute Engine is built on top of the [Google Cloud Project Factory Terraform Module](https://github.com/terraform-google-modules/terraform-google-project-factory); if additional customization is needed, refer to its [documentation](https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/README.md).
62 |
63 | You will create the following via CFT and Terraform:
64 |
65 | 1. GCP project to host the Migrate for Compute Engine Manager and Cloud Extensions (CE)
66 | 1. GCP VPC project (if a shared VPC will be used)
67 | 1. VPC with subnets
68 | 1. [Firewall rules](https://cloud.google.com/migrate/compute-engine/docs/4.5/concepts/planning-a-migration/network-access-requirements) for Migrate for Compute Engine
69 | 1. GCP network tags for Migrate for Compute Engine
70 | 1. Destination projects
71 | 1. GCP [roles and service accounts](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configuring-gcp/configuring-gcp-manually) for Migrate for Compute Engine
72 | 1. VPN (optional)
73 |
74 | Finally, [deploy](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configure-manager/configuring-on-gcp) the Migrate for Compute Engine Manager from the GCP [Marketplace](https://console.cloud.google.com/marketplace/details/click-to-deploy-images/velostrata?_ga=2.230596124.-1830265044.1554384916&_gac=1.75634663.1564563946.CL6bne_m3uMCFYYkGwodLkkPoQ).
75 |
--------------------------------------------------------------------------------
/build/lint.cloudbuild.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | steps:
16 | - name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
17 |   id: 'lint'
18 |   args: ['/usr/local/bin/test_lint.sh']
19 | tags:
20 | - 'ci'
21 | - 'lint'
22 | substitutions:
23 |   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
24 |   _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
25 |
--------------------------------------------------------------------------------
/docs/getting-started.md:
--------------------------------------------------------------------------------
1 | ## Getting Started
2 |
3 | #### Configuring Migrate for Compute Engine Landing Zone with CFT
4 |
5 | ### Tools
6 |
7 | **Install Cloud SDK** \
8 | The Google Cloud SDK is used to interact with your GCP resources. [Installation instructions](https://cloud.google.com/sdk/downloads) for
9 |
10 | multiple platforms are available online.
11 |
12 | **Install Terraform** \
13 | Terraform is used to automate the manipulation of cloud infrastructure. Its [installation instructions](https://www.terraform.io/intro/getting-started/install.html) are also available online.
14 |
15 | **Authenticate gcloud** \
16 | Prior to running this, ensure you have authenticated your gcloud client by running the following command:
17 |
18 | ```
19 | gcloud auth application-default login
20 | ```
21 |
22 | ### Deployment
23 |
24 | Download the repository:
25 |
26 | ```
27 | git clone https://github.com/terraform-google-modules/terraform-google-migrate.git
28 | ```
29 |
30 | File structure
31 |
32 | The project has the following folders and files:
33 |
34 | ```
35 |
36 | /: root folder
37 | /examples: Examples for doing single and multi project deployments
38 | /modules: Modules for core, single and multi projects
39 | /helpers: Optional helper scripts for ease of use
40 | /main.tf: TODO
41 | /variables.tf: TODO
42 | /output.tf: TODO
43 | /readme.md: this file
44 |
45 | ```
46 |
47 | **Single project deployment:**
48 |
49 | We will start by deploying the **single** project example:
50 |
51 | ```
52 | cd examples/single_deployment
53 | ```
54 |
55 | Provide these variables in terraform.tfvars:
56 |
57 | ```
58 | organization_id = "GCP ORGANIZATION ID"
59 | billing_account = "GCP BILLING ID"
60 | credentials_path = "SA KEY USED TO PROVISION RESOURCES"
61 | subnet_01_ip = "GCP VPC SUBNET IP"
62 | subnet_02_ip = "GCP VPC SUBNET IP"
63 | subnet_03_ip = "GCP VPC SUBNET IP"
64 | subnet_01_region = "GCP VPC REGION"
65 | subnet_02_region = "GCP VPC REGION"
66 | subnet_03_region = "GCP VPC REGION"
67 | local_subnet_01_ip = "ON-PREM/OTHER CLOUD SUBNET"
68 | ```
69 |
70 | Initialize, plan and deploy:
71 |
72 | ```
73 | terraform init
74 | terraform plan -var-file="terraform.tfvars"
75 | terraform apply -var-file="terraform.tfvars"
76 | ```
77 |
78 | The service accounts and project names required for completing the deployment will be generated as Terraform output.
79 |
80 | Once complete, continue with [deploying](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configure-manager/configuring-on-gcp) the Migrate for Compute Engine Manager from the GCP [Marketplace](https://console.cloud.google.com/marketplace/details/click-to-deploy-images/velostrata?_ga=2.230596124.-1830265044.1554384916&_gac=1.75634663.1564563946.CL6bne_m3uMCFYYkGwodLkkPoQ) and the Migrate for Compute Engine [backend](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configure-manager/configuring-vms-vm), or the [prerequisites](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/migrate-aws-to-gcp/overview) for AWS if migrating from AWS and the [prerequisites](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/migrate-azure-to-gcp/azure-prerequisites) for Microsoft Azure.
81 |
82 | **Multi project deployment:**
83 |
84 | ```
85 | cd ..
86 | cd examples/multi_deployment
87 | ```
88 |
89 | Provide these variables in terraform.tfvars:
90 |
91 | ```
92 | organization_id = "GCP ORGANIZATION ID"
93 | billing_account = "GCP BILLING ID"
94 | credentials_path = "SA KEY USED TO PROVISION RESOURCES"
95 | subnet_01_ip = "GCP VPC SUBNET IP"
96 | subnet_02_ip = "GCP VPC SUBNET IP"
97 | subnet_03_ip = "GCP VPC SUBNET IP"
98 | subnet_01_region = "GCP VPC REGION"
99 | subnet_02_region = "GCP VPC REGION"
100 | subnet_03_region = "GCP VPC REGION"
101 | local_subnet_01_ip = "ON-PREM/OTHER CLOUD SUBNET"
102 | ```
103 |
104 | The service accounts and project names required for completing the deployment will be generated as Terraform output.
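The guide's deployment procedure (fill in terraform.tfvars, then init/plan/apply) fails late if a placeholder string is left in place, and a service-account key file referenced by `credentials_path` is a secret that the repository's `.gitignore` deliberately keeps out of version control. The pre-flight script below is an added example written for this page, not a script shipped with terraform-google-migrate: it checks a tfvars file for leftover placeholders, malformed subnet CIDRs, missing variables and a credentials file that is absent or readable by other users, and only then runs the same three Terraform commands the guide uses. It assumes only the variable names listed above; the tfvars contents in the usage comment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check for the terraform.tfvars described in the getting-started
# guide. Added example for this page, not part of terraform-google-migrate.
# Assumes only the variable names the guide lists.
set -u

# Variables the guide asks you to set; all must be present.
REQUIRED_VARS="organization_id billing_account credentials_path
subnet_01_ip subnet_02_ip subnet_03_ip
subnet_01_region subnet_02_region subnet_03_region local_subnet_01_ip"

# Return 0 if $1 is an IPv4 CIDR (a.b.c.d/n, octets <= 255, 0 <= n <= 32).
is_ipv4_cidr() {
  local cidr="$1" ip prefix octet
  case "$cidr" in
    */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
    *)   return 1 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS='.'
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Report everything that would make "terraform apply" fail or expose a key:
# placeholder strings left over from the guide, subnet ranges that are not
# valid CIDRs, a missing required variable, and a credentials file that is
# absent or readable by group/other. Prints one line per finding and returns
# 0 only when there are none. Values containing '#' are not supported,
# because '#' starts a comment.
check_tfvars() {
  local file="$1" findings=0 seen="" line key value
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                       # drop comments
    case "$line" in *=*) ;; *) continue ;; esac
    key="$(printf '%s' "${line%%=*}" | tr -d '[:space:]')"
    value="$(printf '%s' "${line#*=}" | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//')"
    seen="$seen $key"
    case "$value" in
      *"GCP "*|*"SA KEY"*|*"ON-PREM"*)
        echo "$key: placeholder \"$value\" still present"
        findings=$((findings + 1))
        continue ;;
    esac
    case "$key" in
      subnet_*_ip|local_subnet_*_ip)
        if ! is_ipv4_cidr "$value"; then
          echo "$key: \"$value\" is not an IPv4 CIDR"
          findings=$((findings + 1))
        fi ;;
      credentials_path)
        case "$value" in "~"*) value="$HOME${value#\~}" ;; esac   # expand ~
        if [ ! -f "$value" ]; then
          echo "$key: $value does not exist"
          findings=$((findings + 1))
        elif ls -ld "$value" | cut -c5-10 | grep -q '[rwx]'; then
          echo "$key: $value is readable by group/other (chmod 600 it)"
          findings=$((findings + 1))
        fi ;;
    esac
  done < "$file"
  for key in $REQUIRED_VARS; do
    case " $seen " in *" $key "*) ;; *)
      echo "$key: missing from $file"
      findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# The guide's init/plan/apply sequence, run only after the checks pass.
deploy() {
  local dir="$1"
  check_tfvars "$dir/terraform.tfvars" || return 1
  (cd "$dir" && terraform init \
     && terraform plan -var-file="terraform.tfvars" \
     && terraform apply -var-file="terraform.tfvars")
}

# Usage: ./preflight.sh examples/single_deployment
# A constructed terraform.tfvars that passes looks like:
#   organization_id = "123456789012"
#   credentials_path = "~/.config/gcloud/sa-key.json"   (mode 600)
#   subnet_01_ip = "10.10.10.0/24"  ...  local_subnet_01_ip = "192.168.0.0/16"
if [ -n "${1:-}" ]; then deploy "$1"; fi
```

The same script serves both the single-project and the multi-project example directories, since the guide asks for the identical set of variables in each; run it from the repository root with the example directory as its argument. The permission check uses `ls -ld` rather than `stat` so that it behaves the same on GNU and BSD userlands.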
105 | 106 | Once complete continue with [deploying](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configure-manager/configuring-on-gcp) Migrate for Compute Engine Manager via GCP [Marketplace](https://console.cloud.google.com/marketplace/details/click-to-deploy-images/velostrata?_ga=2.230596124.-1830265044.1554384916&_gac=1.75634663.1564563946.CL6bne_m3uMCFYYkGwodLkkPoQ) and Migrate for Compute Engine [backend](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/configure-manager/configuring-vms-vm) or [prerequisites](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/migrate-aws-to-gcp/overview) for AWS if migrating from AWS, and [prerequisites](https://cloud.google.com/migrate/compute-engine/docs/4.5/how-to/migrate-azure-to-gcp/azure-prerequisites) for Microsoft Azure. 107 | -------------------------------------------------------------------------------- /examples/multi_deployment/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /***************************************** 18 | Folder Structure 19 | *****************************************/ 20 | module "migration-folders" { 21 | source = "terraform-google-modules/folders/google" 22 | version = "~> 2.0" 23 | # parent = "organizations/${var.organization_id}" 24 | parent = "folders/619261348000" 25 | names = concat(["shared"], var.environments) 26 | set_roles = true 27 | per_folder_admins = var.per_folder_admins 28 | all_folder_admins = var.all_folder_admins 29 | } 30 | 31 | /***************************************** 32 | Velostrata Multi Project Deployment 33 | *****************************************/ 34 | 35 | module "velos-multi-project" { 36 | source = "../../modules/multi" 37 | organization_id = var.organization_id 38 | billing_account = var.billing_account 39 | vpc_folder_id = split("/", module.migration-folders.ids["shared"])[1] 40 | velo_folder_id = split("/", module.migration-folders.ids["shared"])[1] 41 | prod_folder_id = split("/", module.migration-folders.ids["prod"])[1] 42 | nonprod_folder_id = split("/", module.migration-folders.ids["nonprod"])[1] 43 | subnet_01_ip = var.subnet_01_ip 44 | subnet_02_ip = var.subnet_02_ip 45 | subnet_03_ip = var.subnet_03_ip 46 | subnet_01_region = var.subnet_01_region 47 | subnet_02_region = var.subnet_02_region 48 | subnet_03_region = var.subnet_03_region 49 | local_subnet_01_ip = var.local_subnet_01_ip 50 | 51 | } 52 | /***************************************** 53 | VPN 54 | *****************************************/ 55 | 56 | module "velos-vpn" { 57 | source = "../../modules/networking/vpn" 58 | project_id = module.velos-multi-project.shared_vpc_project_id 59 | network = module.velos-multi-project.network_name 60 | router_region = var.router_region 61 | vpn_region = var.vpn_region 62 | } 63 | -------------------------------------------------------------------------------- /examples/multi_deployment/outputs.tf: 
-------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "folders" { 18 | description = "Folder ids" 19 | value = module.migration-folders.ids 20 | } 21 | 22 | output "shared_vpc_project_id" { 23 | value = module.velos-multi-project.shared_vpc_project_id 24 | description = "The ID of the shared VPC host project" 25 | } 26 | 27 | output "velos_project_id" { 28 | value = module.velos-multi-project.velos_project_id 29 | description = "The ID of the velo project" 30 | } 31 | 32 | output "prod_project_id" { 33 | value = module.velos-multi-project.prod_project_id 34 | description = "The ID of the prod project" 35 | } 36 | 37 | output "non_prod_project_id" { 38 | value = module.velos-multi-project.non_prod_project_id 39 | description = "The ID of the stage project" 40 | } 41 | 42 | output "velos_network_name" { 43 | description = "Name of the VPC created" 44 | value = module.velos-multi-project.network_name 45 | } 46 | 47 | output "velos_migration_manager_svc" { 48 | description = "Velostrata migration service account" 49 | value = module.velos-multi-project.velos_migration_manager_svc 50 | } 51 | 52 | output "velos_compute_engine_cloud_extension_svc" { 53 | description = "Velostrata cloud extension service account" 54 | value = module.velos-multi-project.velos_compute_engine_cloud_extension_svc 55 | 
} 56 | 57 | output "vpc_tunnel_name" { 58 | description = "The VPN tunnel name is" 59 | value = module.velos-vpn.vpn_tunnels_names-dynamic 60 | } 61 | 62 | output "gateway_ip" { 63 | description = "The VPN Gateway Public IP" 64 | value = module.velos-vpn.gateway_ip 65 | } 66 | -------------------------------------------------------------------------------- /examples/multi_deployment/providers.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | provider "google" { 18 | version = "~> 2.19" 19 | } 20 | 21 | provider "google-beta" { 22 | version = "~> 2.19" 23 | } 24 | -------------------------------------------------------------------------------- /examples/multi_deployment/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "organization_id" { 18 | description = "The organization id for the associated services" 19 | } 20 | 21 | variable "billing_account" { 22 | description = "The ID of the billing account to associate this project with" 23 | } 24 | 25 | variable "credentials_path" { 26 | description = "Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials." 27 | default = "~/.config/gcloud/application_default_credentials.json" 28 | } 29 | 30 | variable "environments" { 31 | type = list(string) 32 | description = "List of folders to be created in addition to VPC Shared project and Velostrata Project" 33 | default = ["prod", "nonprod"] 34 | } 35 | 36 | variable "all_folder_admins" { 37 | type = list(string) 38 | description = "List of IAM-style members that will get the extended permissions across all the folders." 39 | default = [] 40 | } 41 | 42 | variable "per_folder_admins" { 43 | type = list(string) 44 | description = "List of IAM-style members per folder who will get extended permissions." 
45 | default = [] 46 | } 47 | 48 | variable "subnet_01_ip" { 49 | description = "IP range for the subnet" 50 | } 51 | 52 | variable "subnet_02_ip" { 53 | description = "IP range for the subnet" 54 | } 55 | 56 | variable "subnet_03_ip" { 57 | description = "IP range for the subnet" 58 | } 59 | 60 | variable "subnet_01_region" { 61 | description = "Region of subnet 1" 62 | } 63 | 64 | variable "subnet_02_region" { 65 | description = "Region of subnet 2" 66 | } 67 | 68 | variable "subnet_03_region" { 69 | description = "Region of subnet 3" 70 | } 71 | 72 | variable "local_subnet_01_ip" { 73 | description = "IP range of the on-prem network" 74 | } 75 | 76 | variable "router_region" { 77 | description = "The region in which you want to create the router" 78 | } 79 | 80 | variable "vpn_region" { 81 | description = "The region in which you want to create the VPN gateway" 82 | } 83 | -------------------------------------------------------------------------------- /examples/single_deployment/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /***************************************** 18 | Folder Structure 19 | *****************************************/ 20 | module "migration-folders" { 21 | source = "terraform-google-modules/folders/google" 22 | version = "~> 2.0" 23 | # parent = "organizations/${var.organization_id}" 24 | parent = "folders/778694630464" 25 | names = ["velos"] 26 | set_roles = true 27 | per_folder_admins = var.per_folder_admins 28 | all_folder_admins = var.all_folder_admins 29 | } 30 | 31 | /***************************************** 32 | Velostrata Single Project Deployment 33 | *****************************************/ 34 | 35 | module "velos-single-project" { 36 | source = "../../modules/single" 37 | organization_id = var.organization_id 38 | billing_account = var.billing_account 39 | folder_id = split("/", module.migration-folders.ids["velos"])[1] 40 | subnet_01_ip = var.subnet_01_ip 41 | subnet_02_ip = var.subnet_02_ip 42 | subnet_03_ip = var.subnet_03_ip 43 | subnet_01_region = var.subnet_01_region 44 | subnet_02_region = var.subnet_02_region 45 | subnet_03_region = var.subnet_03_region 46 | local_subnet_01_ip = var.local_subnet_01_ip 47 | 48 | } 49 | 50 | /***************************************** 51 | VPN 52 | *****************************************/ 53 | module "velos-vpn" { 54 | source = "../../modules/networking/vpn" 55 | project_id = module.velos-single-project.project_id 56 | network = module.velos-single-project.network_name 57 | router_region = var.router_region 58 | vpn_region = var.vpn_region 59 | } 60 | -------------------------------------------------------------------------------- /examples/single_deployment/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "folders" { 18 | description = "Folder ids" 19 | value = module.migration-folders.ids 20 | } 21 | 22 | output "core_project_id" { 23 | description = "Project id of the velos project" 24 | value = module.velos-single-project.project_id 25 | } 26 | 27 | output "velos_network_name" { 28 | description = "Name of the VPC created" 29 | value = module.velos-single-project.network_name 30 | } 31 | 32 | output "velos_migration_manager_svc" { 33 | description = "Velostrata migration service account" 34 | value = module.velos-single-project.velos_migration_manager_svc 35 | } 36 | 37 | output "velos_compute_engine_cloud_extension_svc" { 38 | description = "Velostrata cloud extension service account" 39 | value = module.velos-single-project.velos_compute_engine_cloud_extension_svc 40 | } 41 | 42 | output "vpc_tunnel_name" { 43 | description = "The VPN tunnel name is" 44 | value = module.velos-vpn.vpn_tunnels_names-dynamic 45 | } 46 | 47 | output "gateway_ip" { 48 | description = "The VPN Gateway Public IP" 49 | value = module.velos-vpn.gateway_ip 50 | } 51 | -------------------------------------------------------------------------------- /examples/single_deployment/providers.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | provider "google" { 18 | version = "~> 2.19" 19 | } 20 | 21 | provider "google-beta" { 22 | version = "~> 2.19" 23 | } 24 | -------------------------------------------------------------------------------- /examples/single_deployment/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "organization_id" { 18 | description = "The organization id for the associated services" 19 | } 20 | 21 | variable "billing_account" { 22 | description = "The ID of the billing account to associate this project with" 23 | } 24 | 25 | variable "all_folder_admins" { 26 | type = list(string) 27 | description = "List of IAM-style members that will get the extended permissions across all the folders." 
28 | default = [] 29 | } 30 | 31 | variable "per_folder_admins" { 32 | type = list(string) 33 | description = "List of IAM-style members per folder who will get extended permissions." 34 | default = [] 35 | } 36 | 37 | variable "subnet_01_ip" { 38 | description = "IP range for the subnet" 39 | } 40 | 41 | variable "subnet_02_ip" { 42 | description = "IP range for the subnet" 43 | } 44 | 45 | variable "subnet_03_ip" { 46 | description = "IP range for the subnet" 47 | } 48 | 49 | variable "subnet_01_region" { 50 | description = "Region of subnet 1" 51 | } 52 | 53 | variable "subnet_02_region" { 54 | description = "Region of subnet 2" 55 | } 56 | 57 | variable "subnet_03_region" { 58 | description = "Region of subnet 3" 59 | } 60 | 61 | variable "local_subnet_01_ip" { 62 | description = "IP range of the on-prem network" 63 | } 64 | 65 | variable "router_region" { 66 | description = "The region in which you want to create the router" 67 | } 68 | 69 | variable "vpn_region" { 70 | description = "The region in which you want to create the VPN gateway" 71 | } 72 | -------------------------------------------------------------------------------- /images/cft-velo-multi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/terraform-google-modules/terraform-google-migrate/941d765c3e4cdd04da58cec05bc34f3f5b9e4e1d/images/cft-velo-multi.png -------------------------------------------------------------------------------- /images/cft-velo-single.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/terraform-google-modules/terraform-google-migrate/941d765c3e4cdd04da58cec05bc34f3f5b9e4e1d/images/cft-velo-single.png -------------------------------------------------------------------------------- /images/cft-velo-solution.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/terraform-google-modules/terraform-google-migrate/941d765c3e4cdd04da58cec05bc34f3f5b9e4e1d/images/cft-velo-solution.png
--------------------------------------------------------------------------------
/modules/multi/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

###############################################################################
# IAM role grants for the Velostrata service accounts. They are applied to the
# Velostrata project in the IAM section at the bottom of this file.
###############################################################################

locals {
  bindings = [
    { role    = "roles/iam.serviceAccountTokenCreator"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role    = "roles/iam.serviceAccountUser"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role = "roles/logging.logWriter"
      members = [
        "serviceAccount:${google_service_account.velos-manager.email}",
        "serviceAccount:${google_service_account.velos-cloud-extension.email}"
      ]
    },
    { role = "roles/monitoring.metricWriter"
      members = [
        "serviceAccount:${google_service_account.velos-manager.email}",
        "serviceAccount:${google_service_account.velos-cloud-extension.email}"
      ]
    },
    { role    = "roles/monitoring.viewer"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role    = "roles/cloudmigration.storageaccess"
      members = ["serviceAccount:${google_service_account.velos-cloud-extension.email}"]
    }
  ]

  # One (role, member) pair per grant, so each grant can be managed with the
  # additive google_project_iam_member resource rather than an authoritative
  # binding. The list has a static shape, so its length is known at plan time
  # even though the service account e-mails are not.
  binding_members = flatten([
    for binding in local.bindings : [
      for member in binding.members : { role = binding.role, member = member }
    ]
  ])
}

###############################################################################
# Networking (VPCs, Firewalls)
###############################################################################

/******************************************
  Network Creation
 *****************************************/

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 2.0"

  project_id   = module.vpc-project.project_id
  network_name = var.network_name

  delete_default_internet_gateway_routes = "false"
  shared_vpc_host                        = "true"

  subnets = [
    {
      # Subnet 1 is created without Private Google Access or VPC flow logs;
      # subnets 2 and 3 enable both.
      subnet_name   = "${var.network_name}-subnet-01"
      subnet_ip     = var.subnet_01_ip
      subnet_region = var.subnet_01_region
    },
    {
      subnet_name           = "${var.network_name}-subnet-02"
      subnet_ip             = var.subnet_02_ip
      subnet_region         = var.subnet_02_region
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name           = "${var.network_name}-subnet-03"
      subnet_ip             = var.subnet_03_ip
      subnet_region         = var.subnet_03_region
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
  ]
}

# Attach the Velostrata, prod and nonprod projects as service projects of the
# Shared VPC and grant their default service accounts subnet-level access.
module "net-shared-vpc-access" {
  source              = "terraform-google-modules/network/google//modules/fabric-net-svpc-access"
  host_project_id     = module.vpc-project.project_id
  service_project_num = 3
  service_project_ids = [module.velo-project.project_id, module.prod-project.project_id, module.nonprod-project.project_id]
  host_subnets        = module.vpc.subnets_names
  host_subnet_regions = [var.subnet_01_region, var.subnet_02_region, var.subnet_03_region]
  host_subnet_users = {
    "${var.network_name}-subnet-01" = "serviceAccount:${module.velo-project.service_account_email},serviceAccount:${module.prod-project.service_account_email},serviceAccount:${module.nonprod-project.service_account_email}"
    "${var.network_name}-subnet-02" = "serviceAccount:${module.velo-project.service_account_email},serviceAccount:${module.prod-project.service_account_email},serviceAccount:${module.nonprod-project.service_account_email}"
    "${var.network_name}-subnet-03" = "serviceAccount:${module.velo-project.service_account_email},serviceAccount:${module.prod-project.service_account_email},serviceAccount:${module.nonprod-project.service_account_email}"
  }
  host_service_agent_role = true
  host_service_agent_users = [
    "serviceAccount:${google_service_account.velos-manager.email}",
    "serviceAccount:${google_service_account.velos-cloud-extension.email}",
  ]
}

/******************************************
  Firewall Rules Creation
 *****************************************/

# All rules below are ingress rules. Traffic from on-prem is limited to
# var.local_subnet_01_ip; traffic between Google Cloud components is limited by
# network tags, so an instance only receives a rule when it carries the
# matching fw-velosmanager, fw-velostrata or fw-workload tag.

resource "google_compute_firewall" "velos-backend-control" {
  name          = "velos-backend-control"
  description   = "Control plane between Velostrata Backend and Velostrata Manager"
  network       = var.network_name
  project       = module.vpc-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["9119"]
  }
}

resource "google_compute_firewall" "velos-ce-backend" {
  name          = "velos-ce-backend"
  description   = "Encrypted migration data sent from Velostrata Backend to Cloud Extensions"
  network       = var.network_name
  project       = module.vpc-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velostrata"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["9111"]
  }
}

resource "google_compute_firewall" "velos-ce-control" {
  name        = "velos-ce-control"
  description = "Control plane between Cloud Extensions and Velostrata Manager"
  network     = var.network_name
  project     = module.vpc-project.project_id
  source_tags = ["fw-velosmanager"]
  target_tags = ["fw-velostrata"]
  depends_on  = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443", "9111"]
  }
}

# Allows every protocol, but only between instances that carry the
# fw-velostrata tag (the Cloud Extension nodes); no CIDR source is used.
resource "google_compute_firewall" "velos-ce-cross" {
  name        = "velos-ce-cross"
  description = "Synchronization between Cloud Extension nodes"
  network     = var.network_name
  project     = module.vpc-project.project_id
  source_tags = ["fw-velostrata"]
  target_tags = ["fw-velostrata"]
  depends_on  = [module.vpc]

  allow {
    protocol = "all"
  }
}

resource "google_compute_firewall" "velos-console-probe" {
  name        = "velos-console-probe"
  description = "Allows the Velostrata Manager to check if the SSH or RDP console on the migrated VM is available"
  network     = var.network_name
  project     = module.vpc-project.project_id
  source_tags = ["fw-velosmanager"]
  target_tags = ["fw-workload"]
  depends_on  = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

resource "google_compute_firewall" "velos-vcplugin" {
  name          = "velos-vcplugin"
  description   = "Control plane between vCenter plugin and Velostrata Manager"
  network       = var.network_name
  project       = module.vpc-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# 10.10.20.0/24 is a hard-coded range left in the module; replace it with the
# range you actually administer the web UI from, or remove it.
resource "google_compute_firewall" "velos-webui" {
  name          = "velos-webui"
  description   = "HTTPS access to Velostrata Manager for web UI"
  network       = var.network_name
  project       = module.vpc-project.project_id
  source_ranges = [var.local_subnet_01_ip, "10.10.20.0/24"]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Same hard-coded 10.10.20.0/24 range as velos-webui; see the note above.
resource "google_compute_firewall" "velos-workload" {
  name          = "velos-workload"
  description   = "iSCSI for data migration and syslog"
  network       = var.network_name
  project       = module.vpc-project.project_id
  source_ranges = [var.local_subnet_01_ip, "10.10.20.0/24"]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["3260"]
  }
  allow {
    protocol = "udp"
    ports    = ["514"]
  }
}

###############################################################################
# Projects
###############################################################################

# Shared VPC host project, created in the Shared VPC folder (var.vpc_folder_id).
module "vpc-project" {
  source            = "terraform-google-modules/project-factory/google"
  version           = "~> 6.0"
  name              = "${var.project_prefix}-${var.vpc_project_name}"
  random_project_id = "true"
  org_id            = var.organization_id
  folder_id         = var.vpc_folder_id
  billing_account   = var.billing_account
  activate_apis     = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com"]
}

# Project that hosts the Velostrata Manager and Cloud Extensions.
module "velo-project" {
  source            = "terraform-google-modules/project-factory/google"
  version           = "~> 6.0"
  name              = "${var.project_prefix}-${var.velo_project_name}"
  random_project_id = "true"
  org_id            = var.organization_id
  folder_id         = var.velo_folder_id
  billing_account   = var.billing_account
  activate_apis     = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com"]
}

module "prod-project" {
  source            = "terraform-google-modules/project-factory/google"
  version           = "~> 6.0"
  name              = "${var.project_prefix}-${var.prod_project_name}"
  random_project_id = "true"
  org_id            = var.organization_id
  folder_id         = var.prod_folder_id
  billing_account   = var.billing_account
  activate_apis     = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com"]
}

module "nonprod-project" {
  source            = "terraform-google-modules/project-factory/google"
  version           = "~> 6.0"
  name              = "${var.project_prefix}-${var.nonprod_project_name}"
  random_project_id = "true"
  org_id            = var.organization_id
  folder_id         = var.nonprod_folder_id
  billing_account   = var.billing_account
  activate_apis     = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com"]
}

###############################################################################
# IAM (service accounts, roles)
###############################################################################

/******************************************
  Service Accounts
 *****************************************/

resource "google_service_account" "velos-manager" {
  account_id   = "velos-manager"
  display_name = "velos-manager"
  project      = module.velo-project.project_id
}

resource "google_service_account" "velos-cloud-extension" {
  account_id   = "velos-cloud-extension"
  display_name = "velos-cloud-extension"
  project      = module.velo-project.project_id
}

/******************************************
  Bind Roles to Service Accounts
 *****************************************/

# The organizations_iam module is not used here because its for_each keys
# depend on values that are unknown at plan time.
#
# The grants use the additive *_iam_member resources. The *_iam_binding
# resources are authoritative for a role at a scope: an organization-level
# binding for roles/iam.serviceAccountUser would remove every other principal
# holding that role in the organization on the next apply.
#
# roles/iam.serviceAccountUser at organization scope lets velos-manager act as
# any service account in the organization. Check whether your migration needs
# that breadth or whether folder or project scope is enough.
resource "google_organization_iam_member" "serviceAccountUser" {
  org_id = var.organization_id
  role   = "roles/iam.serviceAccountUser"
  member = "serviceAccount:${google_service_account.velos-manager.email}"
}

resource "google_organization_iam_member" "velos_gcp_mgmt" {
  org_id = var.organization_id
  role   = "roles/cloudmigration.inframanager"
  member = "serviceAccount:${google_service_account.velos-manager.email}"
}

# Project-level grants in the Velostrata project. The IAM module was replaced
# for the same for_each reason as above; count over a list of static length
# works because only the element values, not the list shape, are unknown.
resource "google_project_iam_member" "iam" {
  count   = length(local.binding_members)
  project = module.velo-project.project_id
  role    = local.binding_members[count.index].role
  member  = local.binding_members[count.index].member
}

# Deploying Velostrata from Marketplace into the Velostrata project requires
# that project's Google APIs service account to hold compute.networkUser on
# the Shared VPC host project.
resource "google_project_iam_member" "vpc-velo-proj-cloud-services-svc" {
  project = module.vpc-project.project_id
  role    = "roles/compute.networkUser"
  member  = "serviceAccount:${module.velo-project.project_number}@cloudservices.gserviceaccount.com"
}
--------------------------------------------------------------------------------
/modules/multi/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "shared_vpc_project_id" {
  value       = module.vpc-project.project_id
  description = "The ID of the Shared VPC host project"
}

output "velos_project_id" {
  value       = module.velo-project.project_id
  description = "The ID of the Velostrata project"
}

output "prod_project_id" {
  value       = module.prod-project.project_id
  description = "The ID of the prod project"
}

output "non_prod_project_id" {
  value       = module.nonprod-project.project_id
  description = "The ID of the nonprod project"
}

output "network_name" {
  value       = module.vpc.network_name
  description = "The name of the VPC being created"
}

output "velos_migration_manager_svc" {
  value       = google_service_account.velos-manager.email
  description = "Service account for Manager Service"
}

output "velos_compute_engine_cloud_extension_svc" {
  value       = google_service_account.velos-cloud-extension.email
  description = "Service account for Compute Engine Cloud Extension"
}
--------------------------------------------------------------------------------
/modules/multi/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "organization_id" {
  description = "The organization ID for the associated services"
}

variable "billing_account" {
  description = "The ID of the billing account to associate these projects with"
}

variable "project_prefix" {
  description = "Prefix prepended to every project name"
  default     = "multi-"
}

variable "vpc_project_name" {
  description = "Shared VPC GCP project name"
  default     = "shared-network"
}

variable "velo_project_name" {
  description = "Velostrata GCP project name"
  default     = "shared-migrate"
}

variable "prod_project_name" {
  description = "Production GCP project name"
  default     = "prod-core"
}

variable "nonprod_project_name" {
  description = "Nonprod GCP project name"
  default     = "nonprod-core"
}

variable "vpc_folder_id" {
  description = "Folder ID for the Shared VPC host project"
}

variable "velo_folder_id" {
  description = "Folder ID for the Velostrata project"
}

variable "prod_folder_id" {
  description = "Folder ID for the production project"
}

variable "nonprod_folder_id" {
  description = "Folder ID for the nonprod project"
}

variable "network_name" {
  description = "Name for the Shared VPC network"
  default     = "velo-network"
}

# The subnet and on-prem ranges have no defaults and must be supplied.

variable "subnet_01_ip" {
  description = "CIDR range for subnet 1"
}

variable "subnet_02_ip" {
  description = "CIDR range for subnet 2"
}

variable "subnet_03_ip" {
  description = "CIDR range for subnet 3"
}

variable "subnet_01_region" {
  description = "Region of subnet 1"
}

variable "subnet_02_region" {
  description = "Region of subnet 2"
}

variable "subnet_03_region" {
  description = "Region of subnet 3"
}

variable "local_subnet_01_ip" {
  description = "CIDR range of the on-prem network that is allowed to reach the Velostrata components"
}
--------------------------------------------------------------------------------
/modules/networking/vpn/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Cloud Router that terminates the BGP sessions for the dynamic-routing VPN.
resource "google_compute_router" "cr_to_mgt_vpc" {
  name    = var.router_name
  region  = var.router_region
  network = var.network
  project = var.project_id

  bgp {
    asn = var.bgp_asn
  }
}

# Classic VPN gateway with var.tunnel_count IPsec tunnels, one per on-prem
# peer, each running a BGP session against the Cloud Router above.
module "vpn_dynamic" {
  source  = "terraform-google-modules/vpn/google"
  version = "~> 1.2.0"

  project_id         = var.project_id
  network            = var.network
  region             = var.vpn_region
  gateway_name       = var.gateway_name
  tunnel_name_prefix = var.tunnel_name_prefix
  shared_secret      = var.shared_secret
  tunnel_count       = var.tunnel_count
  peer_ips           = var.peer_ips

  cr_enabled               = true
  cr_name                  = google_compute_router.cr_to_mgt_vpc.name
  bgp_cr_session_range     = var.bgp_cr_session_range
  bgp_remote_session_range = var.bgp_remote_session_range
  peer_asn                 = var.peer_asn
}
--------------------------------------------------------------------------------
/modules/networking/vpn/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "vpn_tunnels_names-dynamic" {
  description = "Names of the VPN tunnels"
  value       = module.vpn_dynamic.vpn_tunnels_names-dynamic
}

# The pre-shared key is still stored in state, but marking the output
# sensitive keeps it out of `terraform apply` and `terraform output` logs.
output "ipsec_secret-dynamic" {
  description = "The IPsec pre-shared key used by the tunnels"
  value       = module.vpn_dynamic.ipsec_secret-dynamic
  sensitive   = true
}

output "gateway_ip" {
  description = "The VPN gateway public IP"
  value       = module.vpn_dynamic.gateway_ip
}
--------------------------------------------------------------------------------
/modules/networking/vpn/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "project_id" {
  type        = string
  description = "The ID of the project where the VPN gateway and router are created"
}

variable "network" {
  type        = string
  description = "The name of the VPC the VPN gateway attaches to"
}

variable "router_region" {
  type        = string
  description = "The region in which to create the Cloud Router"
}

variable "vpn_region" {
  type        = string
  description = "The region in which to create the VPN gateway"
}

variable "router_name" {
  type        = string
  description = "The name of the Cloud Router"
  default     = "router-vm-migrate"
}

variable "gateway_name" {
  type        = string
  description = "The name of the VPN gateway"
  default     = "vpn-gw-vm-migrate"
}

variable "tunnel_count" {
  type        = number
  description = "The number of tunnels from the VPN gateway"
  default     = 2
}

variable "tunnel_name_prefix" {
  type        = string
  description = "Optional custom name prefix for the VPN tunnels being created"
  default     = "vpn-tn-vm-migrate"
}

# No default: the previous placeholder addresses were real, routable public
# IPs that do not belong to you, and a tunnel must never be pointed at them.
variable "peer_ips" {
  type        = list(string)
  description = "Public IP addresses of the on-prem VPN gateways, one per tunnel"
}

# No default: a fixed pre-shared key shipped in a module is a shared secret
# known to everyone who can read the module. Generate a random key of at
# least 20 characters, pass it from a secret store or an untracked tfvars
# file, and never commit it. On Terraform 0.14 or later you can additionally
# set `sensitive = true` here.
variable "shared_secret" {
  type        = string
  description = "IPsec pre-shared key for the tunnels"
}

variable "peer_asn" {
  type        = list(string)
  description = "The ASN of each BGP peer the Cloud Router will use, one per tunnel"
  default     = ["64516", "64517"]
}

variable "bgp_cr_session_range" {
  type        = list(string)
  description = "The Cloud Router interface IP/session IP for each tunnel (link-local range)"
  default     = ["169.254.1.1/30", "169.254.1.5/30"]
}

variable "bgp_remote_session_range" {
  type        = list(string)
  description = "The remote environment's BGP session IP for each tunnel"
  default     = ["169.254.1.2", "169.254.1.6"]
}

variable "bgp_asn" {
  type        = string
  description = "The ASN that the Cloud Router will use"
  default     = "64515"
}
--------------------------------------------------------------------------------
/modules/single/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# IAM role grants for the Velostrata service accounts, applied to the single
# project created below. In the single-project layout the inframanager role
# is granted at project scope rather than organization scope.
locals {
  bindings = [
    { role    = "roles/iam.serviceAccountTokenCreator"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role    = "roles/iam.serviceAccountUser"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role = "roles/logging.logWriter"
      members = [
        "serviceAccount:${google_service_account.velos-manager.email}",
        "serviceAccount:${google_service_account.velos-cloud-extension.email}"
      ]
    },
    { role = "roles/monitoring.metricWriter"
      members = [
        "serviceAccount:${google_service_account.velos-manager.email}",
        "serviceAccount:${google_service_account.velos-cloud-extension.email}"
      ]
    },
    { role    = "roles/monitoring.viewer"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role    = "roles/cloudmigration.inframanager"
      members = ["serviceAccount:${google_service_account.velos-manager.email}"]
    },
    { role    = "roles/cloudmigration.storageaccess"
      members = ["serviceAccount:${google_service_account.velos-cloud-extension.email}"]
    }
  ]

  # One (role, member) pair per grant so each can be managed with the additive
  # google_project_iam_member resource. The list shape is static, so its
  # length is known at plan time even though the e-mails are not.
  binding_members = flatten([
    for binding in local.bindings : [
      for member in binding.members : { role = binding.role, member = member }
    ]
  ])
}

resource "random_string" "suffix" {
  length  = 4
  special = false
  upper   = false
}

###############################################################################
# Project
###############################################################################

module "velos-project" {
  source                  = "terraform-google-modules/project-factory/google"
  version                 = "~> 5.0"
  name                    = var.project_name == "" ? "velos-core-project-${random_string.suffix.result}" : var.project_name
  org_id                  = var.organization_id
  billing_account         = var.billing_account
  default_service_account = var.default_service_account
  folder_id               = var.folder_id
  activate_apis           = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com"]
}

###############################################################################
# Networking (VPCs, Firewalls)
###############################################################################

/******************************************
  Network Creation
 *****************************************/

# Unlike the multi-project module, the default internet gateway routes are
# removed and flow logs are off on every subnet.
module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 1.4.3"

  project_id   = module.velos-project.project_id
  network_name = var.network_name

  delete_default_internet_gateway_routes = "true"
  shared_vpc_host                        = "false"

  subnets = [
    {
      subnet_name   = "${var.network_name}-subnet-01"
      subnet_ip     = var.subnet_01_ip
      subnet_region = var.subnet_01_region
    },
    {
      # Each subnet uses its own region variable; subnets 2 and 3 previously
      # reused subnet_01_region and left subnet_02_region/subnet_03_region unused.
      subnet_name           = "${var.network_name}-subnet-02"
      subnet_ip             = var.subnet_02_ip
      subnet_region         = var.subnet_02_region
      subnet_private_access = "true"
      subnet_flow_logs      = "false"
    },
    {
      subnet_name           = "${var.network_name}-subnet-03"
      subnet_ip             = var.subnet_03_ip
      subnet_region         = var.subnet_03_region
      subnet_private_access = "true"
      subnet_flow_logs      = "false"
    },
  ]
}

/******************************************
  Firewall Rules Creation
 *****************************************/

# All rules below are ingress rules. Traffic from on-prem is limited to
# var.local_subnet_01_ip; traffic between Google Cloud components is limited by
# network tags (fw-velosmanager, fw-velostrata, fw-workload).

resource "google_compute_firewall" "velos-backend-control" {
  name          = "velos-backend-control"
  description   = "Control plane between Velostrata Backend and Velostrata Manager"
  network       = var.network_name
  project       = module.velos-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["9119"]
  }
}

resource "google_compute_firewall" "velos-ce-backend" {
  name          = "velos-ce-backend"
  description   = "Encrypted migration data sent from Velostrata Backend to Cloud Extensions"
  network       = var.network_name
  project       = module.velos-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velostrata"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["9111"]
  }
}

resource "google_compute_firewall" "velos-ce-control" {
  name        = "velos-ce-control"
  description = "Control plane between Cloud Extensions and Velostrata Manager"
  network     = var.network_name
  project     = module.velos-project.project_id
  source_tags = ["fw-velosmanager"]
  target_tags = ["fw-velostrata"]
  depends_on  = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443", "9111"]
  }
}

# Allows every protocol, but only between instances tagged fw-velostrata
# (the Cloud Extension nodes); no CIDR source is used.
resource "google_compute_firewall" "velos-ce-cross" {
  name        = "velos-ce-cross"
  description = "Synchronization between Cloud Extension nodes"
  network     = var.network_name
  project     = module.velos-project.project_id
  source_tags = ["fw-velostrata"]
  target_tags = ["fw-velostrata"]
  depends_on  = [module.vpc]

  allow {
    protocol = "all"
  }
}

resource "google_compute_firewall" "velos-console-probe" {
  name        = "velos-console-probe"
  description = "Allows the Velostrata Manager to check if the SSH or RDP console on the migrated VM is available"
  network     = var.network_name
  project     = module.velos-project.project_id
  source_tags = ["fw-velosmanager"]
  target_tags = ["fw-workload"]
  depends_on  = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

resource "google_compute_firewall" "velos-vcplugin" {
  name          = "velos-vcplugin"
  description   = "Control plane between vCenter plugin and Velostrata Manager"
  network       = var.network_name
  project       = module.velos-project.project_id
  source_ranges = [var.local_subnet_01_ip]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# 10.10.20.0/24 is a hard-coded range left in the module; replace it with the
# range you actually administer the web UI from, or remove it.
resource "google_compute_firewall" "velos-webui" {
  name          = "velos-webui"
  description   = "HTTPS access to Velostrata Manager for web UI"
  network       = var.network_name
  project       = module.velos-project.project_id
  source_ranges = [var.local_subnet_01_ip, "10.10.20.0/24"]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Same hard-coded 10.10.20.0/24 range as velos-webui; see the note above.
resource "google_compute_firewall" "velos-workload" {
  name          = "velos-workload"
  description   = "iSCSI for data migration and syslog"
  network       = var.network_name
  project       = module.velos-project.project_id
  source_ranges = [var.local_subnet_01_ip, "10.10.20.0/24"]
  target_tags   = ["fw-velosmanager"]
  depends_on    = [module.vpc]

  allow {
    protocol = "tcp"
    ports    = ["3260"]
  }
  allow {
    protocol = "udp"
    ports    = ["514"]
  }
}

###############################################################################
# IAM (service accounts, roles)
###############################################################################

/******************************************
  Service Accounts
 *****************************************/

resource "google_service_account" "velos-manager" {
  account_id   = "velos-manager"
  display_name = "velos-manager"
  project      = module.velos-project.project_id
}

resource "google_service_account" "velos-cloud-extension" {
  account_id   = "velos-cloud-extension"
  display_name = "velos-cloud-extension"
  project      = module.velos-project.project_id
}

/******************************************
  Bind Roles to Service Accounts
 *****************************************/

# The IAM module was replaced because its for_each keys depend on values that
# are unknown at plan time. google_project_iam_member is additive; a
# google_project_iam_binding would be authoritative for each role and remove
# any other principal holding that role in the project on apply.
resource "google_project_iam_member" "iam" {
  count   = length(local.binding_members)
  project = module.velos-project.project_id
  role    = local.binding_members[count.index].role
  member  = local.binding_members[count.index].member
}
--------------------------------------------------------------------------------
/modules/single/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "project_id" {
  value       = module.velos-project.project_id
  description = "The ID of the project"
}

output "network_name" {
  value       = module.vpc.network_name
  description = "The name of the VPC being created"
}

output "network_self_link" {
  value       = module.vpc.network_self_link
  description = "The URI of the VPC being created"
}

output "velos_migration_manager_svc" {
  value       = google_service_account.velos-manager.email
  description = "Service account for Manager Service"
}

output "velos_compute_engine_cloud_extension_svc" {
  value       = google_service_account.velos-cloud-extension.email
  description = "Service account for Compute Engine Cloud Extension"
}
--------------------------------------------------------------------------------
/modules/single/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "network_name" {
  description = "Name for the VPC network"
  default     = "velo-network"
}

variable "organization_id" {
  description = "The organization id for the associated services"
}

variable "billing_account" {
  description = "The ID of the billing account to associate this project with"
}

# Spelling corrected from "depriviledge": the project-factory module only
# recognises `deprivilege`, so a misspelled value would silently leave the
# default compute service account with its Editor role.
variable "default_service_account" {
  description = "Project default service account setting: can be one of `delete`, `deprivilege`, or `keep`."
  default     = "deprivilege"
}

variable "project_name" {
  description = "Project Name for GCP project"
  default     = ""
}

variable "folder_id" {
  description = "The ID of a folder to host this project"
  type        = string
  default     = ""
}

variable "subnet_01_ip" {
  description = "IP range for the subnet"
  #default = ""
}

variable "subnet_02_ip" {
  description = "IP range for the subnet"
  #default = ""
}

variable "subnet_03_ip" {
  description = "IP range for the subnet"
  #default = ""
}

variable "subnet_01_region" {
  description = "Region of subnet 1"
  #default = ""
}

variable "subnet_02_region" {
  description = "Region of subnet 2"
  #default = ""
}

variable "subnet_03_region" {
  description = "Region of subnet 3"
  #default = ""
}

variable "local_subnet_01_ip" {
  description = "IP range of the on-prem network"
  #default = ""
}
--------------------------------------------------------------------------------
/tutorials/multi-deployment-tutorial.md:
--------------------------------------------------------------------------------
# Terraform Google Cloud Migrate

## Let's get started!

This guide will show you how to deploy the infrastructure required for Migrate using Terraform and the Cloud Foundation Toolkit.

**Time to complete**: About 1 hour

Click the **Start** button to move to the next step.

## Cloning the repository

Let's get started by cloning the Migrate Cloud Foundation Toolkit git repository in order to use the provided examples.

```bash
git clone https://github.com/terraform-google-modules/terraform-google-migrate
```

Let's navigate to the cloned repo and into the examples.
We will be using the multi_deployment example in this walkthrough.

```bash
cd terraform-google-migrate/examples/multi_deployment
```

## Assign permissions to the account running this Terraform script

The account running the Terraform script needs these permissions:

- Organization Role Administrator
- Organization Administrator
- Compute Admin
- (Project) Owner

## Exploring the Terraform code and setting variables

The file defines the infrastructure that will be created.

The file defines the variables, such as the billing account and subnet IP ranges, that will be used.

The file defines what outputs Terraform will provide us. This includes the service account emails that will be used for deploying the Migrate frontend.

Let's create a `terraform.tfvars` file and set the variables necessary to deploy the infrastructure.

```bash
touch terraform.tfvars
```

The following variables need to be set in the file:

```terraform
organization_id = "YOUR ORG ID"
billing_account = "YOUR BILLING ACCOUNT"
per_folder_admins = ["user:USER@DOMAIN.com", "group:GROUP@DOMAIN.com"]
all_folder_admins = ["user:USER@DOMAIN.com", "group:GROUP@DOMAIN.com"]
subnet_01_ip = "CIDR IP ADDRESS"
subnet_02_ip = "CIDR IP ADDRESS"
subnet_03_ip = "CIDR IP ADDRESS"
subnet_01_region = "REGION FOR SUBNET"
subnet_02_region = "REGION FOR SUBNET"
subnet_03_region = "REGION FOR SUBNET"
local_subnet_01_ip = "CIDR IP ADDRESS"
router_region = "REGION FOR CLOUD ROUTER"
vpn_region = "REGION FOR VPN"
```

**Tip**: Clicking on the files will open them in the cloud editor.

Next, we will deploy the infrastructure with Terraform.

## Deploying infrastructure with Terraform

Let's start by initializing Terraform. This will download the necessary modules and initialize Terraform.

```bash
terraform init
```

Now, we can plan the infrastructure. This will show you the changes Terraform intends to make to the current state of your infrastructure.

```bash
terraform plan --out=plan.out
```

Finally, we can apply the plan saved above to create the infrastructure in GCP.

```bash
terraform apply "plan.out"
```

## Congratulations

You're all set!

Now you can deploy the Migrate frontend from the marketplace.
--------------------------------------------------------------------------------
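The saved `plan.out` is worth reviewing before `terraform apply`, because the module grants roles with `google_project_iam_binding`, which is authoritative per role. The script below is an added example, not code from the terraform-google-migrate repository: it reads the JSON that `terraform show -json plan.out` produces and flags authoritative bindings, firewall rules open to any IPv4 source, and resources that would be destroyed. The embedded plan, resource addresses, role and member values are constructed placeholders.

```python
"""Pre-apply review of a Terraform plan in `terraform show -json` form.

Added example (not part of the terraform-google-migrate repository).
Usage: python review_plan.py plan.json   (falls back to the sample below)
"""
import json
import sys

# Constructed sample plan: one authoritative IAM binding of the kind the
# module's google_project_iam_binding resource creates, plus one firewall
# rule. Addresses, role and member values are illustrative placeholders.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.velos.google_project_iam_binding.iam[0]",
     "type": "google_project_iam_binding",
     "change": {"actions": ["create"], "after": {
         "role": "roles/compute.admin",
         "members": ["serviceAccount:velos-manager@PROJECT_ID.iam.gserviceaccount.com"]}}},
    {"address": "module.velos.google_compute_firewall.velos_manager",
     "type": "google_compute_firewall",
     "change": {"actions": ["create"], "after": {
         "source_ranges": ["0.0.0.0/0"],
         "allow": [{"protocol": "tcp", "ports": ["3260"]}]}}},
]})


def review_plan(plan_json: str) -> list:
    """Return (address, finding) pairs a reviewer should check before apply."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}        # None for pure deletes
        actions = change.get("actions", [])
        if "delete" in actions:
            findings.append((rc["address"], "resource will be destroyed"))
        # An IAM binding is authoritative for its role: any existing member
        # of that role who is missing from `members` loses it on apply.
        if rc.get("type") == "google_project_iam_binding" and "create" in actions:
            findings.append((rc["address"],
                             f"authoritative binding for {after.get('role')} "
                             f"({len(after.get('members', []))} member(s))"))
        if rc.get("type") == "google_compute_firewall":
            if "0.0.0.0/0" in (after.get("source_ranges") or []):
                ports = [p for a in after.get("allow", []) for p in a.get("ports", [])]
                findings.append((rc["address"],
                                 f"ingress from any IPv4 source to ports {ports}"))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, finding in review_plan(source):
        print(f"{address}: {finding}")
```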