A Heroku Private Space provides a container for internally routed apps that are only accessible within its private network.

Private Space VPN Connections provide site-to-site interconnection with Google Cloud VPN.

Apps on either side of the VPN connection may access apps on the other side other by DNS name via the established IPSec network tunnels. Two tunnels provide redundancy to ensure uninterrupted network connectivity.

A single Terraform config embodies the complete integration between Heroku and Google Cloud Platform, enabling high-level collaboration, repeatability, test-ability, and change management.

• Heroku
• Google Cloud Platform
• Terraform

• Config drift when using Heroku or Google Dashboard or CLI. Once the config is applied, if changes are made to the resources outside of Terraform, then the Terraform state will no longer match its configuration, making it impossible to apply or destroy further until the drifting values are imported (for new resources) or manually updated in terraform.tfstate.

• Heroku
  • install command-line tools (CLI)
  • an account (must be a member of an Enterprise account for access to Private Spaces)
  • a team in the Enterprise account
• Google Cloud
  • install Cloud SDK
  • an account
• install git
• install Terraform

Use this module from another Terraform configuration to provision the Google Cloud resources for Private Spaces VPN:

provider "google" {
  version = "~> 1.19"
  region  = "${var.google_region}"
}
provider "heroku" {
  version = "~> 1.5"
}
module "heroku_vpn_gcp" {
  source = "github.com/heroku-examples/terraform-heroku-vpn-gcp"
  providers = {
    google = "google"
  }
  // …input variables
}

👓 See examples for usage details.

Ensure the requirements are met, then,

1. Clone this repo:

   git clone git@github.com:heroku-examples/terraform-heroku-vpn-gcp.git
   cd terraform-heroku-vpn-gcp/

2. Set Heroku API key

   1. heroku authorizations:create -d terraform-heroku-vpn-gcp
   2. export HEROKU_API_KEY=<"Token" value from the authorization>

3. Login & configure Google Cloud

   1. gcloud init
   2. gcloud auth application-default login
   3. export GOOGLE_PROJECT=<project-name>

4. cd examples/heroku-private-space

5. terraform init

6. Optionally, import any existing resources:

   • Heroku Private Space
     • terraform import heroku_space.default <Name or ID>
     • When running subsequent Terraform commands, the heroku_enterprise_team, heroku_private_space, & heroku_private_space_region input variables must match the existing Private Space's values
   • Google VPC Network
     • terraform import google_compute_network.default <Name>
     • When running subsequent Terraform commands, the google_network & google_network_auto_create_subnetworks input variable must match the existing network's values
   • Google VPC Subnetwork
     • terraform import google_compute_subnetwork.default <Name>
     • When running subsequent Terraform commands, the google_subnetwork, google_subnetwork_cidr_block, google_subnetwork_private_ip_access, & google_region input variables must match the existing subnet's values

7. Then, apply the config with your own top-level config values:

   terraform apply \
     -var heroku_enterprise_team=example-team \
     -var heroku_private_space=example-space \
     -var heroku_private_space_region=oregon \
     -var google_region=us-west1

🔬 This is a community proof-of-concept, MIT license, provided "as is", without warranty of any kind.