refactoy DNS Dual-Shared

renato-rudnicki · renato-rudnicki · commit cc17b6a798dd · 2024-12-20T16:49:59.000-03:00
diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf
@@ -96,3 +96,4 @@ module "base_env" {
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
 }
+
diff --git a/3-networks-dual-svpc/envs/development/variables.tf b/3-networks-dual-svpc/envs/development/variables.tf
@@ -82,3 +82,4 @@ variable "tfc_org_name" {
   type        = string
   default     = ""
 }
+
diff --git a/3-networks-dual-svpc/envs/nonproduction/main.tf b/3-networks-dual-svpc/envs/nonproduction/main.tf
@@ -96,3 +96,4 @@ module "base_env" {
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
 }
+
diff --git a/3-networks-dual-svpc/envs/nonproduction/variables.tf b/3-networks-dual-svpc/envs/nonproduction/variables.tf
@@ -82,3 +82,4 @@ variable "tfc_org_name" {
   type        = string
   default     = ""
 }
+
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
@@ -249,184 +249,3 @@ module "base_env" {
   tfc_org_name                          = var.tfc_org_name
   target_name_server_addresses          = var.target_name_server_addresses
 }
-#################### net_hub below
-
-/******************************************
-  Base Network VPC
-*****************************************/
-
-# module "base_shared_vpc" {
-#   source = "../../modules/base_shared_vpc"
-
-#   project_id                    = local.base_project_id
-#   #project_id                    = var.base_net_hub_project_id
-#   environment_code              = local.environment_code
-#   private_service_connect_ip    = "10.17.0.1"
-#   bgp_asn_subnet                = local.bgp_asn_number
-#   default_region1               = local.default_region1
-#   default_region2               = local.default_region2
-#   domain                        = var.domain
-#   dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding
-#   dns_enable_logging            = var.base_hub_dns_enable_logging
-#   firewall_enable_logging       = var.base_hub_firewall_enable_logging
-#   nat_enabled                   = var.base_hub_nat_enabled
-#   nat_bgp_asn                   = var.base_hub_nat_bgp_asn
-#   nat_num_addresses_region1     = var.base_hub_nat_num_addresses_region1
-#   nat_num_addresses_region2     = var.base_hub_nat_num_addresses_region2
-#   windows_activation_enabled    = var.base_hub_windows_activation_enabled
-#   target_name_server_addresses  = var.target_name_server_addresses
-#   #mode                          = "hub"
-
-#   subnets = [
-#     {
-#       subnet_name                      = "sb-c-shared-base-hub-${local.default_region1}"
-#       subnet_ip                        = local.base_subnet_primary_ranges[local.default_region1]
-#       subnet_region                    = local.default_region1
-#       subnet_private_access            = "true"
-#       subnet_flow_logs                 = var.base_vpc_flow_logs.enable_logging
-#       subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-#       subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-#       subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-#       subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-#       subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-#       description                      = "Base network hub subnet for ${local.default_region1}"
-#     },
-#     {
-#       subnet_name                      = "sb-c-shared-base-hub-${local.default_region2}"
-#       subnet_ip                        = local.base_subnet_primary_ranges[local.default_region2]
-#       subnet_region                    = local.default_region2
-#       subnet_private_access            = "true"
-#       subnet_flow_logs                 = var.base_vpc_flow_logs.enable_logging
-#       subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-#       subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-#       subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-#       subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-#       subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-#       description                      = "Base network hub subnet for ${local.default_region2}"
-#     },
-#     {
-#       subnet_name      = "sb-c-shared-base-hub-${local.default_region1}-proxy"
-#       subnet_ip        = local.base_subnet_proxy_ranges[local.default_region1]
-#       subnet_region    = local.default_region1
-#       subnet_flow_logs = false
-#       description      = "Base network hub proxy-only subnet for ${local.default_region1}"
-#       role             = "ACTIVE"
-#       purpose          = "REGIONAL_MANAGED_PROXY"
-#     },
-#     {
-#       subnet_name      = "sb-c-shared-base-hub-${local.default_region2}-proxy"
-#       subnet_ip        = local.base_subnet_proxy_ranges[local.default_region2]
-#       subnet_region    = local.default_region2
-#       subnet_flow_logs = false
-#       description      = "Base network hub proxy-only subnet for ${local.default_region2}"
-#       role             = "ACTIVE"
-#       purpose          = "REGIONAL_MANAGED_PROXY"
-#     }
-#   ]
-#   secondary_ranges = {}
-
-#   #depends_on = [module.dns_hub_vpc]
-# }
-
-/******************************************
-  Restricted Network VPC
-*****************************************/
-
-# module "restricted_shared_vpc" {
-#   source = "../../modules/restricted_shared_vpc"
