terraform-google-modules
diff --git a/‎3-networks-dual-svpc/envs/production/README.md‎
Lines changed: 2 additions & 0 deletions b/‎3-networks-dual-svpc/envs/production/README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎3-networks-dual-svpc/envs/production/main.tf‎
Lines changed: 24 additions & 24 deletions b/‎3-networks-dual-svpc/envs/production/main.tf‎
Lines changed: 24 additions & 24 deletions
diff --git a/‎3-networks-dual-svpc/envs/production/remote.tf‎
Lines changed: 6 additions & 6 deletions b/‎3-networks-dual-svpc/envs/production/remote.tf‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎3-networks-dual-svpc/envs/shared/README.md‎
Lines changed: 0 additions & 1 deletion b/‎3-networks-dual-svpc/envs/shared/README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎3-networks-dual-svpc/envs/shared/remote.tf‎
Lines changed: 6 additions & 6 deletions b/‎3-networks-dual-svpc/envs/shared/remote.tf‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎3-networks-dual-svpc/modules/base_env/README.md‎
Lines changed: 2 additions & 0 deletions b/‎3-networks-dual-svpc/modules/base_env/README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎3-networks-dual-svpc/modules/base_env/main.tf‎
Lines changed: 10 additions & 10 deletions b/‎3-networks-dual-svpc/modules/base_env/main.tf‎
Lines changed: 10 additions & 10 deletions
@@ -24,6 +24,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no |
 | base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no |
 | base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no |
+| base\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.<br>  aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    enable_logging       = optional(string, "true")<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes |
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
@@ -43,6 +44,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no |
 | restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. | `number` | `2` | no |
 | restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no |
+| restricted\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.<br>  aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    enable_logging       = optional(string, "true")<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 
 
@@ -66,32 +66,32 @@ locals {
     ]
   }
 
-##############################
+  ##############################
 
-    restricted_services         = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service
-    restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service
+  restricted_services         = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service
+  restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service
 
-    bgp_asn_number     = var.enable_partner_interconnect ? "16550" : "64514"
-   # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
+  bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514"
+  # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
 
-#   dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [
-#     {
-#       "from" = {
-#         "identity_type" = ""
-#         "identities"    = ["serviceAccount:${local.networks_service_account}"]
-#       },
-#       "to" = {
-#         "resources" = ["projects/${local.interconnect_project_number}"]
-#         "operations" = {
-#           "compute.googleapis.com" = {
-#             "methods" = ["*"]
-#           }
-#         }
-#       }
-#     },
-#   ] : []
+  #   dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [
+  #     {
+  #       "from" = {
+  #         "identity_type" = ""
+  #         "identities"    = ["serviceAccount:${local.networks_service_account}"]
+  #       },
+  #       "to" = {
+  #         "resources" = ["projects/${local.interconnect_project_number}"]
+  #         "operations" = {
+  #           "compute.googleapis.com" = {
+  #             "methods" = ["*"]
+  #           }
+  #         }
+  #       }
+  #     },
+  #   ] : []
 
-supported_restricted_service = [
+  supported_restricted_service = [
     "accessapproval.googleapis.com",
     "adsdatahub.googleapis.com",
     "aiplatform.googleapis.com",
@@ -216,7 +216,7 @@ supported_restricted_service = [
     "workstations.googleapis.com",
   ]
 
-######################################
+  ######################################
 }
 
 module "base_env" {
@@ -247,7 +247,7 @@ module "base_env" {
   restricted_private_service_connect_ip = "10.17.0.8"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
-  target_name_server_addresses  = var.target_name_server_addresses
+  target_name_server_addresses          = var.target_name_server_addresses
 }
 #################### net_hub below
 
 
@@ -18,13 +18,13 @@ locals {
   default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
   default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
   ####
-  organization_service_account      = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
-  networks_service_account          = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
-  projects_service_account          = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+  organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
+  networks_service_account     = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
+  projects_service_account     = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
 
-  restricted_project_id        = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
-  restricted_project_number    = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
-  base_project_id              = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
+  restricted_project_id     = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
+  restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
+  base_project_id           = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
 
 }
 
 
@@ -19,7 +19,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no |
 | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
-| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 | vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.<br>  aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    enable_logging       = optional(string, "true")<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 
 
@@ -15,12 +15,12 @@
  */
 
 locals {
-  env                       = "common"
-  environment_code          = "c"
-  dns_bgp_asn_number        = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
-  default_region1           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
-  default_region2           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
-  folder_prefix             = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+  env                = "common"
+  environment_code   = "c"
+  dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
+  default_region1    = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2    = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+  folder_prefix      = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
   #interconnect_project_id   = data.terraform_remote_state.org.outputs.interconnect_project_id
   parent_id                 = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
   bootstrap_folder_name     = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
 
@@ -32,6 +32,7 @@
 | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
 | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes |
 | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 
 ## Outputs
@@ -56,5 +57,6 @@
 | restricted\_subnets\_names | The names of the subnets being created |
 | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | restricted\_subnets\_self\_links | The self-links of subnets being created |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -169,8 +169,8 @@ locals {
 module "restricted_shared_vpc" {
   source = "../restricted_shared_vpc"
 
-  project_id                        = local.restricted_project_id
-  project_number                    = local.restricted_project_number
+  project_id     = local.restricted_project_id
+  project_number = local.restricted_project_number
 
 
   environment_code                 = var.environment_code
@@ -187,14 +187,14 @@ module "restricted_shared_vpc" {
     "serviceAccount:${local.projects_service_account}",
     "serviceAccount:${local.organization_service_account}",
   ], var.perimeter_additional_members))
-  private_service_cidr         = var.restricted_private_service_cidr
-  private_service_connect_ip   = var.restricted_private_service_connect_ip
-  bgp_asn_subnet               = local.bgp_asn_number
-  default_region1              = var.default_region1
-  default_region2              = var.default_region2
-  domain                       = var.domain
-  ingress_policies             = var.ingress_policies
-  ingress_policies_dry_run     = var.ingress_policies_dry_run
+  private_service_cidr       = var.restricted_private_service_cidr
+  private_service_connect_ip = var.restricted_private_service_connect_ip
+  bgp_asn_subnet             = local.bgp_asn_number
+  default_region1            = var.default_region1
+  default_region2            = var.default_region2
+  domain                     = var.domain
+  ingress_policies           = var.ingress_policies
+  ingress_policies_dry_run   = var.ingress_policies_dry_run
   egress_policies = distinct(concat(
     #local.dedicated_interconnect_egress_policy,
     var.egress_policies