Including sample GCE VM in billing budget module (#155)

* Adding capability to create GCE VM in Billing Budget module

* Update sample_startup_script.sh.tpl

* Update outputs.tf

* Adding http Firewall and updating startup script

* Update Variables UIMeta

modules/billing_budget/README.md

@@ -63,16 +63,24 @@ _Usage:_
 | *billing_budget_pubsub_topic* | If true, creates a Cloud Pub/Sub topic where budget related messages will be published. Default is false | <code title="">bool</code> |  | <code title="">false</code> |
 | *billing_budget_services* | A list of services ids to be included in the budget. If omitted, all services will be included in the budget. Service ids can be found at https://cloud.google.com/skus/ | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">null</code> |
 | *create_budget* | If the budget should be created | <code title="">bool</code> |  | <code title="">true</code> |
+| *create_network* | If the module has to be deployed in an existing network, set this variable to false | <code title="">bool</code> |  | <code title="">false</code> |
 | *create_project* | Set to true if the module has to create a project.  If you want to deploy in an existing project, set this variable to false | <code title="">bool</code> |  | <code title="">true</code> |
+| *create_vm* | Set to true if the module has to create a GCE VM.  If you want to deploy in an existing project, set this variable to true | <code title="">bool</code> |  | <code title="">false</code> |
 | *deployment_id* | Adds a suffix of 4 random characters to the `project_id` | <code title="">string</code> |  | <code title="">null</code> |
 | *enable_services* | Enable the necessary APIs on the project.  When using an existing project, this can be set to false | <code title="">bool</code> |  | <code title="">true</code> |
 | *folder_id* | Folder ID where the project should be created. It can be skipped if already setting organization_id. Leave blank if the project should be created directly underneath the Organization node | <code title="">string</code> |  | <code title=""></code> |
+| *ip_cidr_range* | Unique IP CIDR Range for Vertex AI Workbench subnet | <code title="">string</code> |  | <code title="">10.142.190.0/24</code> |
+| *network_name* | Name of the network to be created | <code title="">string</code> |  | <code title="">radlab-network</code> |
 | *organization_id* | Organization ID where GCP Resources need to get spin up. It can be skipped if already setting folder_id | <code title="">string</code> |  | <code title=""></code> |
 | *owner_groups* | List of groups that should be added as the owner of the created project | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *owner_users* | List of users that should be added as owner to the created project | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *project_id_prefix* | If `create_project` is true, this will be the prefix of the Project ID & name created. If `create_project` is false this will be the actual Project ID, of the existing project where you want to deploy the module | <code title="">string</code> |  | <code title="">radlab-billing-budget</code> |
+| *region* | Primary region where Compute Instance and VPC subnet will be created | <code title="">string</code> |  | <code title="">us-central1</code> |
 | *resource_creator_identity* | Terraform Service Account which will be creating the GCP resources. If not set, this module deployment will fail | <code title="">string</code> |  | <code title=""></code> |
 | *set_domain_restricted_sharing_policy* | Enable org policy to allow all principals to be added to IAM policies | <code title="">bool</code> |  | <code title="">false</code> |
+| *set_external_ip_policy* | Enable org policy to allow External (Public) IP addresses on virtual machines | <code title="">bool</code> |  | <code title="">false</code> |
+| *set_shielded_vm_policy* | Apply org policy to disable shielded VMs | <code title="">bool</code> |  | <code title="">false</code> |
+| *subnet_name* | Name of the subnet where to deploy the Notebooks | <code title="">string</code> |  | <code title="">radlab-subnet</code> |
 | *trusted_groups* | The list of trusted groups (e.g. `[email protected]`) | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">[]</code> |
 | *trusted_users* | The list of trusted users (e.g. `[email protected]`) | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">[]</code> |
 
@@ -83,4 +91,5 @@ _Usage:_
 | billing_budget_budget_id | Resource name of the budget. Values are of the form `billingAccounts/{billingAccountId}/budgets/{budgetId}` | ✓ |
 | deployment_id | RADLab Module Deployment ID |  |
 | project_id | GCP Project ID |  |
+| vm | GCE VM Link |  |
 <!-- END TFDOC -->

