Initial development

.editorconfig

@@ -0,0 +1,14 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{json,sh}]
+indent_size = 4

.github/dependabot.yml

@@ -0,0 +1,25 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    commit-message:
+      prefix: fix(deps)
+    groups:
+      actions-deps:
+        patterns:
+          - "*"
+
+  - package-ecosystem: terraform
+    directories:
+      - modules/pihole
+    schedule:
+      interval: monthly
+    commit-message:
+      prefix: fix(deps)
+    groups:
+      terraform-deps:
+        patterns:
+          - "*"

.github/workflows/pre-commit-run.yml

@@ -0,0 +1,76 @@
+name: Pre-commit run
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches-ignore:
+      - pre-commit-run/**
+  workflow_dispatch:
+
+env:
+  TFDOCS_VERSION: v0.21.0
+  TFLINT_VERSION: v0.61.0
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  run:
+    name: Pre-commit check
+    runs-on: ubuntu-slim
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Evaluate branch name
+        id: ref
+        run: echo "name=${REF##refs/heads/}" >>$GITHUB_OUTPUT
+        env:
+          REF: ${{ github.head_ref || github.ref }}
+
+      # Install pre-commit dependencies
+      - uses: hashicorp/setup-terraform@v3
+
+      - name: Install tflint
+        run: |
+          wget -nv -O /dev/shm/tflint.zip https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_amd64.zip
+          unzip -d $HOME/bin /dev/shm/tflint.zip
+          echo "$HOME/bin" >>$GITHUB_PATH
+
+      - name: Install terraform-docs
+        run: |
+          wget -nv -O - https://github.com/terraform-docs/terraform-docs/releases/download/${TFDOCS_VERSION}/terraform-docs-${TFDOCS_VERSION}-linux-amd64.tar.gz | tar -zxvf - -C $HOME/bin terraform-docs
+          echo "$HOME/bin" >>$GITHUB_PATH
+
+      # Setup pre-commit
+      - name: Install pre-commit
+        run: pip install pre-commit
+
+      - name: Add cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ runner.os }}-pre-commit-${{ hashFiles('**/.pre-commit-config.yaml') }}
+
+      - name: Initialize pre-commit
+        run: pre-commit install
+
+      - name: Check
+        run: pre-commit run --all-files
+
+      # Create PR if needed
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        if: always()
+        with:
+          title: "chore(pre-commit): auto-format code on ${{ steps.ref.outputs.name }}"
+          commit-message: "chore(pre-commit): auto-format code"
+          body: Reformat code according to pre-defined rules
+          branch: pre-commit-run/${{ steps.ref.outputs.name }}
+          base: ${{ steps.ref.outputs.name }}
+          delete-branch: true
+          labels: bot

.github/workflows/pre-commit-update.yml

@@ -0,0 +1,35 @@
+name: Pre-commit update
+
+on:
+  schedule:
+    - cron: 0 6 1 * *
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update:
+    runs-on: ubuntu-slim
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install pre-commit
+        run: pip install pre-commit
+
+      - name: Auto update
+        run: pre-commit autoupdate
+
+      # Create PR if needed
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          title: "ci(pre-commit): updated pre-commit modules on ${{ github.ref_name }}"
+          commit-message: "ci(pre-commit): updated pre-commit modules"
+          body: Updated pre-commit repos to latest versions
+          branch: pre-commit-update/${{ github.ref_name }}
+          delete-branch: true
+          labels: bot,ci

.github/workflows/release-please.yml

@@ -0,0 +1,16 @@
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+name: release-please
+
+jobs:
+  release-please:
+    runs-on: ubuntu-slim
+    steps:
+      - uses: googleapis/release-please-action@v4

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

.pre-commit-config.yaml

@@ -0,0 +1,35 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.105.0
+    hooks:
+      - id: terraform_tflint
+      - id: terraform_fmt
+      - id: terraform_docs
+
+  - repo: https://github.com/bridgecrewio/checkov
+    rev: 3.2.504
+    hooks:
+      - id: checkov
+        args:
+          - --quiet
+
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v4.4.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+        args: []

