update dual-shared

renato-rudnicki · renato-rudnicki · commit 32afc3e0e0c2 · 2025-01-30T17:49:27.000-03:00
diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md
@@ -195,10 +195,15 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
 
    ```bash
    git add .
-   git commit -m 'Initialize networks repo'
+   git commit -m 'Initialize networks repo - plan'
+   ```
+
+1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it.
+
+   ```bash
+   git checkout -b production
    ```
 
-1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it.
 1. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component.
 1. Use `terraform output` to get the Cloud Build project ID and the networks step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation.
 
@@ -210,6 +215,36 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
    echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
    ```
 
+1. Run `init` and `plan` and review output for environment production.
+
+   ```bash
+   ./tf-wrapper.sh init production
+   ./tf-wrapper.sh plan production
+   ```
+
+1. Run `validate` and check for violations.
+
+   ```bash
+   ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${CLOUD_BUILD_PROJECT_ID}
+   ```
+
+1. Run `apply` production.
+
+   ```bash
+   ./tf-wrapper.sh apply production
+   ```
+
+   1. Push your production branch since development and nonproduction depends it.  Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
+   pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
+
+*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments.
+
+   ```bash
+   git push --set-upstream origin production
+   ```
+
+1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it.
+
 1. Run `init` and `plan` and review output for environment shared.
 
    ```bash
@@ -237,17 +272,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
    git push --set-upstream origin plan
    ```
 
-1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
-   pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
-
-*Note:** The Production envrionment must be the next branch to be merged as it includes the DNS Hub communication that will be used by other environments.
-
-   ```bash
-   git checkout -b production
-   git push origin production
-   ```
-
-1. After production has been applied, apply development.
+1. After plan has been applied, apply development.
 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
    pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
 
diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md
@@ -24,6 +24,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 
 ## Outputs
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
@@ -95,4 +95,5 @@ module "base_env" {
   restricted_private_service_connect_ip = "10.17.0.7"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
+  target_name_server_addresses          = var.target_name_server_addresses
 }
diff --git a/3-networks-dual-svpc/envs/production/production.auto.tfvars b/3-networks-dual-svpc/envs/production/production.auto.tfvars
@@ -0,0 +1 @@
+../../production.auto.tfvars
diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "target_name_server_addresses" {
+  description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+  type        = list(map(any))
+  default     = []
+}
+
 variable "remote_state_bucket" {
   description = "Backend bucket to load Terraform Remote State Data from previous steps."
   type        = string
diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md
@@ -20,6 +20,9 @@
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| base\_host\_project\_id | The base host project ID |
+| restricted\_host\_project\_id | The restricted host project ID |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf
@@ -14,3 +14,14 @@
  * limitations under the License.
  */
 
+
+output "restricted_host_project_id" {
+  value       = local.restricted_net_hub_project_id
+  description = "The restricted host project ID"
+}
+
+output "base_host_project_id" {
+  value       = local.base_net_hub_project_id
+  description = "The base host project ID"
+}
+
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf
@@ -15,19 +15,21 @@
  */
 
 locals {
-  env                       = "common"
-  environment_code          = "c"
-  dns_bgp_asn_number        = var.bgp_asn_dns
-  default_region1           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
-  default_region2           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
-  folder_prefix             = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
-  parent_id                 = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
-  bootstrap_folder_name     = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
-  common_folder_name        = data.terraform_remote_state.org.outputs.common_folder_name
-  network_folder_name       = data.terraform_remote_state.org.outputs.network_folder_name
-  development_folder_name   = data.terraform_remote_state.env_development.outputs.env_folder
-  nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder
-  production_folder_name    = data.terraform_remote_state.env_production.outputs.env_folder
+  env                           = "common"
+  environment_code              = "c"
+  dns_bgp_asn_number            = var.bgp_asn_dns
+  default_region1               = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2               = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+  folder_prefix                 = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+  parent_id                     = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+  bootstrap_folder_name         = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
+  common_folder_name            = data.terraform_remote_state.org.outputs.common_folder_name
+  network_folder_name           = data.terraform_remote_state.org.outputs.network_folder_name
+  development_folder_name       = data.terraform_remote_state.env_development.outputs.env_folder
+  nonproduction_folder_name     = data.terraform_remote_state.env_nonproduction.outputs.env_folder
+  production_folder_name        = data.terraform_remote_state.env_production.outputs.env_folder
+  base_net_hub_project_id       = data.terraform_remote_state.org.outputs.base_net_hub_project_id       //
+  restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id //
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md
@@ -41,6 +41,7 @@
 |------|-------------|
 | access\_level\_name | Access context manager access level name for the enforced perimeter |
 | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter |
+| base\_dns\_project\_id | The base DNS project ID |
 | base\_host\_project\_id | The base host project ID |
 | base\_network\_name | The name of the VPC being created |
 | base\_network\_self\_link | The URI of the VPC being created |
@@ -49,6 +50,7 @@
 | base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | base\_subnets\_self\_links | The self-links of subnets being created |
 | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. |
+| restricted\_dns\_project\_id | The restricted DNS project ID |
 | restricted\_host\_project\_id | The restricted host project ID |
 | restricted\_network\_name | The name of the VPC being created |
 | restricted\_network\_self\_link | The URI of the VPC being created |
diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf
@@ -171,7 +171,7 @@ module "restricted_shared_vpc" {
 
