feat: Add support to proxy-only subnetworks and new IP CIDR allocation (#1040)

Co-authored-by: Daniel Andrade <[email protected]>

Author: Samir-Cit

0-bootstrap/terraform.example.tfvars

@@ -56,7 +56,7 @@ default_region = "us-central1"
 #     gcp_audit_viewer         = "[email protected]"
 #   }
 # }
-#
+
 
 
 /* ----------------------------------------

3-networks-dual-svpc/envs/development/main.tf

@@ -22,40 +22,48 @@ locals {
   /*
    * Base network ranges
    */
-  base_private_service_cidr = "10.16.64.0/21"
+  base_private_service_cidr = "10.16.8.0/21"
   base_subnet_primary_ranges = {
-    (local.default_region1) = "10.0.64.0/21"
-    (local.default_region2) = "10.1.64.0/21"
+    (local.default_region1) = "10.0.64.0/18"
+    (local.default_region2) = "10.1.64.0/18"
+  }
+  base_subnet_proxy_ranges = {
+    (local.default_region1) = "10.18.2.0/23"
+    (local.default_region2) = "10.19.2.0/23"
   }
   base_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.64.64.0/21"
+        ip_cidr_range = "100.64.64.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.64.72.0/21"
+        ip_cidr_range = "100.65.64.0/18"
       }
     ]
   }
   /*
    * Restricted network ranges
    */
-  restricted_private_service_cidr = "10.24.64.0/21"
+  restricted_private_service_cidr = "10.16.40.0/21"
   restricted_subnet_primary_ranges = {
-    (local.default_region1) = "10.8.64.0/21"
-    (local.default_region2) = "10.9.64.0/21"
+    (local.default_region1) = "10.8.64.0/18"
+    (local.default_region2) = "10.9.64.0/18"
+  }
+  restricted_subnet_proxy_ranges = {
+    (local.default_region1) = "10.26.2.0/23"
+    (local.default_region2) = "10.27.2.0/23"
   }
   restricted_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.72.64.0/21"
+        ip_cidr_range = "100.72.64.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.72.72.0/21"
+        ip_cidr_range = "100.73.64.0/18"
       }
     ]
   }
@@ -76,13 +84,14 @@ module "base_env" {
   enable_partner_interconnect           = false
   base_private_service_cidr             = local.base_private_service_cidr
   base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_proxy_ranges              = local.base_subnet_proxy_ranges
   base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
-  base_private_service_connect_ip       = "10.2.64.5"
+  base_private_service_connect_ip       = "10.17.0.2"
   restricted_private_service_cidr       = local.restricted_private_service_cidr
   restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_proxy_ranges        = local.restricted_subnet_proxy_ranges
   restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
-  restricted_private_service_connect_ip = "10.10.64.5"
+  restricted_private_service_connect_ip = "10.17.0.6"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
-
 }

3-networks-dual-svpc/envs/non-production/main.tf

@@ -22,40 +22,48 @@ locals {
   /*
    * Base network ranges
    */
-  base_private_service_cidr = "10.16.128.0/21"
+  base_private_service_cidr = "10.16.16.0/21"
   base_subnet_primary_ranges = {
-    (local.default_region1) = "10.0.128.0/21"
-    (local.default_region2) = "10.1.128.0/21"
+    (local.default_region1) = "10.0.128.0/18"
+    (local.default_region2) = "10.1.128.0/18"
+  }
+  base_subnet_proxy_ranges = {
+    (local.default_region1) = "10.18.4.0/23"
+    (local.default_region2) = "10.19.4.0/23"
   }
   base_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.64.128.0/21"
+        ip_cidr_range = "100.64.128.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.64.136.0/21"
+        ip_cidr_range = "100.65.128.0/18"
       }
     ]
   }
   /*
    * Restricted network ranges
    */
-  restricted_private_service_cidr = "10.24.128.0/21"
+  restricted_private_service_cidr = "10.16.48.0/21"
   restricted_subnet_primary_ranges = {
-    (local.default_region1) = "10.8.128.0/21"
-    (local.default_region2) = "10.9.128.0/21"
+    (local.default_region1) = "10.8.128.0/18"
+    (local.default_region2) = "10.9.128.0/18"
+  }
+  restricted_subnet_proxy_ranges = {
+    (local.default_region1) = "10.26.4.0/23"
+    (local.default_region2) = "10.27.4.0/23"
   }
   restricted_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.72.128.0/21"
+        ip_cidr_range = "100.72.128.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.72.136.0/21"
+        ip_cidr_range = "100.73.128.0/18"
       }
     ]
   }
@@ -76,12 +84,14 @@ module "base_env" {
   enable_partner_interconnect           = false
   base_private_service_cidr             = local.base_private_service_cidr
   base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_proxy_ranges              = local.base_subnet_proxy_ranges
   base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
-  base_private_service_connect_ip       = "10.2.128.5"
+  base_private_service_connect_ip       = "10.17.0.3"
   restricted_private_service_cidr       = local.restricted_private_service_cidr
+  restricted_subnet_proxy_ranges        = local.restricted_subnet_proxy_ranges
   restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
   restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
-  restricted_private_service_connect_ip = "10.10.128.5"
+  restricted_private_service_connect_ip = "10.17.0.7"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
 }

