From 62558f0fab5cde1373d61bb35850a18055a9b3f1 Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Tue, 30 Sep 2025 13:06:32 +0200
Subject: [PATCH 1/3] Add NAT for API nodes

---
 iac/provider-gcp/Makefile                   |  2 ++
 iac/provider-gcp/main.tf                    |  3 ++
 iac/provider-gcp/nomad-cluster/main.tf      |  4 +++
 .../nomad-cluster/network/main.tf           | 34 +++++++++++++++++++
 .../nomad-cluster/network/variables.tf      | 12 +++++++
 .../nomad-cluster/nodepool-api.tf           |  2 +-
 iac/provider-gcp/nomad-cluster/variables.tf | 10 ++++++
 iac/provider-gcp/variables.tf               | 12 +++++++
 8 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/iac/provider-gcp/Makefile b/iac/provider-gcp/Makefile
index 75f16509fc..d9c4ddc3d1 100644
--- a/iac/provider-gcp/Makefile
+++ b/iac/provider-gcp/Makefile
@@ -20,6 +20,8 @@ tf_vars := TF_VAR_environment=$(TERRAFORM_ENVIRONMENT) \
 	$(call tfvar, CLIENT_CLUSTER_CACHE_DISK_SIZE_GB) \
 	$(call tfvar, API_MACHINE_TYPE) \
 	$(call tfvar, API_CLUSTER_SIZE) \
+	$(call tfvar, API_USE_NAT) \
+	$(call tfvar, API_NAT_IPS) \
 	$(call tfvar, BUILD_MACHINE_TYPE) \
 	$(call tfvar, BUILD_CLUSTER_SIZE) \
 	$(call tfvar, BUILD_CLUSTER_ROOT_DISK_SIZE_GB) \
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
index a54091e6dc..0b96316f53 100644
--- a/iac/provider-gcp/main.tf
+++ b/iac/provider-gcp/main.tf
@@ -105,6 +105,9 @@ module "cluster" {
   loki_node_pool         = var.loki_node_pool
   orchestrator_node_pool = var.orchestrator_node_pool
+  api_use_nat = var.api_use_nat
+  api_nat_ips = var.api_nat_ips
+
   logs_health_proxy_port = var.logs_health_proxy_port
   logs_proxy_port        = var.logs_proxy_port
diff --git a/iac/provider-gcp/nomad-cluster/main.tf b/iac/provider-gcp/nomad-cluster/main.tf
index a7a1ac909d..3bfbde93a6 100644
--- a/iac/provider-gcp/nomad-cluster/main.tf
+++ b/iac/provider-gcp/nomad-cluster/main.tf
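Review bot: `$(call tfvar, API_NAT_IPS)` forwards a `list(string)` variable through a `TF_VAR_` environment variable, and Terraform only parses such a value when it is an HCL list literal (e.g. `API_NAT_IPS='["nat-ip-a","nat-ip-b"]'`, sample values) — a plain comma-separated string fails at plan time with a type error. The `tfvar` helper is defined outside the hunk, so confirm it passes the value through verbatim without quoting that would break the literal. A comment on the new line, `# API_NAT_IPS must be an HCL list literal, e.g. '["a","b"]'`, would save operators the round trip. The two main.tf hunks that follow only forward the variables and raise nothing further.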
@@ -91,6 +91,10 @@ module "network" {
   cloudflare_api_token_secret_name = var.cloudflare_api_token_secret_name
   gcp_project_id                   = var.gcp_project_id
+  gcp_region                       = var.gcp_region
+
+  api_use_nat = var.api_use_nat
+  api_nat_ips = var.api_nat_ips
   api_port                  = var.api_port
   docker_reverse_proxy_port = var.docker_reverse_proxy_port
diff --git a/iac/provider-gcp/nomad-cluster/network/main.tf b/iac/provider-gcp/nomad-cluster/network/main.tf
index dbe6278068..10752e9e6f 100644
--- a/iac/provider-gcp/nomad-cluster/network/main.tf
+++ b/iac/provider-gcp/nomad-cluster/network/main.tf
@@ -792,3 +792,37 @@ resource "google_compute_security_policy" "disable-bots-log-collector" {
     }
   }
 }
+
+# Cloud Router for NAT
+resource "google_compute_router" "nat_router" {
+  count   = var.api_use_nat ? 1 : 0
+  name    = "${var.prefix}nat-router"
+  network = var.network_name
+  region  = var.gcp_region
+}
+
+# Static IP addresses for NAT (only created if explicit IPs not provided)
+resource "google_compute_address" "nat_ips" {
+  count  = var.api_use_nat && length(var.api_nat_ips) == 0 ? 2 : 0
+  name   = "${var.prefix}nat-ip-${count.index + 1}"
+  region = var.gcp_region
+}
+
+# Cloud NAT for API nodes
+resource "google_compute_router_nat" "api_nat" {
+  count                              = var.api_use_nat ? 1 : 0
+  name                               = "${var.prefix}api-nat"
+  router                             = google_compute_router.nat_router[0].name
+  nat_ip_allocate_option             = "MANUAL_ONLY"
+  nat_ips                            = length(var.api_nat_ips) > 0 ? var.api_nat_ips : google_compute_address.nat_ips[*].self_link
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+
+  log_config {
+    enable = true
+    filter = "ERRORS_ONLY"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf
index ea7c9c6b9f..d64d566890 100644
--- a/iac/provider-gcp/nomad-cluster/network/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/network/variables.tf
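Review bot: `source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"` attaches this NAT to every subnet in `var.network_name`, not only the API node pool that the comment and the name `api_nat` describe, so any current or future instance in the VPC without an external address will egress from the same `nat_ips`, and an upstream allow-list of those two addresses would implicitly trust the whole network. If the intent is API-only, scope it with `source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"` plus a `subnetwork { name = <API subnet self_link>  source_ip_ranges_to_nat = ["ALL_IP_RANGES"] }` block; otherwise rename the resource and comment to say the NAT is VPC-wide. With `filter = "ERRORS_ONLY"` the log records only failed translations, so a connection observed from one of the shared addresses cannot be attributed to a source VM afterwards — `TRANSLATIONS_ONLY` (or `ALL`) is what incident attribution needs, at the cost of log volume. Finally, `nat_ips` receives `var.api_nat_ips` unchanged while the top-level variables.tf hunk describes the entries as address names; the provider documents `nat_ips` as self-links, so confirm which form actually works and make the description match.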
@@ -27,6 +27,18 @@ variable "gcp_project_id" {
   type = string
 }
+variable "gcp_region" {
+  type = string
+}
+
+variable "api_use_nat" {
+  type = bool
+}
+
+variable "api_nat_ips" {
+  type        = list(string)
+  description = "List of static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+}
 variable "cloudflare_api_token_secret_name" {
   type = string
diff --git a/iac/provider-gcp/nomad-cluster/nodepool-api.tf b/iac/provider-gcp/nomad-cluster/nodepool-api.tf
index 40873d6539..9fbe6422ab 100644
--- a/iac/provider-gcp/nomad-cluster/nodepool-api.tf
+++ b/iac/provider-gcp/nomad-cluster/nodepool-api.tf
@@ -146,7 +146,7 @@ resource "google_compute_instance_template" "api" {
     network = var.network_name
     dynamic "access_config" {
-      for_each = ["public_ip"]
+      for_each = var.api_use_nat ? [] : ["public_ip"]
       content {}
     }
   }
diff --git a/iac/provider-gcp/nomad-cluster/variables.tf b/iac/provider-gcp/nomad-cluster/variables.tf
index 365d079b6e..21f3e27b17 100644
--- a/iac/provider-gcp/nomad-cluster/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/variables.tf
@@ -325,3 +325,13 @@ variable "orchestrator_base_hugepages_percentage" {
   description = "The percentage of memory to use for preallocated hugepages."
   type        = number
 }
+
+variable "api_use_nat" {
+  description = "Whether API nodes should use NAT with dedicated external IPs."
+  type        = bool
+}
+
+variable "api_nat_ips" {
+  type        = list(string)
+  description = "List of static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+}
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
index 31241bcdf7..ec0a595f5a 100644
--- a/iac/provider-gcp/variables.tf
+++ b/iac/provider-gcp/variables.tf
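Review bot: `for_each = var.api_use_nat ? [] : ["public_ip"]` in the nodepool-api.tf hunk changes the exposure of every API instance, yet nothing in the template says so or points to where egress goes instead; the `google_compute_instance_template` resource starts before the hunk. Add a comment above the `dynamic "access_config"` block such as `# With api_use_nat no external address is attached; outbound traffic leaves via the Cloud NAT in network/main.tf, and anything that addressed the instance's own public IP (direct SSH, probes) stops working`. Because the template is immutable, flipping the flag produces a new template and a rollout of the API group, which the `api_use_nat` description in the nomad-cluster/variables.tf hunk should mention so the switch is not treated as a no-op toggle. The network/variables.tf hunk adds `gcp_region` and `api_use_nat` without descriptions; a one-line description on each would match the sibling `api_nat_ips`.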
@@ -47,6 +47,18 @@ variable "api_node_pool" {
   default = "api"
 }
+variable "api_use_nat" {
+  type        = bool
+  description = "Whether API nodes should use NAT with dedicated external IPs."
+  default     = false
+}
+
+variable "api_nat_ips" {
+  type        = list(string)
+  description = "List of names for static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+  default     = []
+}
+
 variable "api_resources_cpu_count" {
   type    = number
   default = 2

From 45a7e8082a1aaefd6366caaf67df81435fc3255d Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Thu, 9 Oct 2025 15:39:12 +0200
Subject: [PATCH 2/3] Update description

---
 iac/provider-gcp/nomad-cluster/network/variables.tf | 1 -
 iac/provider-gcp/nomad-cluster/variables.tf         | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf
index d64d566890..346ba41dba 100644
--- a/iac/provider-gcp/nomad-cluster/network/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/network/variables.tf
@@ -37,7 +37,6 @@ variable "api_use_nat" {
 variable "api_nat_ips" {
   type        = list(string)
-  description = "List of static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
 }
 variable "cloudflare_api_token_secret_name" {
diff --git a/iac/provider-gcp/nomad-cluster/variables.tf b/iac/provider-gcp/nomad-cluster/variables.tf
index 21f3e27b17..32d47bb8ae 100644
--- a/iac/provider-gcp/nomad-cluster/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/variables.tf
@@ -333,5 +333,5 @@ variable "api_use_nat" {
 variable "api_nat_ips" {
   type        = list(string)
-  description = "List of static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+  description = "List of names for static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
 }
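Review bot: `api_nat_ips` with `default = []` is accepted even when `api_use_nat` stays `false`, and the network module then ignores the list without any diagnostic — its `count` expressions only consult the list when `api_use_nat` is true — so an operator who supplies reserved addresses but forgets the flag gets public-IP nodes and no warning. At minimum extend the description to say the list only takes effect with `api_use_nat = true`; if the pinned Terraform version allows cross-variable references in `validation` blocks, the check below makes the mismatch a plan-time error. The patch 2 hunks on this line are description-only and raise nothing further.

```hcl
variable "api_nat_ips" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.api_use_nat || length(var.api_nat_ips) == 0
    error_message = "api_nat_ips is only used when api_use_nat is true."
  }
}
```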
From ec0628950a0d2d9e9cf5ebff32a031d981e6a08a Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Thu, 9 Oct 2025 15:43:27 +0200
Subject: [PATCH 3/3] Format

---
 iac/provider-gcp/nomad-cluster/network/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf
index 346ba41dba..47a646d306 100644
--- a/iac/provider-gcp/nomad-cluster/network/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/network/variables.tf
@@ -36,7 +36,7 @@ variable "api_use_nat" {
 }
 variable "api_nat_ips" {
-  type        = list(string)
+  type = list(string)
 }
 variable "cloudflare_api_token_secret_name" {