   project_id                       = local.restricted_project_id
   project_number                   = local.restricted_project_number
-  production_project_id            = local.production_restricted_project_id
+  restricted_dns_project_id        = local.restricted_dns_project_id
   environment_code                 = var.environment_code
   access_context_manager_policy_id = var.access_context_manager_policy_id
   restricted_services              = local.restricted_services
@@ -265,7 +265,7 @@ module "base_shared_vpc" {
   source = "../base_shared_vpc"
 
   project_id                   = local.base_project_id
-  production_project_id        = local.production_base_project_id
+  base_dns_project_id          = local.base_dns_project_id
   environment_code             = var.environment_code
   private_service_cidr         = var.base_private_service_cidr
   private_service_connect_ip   = var.base_private_service_connect_ip
diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf
@@ -24,6 +24,11 @@ output "target_name_server_addresses" {
  Restricted Outputs
 *********************/
 
+output "restricted_dns_project_id" {
+  value       = local.restricted_dns_project_id
+  description = "The restricted DNS project ID"
+}
+
 output "restricted_host_project_id" {
   value       = local.restricted_project_id
   description = "The restricted host project ID"
@@ -85,6 +90,11 @@ output "restricted_service_perimeter_name" {
  Private Outputs
 *****************************************/
 
+output "base_dns_project_id" {
+  value       = local.base_dns_project_id
+  description = "The base DNS project ID"
+}
+
 output "base_host_project_id" {
   value       = local.base_project_id
   description = "The base host project ID"
diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf
@@ -15,15 +15,15 @@
  */
 
 locals {
-  restricted_project_id            = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
-  base_project_id                  = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
-  restricted_project_number        = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
-  interconnect_project_number      = data.terraform_remote_state.org.outputs.interconnect_project_number
-  organization_service_account     = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
-  networks_service_account         = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
-  projects_service_account         = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
-  production_restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id
-  production_base_project_id       = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id
+  restricted_project_id        = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
+  base_project_id              = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
+  restricted_project_number    = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
+  interconnect_project_number  = data.terraform_remote_state.org.outputs.interconnect_project_number
+  organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
+  networks_service_account     = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
+  projects_service_account     = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+  restricted_dns_project_id    = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id
+  base_dns_project_id          = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
@@ -20,7 +20,6 @@
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes |
-| production\_project\_id | Project ID for Base Shared. | `string` | `""` | no |
 | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
 | subnets | The list of subnets being created | <pre>list(object({<br>    subnet_name                      = string<br>    subnet_ip                        = string<br>    subnet_region                    = string<br>    subnet_private_access            = optional(string, "false")<br>    subnet_private_ipv6_access       = optional(string)<br>    subnet_flow_logs                 = optional(string, "false")<br>    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")<br>    subnet_flow_logs_sampling        = optional(string, "0.5")<br>    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")<br>    subnet_flow_logs_filter          = optional(string, "true")<br>    subnet_flow_logs_metadata_fields = optional(list(string), [])<br>    description                      = optional(string)<br>    purpose                          = optional(string)<br>    role                             = optional(string)<br>    stack_type                       = optional(string)<br>    ipv6_access_type                 = optional(string)<br>  }))</pre> | `[]` | no |
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
@@ -31,12 +31,6 @@ variable "base_network_name" {
   default     = ""
 }
 
-variable "production_project_id" {
-  description = "Project ID for Base Shared."
-  type        = string
-  default     = ""
-}
-
 variable "project_id" {
   type        = string
   description = "Project ID for Private Shared VPC."
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
@@ -26,7 +26,6 @@
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
-| production\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no |
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
 | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 | restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no |
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -20,12 +20,6 @@ variable "restricted_dns_project_id" {
   default     = ""
 }
 
-variable "production_project_id" {
-  description = "Project ID for Restricted Shared."
-  type        = string
-  default     = ""
-}
-
 variable "target_name_server_addresses" {
   description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
   type        = list(map(any))
diff --git a/3-networks-dual-svpc/production.auto.example.tfvars b/3-networks-dual-svpc/production.auto.example.tfvars
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// List of IPv4 address of target name servers for the forwarding zone configuration.
+// See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones
+target_name_server_addresses = [
+  {
+    ipv4_address    = "192.168.0.1",
+    forwarding_path = "default"
+  },
+  {
+    ipv4_address    = "192.168.0.2",
+    forwarding_path = "default"
+  }
+]
+

Original file line number	Diff line number	Diff line change
`@@ -95,4 +95,5 @@ module "base_env" {`
`95`	`95`	`restricted_private_service_connect_ip = "10.17.0.7"`
`96`	`96`	`remote_state_bucket = var.remote_state_bucket`
`97`	`97`	`tfc_org_name = var.tfc_org_name`
	`98`	`+ target_name_server_addresses = var.target_name_server_addresses`
`98`	`99`	`}`