-
-#   project_id                       = local.restricted_project_id
-#   project_number                   = local.restricted_project_number
-#   #project_id                       = var.restricted_net_hub_project_id
-#   #project_number                   = var.project_number
-#   environment_code                 = local.environment_code
-#   private_service_connect_ip       = "10.17.0.5"
-#   access_context_manager_policy_id = var.access_context_manager_policy_id
-#   restricted_services              = local.restricted_services
-#   restricted_services_dry_run      = local.restricted_services_dry_run
-#   members = distinct(concat([
-#     "serviceAccount:${local.networks_service_account}",
-#     "serviceAccount:${local.projects_service_account}",
-#     "serviceAccount:${local.organization_service_account}",
-#   ], var.perimeter_additional_members))
-#   members_dry_run = distinct(concat([
-#     "serviceAccount:${local.networks_service_account}",
-#     "serviceAccount:${local.projects_service_account}",
-#     "serviceAccount:${local.organization_service_account}",
-#   ], var.perimeter_additional_members))
-#   bgp_asn_subnet                = local.bgp_asn_number
-#   default_region1               = local.default_region1
-#   default_region2               = local.default_region2
-#   domain                        = var.domain
-#   dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding
-#   dns_enable_logging            = var.restricted_hub_dns_enable_logging
-#   firewall_enable_logging       = var.restricted_hub_firewall_enable_logging
-#   nat_enabled                   = var.restricted_hub_nat_enabled
-#   nat_bgp_asn                   = var.restricted_hub_nat_bgp_asn
-#   nat_num_addresses_region1     = var.restricted_hub_nat_num_addresses_region1
-#   nat_num_addresses_region2     = var.restricted_hub_nat_num_addresses_region2
-#   windows_activation_enabled    = var.restricted_hub_windows_activation_enabled
-#   target_name_server_addresses  = var.target_name_server_addresses
-#   #mode                          = "hub"
-
-#   subnets = [
-#     {
-#       subnet_name                      = "sb-c-shared-restricted-hub-${local.default_region1}"
-#       subnet_ip                        = local.restricted_subnet_primary_ranges[local.default_region1]
-#       subnet_region                    = local.default_region1
-#       subnet_private_access            = "true"
-#       subnet_flow_logs                 = var.restricted_vpc_flow_logs.enable_logging
-#       subnet_flow_logs_interval        = var.restricted_vpc_flow_logs.aggregation_interval
-#       subnet_flow_logs_sampling        = var.restricted_vpc_flow_logs.flow_sampling
-#       subnet_flow_logs_metadata        = var.restricted_vpc_flow_logs.metadata
-#       subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
-#       subnet_flow_logs_filter          = var.restricted_vpc_flow_logs.filter_expr
-#       description                      = "Restricted network hub subnet for ${local.default_region1}"
-#     },
-#     {
-#       subnet_name                      = "sb-c-shared-restricted-hub-${local.default_region2}"
-#       subnet_ip                        = local.restricted_subnet_primary_ranges[local.default_region2]
-#       subnet_region                    = local.default_region2
-#       subnet_private_access            = "true"
-#       subnet_flow_logs                 = var.restricted_vpc_flow_logs.enable_logging
-#       subnet_flow_logs_interval        = var.restricted_vpc_flow_logs.aggregation_interval
-#       subnet_flow_logs_sampling        = var.restricted_vpc_flow_logs.flow_sampling
-#       subnet_flow_logs_metadata        = var.restricted_vpc_flow_logs.metadata
-#       subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
-#       subnet_flow_logs_filter          = var.restricted_vpc_flow_logs.filter_expr
-#       description                      = "Restricted network hub subnet for ${local.default_region2}"
-#     },
-#     {
-#       subnet_name      = "sb-c-shared-restricted-hub-${local.default_region1}-proxy"
-#       subnet_ip        = local.restricted_subnet_proxy_ranges[local.default_region1]
-#       subnet_region    = local.default_region1
-#       subnet_flow_logs = false
-#       description      = "Restricted network hub proxy-only subnet for ${local.default_region1}"
-#       role             = "ACTIVE"
-#       purpose          = "REGIONAL_MANAGED_PROXY"
-#     },
-#     {
-#       subnet_name      = "sb-c-shared-restricted-hub-${local.default_region2}-proxy"
-#       subnet_ip        = local.restricted_subnet_proxy_ranges[local.default_region2]
-#       subnet_region    = local.default_region2
-#       subnet_flow_logs = false
-#       description      = "Restricted network hub proxy-only subnet for ${local.default_region2}"
-#       role             = "ACTIVE"
-#       purpose          = "REGIONAL_MANAGED_PROXY"
-#     }
-#   ]
-#   secondary_ranges = {}
-
-#   egress_policies = distinct(concat(
-#     #local.dedicated_interconnect_egress_policy,
-#     var.egress_policies
-#   ))
-
-#   ingress_policies = var.ingress_policies
-
-#   #depends_on = [module.dns_hub_vpc]
-# }
-
-#########################################################################################
-
-
diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf
@@ -15,17 +15,14 @@
  */
 