modules/billing_budget/main.tf

@@ -65,4 +65,49 @@ resource "google_project_service" "enabled_services" {
   service                    = each.value
   disable_dependent_services = true
   disable_on_destroy         = true
+}
+
+#########################################################################
+# Creating GCE VMs in vpc-xlb
+#########################################################################
+
+data "google_compute_image" "debian_11_bullseye" {
+  family  = "debian-11"
+  project = "debian-cloud"
+}
+
+data "google_compute_zones" "available_zones" {
+  project = local.project.project_id
+  region  = var.region
+  status  = "UP"
+}
+
+resource "google_compute_instance" "vm" {
+  count                     = var.create_vm ? 1 : 0
+  project                   = local.project.project_id
+  zone                      = data.google_compute_zones.available_zones.names.0
+  name                      = "radlab-vm"
+  machine_type              = "f1-micro"
+  allow_stopping_for_update = true
+  metadata_startup_script   = templatefile("${path.module}/scripts/build/sample_startup_script.sh.tpl", {})
+  metadata = {
+    enable-oslogin = true
+  }
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.debian_11_bullseye.self_link
+    }
+  }
+
+  network_interface {
+    subnetwork         = local.subnet.self_link
+    subnetwork_project = local.project.project_id
+    access_config {
+      // Ephemeral public IP
+    }
+  }
+
+  depends_on = [
+    time_sleep.wait_120_seconds,
+  ]
 }

modules/billing_budget/network.tf

@@ -0,0 +1,114 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+  network = (
+    var.create_network
+    ? try(module.vpc_network.0.network.network, null)
+    : try(data.google_compute_network.default.0, null)
+  )
+
+  subnet = (
+    var.create_network
+    ? try(module.vpc_network.0.subnets["${var.region}/${var.subnet_name}"], null)
+    : try(data.google_compute_subnetwork.default.0, null)
+  )
+}
+
+data "google_compute_network" "default" {
+  count   = var.create_network ? 0 : 1
+  project = local.project.project_id
+  name    = var.network_name
+}
+
+data "google_compute_subnetwork" "default" {
+  count   = var.create_network ? 0 : 1
+  project = local.project.project_id
+  name    = var.subnet_name
+  region  = var.region
+}
+
+
+#########################################################################
+# vpc-network - VPC Network & Subnests
+#########################################################################
+
+module "vpc_network" {
+  count   = var.create_network ? 1 : 0
+  source  = "terraform-google-modules/network/google"
+  version = "~> 5.1.0"
+
+  project_id   = local.project.project_id
+  network_name = var.network_name
+  routing_mode = "GLOBAL"
+  description  = "VPC Network created via Terraform"
+
+  subnets = [
+    {
+      subnet_name           = var.subnet_name
+      subnet_ip             = var.ip_cidr_range
+      subnet_region         = var.region
+      description           = "Subnetwork inside *vpc-analytics* VPC network, created via Terraform"
+      subnet_private_access = true
+    }
+  ]
+
+  firewall_rules = [
+    {
+      name        = "fw-allow-internal"
+      description = "Firewall rule to allow traffic on all ports inside VPC network."
+      priority    = 65534
+      ranges      = ["10.0.0.0/8"]
+      direction   = "INGRESS"
+
+      allow = [{
+        protocol = "tcp"
+        ports    = ["0-65535"]
+      }]
+    },
+    {
+      name        = "fw-allow-ssh"
+      description = "Firewall rule to allow ssh on port 22."
+      priority    = 65534
+      ranges      = ["0.0.0.0/0"]
+      direction   = "INGRESS"
+
+      allow = [{
+        protocol = "tcp"
+        ports    = ["22"]
+      }]
+    },
+    {
+      name        = "fw-allow-http"
+      description = "Firewall rule to allow HTTP traffic on port 80."
+      priority    = 65534
+      ranges      = ["0.0.0.0/0"]
+      direction   = "INGRESS"
+
+      allow = [{
+        protocol = "tcp"
+        ports    = ["80"]
+      }]
+    }
+  ]
+
+  depends_on = [
+    module.project_radlab_billing_budget,
+    google_project_service.enabled_services,
+    time_sleep.wait_120_seconds
+  ]
+}

modules/billing_budget/orgpolicy.tf

@@ -14,6 +14,21 @@
  * limitations under the License.
  */
 
+resource "google_project_organization_policy" "external_ip_policy" {
+  count      = var.set_external_ip_policy && var.create_vm ? 1 : 0
+  constraint = "compute.vmExternalIpAccess"
+  project    = local.project.project_id
+
+  list_policy {
+    allow {
+      all = true
+    }
+  }
+  depends_on = [
+    module.project_radlab_billing_budget
+  ]
+}
+
 resource "google_project_organization_policy" "domain_restricted_sharing_policy" {
   count      = var.set_domain_restricted_sharing_policy && var.create_budget && var.billing_budget_pubsub_topic ? 1 : 0
   constraint = "iam.allowedPolicyMemberDomains"
@@ -30,12 +45,27 @@ resource "google_project_organization_policy" "domain_restricted_sharing_policy"
   ]
 }
 