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "0.0.0"
+}

README.md

@@ -1 +1,73 @@
-# terraform
+[![dependabot](https://img.shields.io/badge/Dependabot-enabled-brightgreen?logo=dependabot)](.github/dependabot.yml)
+[![editorconfig](https://img.shields.io/badge/EditorConfig-enabled-brightgreen?logo=editorconfig)](.editorconfig)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](.pre-commit-config.yaml)
+[![release-please](https://img.shields.io/badge/release--please-enabled-brightgreen?logo=google)](.github/workflows/release-please.yml)
+
+# Terraform modules
+
+## pihole
+
+- add **Project IAM Admin** role in [Google Cloud Console (GCP)](https://console.cloud.google.com/iam-admin/iam) to the Terraform service account
+- create new key for the service account in [GCP](https://console.cloud.google.com/iam-admin/serviceaccounts)
+- [add credentials](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#adding-credentials) for Terraform
+
+## Development
+
+Required software:
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+- [pre-commit](https://pre-commit.com/#install)
+- [tflint](https://github.com/terraform-linters/tflint?tab=readme-ov-file#installation)
+- [terraform-docs](https://github.com/terraform-docs/terraform-docs?tab=readme-ov-file#installation)
+- [Checkov](https://www.checkov.io/2.Basics/Installing%20Checkov.html)
+
+### pre-commit
+
+This repository uses [pre-commit](https://pre-commit.com/) hooks. Please install it during development and install hooks after every `git clone`:
+
+```bash
+pre-commit install --install-hooks
+pre-commit run --all-files
+```
+
+It is also used in two GitHub workflows:
+
+1. [Pre-commit run](.github/workflows/pre-commit-run.yml): used as a **Required status check** to validate the whole repository contents. It creates a pull request if any changes were made during the workflow run.
+2. [Pre-commit update](.github/workflows/pre-commit-update.yml): a periodic maintenance workflow to keep the pre-commit hooks versions up-to-date.
+
+### Run
+
+Enter module directory, initialize, plan and apply the module:
+
+```bash
+cd modules/$MODULE_NAME
+
+terraform init
+terraform plan
+terraform apply
+```
+
+### Test
+
+Execute unit tests in module's **tests** directory:
+
+```bash
+cd modules/$MODULE_NAME
+
+terraform test
+```
+
+### Dependencies
+
+Dependencies are maintained by [Dependabot](https://docs.github.com/en/code-security/dependabot). Its configuration can be found in [dependabot.yml](.github/workflows/build.yml).
+
+> NOTE: Make sure it is enabled in the repository [Settings](https://github.com/stanislavbebej/terraform/settings/security_analysis).
+
+### Releases
+
+Module is versioned and released as a "GitHub Release" by [release-please](https://github.com/googleapis/release-please). Its configuration can be found in:
+
+- [release-please.yml](.github/release-please.yml)
+- [release-please-config.json](release-please-config.json)
+
+> NOTE: New versions should not be created manually.

modules/pihole/README.md

@@ -0,0 +1,45 @@
+# PiHole Terraform module
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.14.5 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 7.20.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 7.20.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_firewall.default](https://registry.terraform.io/providers/hashicorp/google/7.20.0/docs/resources/compute_firewall) | resource |
+| [google_compute_instance.vm_instance](https://registry.terraform.io/providers/hashicorp/google/7.20.0/docs/resources/compute_instance) | resource |
+| [google_project_iam_member.logging_log_writer](https://registry.terraform.io/providers/hashicorp/google/7.20.0/docs/resources/project_iam_member) | resource |
+| [google_project_iam_member.monitoring_metric_writer](https://registry.terraform.io/providers/hashicorp/google/7.20.0/docs/resources/project_iam_member) | resource |
+| [google_service_account.default](https://registry.terraform.io/providers/hashicorp/google/7.20.0/docs/resources/service_account) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name used as suffix in resource names | `string` | n/a | yes |
+| <a name="input_gcp_project"></a> [gcp\_project](#input\_gcp\_project) | Google Cloud Platform Project value | `string` | n/a | yes |
+| <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | Google Compute Engine machine type | `string` | `"e2-micro"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_ip-external"></a> [ip-external](#output\_ip-external) | n/a |
+| <a name="output_ip-local"></a> [ip-local](#output\_ip-local) | n/a |
+<!-- END_TF_DOCS -->

modules/pihole/bootstrap.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Notes:
+# sudo journalctl -fu google-startup-scripts.service
+
+# Install PiHole
+if ! which pihole &>/dev/null; then
+    mkdir -p /etc/pihole
+    cat >/etc/pihole/setupVars.conf <<END
+PIHOLE_INTERFACE=${NET_INTERFACE}
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4
+QUERY_LOGGING=false
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=true
+DNSMASQ_LISTENING=local
+WEBPASSWORD=
+BLOCKING_ENABLED=true
+END
+    curl -sSL https://install.pi-hole.net | sudo bash -s -- --unattended
+fi
+
+# Install WireGuard with PiHole
+if ! which pivpn &>/dev/null; then
+    cat >/dev/shm/wireguard-setupVars.conf <<END
+pivpnforceipv6route=1
+IPv4dev=${NET_INTERFACE}
+install_user=${VM_USER}
+VPN=wireguard
+pivpnPORT=${WG_PORT}
+pivpnDNS1=10.77.77.1
+pivpnPROTO=udp
+pivpnDEV=wg0
+pivpnNET=10.77.77.0
+subnetClass=24
+pivpnenableipv6=0
+ALLOWED_IPS="10.77.77.0/24"
+UNATTUPG=1
+END
+    curl -sSL https://install.pivpn.io | sudo bash -s -- --unattended /dev/shm/wireguard-setupVars.conf
+fi
+
+# Install OPS agent
+curl -sSL https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh | sudo bash -s -- --also-install