 locals {
-  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
-  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
-  ####
+  default_region1              = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2              = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
   organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
   networks_service_account     = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
   projects_service_account     = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
-
-  restricted_project_id     = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
-  restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
-  base_project_id           = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
-
+  restricted_project_id        = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
+  restricted_project_number    = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
+  base_project_id              = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
 }
 
 data "terraform_remote_state" "bootstrap" {
@@ -38,7 +35,6 @@ data "terraform_remote_state" "bootstrap" {
 }
 
 
-###################################
 
 data "terraform_remote_state" "org" {
   backend = "gcs"
diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf
@@ -14,7 +14,6 @@
  * limitations under the License.
  */
 
-
 variable "base_vpc_flow_logs" {
   description = <<EOT
   enable_logging: set to true to enable VPC flow logging for the subnetworks.
@@ -174,7 +173,6 @@ variable "target_name_server_addresses" {
   type        = list(map(any))
 }
 
-##############################
 variable "remote_state_bucket" {
   description = "Backend bucket to load Terraform Remote State Data from previous steps."
   type        = string
diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf
@@ -14,7 +14,3 @@
  * limitations under the License.
  */
 
-#output "dns_hub_project_id" {
-#  value       = local.dns_hub_project_id
-#  description = "The DNS hub project ID"
-#}
diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf
@@ -56,11 +56,6 @@ variable "bgp_asn_dns" {
   default     = 64667
 }
 
-#variable "target_name_server_addresses" {
-#  description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
-#  type        = list(map(any))
-#}
-
 variable "firewall_policies_enable_logging" {
   type        = bool
   description = "Toggle hierarchical firewall logging."
diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf
@@ -169,8 +169,9 @@ locals {
 module "restricted_shared_vpc" {
   source = "../restricted_shared_vpc"
 
-  project_id     = local.restricted_project_id
-  project_number = local.restricted_project_number
+  project_id                 = local.restricted_project_id
+  project_number             = local.restricted_project_number
+  prod_restricted_project_id = local.prod_restricted_project_id
 
 
   environment_code                 = var.environment_code
@@ -266,6 +267,7 @@ module "base_shared_vpc" {
   source = "../base_shared_vpc"
 
   project_id                   = local.base_project_id
+  production_project_id        = local.prod_base_project_id
   environment_code             = var.environment_code
   private_service_cidr         = var.base_private_service_cidr
   private_service_connect_ip   = var.base_private_service_connect_ip
diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf
@@ -22,6 +22,9 @@ locals {
   organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
   networks_service_account     = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
   projects_service_account     = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+  prod_restricted_project_id   = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id
+  prod_base_project_id         = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id
+
 }
 
 
@@ -43,3 +46,4 @@ data "terraform_remote_state" "org" {
   }
 }
 
+
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
@@ -4,7 +4,6 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | base\_network\_name | The name of the VPC being created | `string` | `""` | no |
-| base\_project\_id | The base project ID | `string` | `""` | no |
 | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
 | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes |
 | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes |
@@ -20,6 +19,7 @@
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes |
+| production\_project\_id | Production Project ID | `string` | `""` | no |
 | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
 | subnets | The list of subnets being created | <pre>list(object({<br>    subnet_name                      = string<br>    subnet_ip                        = string<br>    subnet_region                    = string<br>    subnet_private_access            = optional(string, "false")<br>    subnet_private_ipv6_access       = optional(string)<br>    subnet_flow_logs                 = optional(string, "false")<br>    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")<br>    subnet_flow_logs_sampling        = optional(string, "0.5")<br>    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")<br>    subnet_flow_logs_filter          = optional(string, "true")<br>    subnet_flow_logs_metadata_fields = optional(list(string), [])<br>    description                      = optional(string)<br>    purpose                          = optional(string)<br>    role                             = optional(string)<br>    stack_type                       = optional(string)<br>    ipv6_access_type                 = optional(string)<br>  }))</pre> | `[]` | no |
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
@@ -33,17 +33,17 @@ resource "google_dns_policy" "default_policy" {
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
 
-  #count = local.environment == "production" ? 1 : 0
+  count = var.environment_code != "p" ? 1 : 0
 
-  name    = local.network_name
-  project = var.project_id
+  name    = "vpc-p-shared-base"
+  project = var.production_project_id
 }
 
 module "peering_zone" {
   source  = "terraform-google-modules/cloud-dns/google"
   version = "~> 5.0"
 
-  #count = local.environment == "production" ? 1 : 0
+  count = var.environment_code != "p" ? 1 : 0
 
   project_id  = var.project_id
   type        = "peering"
@@ -54,8 +54,7 @@ module "peering_zone" {
   private_visibility_config_networks = [
     module.main.network_self_link
   ]
-  #target_network = data.google_compute_network.vpc_dns_hub[0].self_link
-  target_network = data.google_compute_network.vpc_dns_hub.self_link
+  target_network = data.google_compute_network.vpc_dns_hub[0].self_link
 }
 
 /******************************************
@@ -65,7 +64,7 @@ module "dns_forwarding_zone" {
   source  = "terraform-google-modules/cloud-dns/google"
   version = "~> 5.0"
 
-  #count = local.environment == "production" ? 1 : 0
+  count = var.environment_code == "p" ? 1 : 0
 
   project_id = var.project_id
   type       = "forwarding"
@@ -77,3 +76,4 @@ module "dns_forwarding_zone" {
   ]
   target_name_server_addresses = var.target_name_server_addresses
 }
+
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -96,3 +96,4 @@ module "base_env" {`
`96`	`96`	`remote_state_bucket = var.remote_state_bucket`
`97`	`97`	`tfc_org_name = var.tfc_org_name`
`98`	`98`	`}`
	`99`	`+`
Original file line number	Diff line number	Diff line change
`@@ -82,3 +82,4 @@ variable "tfc_org_name" {`
`82`	`82`	`type = string`
`83`	`83`	`default = ""`
`84`	`84`	`}`
	`85`	`+`