3-networks-dual-svpc/envs/production/main.tf

@@ -22,40 +22,48 @@ locals {
   /*
    * Base network ranges
    */
-  base_private_service_cidr = "10.16.192.0/21"
+  base_private_service_cidr = "10.16.24.0/21"
   base_subnet_primary_ranges = {
-    (local.default_region1) = "10.0.192.0/21"
-    (local.default_region2) = "10.1.192.0/21"
+    (local.default_region1) = "10.0.192.0/18"
+    (local.default_region2) = "10.1.192.0/18"
+  }
+  base_subnet_proxy_ranges = {
+    (local.default_region1) = "10.18.6.0/23"
+    (local.default_region2) = "10.19.6.0/23"
   }
   base_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.64.192.0/21"
+        ip_cidr_range = "100.64.192.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.64.200.0/21"
+        ip_cidr_range = "100.65.192.0/18"
       }
     ]
   }
   /*
    * Restricted network ranges
    */
-  restricted_private_service_cidr = "10.24.192.0/21"
+  restricted_private_service_cidr = "10.16.56.0/21"
   restricted_subnet_primary_ranges = {
-    (local.default_region1) = "10.8.192.0/21"
-    (local.default_region2) = "10.9.192.0/21"
+    (local.default_region1) = "10.8.192.0/18"
+    (local.default_region2) = "10.9.192.0/18"
+  }
+  restricted_subnet_proxy_ranges = {
+    (local.default_region1) = "10.26.6.0/23"
+    (local.default_region2) = "10.27.6.0/23"
   }
   restricted_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.72.192.0/21"
+        ip_cidr_range = "100.72.192.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.72.200.0/21"
+        ip_cidr_range = "100.73.192.0/18"
       }
     ]
   }
@@ -76,12 +84,14 @@ module "base_env" {
   enable_partner_interconnect           = false
   base_private_service_cidr             = local.base_private_service_cidr
   base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_proxy_ranges              = local.base_subnet_proxy_ranges
   base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
-  base_private_service_connect_ip       = "10.2.192.5"
+  base_private_service_connect_ip       = "10.17.0.4"
   restricted_private_service_cidr       = local.restricted_private_service_cidr
   restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_proxy_ranges        = local.restricted_subnet_proxy_ranges
   restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
-  restricted_private_service_connect_ip = "10.10.192.5"
+  restricted_private_service_connect_ip = "10.17.0.8"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
 }

3-networks-dual-svpc/modules/base_env/README.md

@@ -7,6 +7,7 @@
 | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes |
 | base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes |
 | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes |
+| base\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes |
 | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes |
 | base\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no |
@@ -24,6 +25,7 @@
 | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes |
 | restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes |
 | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
+| restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
 | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes |
 | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |

3-networks-dual-svpc/modules/base_env/main.tf

@@ -218,6 +218,24 @@ module "restricted_shared_vpc" {
       subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
       subnet_flow_logs_filter          = var.restricted_vpc_flow_logs.filter_expr
       description                      = "Second ${var.env} subnet example."
+    },
+    {
+      subnet_name      = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy"
+      subnet_ip        = var.restricted_subnet_proxy_ranges[var.default_region1]
+      subnet_region    = var.default_region1
+      subnet_flow_logs = false
+      description      = "First ${var.env} proxy-only subnet example."
+      role             = "ACTIVE"
+      purpose          = "REGIONAL_MANAGED_PROXY"
+    },
+    {
+      subnet_name      = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy"
+      subnet_ip        = var.restricted_subnet_proxy_ranges[var.default_region2]
+      subnet_region    = var.default_region2
+      subnet_flow_logs = false
+      description      = "Second ${var.env} proxy-only subnet example."
+      role             = "ACTIVE"
+      purpose          = "REGIONAL_MANAGED_PROXY"
     }
   ]
   secondary_ranges = {
@@ -270,8 +288,27 @@ module "base_shared_vpc" {
       subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
       subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
       description                      = "Second ${var.env} subnet example."
+    },
+    {
+      subnet_name      = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy"
+      subnet_ip        = var.base_subnet_proxy_ranges[var.default_region1]
+      subnet_region    = var.default_region1
+      subnet_flow_logs = false
+      description      = "First ${var.env} proxy-only subnet example."
+      role             = "ACTIVE"
+      purpose          = "REGIONAL_MANAGED_PROXY"
+    },
+    {
+      subnet_name      = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy"
+      subnet_ip        = var.base_subnet_proxy_ranges[var.default_region2]
+      subnet_region    = var.default_region2
+      subnet_flow_logs = false
+      description      = "Second ${var.env} proxy-only subnet example."
+      role             = "ACTIVE"
+      purpose          = "REGIONAL_MANAGED_PROXY"
     }
   ]
+
   secondary_ranges = {
     "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1]
   }

3-networks-dual-svpc/modules/base_env/variables.tf

@@ -71,6 +71,11 @@ variable "base_subnet_primary_ranges" {
   description = "The base subnet primary IPTs ranges to the Base Shared Vpc."
 }
 
+variable "base_subnet_proxy_ranges" {
+  type        = map(string)
+  description = "The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc."
+}
+
 variable "base_subnet_secondary_ranges" {
   type        = map(list(map(string)))
   description = "The base subnet secondary IPTs ranges to the Base Shared Vpc."
@@ -109,6 +114,11 @@ variable "restricted_subnet_primary_ranges" {
   description = "The base subnet primary IPTs ranges to the Restricted Shared Vpc."
 }
 
+variable "restricted_subnet_proxy_ranges" {
+  type        = map(string)
+  description = "The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc."
+}
+
 variable "restricted_subnet_secondary_ranges" {
   type        = map(list(map(string)))
   description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc"