diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md
index 61ade0323..ddfb54ab2 100644
--- a/3-networks-dual-svpc/README.md
+++ b/3-networks-dual-svpc/README.md
@@ -240,6 +240,8 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
+*Note:** The Production envrionment must be the next branch to be merged as it includes the DNS Hub communication that will be used by other environments.
+
 ```bash
 git checkout -b production
 git push origin production
diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md
index a92f78e34..b769dce48 100644
--- a/3-networks-dual-svpc/envs/production/README.md
+++ b/3-networks-dual-svpc/envs/production/README.md
@@ -1,6 +1,6 @@
 # 3-networks-dual-svpc/production
-The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production.
+The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production and the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments.
 ## Prerequisites
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
index d2ea8490e..233cafe53 100644
--- a/3-networks-dual-svpc/envs/production/main.tf
+++ b/3-networks-dual-svpc/envs/production/main.tf
@@ -20,48 +20,48 @@ locals {
 /*
 * Base network ranges
 */
- base_private_service_cidr = "10.16.24.0/21"
+ base_private_service_cidr = "10.16.16.0/21"
 base_subnet_primary_ranges = {
- (local.default_region1) = "10.0.192.0/18"
- (local.default_region2) = "10.1.192.0/18"
+ (local.default_region1) = "10.0.128.0/18"
+ (local.default_region2) = "10.1.128.0/18"
 }
 base_subnet_proxy_ranges = {
- (local.default_region1) = "10.18.6.0/23"
- (local.default_region2) = "10.19.6.0/23"
+ (local.default_region1) = "10.18.4.0/23"
+ (local.default_region2) = "10.19.4.0/23"
 }
 base_subnet_secondary_ranges = {
 (local.default_region1) = [
 {
 range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
- ip_cidr_range = "100.64.192.0/18"
+ ip_cidr_range = "100.64.128.0/18"
 },
 {
 range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
- ip_cidr_range = "100.65.192.0/18"
+ ip_cidr_range = "100.65.128.0/18"
 }
 ]
 }
 /*
 * Restricted network ranges
 */
- restricted_private_service_cidr = "10.16.56.0/21"
+ restricted_private_service_cidr = "10.16.48.0/21"
 restricted_subnet_primary_ranges = {
- (local.default_region1) = "10.8.192.0/18"
- (local.default_region2) = "10.9.192.0/18"
+ (local.default_region1) = "10.8.128.0/18"
+ (local.default_region2) = "10.9.128.0/18"
 }
 restricted_subnet_proxy_ranges = {
- (local.default_region1) = "10.26.6.0/23"
- (local.default_region2) = "10.27.6.0/23"
+ (local.default_region1) = "10.26.4.0/23"
+ (local.default_region2) = "10.27.4.0/23"
 }
 restricted_subnet_secondary_ranges = {
 (local.default_region1) = [
 {
 range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
- ip_cidr_range = "100.72.192.0/18"
+ ip_cidr_range = "100.72.128.0/18"
 },
 {
 range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
- ip_cidr_range = "100.73.192.0/18"
+ ip_cidr_range = "100.73.128.0/18"
 }
 ]
 }
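Review bot: Every production range in this locals block is re-homed (`base_private_service_cidr` from `10.16.24.0/21` to `10.16.16.0/21`, primary and secondary subnets from the `.192.0/18` to the `.128.0/18` blocks, proxy subnets from `.6.0/23` to `.4.0/23`), and for an already-applied environment that is a destroy-and-recreate of subnets and the private-service allocation, not an in-place edit; neither the hunk nor the README note in this commit says so. The private service connect endpoints in the next hunk (`10.17.0.4` to `10.17.0.3`, `10.17.0.8` to `10.17.0.7`) carry the same replacement cost. Whether the new blocks collide with the development and nonproduction allocations cannot be checked here because those env files are not in the diff. A comment at the top of the block, `# NOTE: changing these ranges replaces existing subnets and private-service ranges; keep them disjoint from the other environments' locals`, plus a migration note in the README, would let operators plan the cutover.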
@@ -87,12 +87,12 @@ module "base_env" {
 base_subnet_primary_ranges = local.base_subnet_primary_ranges
 base_subnet_proxy_ranges = local.base_subnet_proxy_ranges
 base_subnet_secondary_ranges = local.base_subnet_secondary_ranges
- base_private_service_connect_ip = "10.17.0.4"
+ base_private_service_connect_ip = "10.17.0.3"
 restricted_private_service_cidr = local.restricted_private_service_cidr
- restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges
 restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges
+ restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges
 restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
- restricted_private_service_connect_ip = "10.17.0.8"
+ restricted_private_service_connect_ip = "10.17.0.7"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
 }
diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md
index 27ab3647c..84a48fa06 100644
--- a/3-networks-dual-svpc/envs/shared/README.md
+++ b/3-networks-dual-svpc/envs/shared/README.md
@@ -1,7 +1,5 @@
 # 3-networks-dual-svpc/shared
-The purpose of this step is to set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments.
-
 ## Prerequisites
 1. 0-bootstrap executed successfully.
@@ -19,14 +17,11 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | | vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| dns\_hub\_project\_id | The DNS hub project ID | +No outputs. diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf deleted file mode 100644 index 10ffa7084..000000000 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ /dev/null 
@@ -1,156 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - DNS Hub VPC -*****************************************/ - -module "dns_hub_vpc" { - source = "terraform-google-modules/network/google" - version = "~> 9.0" - - project_id = local.dns_hub_project_id - network_name = "vpc-net-dns" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - - subnets = [{ - subnet_name = "sb-net-dns-${local.default_region1}" - subnet_ip = "172.16.0.0/25" - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 1." 
- }, { - subnet_name = "sb-net-dns-${local.default_region2}" - subnet_ip = "172.16.0.128/25" - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 2." - }] - - routes = [{ - name = "rt-net-dns-1000-all-default-private-api" - description = "Route through IGW to allow private google api access." - destination_range = "199.36.153.8/30" - next_hop_internet = "true" - priority = "1000" - }] -} - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = local.dns_hub_project_id - name = "dp-dns-hub-default-policy" - enable_inbound_forwarding = true - enable_logging = var.dns_enable_logging - networks { - network_url = module.dns_hub_vpc.network_self_link - } -} - -/****************************************** - DNS Forwarding -*****************************************/ - -module "dns-forwarding-zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - project_id = local.dns_hub_project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} - -/********************************************************* - Routers to advertise DNS proxy range "35.199.192.0/19" -*********************************************************/ - -module "dns_hub_region1_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name 
= "cr-net-dns-${local.default_region1}-cr1" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr2" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr3" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr4" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example index 239e406df..818d8b26e 100644 --- a/3-networks-dual-svpc/envs/shared/interconnect.tf.example +++ b/3-networks-dual-svpc/envs/shared/interconnect.tf.example 
@@ -17,8 +17,8 @@ module "dns_hub_interconnect" {
 source = "../../modules/dedicated_interconnect"
- vpc_name = "net-dns"
- interconnect_project_id = local.dns_hub_project_id
+ vpc_name = "vpc-p-shared-restricted"
+ interconnect_project_id = local.restricted_project_id
 region1 = local.default_region1
 region1_router1_name = module.dns_hub_region1_router1.router.name
diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf
index f7aca2374..9d277cce1 100644
--- a/3-networks-dual-svpc/envs/shared/outputs.tf
+++ b/3-networks-dual-svpc/envs/shared/outputs.tf
@@ -14,7 +14,3 @@
 * limitations under the License.
 */
-output "dns_hub_project_id" {
- value = local.dns_hub_project_id
- description = "The DNS hub project ID"
-}
diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
index d78a7454f..67d045e7e 100644
--- a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
+++ b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
@@ -17,8 +17,8 @@ module "dns_hub_interconnect" {
 source = "../../modules/partner_interconnect"
- vpc_name = "net-dns"
- attachment_project_id = local.dns_hub_project_id
+ vpc_name = "vpc-p-shared-restricted"
+ attachment_project_id = local.restricted_project_id
 preactivate = var.preactivate_partner_interconnect
 region1 = local.default_region1
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf
index 8bb1ddc51..72017f904 100644
--- a/3-networks-dual-svpc/envs/shared/remote.tf
+++ b/3-networks-dual-svpc/envs/shared/remote.tf
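Review bot: The dedicated interconnect example still reads `region1_router1_name = module.dns_hub_region1_router1.router.name`, but `module "dns_hub_region1_router1"` was defined in `envs/shared/dns-hub.tf`, which this same commit deletes, so renaming the `.example` to `.tf` would now fail on an unresolved module reference. With the attachment retargeted to `vpc-p-shared-restricted`, the router names have to come from whatever that VPC's module exposes; its outputs are not in this diff, so I cannot name the replacement. The partner interconnect example hunk below appears to have the same dependency, although its router lines fall outside the hunk. The module label `dns_hub_interconnect` and the `region1_router1_name` wording are also stale now that no hub exists, and a one-line comment above `vpc_name` stating that the attachment lands in the production restricted Shared VPC would spare the next reader the archaeology.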
@@ -21,8 +21,8 @@ locals {
 default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id
 interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id
+ restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
 parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
 common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
diff --git a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
deleted file mode 120000
index b7f8387a8..000000000
--- a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../shared.auto.tfvars
\ No newline at end of file
diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf
index 193ea63b3..960985cd8 100644
--- a/3-networks-dual-svpc/envs/shared/variables.tf
+++ b/3-networks-dual-svpc/envs/shared/variables.tf
@@ -56,11 +56,6 @@ variable "bgp_asn_dns" {
 default = 64667
 }
-variable "target_name_server_addresses" {
- description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
- type = list(map(any))
-}
-
 variable "firewall_policies_enable_logging" {
 type = bool
 description = "Toggle hierarchical firewall logging."
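Review bot: `restricted_project_id` is resolved with `shared_vpc_projects[local.env]`, while both interconnect examples in this commit hard-code the VPC name `vpc-p-shared-restricted`, i.e. production's. `local.env` is not defined in this hunk; unless it resolves to `"production"` in the shared environment, the project ID and the VPC name will point at different environments and the attachment either fails or lands in the wrong host project. If production is always the intended target, indexing with the literal key, `restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id`, makes that explicit and matches how `modules/base_env/remote.tf` does it in this same commit; a comment `# interconnect attachments now live in the production restricted Shared VPC host project` would explain the coupling.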
diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index d543340d4..4ce102cfc 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md @@ -32,6 +32,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 ## Outputs
@@ -56,5 +57,6 @@
 | restricted\_subnets\_names | The names of the subnets being created |
 | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | restricted\_subnets\_self\_links | The self-links of subnets being created |
+| target\_name\_server\_addresses | List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries. |
diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf
index cfd4958a5..c5679eea7 100644
--- a/3-networks-dual-svpc/modules/base_env/main.tf
+++ b/3-networks-dual-svpc/modules/base_env/main.tf
@@ -170,8 +170,8 @@ module "restricted_shared_vpc" {
 source = "../restricted_shared_vpc"
 project_id = local.restricted_project_id
- dns_hub_project_id = local.dns_hub_project_id
 project_number = local.restricted_project_number
+ production_restricted_project_id = local.production_restricted_project_id
 environment_code = var.environment_code
 access_context_manager_policy_id = var.access_context_manager_policy_id
 restricted_services = local.restricted_services
@@ -202,6 +202,8 @@ module "restricted_shared_vpc" {
 local.dedicated_interconnect_egress_policy,
 var.egress_policies_dry_run
 ))
+ target_name_server_addresses = var.target_name_server_addresses
+
 subnets = [
@@ -262,15 +264,16 @@ module "restricted_shared_vpc" {
 module "base_shared_vpc" {
 source = "../base_shared_vpc"
- project_id = local.base_project_id
- dns_hub_project_id = local.dns_hub_project_id
- environment_code = var.environment_code
- private_service_cidr = var.base_private_service_cidr
- private_service_connect_ip = var.base_private_service_connect_ip
- default_region1 = var.default_region1
- default_region2 = var.default_region2
- domain = var.domain
- bgp_asn_subnet = local.bgp_asn_number
+ project_id = local.base_project_id
+ production_project_id = local.production_base_project_id
+ environment_code = var.environment_code
+ private_service_cidr = var.base_private_service_cidr
+ private_service_connect_ip = var.base_private_service_connect_ip
+ default_region1 = var.default_region1
+ default_region2 = var.default_region2
+ domain = var.domain
+ bgp_asn_subnet = local.bgp_asn_number
+ target_name_server_addresses = var.target_name_server_addresses
 subnets = [
 {
@@ -323,3 +326,4 @@ module "base_shared_vpc" {
 "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1]
 }
 }
+
diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf
index 05dfc0107..c67e52119 100644
--- a/3-networks-dual-svpc/modules/base_env/outputs.tf
+++ b/3-networks-dual-svpc/modules/base_env/outputs.tf
@@ -14,6 +14,12 @@
 * limitations under the License.
 */
+output "target_name_server_addresses" {
+ value = var.target_name_server_addresses
+ description = "List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries."
+}
+
+
 /*********************
 Restricted Outputs
 *********************/
@@ -113,3 +119,4 @@ output "base_subnets_secondary_ranges" { value = module.base_shared_vpc.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } + diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index 8bad47f0d..80db5b34a 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-dual-svpc/modules/base_env/remote.tf 
@@ -15,16 +15,18 @@
 */
 locals {
- restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
- restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
- base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
- interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number
- dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id
- organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
- networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
- projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+ restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
+ base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
+ restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
+ interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number
+ organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
+ networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
+ projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+ production_restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id
+ production_base_project_id =
data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id
 }
+
 data "terraform_remote_state" "bootstrap" {
 backend = "gcs"
@@ -42,3 +44,4 @@ data "terraform_remote_state" "org" {
 prefix = "terraform/org/state"
 }
 }
+
diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf
index 963eae139..4bb88ca6c 100644
--- a/3-networks-dual-svpc/modules/base_env/variables.tf
+++ b/3-networks-dual-svpc/modules/base_env/variables.tf
@@ -14,6 +14,12 @@
 * limitations under the License.
 */
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
+ default = []
+}
+
 variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
@@ -212,3 +218,4 @@ variable "tfc_org_name" {
 description = "Name of the TFC organization"
 type = string
 }
+
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
index 10b8c0e1c..1372cc47e 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
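Review bot: `production_restricted_project_id` and `production_base_project_id` index `shared_vpc_projects["production"]` from every environment, which silently adds an apply-order dependency: development and nonproduction fail with an index error until the production host projects exist in the org step's state, and an installation that names its production environment differently breaks the lookup. The README hunk in this commit says production must be merged first, but nothing in the code says why. A comment above the two locals, `# Every environment peers its DNS zone to the production base VPC, so the production host projects must already exist in the org remote state`, would connect the two, and a `lookup(..., "production", null)` with a clear error would fail more helpfully than the raw index. The locals block continues outside the hunk, so I cannot see whether anything else reads these values.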
@@ -3,12 +3,12 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| base\_network\_name | The name of the VPC being created | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | @@ -19,9 +19,11 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | +| production\_project\_id | Project ID for Base Shared. | `string` | `""` | no | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 ## Outputs
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
index 3b11a05eb..9ed5abc34 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
@@ -32,14 +32,19 @@ resource "google_dns_policy" "default_policy" {
 Creates DNS Peering to DNS HUB
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-net-dns"
- project = var.dns_hub_project_id
+
+ count = var.environment_code != "p" ? 1 : 0
+
+ name = "vpc-p-shared-base"
+ project = var.production_project_id
 }
 module "peering_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 5.0"
+ count = var.environment_code != "p" ? 1 : 0
+
 project_id = var.project_id
 type = "peering"
 name = "dz-${var.environment_code}-shared-base-to-dns-hub"
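Review bot: Pointing `data "google_compute_network" "vpc_dns_hub"` at `vpc-p-shared-base` in `var.production_project_id` means the development and nonproduction network service accounts now need network read permission on the production base host project, and their VPCs carry a peering zone whose target is production's network; the dedicated hub project previously kept that access and that peering target outside the production boundary. That is a legitimate trade-off, but it is invisible to whoever later audits IAM on the production host project, so the data source should carry a comment such as `# Non-production environments peer their private zone to the production base VPC, which now hosts the forwarding zone; the networks service account therefore needs network read access on that project`. The VPC name is hard-coded even though this commit adds a `base_network_name` variable to the same module with no reference in any hunk I can see; if it is meant for this lookup, `name = var.base_network_name` with a production default keeps the two from drifting. The zone label `dz-${var.environment_code}-shared-base-to-dns-hub` is also now misleading, though renaming it would replace the zone.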
@@ -49,5 +54,25 @@ module "peering_zone" {
 private_visibility_config_networks = [
 module.main.network_self_link
 ]
- target_network = data.google_compute_network.vpc_dns_hub.self_link
+ target_network = data.google_compute_network.vpc_dns_hub[0].self_link
+}
+
+/******************************************
+ DNS Forwarding
+*****************************************/
+module "dns_forwarding_zone" {
+ source = "terraform-google-modules/cloud-dns/google"
+ version = "~> 5.0"
+
+ count = var.environment_code == "p" ? 1 : 0
+
+ project_id = var.project_id
+ type = "forwarding"
+ name = "fz-dns-hub"
+ domain = var.domain
+
+ private_visibility_config_networks = [
+ module.main.network_self_link
+ ]
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
index 25fb01aa3..e4c22a827 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
@@ -15,9 +15,11 @@
 */
 locals {
- vpc_name = "${var.environment_code}-shared-base"
- network_name = "vpc-${local.vpc_name}"
- private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ vpc_name = "${var.environment_code}-shared-base"
+ network_name = "vpc-${local.vpc_name}"
+ private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ google_private_service_range = "35.199.192.0/19"
+ advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 /******************************************
@@ -62,6 +64,7 @@ module "main" {
 )
 }
+
 /***************************************************************
 Configure Service Networking for Cloud SQL & future services.
 **************************************************************/
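Review bot: `module "dns_forwarding_zone"` passes `var.target_name_server_addresses` straight through, and the `base_env` caller in this commit defaults that variable to `[]`, so a production apply that forgets to set it attempts a forwarding zone with no targets; I expect that to be rejected at apply time rather than at plan, though the exact failure is not visible from the diff. A `validation` block on the variable cannot see `environment_code`, and a module block cannot carry a `precondition`, so the cheapest guard is documentation: the variable description in this module should say `Only consumed when environment_code is "p"; the production environment must supply at least one target name server`, and the production tfvars guidance (not in this diff) should list it. The hard-coded `name = "fz-dns-hub"` is fine but deserves a comment that the production base VPC now plays the hub role.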
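Review bot: `advertised_ip` decides between the DNS proxy range and the PSC endpoint based on whether `private_service_cidr` is null, and the two are unrelated: production sets `base_private_service_cidr` in this same commit, so its four routers (the hunks on the next line) advertise only `local.private_googleapis_cidr`, and the `35.199.192.0/19` range the deleted `dns-hub.tf` routers announced ("Routers to advertise DNS proxy range") is never advertised to on-prem, while an environment with no private-service CIDR stops advertising its PSC endpoint. If the intent is that the VPC hosting the forwarding zone advertises both, key the condition on the environment instead: `advertised_ip = var.environment_code == "p" ? [{ range = local.private_googleapis_cidr }, { range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]`. Whichever form is kept, `google_private_service_range` needs a comment saying it is the Cloud DNS forwarder range that on-prem resolvers must be able to reach, since nothing in this file explains the constant.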
@@ -101,7 +104,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -116,7 +119,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -131,7 +134,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -146,6 +149,7 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf b/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf index 226e21343..f2e9e6eeb 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf @@ -14,6 +14,7 @@ * limitations under the License. */ + output "network_name" { value = module.main.network_name description = "The name of the VPC being created" @@ -78,3 +79,4 @@ output "region2_router2" { value = module.region2_router2 description = "Router 2 for Region 2" } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 4b2fca26b..5afba9883 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf 
@@ -14,16 +14,29 @@ * limitations under the License. */ -variable "project_id" { +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + +variable "base_network_name" { type = string - description = "Project ID for Private Shared VPC." + description = "The name of the VPC being created" + default = "" } -variable "dns_hub_project_id" { +variable "production_project_id" { + description = "Project ID for Base Shared." type = string - description = "The DNS hub project ID" + default = "" } +variable "project_id" { + type = string + description = "Project ID for Private Shared VPC." +} + + variable "environment_code" { type = string description = "A short form of the folder level resources (environment) within the Google Cloud organization." @@ -142,3 +155,4 @@ variable "enable_all_vpc_internal_traffic" { description = "Enable firewall policy rule to allow internal traffic (ingress and egress)." default = false } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 1ce44d877..f0937fcb1 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
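Review bot: The description `"Project ID for Base Shared."` on `production_project_id` does not say which project this is or why a non-production environment needs it; something like `description = "Project ID of the production base shared VPC that hosts the DNS hub forwarding zone. Required when environment_code is not \"p\"."` would let a caller set it correctly without reading dns.tf. `target_name_server_addresses` is declared with no default, so every environment must supply on-prem name server addresses even though only production creates the forwarding zone; either document that in the description or give it a default and fail explicitly in production when it is empty. `base_network_name` is added with a default of `""` but nothing in this diff consumes it, so it may be a leftover. The restricted module's variables.tf hunk has the same description and required-in-every-environment issues.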
@@ -9,7 +9,6 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -27,12 +26,16 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | +| production\_restricted\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | +| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | +| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 138ad4505..2d07d80a9 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -32,14 +32,19 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - name = "vpc-net-dns" - project = var.dns_hub_project_id + + count = var.environment_code != "p" ? 1 : 0 + + name = "vpc-p-shared-restricted" + project = var.production_restricted_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = var.environment_code != "p" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" 
@@ -49,5 +54,26 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link +} + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns_forwarding_zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = var.environment_code == "p" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.main.network_self_link + ] + target_name_server_addresses = var.target_name_server_addresses } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index dfdf7cd50..306a19d28 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf @@ -15,9 +15,11 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + vpc_name = "${var.environment_code}-shared-restricted" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** @@ -63,6 +65,7 @@ module "main" { ) } + /*************************************************************** Configure Service Networking for Cloud SQL & future services. **************************************************************/ 
@@ -105,7 +108,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -120,7 +123,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -135,7 +138,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -150,6 +153,7 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf index af80f106d..748ec4ca3 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf @@ -88,3 +88,4 @@ output "service_perimeter_name" { value = local.perimeter_name description = "Access context manager service perimeter name for the enforced perimeter" } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 7774c1d49..f73965b07 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf 
@@ -14,6 +14,29 @@ * limitations under the License. */ +variable "production_restricted_project_id" { + description = "Project ID for Restricted Shared." + type = string + default = "" +} + +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + +variable "restricted_net_hub_project_id" { + type = string + description = "The restricted net hub project ID" + default = "" +} + +variable "restricted_network_name" { + type = string + description = "The name of the VPC being created" + default = "" +} + variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." @@ -29,11 +52,6 @@ variable "project_number" { description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." } -variable "dns_hub_project_id" { - type = string - description = "The DNS hub project ID" -} - variable "environment_code" { type = string description = "A short form of the folder level resources (environment) within the Google Cloud organization." @@ -214,3 +232,4 @@ variable "ingress_policies_dry_run" { })) default = [] } + diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index f4a8db3d9..f8deac849 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md @@ -52,6 +52,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | |------|-------------| -| dns\_hub\_project\_id | The DNS hub project ID | +| project | Project name | 
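Review bot: `restricted_net_hub_project_id` and `restricted_network_name` are added to the dual-svpc restricted module with empty-string defaults, but nothing in this diff references them, so they look like they were carried over from the hub-and-spoke module by mistake; unused inputs with permissive defaults tend to be set by callers who assume they do something. If they are genuinely needed by code outside this diff, their descriptions should say what consumes them; otherwise they should be dropped. Independently, `production_restricted_project_id`'s description `"Project ID for Restricted Shared."` should name the production restricted shared VPC project and state that it is only required when `environment_code` is not `"p"`.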
diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf
deleted file mode 100644
index 6f3dc2d96..000000000
--- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf
+++ /dev/null
@@ -1,156 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - DNS Hub VPC -*****************************************/ - -module "dns_hub_vpc" { - source = "terraform-google-modules/network/google" - version = "~> 9.0" - - project_id = local.dns_hub_project_id - network_name = "vpc-net-dns" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - - subnets = [{ - subnet_name = "sb-net-dns-${local.default_region1}" - subnet_ip = "172.16.0.0/25" - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 1." 
- }, { - subnet_name = "sb-net-dns-${local.default_region2}" - subnet_ip = "172.16.0.128/25" - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 2." - }] - - routes = [{ - name = "rt-net-dns-1000-all-default-private-api" - description = "Route through IGW to allow private google api access." - destination_range = "199.36.153.8/30" - next_hop_internet = "true" - priority = "1000" - }] -} - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = local.dns_hub_project_id - name = "dp-dns-hub-default-policy" - enable_inbound_forwarding = true - enable_logging = var.dns_enable_logging - networks { - network_url = module.dns_hub_vpc.network_self_link - } -} - -/****************************************** - DNS Forwarding -*****************************************/ - -module "dns-forwarding-zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - project_id = local.dns_hub_project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} - -/********************************************************* - Routers to advertise DNS proxy range "35.199.192.0/19" -*********************************************************/ - -module "dns_hub_region1_router1" { - source = "terraform-google-modules/cloud-router/google" - 
version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr1" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr2" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr3" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr4" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index 9151fa3fa..c4486e270 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example 
@@ -14,50 +14,6 @@ * limitations under the License. */ -module "dns_hub_interconnect" { - source = "../../modules/dedicated_interconnect" - - vpc_name = "net-dns" - interconnect_project_id = local.dns_hub_project_id - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.0/29"] - region1_interconnect1_vlan_tag8021q = "3931" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.8/29"] - region1_interconnect2_vlan_tag8021q = "3932" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.16/29"] - region2_interconnect1_vlan_tag8021q = "3933" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.24/29"] - region2_interconnect2_vlan_tag8021q = "3934" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = 
"onprem-dc4" - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} module "shared_restricted_interconnect" { source = "../../modules/dedicated_interconnect" diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index ec6a99e84..dcffa010d 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -175,7 +175,6 @@ module "base_shared_vpc" { source = "../../modules/base_shared_vpc" project_id = local.base_net_hub_project_id - dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code private_service_connect_ip = "10.17.0.1" bgp_asn_subnet = local.bgp_asn_number @@ -190,6 +189,7 @@ module "base_shared_vpc" { nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 windows_activation_enabled = var.base_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses mode = "hub" subnets = [ @@ -240,7 +240,6 @@ module "base_shared_vpc" { ] secondary_ranges = {} - depends_on = [module.dns_hub_vpc] } /****************************************** @@ -252,7 +251,6 @@ module "restricted_shared_vpc" { project_id = local.restricted_net_hub_project_id project_number = local.restricted_net_hub_project_number - dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code private_service_connect_ip = "10.17.0.5" access_context_manager_policy_id = var.access_context_manager_policy_id 
@@ -280,6 +278,7 @@ module "restricted_shared_vpc" { nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 windows_activation_enabled = var.restricted_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses mode = "hub" subnets = [ @@ -337,5 +336,4 @@ module "restricted_shared_vpc" { ingress_policies = var.ingress_policies - depends_on = [module.dns_hub_vpc] } diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index 06f9b0702..cf2a4cecf 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf @@ -14,7 +14,8 @@ * limitations under the License. */ -output "dns_hub_project_id" { - value = local.dns_hub_project_id - description = "The DNS hub project ID" +output "project" { + value = local.restricted_net_hub_project_id + description = "Project name" } + diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example index c85b39594..92cd21dde 100644 --- a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example 
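Review bot: The replacement output `project` returns `local.restricted_net_hub_project_id` but is described as `"Project name"`, which is both the wrong kind of identifier and silent about which project it is; downstream remote-state consumers will have no way to tell what they are reading. At minimum change it to `description = "Restricted network hub project ID"`, and since the output is already being renamed in this commit, a self-describing name such as `restricted_net_hub_project_id` would be preferable to `project`. The README row `| project | Project name |` in envs/shared/README.md mirrors the same description and should follow.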
@@ -15,37 +15,6 @@ */ -module "dns_hub_interconnect" { - source = "../../modules/partner_interconnect" - - vpc_name = "net-dns" - attachment_project_id = local.dns_hub_project_id - preactivate = var.preactivate_partner_interconnect - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc-1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc-2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc-3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc-4" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} - module "shared_restricted_interconnect" { source = "../../modules/partner_interconnect" diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf b/3-networks-hub-and-spoke/envs/shared/remote.tf index 6660a6627..78e898578 100644 --- a/3-networks-hub-and-spoke/envs/shared/remote.tf +++ b/3-networks-hub-and-spoke/envs/shared/remote.tf @@ -15,7 +15,6 @@ */ locals { - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example index 127d907ee..f609c65e4 100644 
--- a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example +++ b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example @@ -15,7 +15,6 @@ */ locals { - dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id interconnect_project_id = data.tfe_outputs.org.nonsensitive_values.interconnect_project_id interconnect_project_number = data.tfe_outputs.org.nonsensitive_values.interconnect_project_number parent_folder = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.parent_folder diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index a4f1f2ba6..b3683838d 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md @@ -33,6 +33,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | ## Outputs @@ -57,5 +58,6 @@ | restricted\_subnets\_names | The names of the subnets being created | | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | restricted\_subnets\_self\_links | The self-links of subnets being created | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 354ce2957..a50e05619 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -166,7 +166,6 @@ module "restricted_shared_vpc" { project_id = local.restricted_project_id project_number = local.restricted_project_number - dns_hub_project_id = local.dns_hub_project_id restricted_net_hub_project_id = local.restricted_net_hub_project_id restricted_net_hub_project_number = local.restricted_net_hub_project_number environment_code = var.environment_code 
@@ -183,15 +182,16 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - mode = "spoke" + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + mode = "spoke" + target_name_server_addresses = var.target_name_server_addresses subnets = [ { 
@@ -251,17 +251,17 @@ module "restricted_shared_vpc" { module "base_shared_vpc" { source = "../base_shared_vpc" - project_id = local.base_project_id - dns_hub_project_id = local.dns_hub_project_id - base_net_hub_project_id = local.base_net_hub_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - private_service_connect_ip = var.base_private_service_connect_ip - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number - mode = "spoke" + project_id = local.base_project_id + base_net_hub_project_id = local.base_net_hub_project_id + environment_code = var.environment_code + private_service_cidr = var.base_private_service_cidr + private_service_connect_ip = var.base_private_service_connect_ip + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + bgp_asn_subnet = local.bgp_asn_number + mode = "spoke" + target_name_server_addresses = var.target_name_server_addresses subnets = [ { diff --git a/3-networks-hub-and-spoke/modules/base_env/outputs.tf b/3-networks-hub-and-spoke/modules/base_env/outputs.tf index b51cda651..053c1c134 100644 --- a/3-networks-hub-and-spoke/modules/base_env/outputs.tf +++ b/3-networks-hub-and-spoke/modules/base_env/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "target_name_server_addresses" { + value = var.target_name_server_addresses + description = "List of IPv4 address of target name servers for the forwarding zone configuration" +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf b/3-networks-hub-and-spoke/modules/base_env/remote.tf index 755146d7a..8a6e50259 100644 --- a/3-networks-hub-and-spoke/modules/base_env/remote.tf +++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf 
@@ -18,7 +18,6 @@ locals { restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example index 14d3bd29f..05eefabbe 100644 --- a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example +++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example @@ -18,7 +18,6 @@ locals { restricted_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_id restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id - dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id base_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.base_net_hub_project_id restricted_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_id restricted_net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_number 
diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index bdbf39987..aa4cdef97 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) + default = [] +} + variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index bc1d6b4e1..e0ed9e736 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md @@ -9,7 +9,6 @@ | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | | enable\_transitivity\_traffic | Enable a firewall policy rule to allow traffic between Hub and Spokes (ingress only). | `bool` | `true` | no | 
@@ -25,6 +24,7 @@ | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index 99a7db603..d20c3f0df 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -32,14 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - name = "vpc-net-dns" - project = var.dns_hub_project_id + count = var.mode == "spoke" ? 1 : 0 + + name = data.google_compute_network.vpc_base_net_hub[0].name + project = var.base_net_hub_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = var.mode == "spoke" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-base-to-dns-hub" 
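Review bot: `data.google_compute_network.vpc_dns_hub` now resolves the base *network* hub VPC (`data.google_compute_network.vpc_base_net_hub[0].name` in `var.base_net_hub_project_id`), so the peering zone delegates every spoke's queries for `var.domain` to whoever administers DNS in the net hub project rather than to a dedicated DNS hub project. Neither the data source name nor the `Creates DNS Peering to DNS HUB` header above it says that any more, and nothing records that the net hub project has become the trust anchor for private name resolution in all spokes. I would rename the data source or at least add `# the net hub VPC also hosts the forwarding zone for var.domain; every spoke peers to it for resolution` and call out the widened role of the hub project in the module README. The `peering_zone` module block continues beyond this hunk.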
@@ -49,5 +53,25 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link +} + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns_forwarding_zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = var.mode != "spoke" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.main.network_self_link + ] + target_name_server_addresses = var.target_name_server_addresses } diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index eed177f9f..e9c4fbba6 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -15,10 +15,12 @@ */ locals { - mode = var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-base${local.mode}" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-base${local.mode}" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } /****************************************** 
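Review bot: `dns_forwarding_zone` is created for every non-spoke mode no matter whether `var.target_name_server_addresses` is empty, and the `base_env` caller introduced in this same change defaults that variable to `[]`; as far as I can tell a forwarding zone with no target name servers is rejected by the Cloud DNS API, so an unset value surfaces only at apply time with an unhelpful error. I would either add a plan-time check on the variable or gate the zone explicitly, `count = var.mode != "spoke" && length(var.target_name_server_addresses) > 0 ? 1 : 0`, and state the chosen behaviour in the `DNS Forwarding` header comment. Separately, each entry's `forwarding_path` decides whether queries for `var.domain` travel over the VPC (Interconnect/VPN) or, for non-RFC1918 targets, over the internet; since this zone exists to reach on-prem resolvers, the comment should say callers are expected to set `forwarding_path = "private"` so resolver traffic never egresses publicly.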
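Review bot: `local.advertised_ip` makes the two advertised routes mutually exclusive and keys the choice on `var.private_service_cidr`, the Private Service Access allocation, which is related to neither range: the Cloud DNS forwarding source range `35.199.192.0/19` needs a return route from the on-prem resolvers whenever the forwarding zone exists, and the PSC endpoint IP needs one whenever that endpoint exists, independently of each other. Unless `private_service_cidr == null` is deliberately standing in for "this VPC has no PSC endpoint", a hub with both features loses one of the two return paths and either private API access or on-prem DNS forwarding breaks. I would advertise both, `advertised_ip = concat([{ range = local.google_private_service_range }], var.private_service_connect_ip == null ? [] : [{ range = local.private_googleapis_cidr }])`, and annotate the constant, `google_private_service_range = "35.199.192.0/19" # Cloud DNS forwarding source range; on-prem firewalls must allow it and route replies back`. The `locals` block is complete here; the routers that consume it are in the following hunks.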
@@ -126,7 +128,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -142,7 +144,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -158,7 +160,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -174,6 +176,6 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf index 0afd5bbaa..ed45d3a9a 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf @@ -14,14 +14,14 @@ * limitations under the License. */ -variable "project_id" { - type = string - description = "Project ID for Private Shared VPC." +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) } -variable "dns_hub_project_id" { +variable "project_id" { type = string - description = "The DNS hub project ID" + description = "Project ID for Private Shared VPC." } variable "base_net_hub_project_id" { 
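Review bot: `target_name_server_addresses` is typed `list(map(any))` with no validation, so a misspelled `ipv4_address` key, an IPv6 literal or a hostname passes `terraform validate` and fails (or forwards nowhere) only at apply time; these addresses decide which servers answer every hub query for `var.domain`, so they deserve a plan-time check. The description should also name the expected map keys (`ipv4_address`, `forwarding_path`) and recommend `forwarding_path = "private"` so resolver traffic stays on the Interconnect/VPN. The variable is still required for spoke instances that never use it; if that is intended, one sentence in the description avoids the question. Suggested declaration:

```hcl
variable "target_name_server_addresses" {
  description = "Target name servers for the hub forwarding zone; each entry is a map with ipv4_address (an IPv4 literal) and optional forwarding_path (\"default\" or \"private\" - use \"private\" to keep queries on the Interconnect/VPN). Ignored when mode = \"spoke\". See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones."
  type        = list(map(any))

  validation {
    condition = alltrue([
      for ns in var.target_name_server_addresses :
      can(cidrnetmask("${lookup(ns, "ipv4_address", "")}/32"))
    ])
    error_message = "Every entry must carry an ipv4_address key holding a valid IPv4 address."
  }
}

# … unchanged: variable "project_id", variable "base_net_hub_project_id" …
```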
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index 03b4b29e9..de75121ad 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md @@ -9,7 +9,6 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -37,6 +36,7 @@ | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index edef23d18..e5706d46f 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf @@ -32,14 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - name = "vpc-net-dns" - project = var.dns_hub_project_id + count = var.mode == "spoke" ? 1 : 0 + + name = data.google_compute_network.vpc_restricted_net_hub[0].name + project = var.restricted_net_hub_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = var.mode == "spoke" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" 
@@ -49,5 +53,25 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link +} + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns_forwarding_zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = var.mode != "spoke" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.main.network_self_link + ] + target_name_server_addresses = var.target_name_server_addresses } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index b81619ea7..07cd09540 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -15,10 +15,12 @@ */ locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-restricted${local.mode}" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-restricted${local.mode}" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** 
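Review bot: The forwarding zone's `count = var.mode != "spoke" ? 1 : 0` also fires for `mode = null`, which the locals in the next hunk treat as a third, un-suffixed mode (`var.mode == null ? ""`), so a standalone restricted VPC gets a zone named `fz-dns-hub` and starts forwarding `var.domain` to the on-prem resolvers even though it is not a hub. If only hubs should forward, `count = var.mode == "hub" ? 1 : 0` says exactly that; if standalone VPCs are meant to forward as well, the zone name and the `DNS Forwarding` header comment should state it, e.g. `# hub and standalone VPCs forward var.domain to on-prem resolvers; spokes reach them through the peering zone above`. I would also note in that comment that the zone is created even when `target_name_server_addresses` is empty, since the `base_env` caller in this change defaults it to `[]` and an empty target list is unlikely to be accepted at apply time.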
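Review bot: `local.advertised_ip` gates the choice between the Cloud DNS forwarding source range `35.199.192.0/19` and the restricted PSC endpoint IP on `var.private_service_cidr`, which is the Private Service Access allocation and unrelated to either; a restricted hub that has a PSC endpoint and also forwards `var.domain` to on-prem needs both ranges advertised to the on-prem routers, so with this condition one of the two return paths is always missing. Unless `private_service_cidr == null` is intentionally used as the "no PSC endpoint" signal, advertise both: `advertised_ip = concat([{ range = local.google_private_service_range }], var.private_service_connect_ip == null ? [] : [{ range = local.restricted_googleapis_cidr }])`. The bare constant also deserves a comment, `google_private_service_range = "35.199.192.0/19" # Cloud DNS forwarding source range; must be allowed and routable from on-prem resolvers`. The `locals` block is complete in this hunk.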
@@ -130,7 +132,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -146,7 +148,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -162,7 +164,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -178,6 +180,6 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf index 853e47bdc..4814ff734 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." 
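Review bot: The new `target_name_server_addresses` variable accepts any `list(map(any))`, so a wrong key name, an IPv6 address or a hostname is only caught at apply time, although these entries determine which servers answer the restricted hub's queries for `var.domain`. A `validation` block whose condition is `alltrue([for ns in var.target_name_server_addresses : can(cidrnetmask("${lookup(ns, "ipv4_address", "")}/32"))])` with `error_message = "Every entry must carry an ipv4_address key holding a valid IPv4 address."` rejects those at plan time. The description should also list the expected keys (`ipv4_address`, `forwarding_path`), recommend `forwarding_path = "private"` so resolver traffic stays on the Interconnect/VPN, and say the value is ignored for `mode = "spoke"`, since spokes are still required to supply it.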
@@ -29,11 +34,6 @@ variable "project_number" { description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." } -variable "dns_hub_project_id" { - type = string - description = "The DNS hub project ID" -} - variable "restricted_net_hub_project_id" { type = string description = "The restricted net hub project ID"