The infrastructure created for Cloud Build allows access to on-prem resources by setting up Private Pools, VPC Network Peering between Google's service producer network and a VPC network in the CI/CD project, and an on-prem connection using one of three options:
In all three connection options it is necessary to configure a router using the Custom route advertisement mode so that the Google service network private pool instance that executes the Cloud Build jobs can reach instances in the on-prem network.
HA VPN, Dedicated Interconnect and Partner Interconnect configuration can be set up in one of two network modes: Dual Shared VPC or Hub and Spoke.
For Cloud Build jobs to access on-prem infrastructure, Import and export custom routes are also configured in the peering setup.
The 0-bootstrap step also has an optional High Availability VPN configuration that can be used for the on-prem connection. To enable this configuration, do the following steps:
- Create a secret for the VPN private pre-shared key and grant the required roles to the identity used for the deploy: your user email or the Bootstrap Terraform service account.

  ```shell
  export project_id=<ENV_SECRETS_PROJECT>
  export secret_name=<VPN_PSK_SECRET_NAME>
  # Use exactly one of the two forms below for the deploy identity.
  export member="serviceAccount:<BOOTSTRAP_TERRAFORM_SERVICE_ACCOUNT>|user:<YOUR_EMAIL>"

  # Create the secret with the pre-shared key as its first version.
  echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create "${secret_name}" --project "${project_id}" --replication-policy=automatic --data-file=-

  # Grant the deploy identity the roles needed to read the secret metadata and its payload.
  gcloud secrets add-iam-policy-binding "${secret_name}" --member="${member}" --role='roles/secretmanager.viewer' --project "${project_id}"
  gcloud secrets add-iam-policy-binding "${secret_name}" --member="${member}" --role='roles/secretmanager.secretAccessor' --project "${project_id}"
  ```

- In the file `0-bootstrap/cb.tf`, in the module `tf_private_pool`, update the variable `vpn_configuration.enable_vpn` to `true` and provide the required values that are valid for your environment. See the `cb-private-pool` module README file for additional information on the required values.
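The pre-shared key is the trust anchor for the VPN tunnels, so after the `gcloud` commands above it is worth confirming that only the deploy identity can read it. The script below is an added example, not part of the foundation's code: it audits a secret IAM policy (a constructed sample shaped like the JSON output of `gcloud secrets get-iam-policy --format=json`; the project, service account and user names are made up) for the two required roles, stray principals and public exposure.

```python
import json

# The two roles the bootstrap procedure grants to the deploy identity.
REQUIRED_ROLES = {"roles/secretmanager.viewer", "roles/secretmanager.secretAccessor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: mimics `gcloud secrets get-iam-policy <secret> --format=json`
# after the two add-iam-policy-binding commands, plus one stray extra principal.
DEPLOY_MEMBER = "serviceAccount:sa-terraform-bootstrap@example-prj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/secretmanager.viewer",
     "members": ["%s"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["%s", "user:contractor@example.com"]}
  ],
  "etag": "BwXyZ12345=",
  "version": 1
}
""" % (DEPLOY_MEMBER, DEPLOY_MEMBER))


def audit_psk_secret_policy(policy: dict, member: str) -> dict:
    """Report missing/extra roles for `member`, other bound principals and public principals."""
    roles_of_member, other_principals, public = set(), set(), set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for principal in binding.get("members", []):
            if principal in PUBLIC_PRINCIPALS:
                public.add(principal)
            elif principal == member:
                roles_of_member.add(role)
            else:
                # Anyone else bound on the PSK secret needs a justification.
                other_principals.add(principal)
    return {
        "missing_roles": sorted(REQUIRED_ROLES - roles_of_member),
        "extra_roles": sorted(roles_of_member - REQUIRED_ROLES),
        "other_principals": sorted(other_principals),
        "public_principals": sorted(public),
    }


if __name__ == "__main__":
    print(json.dumps(audit_psk_secret_policy(SAMPLE_POLICY, DEPLOY_MEMBER), indent=2))
```

Against a real project, replace `SAMPLE_POLICY` with the parsed output of `gcloud secrets get-iam-policy "${secret_name}" --project "${project_id}" --format=json`; any non-empty `other_principals` or `public_principals` list means the key is readable by more than the deploy identity.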