+resource "google_project_organization_policy" "shielded_vm_policy" {
+  count      = var.set_shielded_vm_policy ? 1 : 0
+  constraint = "compute.requireShieldedVm"
+  project    = local.project.project_id
+
+  boolean_policy {
+    enforced = false
+  }
+  depends_on = [
+    module.project_radlab_billing_budget
+  ]
+}
+
 resource "time_sleep" "wait_120_seconds" {
 
-  count = (var.set_domain_restricted_sharing_policy && var.create_budget && var.billing_budget_pubsub_topic) || var.enable_services ? 1 : 0
+  count = (var.set_domain_restricted_sharing_policy && var.create_budget && var.billing_budget_pubsub_topic) || var.set_external_ip_policy || var.set_shielded_vm_policy || var.enable_services ? 1 : 0
 
   depends_on = [
       google_project_organization_policy.domain_restricted_sharing_policy,
+      google_project_organization_policy.external_ip_policy,
+      google_project_organization_policy.shielded_vm_policy,
       google_project_service.enabled_services
       ]
 

modules/billing_budget/outputs.tf

@@ -28,4 +28,10 @@ output "deployment_id" {
 output "project_id" {
   description = "GCP Project ID"
   value       = local.project.project_id
+}
+
+output "vm" {
+  description = "GCE VM Link"
+  value       = var.create_vm ? "https://console.cloud.google.com/compute/instancesDetail/zones/${google_compute_instance.vm[0].zone}/instances/${google_compute_instance.vm[0].name}?project=${local.project.project_id}" : null
+
 }

modules/billing_budget/scripts/build/sample_startup_script.sh.tpl

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     https://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sudo apt update && sudo apt -y install apache2
+
+sudo systemctl status apache2
+
+echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' | sudo tee /var/www/html/index.html

modules/billing_budget/variables.tf

@@ -94,6 +94,18 @@ variable "create_project" {
   default     = true
 }
 
+variable "create_network" {
+  description = "If the module has to be deployed in an existing network, set this variable to false. {{UIMeta group=2 order=1 }}"
+  type        = bool
+  default     = false
+}
+
+variable "create_vm" {
+  description = "Set to true if the module has to create a GCE VM.  If you want to deploy in an existing project, set this variable to true. {{UIMeta group=3 order=1 }}"
+  type        = bool
+  default     = false
+}
+
 variable "deployment_id" {
   description = "Adds a suffix of 4 random characters to the `project_id`."
   type        = string
@@ -112,6 +124,18 @@ variable "folder_id" {
   default     = ""
 }
 
+variable "ip_cidr_range" {
+  description = "Unique IP CIDR Range for Vertex AI Workbench subnet. {{UIMeta group=2 order=4 }}"
+  type        = string
+  default     = "10.142.190.0/24"
+}
+
+variable "network_name" {
+  description = "Name of the network to be created. {{UIMeta group=2 order=2 }}"
+  type        = string
+  default     = "radlab-network"
+}
+
 variable "organization_id" {
   description = "Organization ID where GCP Resources need to get spin up. It can be skipped if already setting folder_id. {{UIMeta group=0 order=1 }}"
   type        = string
@@ -136,6 +160,12 @@ variable "project_id_prefix" {
   default     = "radlab-billing-budget"
 }
 
+variable "region" {
+  description = "Primary region where Compute Instance and VPC subnet will be created. {{UIMeta group=2 order=5 }}"
+  type        = string
+  default     = "us-central1"
+}
+
 variable "resource_creator_identity" {
   description = "Terraform Service Account which will be creating the GCP resources. If not set, this module deployment will fail. {{UIMeta group=0 order=4 updatesafe }}"
   type        = string
@@ -148,6 +178,24 @@ variable "set_domain_restricted_sharing_policy" {
   default     = false
 }
 
+variable "set_external_ip_policy" {
+  description = "Enable org policy to allow External (Public) IP addresses on virtual machines. {{UIMeta group=0 order=16 updatesafe }}"
+  type        = bool
+  default     = false
+}
+
+variable "set_shielded_vm_policy" {
+  description = "Apply org policy to disable shielded VMs. {{UIMeta group=0 order=17 updatesafe }}"
+  type        = bool
+  default     = false
+}
+
+variable "subnet_name" {
+  description = "Name of the subnet where to deploy the Notebooks. {{UIMeta group=2 order=3 }}"
+  type        = string
+  default     = "radlab-subnet"
+}
+
 variable "trusted_groups" {
   description = "The list of trusted groups (e.g. `[email protected]`). {{UIMeta group=1 order=5 updatesafe }}"
   type        = set(string)