From 43a5465bea7e934afa833ab0014d88c86f07705b Mon Sep 17 00:00:00 2001
From: BillAnastasiadis <54620830+BillAnastasiadis@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:31:28 +0200
Subject: [PATCH] Add GCP peering to terraform (#301)
---
 terraform/gcp/infrastructure.tf | 77 +++++++++++++++++++++++++++++++++
 terraform/gcp/variables.tf | 26 +++++++++++
 2 files changed, 103 insertions(+)
diff --git a/terraform/gcp/infrastructure.tf b/terraform/gcp/infrastructure.tf
index 9fa2a6c0..989dee36 100644
--- a/terraform/gcp/infrastructure.tf
+++ b/terraform/gcp/infrastructure.tf
@@ -82,3 +82,80 @@ resource "google_compute_firewall" "ha_firewall_allow_tcp" {
 }
 }
+# IBSM related network imports
+
+data "google_compute_network" "ibsm_vpc" {
+ count = var.enable_ibsm_peering
+ name = var.ibsm_vpc_name
+}
+
+data "google_compute_subnetwork" "ibsm_subnet" {
+ count = var.enable_ibsm_peering
+ name = var.ibsm_subnet_name
+ region = var.ibsm_subnet_region
+}
+
+# IBSM Peering resources
+
+# Peering from HANA VPC to ibsm VPC
+resource "google_compute_network_peering" "hana_to_ibsm" {
+ count = var.enable_ibsm_peering
+
+ name = "${local.deployment_name}-hana-to-ibsm"
+ network = local.network_link
+ peer_network = data.google_compute_network.ibsm_vpc[0].self_link
+ export_custom_routes = true
+ import_custom_routes = true
+}
+
+# Peering from ibsm VPC to HANA VPC
+resource "google_compute_network_peering" "ibsm_to_hana" {
+ count = var.enable_ibsm_peering
+
+ name = "ibsm-to-${local.deployment_name}-hana"
+ network = data.google_compute_network.ibsm_vpc[0].self_link
+ peer_network = local.network_link
+ export_custom_routes = true
+ import_custom_routes = true
+}
+
+# Allow internal traffic from HANA VPC to ibsm VPC
+resource "google_compute_firewall" "allow_internal_from_hana" {
+ count = var.enable_ibsm_peering
+
+ name = "${local.deployment_name}-fw-allow-from-hana"
+ network = data.google_compute_network.ibsm_vpc[0].name
+
+ allow {
+ protocol = "icmp"
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["22", "80"]
+ }
+
+ source_ranges = [local.subnet_address_range]
+ description = "Allow internal traffic from HANA VPC to ibsm VPC"
+}
+
+# Allow internal traffic from ibsm VPC to HANA VPC
+resource "google_compute_firewall" "allow_internal_from_ibsm" {
+ count = var.enable_ibsm_peering
+
+ name = "${local.deployment_name}-fw-allow-from-ibsm"
+ network = local.vpc_name
+
+ allow {
+ protocol = "icmp"
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["22", "80"]
+ }
+
+ source_ranges = [data.google_compute_subnetwork.ibsm_subnet[0].ip_cidr_range]
+ description = "Allow internal traffic from ibsm VPC to HANA VPC"
+}
+
diff --git a/terraform/gcp/variables.tf b/terraform/gcp/variables.tf
index 712b6e86..75a53d54 100644
--- a/terraform/gcp/variables.tf
+++ b/terraform/gcp/variables.tf
@@ -775,3 +775,29 @@ variable "iscsi_remote_python" {
 default = "/usr/bin/python3"
 }
+# Peering related variables
+
+variable "enable_ibsm_peering" {
+ description = "Enable netwrk peering between hana vpc and ibsm vpc (0 to disable, 1 to enable)"
+ type = number
+ default = 0
+}
+
+variable "ibsm_vpc_name" {
+ description = "Name of the ibsm VPC network"
+ type = string
+ default = ""
+}
+
+variable "ibsm_subnet_name" {
+ description = "Name of the ibsm subnet"
+ type = string
+ default = ""
+}
+
+variable "ibsm_subnet_region" {
+ description = "Region of the ibsm subnet"
+ type = string
+ default = ""
+}
+
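Review bot: Neither `allow_internal_from_hana` nor `allow_internal_from_ibsm` sets `target_tags` or `target_service_accounts`, so once peering is enabled every instance in each VPC accepts ICMP and TCP 22/80 from the whole peer subnet, not just the hosts that take part in the IBSM exchange. Scoping both rules to the instances that need them, e.g. `target_tags = ["<tag-of-ibsm-facing-hosts>"]` (placeholder, the real tag depends on how the deployment labels its nodes), and lifting the duplicated `ports = ["22", "80"]` into a variable would keep the opened surface to what the peering actually requires. The two rules also select their network differently (`data.google_compute_network.ibsm_vpc[0].name` versus `local.vpc_name`), which works but deserves a one-line comment so the asymmetry is not mistaken for a bug. The `google_compute_network` and `google_compute_subnetwork` data sources carry no `project` argument, so if the IBSM VPC lives in a different project than the provider's default the lookups will presumably fail at plan time — confirm and add `project` if that is the intended topology.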
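Review bot: `enable_ibsm_peering` is typed `number` and is fed straight into `count` in infrastructure.tf, so any value other than 0 or 1 (for example 2) would create duplicate peerings and firewall rules with identical names and fail at apply rather than at plan; a `validation` block on the variable, or a `bool` with `count = var.enable_ibsm_peering ? 1 : 0` at the use sites, rejects that early. The description also has a typo: `netwrk` should read `network`. `ibsm_vpc_name`, `ibsm_subnet_name` and `ibsm_subnet_region` default to `""` but are effectively required whenever peering is enabled, and a cross-variable check is not expressible in a variable validation, so at least their descriptions should say "required when enable_ibsm_peering = 1". Whether the repository's minimum Terraform version supports `validation` blocks is not visible in this diff — confirm before adding one.
```hcl
variable "enable_ibsm_peering" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains([0, 1], var.enable_ibsm_peering)
    error_message = "enable_ibsm_peering must be 0 (disabled) or 1 (enabled)."
  }
}
```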