diff --git a/0-bootstrap/README-GitHub.md b/0-bootstrap/README-GitHub.md index 8b424e319..db5be2592 100644 --- a/0-bootstrap/README-GitHub.md +++ b/0-bootstrap/README-GitHub.md @@ -215,7 +215,7 @@ export the GitHub fine grained access token as an environment variable: terraform apply bootstrap.tfplan ``` -1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-dual-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. +1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. ```bash export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) @@ -508,7 +508,7 @@ See any of the envs folder [README.md](../2-environments/envs/production/README. 1. Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under `tf-apply`. 1. You can now move to the instructions in the network stage. -To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-dual-svpc](#deploying-step-3-networks-dual-svpc), +To use the [Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-svpc](#deploying-step-3-networks-svpc), or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hub-and-spoke) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. 1. Before moving to the next step, go back to the parent directory. 
@@ -517,9 +517,9 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu cd .. ``` -## Deploying step 3-networks-dual-svpc +## Deploying step 3-networks-svpc -1. Clone the repository you created to host the `3-networks-dual-svpc` terraform configuration at the same level of the `terraform-example-foundation` folder. +1. Clone the repository you created to host the `3-networks-svpc` terraform configuration at the same level of the `terraform-example-foundation` folder. ```bash git clone git@github.com:/.git gcp-networks @@ -557,7 +557,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu 1. Copy contents of foundation to new repo. ```bash - cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . + cp -RT ../terraform-example-foundation/3-networks-svpc/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-example-foundation/build/github-tf-* ./.github/workflows/ @@ -587,8 +587,8 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu ``` 1. Update `common.auto.tfvars` file with values from your GCP environment. -See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file. ```bash 
@@ -643,24 +643,48 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th ./tf-wrapper.sh apply shared ``` -1. Push your plan branch. +1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it. ```bash - git push --set-upstream origin plan + git checkout production + git merge plan ``` -1. Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/plan from the `plan` branch to the `production` branch and review the output. +1. Run `init` and `plan` and review output for environment production. - > NOTE: Development and Non-production branches depends on the production branch to be deployed first, for the `3-networks-dual-svpc`. + ```bash + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production + ``` -1. The Pull request will trigger a GitHub Action that will run Terraform `init`/`plan`/`validate` in the `production` environment. -1. Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under `tf-pull-request`. -1. If the GitHub action is successful, merge the pull request in to the `production` branch. -1. The merge will trigger a GitHub Action that will apply the terraform configuration for the `production` environment. -1. Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under `tf-apply`. -1. If the GitHub action is successful, apply the next environment. +1. Run `apply` production. -1. Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/plan from the `plan` branch to the `development` branch and review the output. + ```bash + ./tf-wrapper.sh apply production + ``` + +1. Push your production branch since development and nonproduction depends it. 
+ +*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments. + + ```bash + git add . + git commit -m 'Initialize networks repo - production' + git push --set-upstream origin production + ``` + +1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `production` branch to the `plan` branch and review the output. + +> NOTE: Development and Non-production branches depends on the production branch to be deployed first, for the `3-networks-dual-svpc`. + +1. Push your plan branch. + + ```bash + git checkout plan --set-upstream origin plan + git push + ``` + +1. Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/plan from the `production` branch to the `development` branch and review the output. 1. The Pull request will trigger a GitHub Action that will run Terraform `init`/`plan`/`validate` in the `development` environment. 1. Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under `tf-pull-request`. 1. If the GitHub action is successful, merge the pull request in to the `development` branch. 
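Review bot: several defects in the new manual-production steps of this README-GitHub.md hunk. (1) `git checkout plan --set-upstream origin plan` is not a valid command, since `--set-upstream` is a `git push` option; it should be `git checkout plan` followed by `git push --set-upstream origin plan`. (2) The step "Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/..." was pasted from the GitLab README into the GitHub README; this document works with pull requests at https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/... (3) The next pull-request URL `.../pull/new/plan` pre-selects `plan` as the head branch while the text says the request is "from the `production` branch", so one of the two is wrong. (4) The `plan` branch is pushed only after the request that targets it is opened; if `plan` has not been pushed before, move "Push your plan branch" ahead of that step. (5) `*Note:**` is unbalanced bold markup (use `**Note:**`), `envrionment` should be `environment`, and "depends it" should be "depend on it". (6) The retained `> NOTE:` still names `3-networks-dual-svpc` although this change renames the step to `3-networks-svpc` everywhere else.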
@@ -748,7 +772,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th 1. Update `common.auto.tfvars` file with values from your GCP environment. See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file. ```bash diff --git a/0-bootstrap/README-GitLab.md b/0-bootstrap/README-GitLab.md index 6117b9577..ff3207693 100644 --- a/0-bootstrap/README-GitLab.md +++ b/0-bootstrap/README-GitLab.md @@ -184,7 +184,7 @@ Run the `0-bootstrap/scripts/git_create_branches_helper.sh` script to create the 1. Go to https://gitlab.com/GITLAB-OWNER/GITLAB-RUNNER-REPO/-/settings/ci_cd#js-token-access 1. Add all the repositories: Bootstrap, Organization, Environments, Networks, and Projects to the allow list tha allow access to the CI/CD runner image. -1. In "Allow CI job tokens from the following projects to access this project" add the other projects/repositories. Format is / +1. In "Allow CI job tokens from the following projects to access this project" add the other projects/repositories. Format is `/` ### Deploying step 0-bootstrap 
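Review bot: wrapping the format in backticks does not fix the real problem in "Format is `/`" at the end of the README-GitLab.md @@ -184 hunk: the placeholder segments on both sides of the slash are missing, most likely because angle-bracket placeholders were swallowed as HTML tags when rendered. Spell the placeholders out in the style this file already uses for its URLs, for example `GITLAB-OWNER/GITLAB-NETWORKS-REPO`, so readers can see that the expected value is the owner path followed by the repository name.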
@@ -283,7 +283,7 @@ export the GitLab personal or group access token as an environment variable: terraform apply bootstrap.tfplan ``` -1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-dual-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. +1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. ```bash export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) @@ -539,10 +539,10 @@ See any of the envs folder [README.md](../2-environments/envs/production/README. ``` 1. You can now move to the instructions in the network stage. -To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-dual-svpc](#deploying-step-3-networks-dual-svpc), +To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-svpc](#deploying-step-3-networks-svpc), or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hub-and-spoke) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. -## Deploying step 3-networks-dual-svpc +## Deploying step 3-networks-svpc 1. Navigate into the repo. All subsequent steps assume you are running them from the `gcp-networks` directory. If you run them from another directory, adjust your copy paths accordingly. 
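Review bot: the link text in the README-GitLab.md @@ -539 hunk still reads "Dual Shared VPC" while the heading and anchor on the same lines are renamed to `3-networks-svpc` and the matching hunk in README-GitHub.md changes the wording to "Shared VPC"; update the link text here to match, since the 0-bootstrap README.md table in this same change now describes the step as setting up shared VPCs rather than base and restricted ones.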
@@ -560,7 +560,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu 1. Copy contents of foundation to new repo. ```bash - cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . + cp -RT ../terraform-example-foundation/3-networks-svpc/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . @@ -590,8 +590,8 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu ``` 1. Update `common.auto.tfvars` file with values from your GCP environment. -See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file. ```bash 
@@ -646,37 +646,61 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th ./tf-wrapper.sh apply shared ``` +1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it. + + ```bash + git checkout production + git merge plan + ``` + +1. Run `init` and `plan` and review output for environment production. + + ```bash + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production + ``` + +1. Run `apply` production. + + ```bash + ./tf-wrapper.sh apply production + ``` + + 1. Push your production branch since development and nonproduction depends it. + +*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments. + + ```bash + git add . + git commit -m 'Initialize networks repo - production' + git push + ``` + +1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `production` branch to the `plan` branch and review the output. + 1. Push your plan branch. ```bash + git checkout plan git push ``` -1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `plan` branch to the `production` branch and review the output. +1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `production` branch to the `development` branch and review the output. > NOTE: Development and Non-production branches depends on the production branch to be deployed first, for the `3-networks-dual-svpc`. -1. The merge request will trigger a GitLab pipelines that will run Terraform `init`/`plan`/`validate` in the `production` environment. -1. Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines. -1. 
If the GitLab pipelines is successful, merge the merge request in to the `production` branch. -1. The merge will trigger a GitLab pipelines that will apply the terraform configuration for the `production` environment. -1. Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under `tf-apply`. - -1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `plan` branch to the `development` branch and review the output. 1. The merge request will trigger a GitLab pipelines that will run Terraform `init`/`plan`/`validate` in the `development` environment. 1. Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines. 1. If the GitLab pipelines is successful, merge the merge request in to the `development` branch. 1. The merge will trigger a GitLab pipelines that will apply the terraform configuration for the `development` environment. 1. Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under `tf-apply`. -1. If the GitLab pipelines is successful, apply the next environment. -1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `development` branch to the `nonproduction` branch and review the output. +1. Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the `production` branch to the `nonproduction` branch and review the output. 1. The merge request will trigger a GitLab pipelines that will run Terraform `init`/`plan`/`validate` in the `nonproduction` environment. 1. Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines. 1. If the GitLab pipelines is successful, merge the merge request in to the `nonproduction` branch. 1. 
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the `nonproduction` environment. 1. Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under `tf-apply`. -1. If the GitLab pipelines is successful, apply the next environment. 1. Before executing the next steps, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable. @@ -728,7 +752,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th 1. Update `common.auto.tfvars` file with values from your GCP environment. See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file. ```bash diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md index 5ece83a8f..b1bd39a07 100644 --- a/0-bootstrap/README-Jenkins.md +++ b/0-bootstrap/README-Jenkins.md 
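Review bot: in the README-GitLab.md hunk @@ -646,37 +646,61 (the manual-production section above the README-Jenkins.md file header), the step " 1. Push your production branch since development and nonproduction depends it." is indented by one space, which breaks the numbered list, and should read "depend on it"; `*Note:**` is unbalanced bold markup (use `**Note:**`) and `envrionment` is misspelled. The merge request "from the `production` branch to the `plan` branch" is opened before "Push your plan branch" runs, so reviewers would be diffing against whatever `plan` the branch helper script created earlier; move the push ahead of the merge-request step or drop that request if it is a leftover. The retained `> NOTE:` still refers to `3-networks-dual-svpc` although this change renames the step to `3-networks-svpc`.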
@@ -546,9 +546,9 @@ Here you will configure a VPN Network tunnel to enable connectivity between the ``` 1. Review the apply output in your Controller's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Controller UI). -1. You can now move to the instructions in the next step, go to [Deploying step 3-networks-dual-svpc](#deploying-step-3-networks-dual-svpc) to use the Dual Shared VPC mode, or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hub-and-spoke) to use the Hub and Spoke network mode. +1. You can now move to the instructions in the next step, go to [Deploying step 3-networks-svpc](#deploying-step-3-networks-svpc) to use the Dual Shared VPC mode, or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hub-and-spoke) to use the Hub and Spoke network mode. -## Deploying step 3-networks-dual-svpc +## Deploying step 3-networks-svpc 1. Clone the repo you created manually in 0-bootstrap. @@ -568,7 +568,7 @@ Here you will configure a VPN Network tunnel to enable connectivity between the 1. Copy contents of foundation to new repo. ```bash - cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . + cp -RT ../terraform-example-foundation/3-networks-svpc/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/Jenkinsfile . cp ../terraform-example-foundation/build/tf-wrapper.sh . 
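Review bot: "to use the Dual Shared VPC mode" in the README-Jenkins.md @@ -546 hunk keeps the old name right next to the renamed `3-networks-svpc` link; "Shared VPC mode" would match the wording this change introduces in README-GitHub.md and in the 0-bootstrap README.md table.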
@@ -607,7 +607,7 @@ Here you will configure a VPN Network tunnel to enable connectivity between the mv access_context.auto.example.tfvars access_context.auto.tfvars ``` -1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. +1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. 1. Update `production.auto.tfvars` file with the `target_name_server_addresses`. 1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. 1. Use `terraform output` to get the backend bucket and networks step Terraform Service Account values from gcp-bootstrap output. diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md index 3956776c5..53b17c734 100644 --- a/0-bootstrap/README-Terraform-Cloud.md +++ b/0-bootstrap/README-Terraform-Cloud.md @@ -213,7 +213,7 @@ export the OAuth Token ID as an environment variable: 1. Run `terraform plan -input=false -out bootstrap_2.tfplan` 1. Run `terraform apply bootstrap_2.tfplan` -1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-dual-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. +1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-svpc`, `3-networks-hub-and-spoke`, and `4-projects`. ```bash export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) 
@@ -230,7 +230,7 @@ export the OAuth Token ID as an environment variable: echo "CI/CD Project ID = ${cicd_project_id}" ``` -1. Run `terraform output` to get the name of the TFC organization and export it as environment variables. `TF_CLOUD_ORGANIZATION` variable will be used by the `cloud` block in order to move the local Terraform's state to TFC and `TF_VAR_tfc_org_name` will be used to run manual steps for `shared` environments in steps `3-networks-dual-svpc`, `3-networks-hub-and-spoke`, and `4-projects` +1. Run `terraform output` to get the name of the TFC organization and export it as environment variables. `TF_CLOUD_ORGANIZATION` variable will be used by the `cloud` block in order to move the local Terraform's state to TFC and `TF_VAR_tfc_org_name` will be used to run manual steps for `shared` environments in steps `3-networks-svpc`, `3-networks-hub-and-spoke`, and `4-projects` ```bash export TF_CLOUD_ORGANIZATION=$(terraform output -raw tfc_org_name) 
@@ -441,7 +441,7 @@ See any of the envs folder [README.md](../2-environments/envs/production/README. 1. Review apply output in Terraform Cloud https://app.terraform.io/app/TFC-ORGANIZATION-NAME/workspaces/2-production/runs under `Run List` item. 1. You can now move to the instructions in the network stage. -To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-dual-svpc](#deploying-step-3-networks-dual-svpc), +To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [Deploying step 3-networks-svpc](#deploying-step-3-networks-svpc), or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hub-and-spoke) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. 1. Before moving to the next step, go back to the parent directory. @@ -450,7 +450,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu cd .. ``` -## Deploying step 3-networks-dual-svpc +## Deploying step 3-networks-svpc **Note:** For all purposes we treat `shared` environment as `production` environment due to the possible impacts into `production`. So `3-production` TFC workspace have a [Run Trigger](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/settings/run-triggers) sourcing `3-shared` TFC workspace, which means that every time you successfully run an apply job in `3-shared` TFC workspace, a `Plan and apply` job will be triggered automatically for `3-production` TFC workspace. (All the applies will continue requiring manual approvals in TFC console). 
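Review bot: the README-Terraform-Cloud.md @@ -441 hunk keeps the link text "Dual Shared VPC" while renaming the target to `3-networks-svpc`; change it to "Shared VPC" as the README-GitHub.md hunk does so the four CI/CD READMEs describe the step the same way.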
@@ -470,7 +470,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu 1. Copy contents of foundation to new repo. ```bash - cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . + cp -RT ../terraform-example-foundation/3-networks-svpc/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh @@ -498,8 +498,8 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu ``` 1. Update `common.auto.tfvars` file with values from your GCP environment. -See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. You must manually plan and apply the `shared` environment from your (only once) since the `development`, `nonproduction` and `production` environments depend on it. 
@@ -649,7 +649,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th 1. Update `common.auto.tfvars` file with values from your GCP environment. See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file. -1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project. +1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the project. 1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it. diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index afc92af12..15a339411 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub. 
@@ -254,7 +254,7 @@ The following steps introduce the steps to deploy with Cloud Build Alternatively terraform apply bootstrap.tfplan ``` -1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-dual-svpc`, `3-networks-hub-and-spoke`, and `4-projects` and the state bucket that will be used by step 4-projects. +1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run manual steps for `shared` environments in steps `3-networks-svpc`, `3-networks-hub-and-spoke`, and `4-projects` and the state bucket that will be used by step 4-projects. ```bash export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) diff --git a/0-bootstrap/gitlab.tf.example b/0-bootstrap/gitlab.tf.example index afd5fd77c..aa68c4237 100644 --- a/0-bootstrap/gitlab.tf.example +++ b/0-bootstrap/gitlab.tf.example @@ -112,6 +112,7 @@ module "gitlab_oidc" { pool_id = "foundation-pool" provider_id = "foundation-gl-provider" sa_mapping = local.sa_mapping + attribute_condition = "assertion.user_login=='${var.gl_repos.owner}'" } resource "gitlab_project_variable" "variables" { @@ -174,3 +175,20 @@ resource "google_service_account_iam_member" "self_impersonate" { role = "roles/iam.serviceAccountTokenCreator" member = "serviceAccount:${google_service_account.terraform-env-sa[each.key].email}" } + +module "gcp_projects_state_bucket" { + source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" + version = "~> 9.0" + + name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate" + project_id = module.seed_bootstrap.seed_project_id + location = var.default_region + force_destroy = var.bucket_force_destroy + + encryption = { + default_kms_key_name = local.state_bucket_kms_key + } + + depends_on = [module.seed_bootstrap.gcs_bucket_tfstate] +} + 
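Review bot: the new `attribute_condition = "assertion.user_login=='${var.gl_repos.owner}'"` in the gitlab.tf.example `gitlab_oidc` module binds the workload identity pool to the login of the user who triggered the pipeline, not to the namespace that owns the repositories. If `var.gl_repos.owner` is a GitLab group, or if any other member of that owner starts a job, the token exchange is rejected. Tightening the pool with a condition is the right hardening step; consider expressing it on the namespace or project path claim (for example `assertion.namespace_path == var.gl_repos.owner`, which the GitLab ID token carries alongside `user_login`) so the restriction follows the repository owner rather than the triggering user, and document the intended semantics in a comment next to the line.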
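Review bot: the new `gcp_projects_state_bucket` module at the end of gitlab.tf.example is not exported by any output in this diff, yet the 0-bootstrap README.md hunk in the same change says `terraform output` returns "the state bucket that will be used by step 4-projects"; confirm the GitLab variant defines that output. Two settings worth calling out: the bucket is CMEK-encrypted via `local.state_bucket_kms_key`, which is appropriate for Terraform state, and it inherits `var.bucket_force_destroy`, so when that variable is true a `terraform destroy` will delete the state objects along with the bucket.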
diff --git a/0-bootstrap/versions.tf b/0-bootstrap/versions.tf index 348361fe5..8129e9abf 100644 --- a/0-bootstrap/versions.tf +++ b/0-bootstrap/versions.tf @@ -19,14 +19,16 @@ terraform { required_providers { google = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50, != 4.31.0, < 7.0" + version = ">= 3.50, != 4.31.0, < 6.26.0" } google-beta = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50, != 4.31.0, < 7.0" + version = ">= 3.50, != 4.31.0, < 6.26.0" } // Un-comment gitlab required_providers when using gitlab CI/CD diff --git a/1-org/README.md b/1-org/README.md index cf5eac821..5bce9c13b 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the hub-and-spoke network model. It also sets up the global DNS hub. 
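Review bot: in the versions.tf hunk the comment says version 6.26.0 is "removed because of the bug", but the constraint was changed from `< 7.0` to `< 6.26.0`, which is an upper bound that also excludes every later 6.x release rather than only the affected one. The existing exclusion on the same line uses `!= 4.31.0`; unless the bug is known to persist in releases after 6.26.0, use the same form (`>= 3.50, != 4.31.0, != 6.26.0, < 7.0`) for both `google` and `google-beta` so fixed provider versions are not locked out, and state the reasoning in the comment either way.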
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index 9233b2bba..8da1e2415 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md @@ -18,7 +18,7 @@ | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no | | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no | | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no | -| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
net_hub_budget_amount = optional(number, 1000)
net_hub_alert_spent_percents = optional(list(number), [1.2])
net_hub_alert_pubsub_topic = optional(string, null)
net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
shared_network_budget_amount = optional(number, 1000)
shared_network_alert_spent_percents = optional(list(number), [1.2])
shared_network_alert_pubsub_topic = optional(string, null)
shared_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no | @@ -29,7 +29,6 @@ | Name | Description | |------|-------------| -| base\_net\_hub\_project\_id | The Base Network hub project ID | | billing\_sink\_names | The name of the sinks under billing account level. | | cai\_monitoring\_artifact\_registry | CAI Monitoring Cloud Function Artifact Registry name. | | cai\_monitoring\_asset\_feed | CAI Monitoring Cloud Function Organization Asset Feed name. | @@ -44,6 +43,8 @@ | logs\_export\_project\_logbucket\_name | The resource name for the Log Bucket created for the project destination. | | logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports | | logs\_export\_storage\_bucket\_name | The storage bucket for destination of log exports | +| net\_hub\_project\_id | The Network hub project ID | +| net\_hub\_project\_number | The Network hub project number | | network\_folder\_name | The network folder name. | | org\_audit\_logs\_project\_id | The org audit logs project ID. | | org\_billing\_export\_project\_id | The org billing export project ID | 
@@ -51,11 +52,9 @@ | org\_secrets\_project\_id | The org secrets project ID | | parent\_resource\_id | The parent resource id | | parent\_resource\_type | The parent resource type | -| restricted\_net\_hub\_project\_id | The Restricted Network hub project ID | -| restricted\_net\_hub\_project\_number | The Restricted Network hub project number | | scc\_notification\_name | Name of SCC Notification | | scc\_notifications\_project\_id | The SCC notifications project ID | -| shared\_vpc\_projects | Base and restricted shared VPC Projects info grouped by environment (development, nonproduction, production). | +| shared\_vpc\_projects | Shared VPC Projects info grouped by environment (development, nonproduction, production). | | tags | Tag Values to be applied on next steps. | diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf index 5d7d1c986..df9e55da2 100644 --- a/1-org/envs/shared/outputs.tf +++ b/1-org/envs/shared/outputs.tf @@ -79,19 +79,14 @@ output "scc_notifications_project_id" { description = "The SCC notifications project ID" } -output "base_net_hub_project_id" { - value = try(module.base_network_hub[0].project_id, null) - description = "The Base Network hub project ID" +output "net_hub_project_id" { + value = try(module.network_hub[0].project_id, null) + description = "The Network hub project ID" } -output "restricted_net_hub_project_id" { - value = try(module.restricted_network_hub[0].project_id, null) - description = "The Restricted Network hub project ID" -} - -output "restricted_net_hub_project_number" { - value = try(module.restricted_network_hub[0].project_number, null) - description = "The Restricted Network hub project number" +output "net_hub_project_number" { + value = try(module.network_hub[0].project_number, null) + description = "The Network hub project number" } output "domains_to_allow" { 
@@ -130,8 +125,8 @@ output "tags" { } output "shared_vpc_projects" { - value = { for k, v in module.base_restricted_environment_network : k => v } - description = "Base and restricted shared VPC Projects info grouped by environment (development, nonproduction, production)." + value = { for k, v in module.environment_network : k => v } + description = "Shared VPC Projects info grouped by environment (development, nonproduction, production)." } output "cai_monitoring_artifact_registry" { diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index 5ae87ac57..5798fa6b1 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf @@ -234,10 +234,10 @@ module "scc_notifications" { } /****************************************** - Project for Base Network Hub + Project for Network Hub *****************************************/ -module "base_network_hub" { +module "network_hub" { source = "terraform-google-modules/project-factory/google" version = "~> 18.0" count = var.enable_hub_and_spoke ? 1 : 0 @@ -245,7 +245,7 @@ module "base_network_hub" { random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" - name = "${local.project_prefix}-net-hub-base" + name = "${local.project_prefix}-net-hub" org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id 
@@ -262,76 +262,25 @@ module "base_network_hub" { labels = { environment = "network" - application_name = "org-net-hub-base" + application_name = "org-net-hub" billing_code = "1234" primary_contact = "example1" secondary_contact = "example2" business_code = "shared" env_code = "net" - vpc = "base" + vpc = "svpc" } - budget_alert_pubsub_topic = var.project_budget.base_net_hub_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.base_net_hub_alert_spent_percents - budget_amount = var.project_budget.base_net_hub_budget_amount - budget_alert_spend_basis = var.project_budget.base_net_hub_budget_alert_spend_basis -} - -resource "google_project_iam_member" "network_sa_base" { - for_each = toset(var.enable_hub_and_spoke ? local.hub_and_spoke_roles : []) - - project = module.base_network_hub[0].project_id - role = each.key - member = "serviceAccount:${local.networks_step_terraform_service_account_email}" -} - -/****************************************** - Project for Restricted Network Hub -*****************************************/ - -module "restricted_network_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 18.0" - count = var.enable_hub_and_spoke ? 
1 : 0 - - random_project_id = true - random_project_id_length = 4 - default_service_account = "deprivilege" - name = "${local.project_prefix}-net-hub-restricted" - org_id = local.org_id - billing_account = local.billing_account - folder_id = google_folder.network.id - deletion_policy = var.project_deletion_policy - - activate_apis = [ - "compute.googleapis.com", - "dns.googleapis.com", - "servicenetworking.googleapis.com", - "logging.googleapis.com", - "cloudresourcemanager.googleapis.com", - "billingbudgets.googleapis.com" - ] - - labels = { - environment = "network" - application_name = "org-net-hub-restricted" - billing_code = "1234" - primary_contact = "example1" - secondary_contact = "example2" - business_code = "shared" - env_code = "net" - vpc = "restricted" - } - budget_alert_pubsub_topic = var.project_budget.restricted_net_hub_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.restricted_net_hub_alert_spent_percents - budget_amount = var.project_budget.restricted_net_hub_budget_amount - budget_alert_spend_basis = var.project_budget.restricted_net_hub_budget_alert_spend_basis + budget_alert_pubsub_topic = var.project_budget.net_hub_alert_pubsub_topic + budget_alert_spent_percents = var.project_budget.net_hub_alert_spent_percents + budget_amount = var.project_budget.net_hub_budget_amount + budget_alert_spend_basis = var.project_budget.net_hub_budget_alert_spend_basis } /************************************************************ - Base and Restricted Network Projects for each Environment +Network Project for each Environment ************************************************************/ -module "base_restricted_environment_network" { +module "environment_network" { source = "../../modules/network" for_each = local.environments 
@@ -346,14 +295,10 @@ module "base_restricted_environment_network" { env_code = each.value project_budget = { - base_network_budget_amount = var.project_budget.base_network_budget_amount - base_network_alert_spent_percents = var.project_budget.base_network_alert_spent_percents - base_network_alert_pubsub_topic = var.project_budget.base_network_alert_pubsub_topic - base_network_budget_alert_spend_basis = var.project_budget.base_network_budget_alert_spend_basis - restricted_network_budget_amount = var.project_budget.restricted_network_budget_amount - restricted_network_alert_spent_percents = var.project_budget.restricted_network_alert_spent_percents - restricted_network_alert_pubsub_topic = var.project_budget.restricted_network_alert_pubsub_topic - restricted_network_budget_alert_spend_basis = var.project_budget.restricted_network_budget_alert_spend_basis + network_budget_amount = var.project_budget.shared_network_budget_amount + network_alert_spent_percents = var.project_budget.shared_network_alert_spent_percents + network_alert_pubsub_topic = var.project_budget.shared_network_alert_pubsub_topic + network_budget_alert_spend_basis = var.project_budget.shared_network_budget_alert_spend_basis } } @@ -361,10 +306,10 @@ module "base_restricted_environment_network" { Roles granted to the networks SA for Hub and Spoke network topology *********************************************************************/ -resource "google_project_iam_member" "network_sa_restricted" { +resource "google_project_iam_member" "network_sa" { for_each = toset(var.enable_hub_and_spoke ? local.hub_and_spoke_roles : []) - project = module.restricted_network_hub[0].project_id + project = module.network_hub[0].project_id role = each.key member = "serviceAccount:${local.networks_step_terraform_service_account_email}" } diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 929d213df..bc6fae1cf 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf 
@@ -97,22 +97,14 @@ variable "project_budget" { alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). EOT type = object({ - base_net_hub_budget_amount = optional(number, 1000) - base_net_hub_alert_spent_percents = optional(list(number), [1.2]) - base_net_hub_alert_pubsub_topic = optional(string, null) - base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - base_network_budget_amount = optional(number, 1000) - base_network_alert_spent_percents = optional(list(number), [1.2]) - base_network_alert_pubsub_topic = optional(string, null) - base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - restricted_net_hub_budget_amount = optional(number, 1000) - restricted_net_hub_alert_spent_percents = optional(list(number), [1.2]) - restricted_net_hub_alert_pubsub_topic = optional(string, null) - restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - restricted_network_budget_amount = optional(number, 1000) - restricted_network_alert_spent_percents = optional(list(number), [1.2]) - restricted_network_alert_pubsub_topic = optional(string, null) - restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + net_hub_budget_amount = optional(number, 1000) + net_hub_alert_spent_percents = optional(list(number), [1.2]) + net_hub_alert_pubsub_topic = optional(string, null) + net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + shared_network_budget_amount = optional(number, 1000) + shared_network_alert_spent_percents = optional(list(number), [1.2]) + shared_network_alert_pubsub_topic = optional(string, null) + shared_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") interconnect_budget_amount = optional(number, 1000) interconnect_alert_spent_percents = optional(list(number), [1.2]) interconnect_alert_pubsub_topic = optional(string, null) 
diff --git a/1-org/modules/network/main.tf b/1-org/modules/network/main.tf index 7e3ac03d4..4f6e566d8 100644 --- a/1-org/modules/network/main.tf +++ b/1-org/modules/network/main.tf @@ -18,50 +18,13 @@ Projects for Shared VPCs *****************************************/ -module "base_shared_vpc_host_project" { +module "shared_vpc_host_project" { source = "terraform-google-modules/project-factory/google" version = "~> 18.0" random_project_id = true random_project_id_length = 4 - name = format("%s-%s-shared-base", var.project_prefix, var.env_code) - org_id = var.org_id - billing_account = var.billing_account - folder_id = var.folder_id - disable_services_on_destroy = false - deletion_policy = var.project_deletion_policy - - activate_apis = [ - "compute.googleapis.com", - "dns.googleapis.com", - "servicenetworking.googleapis.com", - "container.googleapis.com", - "logging.googleapis.com", - "billingbudgets.googleapis.com" - ] - - labels = { - environment = var.env - application_name = "base-shared-vpc-host" - billing_code = "1234" - primary_contact = "example1" - secondary_contact = "example2" - business_code = "shared" - env_code = var.env_code - vpc = "base" - } - budget_alert_pubsub_topic = var.project_budget.base_network_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.base_network_alert_spent_percents - budget_amount = var.project_budget.base_network_budget_amount -} - -module "restricted_shared_vpc_host_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 18.0" - - random_project_id = true - random_project_id_length = 4 - name = format("%s-%s-shared-restricted", var.project_prefix, var.env_code) + name = format("%s-%s-svpc", var.project_prefix, var.env_code) org_id = var.org_id billing_account = var.billing_account folder_id = var.folder_id 
@@ -81,16 +44,16 @@ module "restricted_shared_vpc_host_project" { labels = { environment = var.env - application_name = "restricted-shared-vpc-host" + application_name = "shared-vpc-host" billing_code = "1234" primary_contact = "example1" secondary_contact = "example2" business_code = "shared" env_code = var.env_code - vpc = "restricted" } - budget_alert_pubsub_topic = var.project_budget.restricted_network_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.restricted_network_alert_spent_percents - budget_amount = var.project_budget.restricted_network_budget_amount - budget_alert_spend_basis = var.project_budget.restricted_network_budget_alert_spend_basis + + budget_alert_pubsub_topic = var.project_budget.shared_network_alert_pubsub_topic + budget_alert_spent_percents = var.project_budget.shared_network_alert_spent_percents + budget_amount = var.project_budget.shared_network_budget_amount + budget_alert_spend_basis = var.project_budget.shared_network_budget_alert_spend_basis } diff --git a/1-org/modules/network/outputs.tf b/1-org/modules/network/outputs.tf index 134e55240..91a08c6a7 100644 --- a/1-org/modules/network/outputs.tf +++ b/1-org/modules/network/outputs.tf 
@@ -14,22 +14,12 @@ * limitations under the License. */ -output "base_shared_vpc_project_id" { - description = "Project id for base shared VPC network." - value = module.base_shared_vpc_host_project.project_id +output "shared_vpc_project_id" { + description = "Project id for shared VPC network." + value = module.shared_vpc_host_project.project_id } -output "base_shared_vpc_project_number" { - description = "Project number for base shared VPC network." - value = module.base_shared_vpc_host_project.project_number -} - -output "restricted_shared_vpc_project_id" { - description = "Project id for restricted shared VPC network." - value = module.restricted_shared_vpc_host_project.project_id -} - -output "restricted_shared_vpc_project_number" { - description = "Project number for restricted shared VPC." - value = module.restricted_shared_vpc_host_project.project_number +output "shared_vpc_project_number" { + description = "Project number for shared VPC." + value = module.shared_vpc_host_project.project_number } diff --git a/1-org/modules/network/variables.tf b/1-org/modules/network/variables.tf index 32887bad5..c002de92f 100644 --- a/1-org/modules/network/variables.tf +++ b/1-org/modules/network/variables.tf 
@@ -59,14 +59,10 @@ variable "project_budget" { alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`. EOT type = object({ - base_network_budget_amount = optional(number, 1000) - base_network_alert_spent_percents = optional(list(number), [1.2]) - base_network_alert_pubsub_topic = optional(string, null) - base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - restricted_network_budget_amount = optional(number, 1000) - restricted_network_alert_spent_percents = optional(list(number), [1.2]) - restricted_network_alert_pubsub_topic = optional(string, null) - restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + shared_network_budget_amount = optional(number, 1000) + shared_network_alert_spent_percents = optional(list(number), [1.2]) + shared_network_alert_pubsub_topic = optional(string, null) + shared_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") }) default = {} } diff --git a/2-environments/README.md b/2-environments/README.md index 814b89896..a75598141 100644 --- a/2-environments/README.md +++ b/2-environments/README.md 
@@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub @@ -167,7 +167,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin production ``` -1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-dual-svpc](../3-networks-dual-svpc/README.md), or go to [3-networks-hub-and-spoke](../3-networks-hub-and-spoke/README.md) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. +1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-svpc](../3-networks-svpc/README.md), or go to [3-networks-hub-and-spoke](../3-networks-hub-and-spoke/README.md) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. ### Deploying with Jenkins 
diff --git a/2-environments/envs/development/README.md b/2-environments/envs/development/README.md index 883e0f0bc..24b7a7c63 100644 --- a/2-environments/envs/development/README.md +++ b/2-environments/envs/development/README.md @@ -14,6 +14,7 @@ |------|-------------| | env\_folder | Environment folder created under parent. | | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). | +| env\_kms\_project\_number | Project Number for environment Cloud Key Management Service (KMS). | | env\_secrets\_project\_id | Project for environment related secrets. | diff --git a/2-environments/envs/development/outputs.tf b/2-environments/envs/development/outputs.tf index 5ffda4515..946657d94 100644 --- a/2-environments/envs/development/outputs.tf +++ b/2-environments/envs/development/outputs.tf @@ -28,3 +28,8 @@ output "env_kms_project_id" { description = "Project for environment Cloud Key Management Service (KMS)." value = module.env.env_kms_project_id } + +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} diff --git a/2-environments/envs/nonproduction/README.md b/2-environments/envs/nonproduction/README.md index 883e0f0bc..24b7a7c63 100644 --- a/2-environments/envs/nonproduction/README.md +++ b/2-environments/envs/nonproduction/README.md @@ -14,6 +14,7 @@ |------|-------------| | env\_folder | Environment folder created under parent. | | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). | +| env\_kms\_project\_number | Project Number for environment Cloud Key Management Service (KMS). | | env\_secrets\_project\_id | Project for environment related secrets. | diff --git a/2-environments/envs/nonproduction/outputs.tf b/2-environments/envs/nonproduction/outputs.tf index 5ffda4515..1ca8087d6 100644 --- a/2-environments/envs/nonproduction/outputs.tf +++ b/2-environments/envs/nonproduction/outputs.tf 
@@ -28,3 +28,9 @@ output "env_kms_project_id" { description = "Project for environment Cloud Key Management Service (KMS)." value = module.env.env_kms_project_id } + +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} + diff --git a/2-environments/envs/production/README.md b/2-environments/envs/production/README.md index ba77099ab..629d228db 100644 --- a/2-environments/envs/production/README.md +++ b/2-environments/envs/production/README.md @@ -16,6 +16,7 @@ | assured\_workload\_resources | Resources associated with the Assured Workload. | | env\_folder | Environment folder created under parent. | | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). | +| env\_kms\_project\_number | Project Number for environment Cloud Key Management Service (KMS). | | env\_secrets\_project\_id | Project for environment related secrets. | diff --git a/2-environments/envs/production/outputs.tf b/2-environments/envs/production/outputs.tf index 822cdb4fa..0d60ebe5f 100644 --- a/2-environments/envs/production/outputs.tf +++ b/2-environments/envs/production/outputs.tf @@ -29,6 +29,11 @@ output "env_kms_project_id" { value = module.env.env_kms_project_id } +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} + output "assured_workload_id" { description = "Assured Workload ID." value = module.env.assured_workload_id diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md index 4a35926e3..8d9f8ecf1 100644 --- a/2-environments/modules/env_baseline/README.md +++ b/2-environments/modules/env_baseline/README.md 
@@ -7,7 +7,7 @@ | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | | folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no | -| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
secret_budget_amount = optional(number, 1000)
secret_alert_spent_percents = optional(list(number), [1.2])
secret_alert_pubsub_topic = optional(string, null)
secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
kms_budget_amount = optional(number, 1000)
kms_alert_spent_percents = optional(list(number), [1.2])
kms_alert_pubsub_topic = optional(string, null)
kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
shared_network_budget_amount = optional(number, 1000)
shared_network_alert_spent_percents = optional(list(number), [1.2])
shared_network_alert_pubsub_topic = optional(string, null)
shared_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
secret_budget_amount = optional(number, 1000)
secret_alert_spent_percents = optional(list(number), [1.2])
secret_alert_pubsub_topic = optional(string, null)
secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
kms_budget_amount = optional(number, 1000)
kms_alert_spent_percents = optional(list(number), [1.2])
kms_alert_pubsub_topic = optional(string, null)
kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | @@ -20,6 +20,7 @@ | assured\_workload\_resources | Resources associated with the Assured Workload. | | env\_folder | Environment folder created under parent. | | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). | +| env\_kms\_project\_number | Project number for envinronment Cloud Key Management Service (KMS). | | env\_secrets\_project\_id | Project for environment secrets. | diff --git a/2-environments/modules/env_baseline/outputs.tf b/2-environments/modules/env_baseline/outputs.tf index 15cd2524f..b949becb9 100644 --- a/2-environments/modules/env_baseline/outputs.tf +++ b/2-environments/modules/env_baseline/outputs.tf @@ -29,6 +29,10 @@ output "env_kms_project_id" { value = module.env_kms.project_id } +output "env_kms_project_number" { + description = "Project number for envinronment Cloud Key Management Service (KMS)." + value = module.env_kms.project_number +} output "assured_workload_id" { description = "Assured Workload ID." diff --git a/2-environments/modules/env_baseline/variables.tf b/2-environments/modules/env_baseline/variables.tf index 81ab12a83..813708746 100644 --- a/2-environments/modules/env_baseline/variables.tf +++ b/2-environments/modules/env_baseline/variables.tf 
@@ -43,22 +43,18 @@ variable "project_budget" { alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). EOT type = object({ - base_network_budget_amount = optional(number, 1000) - base_network_alert_spent_percents = optional(list(number), [1.2]) - base_network_alert_pubsub_topic = optional(string, null) - base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - restricted_network_budget_amount = optional(number, 1000) - restricted_network_alert_spent_percents = optional(list(number), [1.2]) - restricted_network_alert_pubsub_topic = optional(string, null) - restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - secret_budget_amount = optional(number, 1000) - secret_alert_spent_percents = optional(list(number), [1.2]) - secret_alert_pubsub_topic = optional(string, null) - secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - kms_budget_amount = optional(number, 1000) - kms_alert_spent_percents = optional(list(number), [1.2]) - kms_alert_pubsub_topic = optional(string, null) - kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + shared_network_budget_amount = optional(number, 1000) + shared_network_alert_spent_percents = optional(list(number), [1.2]) + shared_network_alert_pubsub_topic = optional(string, null) + shared_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + secret_budget_amount = optional(number, 1000) + secret_alert_spent_percents = optional(list(number), [1.2]) + secret_alert_pubsub_topic = optional(string, null) + secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + kms_budget_amount = optional(number, 1000) + kms_alert_spent_percents = optional(list(number), [1.2]) + kms_alert_pubsub_topic = optional(string, null) + kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") }) default = {} } 
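Review bot: typo in the description of the new `env_kms_project_number` output, present both in the README.md table row and in the `2-environments/modules/env_baseline/outputs.tf` hunk: "envinronment" should be "environment". If the README input/output tables are generated from the descriptions, fix it once in `outputs.tf` and regenerate the table so the two stay in sync.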
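Review bot: renaming the `project_budget` object keys from `base_network_*` and `restricted_network_*` to `shared_network_*` in `2-environments/modules/env_baseline/variables.tf` is a breaking change for existing deployments. Terraform rejects attributes that are not declared in an object type, so a `terraform.tfvars` that still sets `base_network_budget_amount` or `restricted_network_alert_spent_percents` fails at plan time with an unexpected-attribute error rather than being silently ignored; call the rename out in the upgrade notes. Also check that the heredoc description above this hunk (only its last line, `alert_spend_basis: ...`, is in the context) no longer lists the removed key prefixes.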
diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf deleted file mode 100644 index 202dc8345..000000000 --- a/3-networks-dual-svpc/envs/development/main.tf +++ /dev/null 
@@ -1,98 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - env = "development" - environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.8.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.64.0/18" - (local.default_region2) = "10.1.64.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.2.0/23" - (local.default_region2) = "10.19.2.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.64.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.64.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.40.0/21" - restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.64.0/18" - (local.default_region2) = "10.9.64.0/18" - } - restricted_subnet_proxy_ranges = { - (local.default_region1) = "10.26.2.0/23" - (local.default_region2) = "10.27.2.0/23" - } - restricted_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.64.0/18" - }, - { - range_name = 
"rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.73.64.0/18" - } - ] - } -} - -module "base_env" { - source = "../../modules/base_env" - - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run - egress_policies = var.egress_policies - egress_policies_dry_run = var.egress_policies_dry_run - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.2" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.6" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name -} diff --git a/3-networks-dual-svpc/envs/development/outputs.tf b/3-networks-dual-svpc/envs/development/outputs.tf deleted file mode 100644 index e71d3027e..000000000 --- a/3-networks-dual-svpc/envs/development/outputs.tf +++ /dev/null 
@@ -1,119 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "access_context_manager_policy_id" { - description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id -} - -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" -} - -output "restricted_network_name" { - value = module.base_env.restricted_network_name - description = "The name of the VPC being created" -} - -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link - description = "The URI of the VPC being created" -} - -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names - description = "The names of the subnets being created" -} - -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links - description = "The self-links of subnets being created" -} - -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - -output "access_level_name" { - value = 
module.base_env.access_level_name - description = "Access context manager access level name" -} - -output "access_level_name_dry_run" { - value = module.base_env.access_level_name_dry_run - description = "Access context manager access level name for the dry-run perimeter" -} - -output "enforce_vpcsc" { - value = module.base_env.enforce_vpcsc - description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." -} - -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name - description = "Access context manager service perimeter name" -} - - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - 
description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-dual-svpc/envs/nonproduction/main.tf b/3-networks-dual-svpc/envs/nonproduction/main.tf deleted file mode 100644 index 6505a4478..000000000 --- a/3-networks-dual-svpc/envs/nonproduction/main.tf +++ /dev/null 
@@ -1,98 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - env = "nonproduction" - environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.16.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.128.0/18" - (local.default_region2) = "10.1.128.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.4.0/23" - (local.default_region2) = "10.19.4.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.128.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.128.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.48.0/21" - restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.128.0/18" - (local.default_region2) = "10.9.128.0/18" - } - restricted_subnet_proxy_ranges = { - (local.default_region1) = "10.26.4.0/23" - (local.default_region2) = "10.27.4.0/23" - } - restricted_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.128.0/18" - }, - { - range_name = 
"rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.73.128.0/18" - } - ] - } -} - -module "base_env" { - source = "../../modules/base_env" - - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run - egress_policies = var.egress_policies - egress_policies_dry_run = var.egress_policies_dry_run - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.3" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.7" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name -} diff --git a/3-networks-dual-svpc/envs/nonproduction/outputs.tf b/3-networks-dual-svpc/envs/nonproduction/outputs.tf deleted file mode 100644 index ae890e4d2..000000000 --- a/3-networks-dual-svpc/envs/nonproduction/outputs.tf +++ /dev/null 
@@ -1,118 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "access_context_manager_policy_id" { - description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id -} - -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" -} - -output "restricted_network_name" { - value = module.base_env.restricted_network_name - description = "The name of the VPC being created" -} - -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link - description = "The URI of the VPC being created" -} - -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names - description = "The names of the subnets being created" -} - -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links - description = "The self-links of subnets being created" -} - -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - -output "access_level_name" { - value = 
module.base_env.access_level_name - description = "Access context manager access level name" -} - -output "access_level_name_dry_run" { - value = module.base_env.access_level_name_dry_run - description = "Access context manager access level name for the dry-run perimeter" -} - -output "enforce_vpcsc" { - value = module.base_env.enforce_vpcsc - description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." -} - -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name - description = "Access context manager service perimeter name" -} - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - 
description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf deleted file mode 100644 index e68a0454e..000000000 --- a/3-networks-dual-svpc/envs/production/main.tf +++ /dev/null 
@@ -1,99 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - env = "production" - environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.24.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.192.0/18" - (local.default_region2) = "10.1.192.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.6.0/23" - (local.default_region2) = "10.19.6.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.192.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.192.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.56.0/21" - restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.192.0/18" - (local.default_region2) = "10.9.192.0/18" - } - restricted_subnet_proxy_ranges = { - (local.default_region1) = "10.26.6.0/23" - (local.default_region2) = "10.27.6.0/23" - } - restricted_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.192.0/18" - }, - { - range_name = 
"rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.73.192.0/18" - } - ] - } -} - -module "base_env" { - source = "../../modules/base_env" - - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run - egress_policies = var.egress_policies - egress_policies_dry_run = var.egress_policies_dry_run - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.4" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.8" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name - target_name_server_addresses = var.target_name_server_addresses -} diff --git a/3-networks-dual-svpc/envs/production/outputs.tf b/3-networks-dual-svpc/envs/production/outputs.tf deleted file mode 100644 index ae890e4d2..000000000 --- a/3-networks-dual-svpc/envs/production/outputs.tf +++ /dev/null 
@@ -1,118 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "access_context_manager_policy_id" { - description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id -} - -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" -} - -output "restricted_network_name" { - value = module.base_env.restricted_network_name - description = "The name of the VPC being created" -} - -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link - description = "The URI of the VPC being created" -} - -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names - description = "The names of the subnets being created" -} - -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links - description = "The self-links of subnets being created" -} - -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - -output "access_level_name" { - value = 
module.base_env.access_level_name - description = "Access context manager access level name" -} - -output "access_level_name_dry_run" { - value = module.base_env.access_level_name_dry_run - description = "Access context manager access level name for the dry-run perimeter" -} - -output "enforce_vpcsc" { - value = module.base_env.enforce_vpcsc - description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." -} - -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name - description = "Access context manager service perimeter name" -} - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - 
description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf deleted file mode 100644 index 2b8044a12..000000000 --- a/3-networks-dual-svpc/modules/base_env/outputs.tf +++ /dev/null 
@@ -1,132 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "target_name_server_addresses" { - value = var.target_name_server_addresses - description = "List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries." -} - - -/********************* - Restricted Outputs -*********************/ - -output "restricted_dns_project_id" { - value = local.restricted_dns_project_id - description = "The restricted DNS project ID" -} - -output "restricted_host_project_id" { - value = local.restricted_project_id - description = "The restricted host project ID" -} - -output "restricted_network_name" { - value = module.restricted_shared_vpc.network_name - description = "The name of the VPC being created" -} - -output "restricted_network_self_link" { - value = module.restricted_shared_vpc.network_self_link - description = "The URI of the VPC being created" -} - -output "restricted_subnets_names" { - value = module.restricted_shared_vpc.subnets_names - description = "The names of the subnets being created" -} - -output "restricted_subnets_ips" { - value = module.restricted_shared_vpc.subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "restricted_subnets_self_links" { - value = module.restricted_shared_vpc.subnets_self_links - description = "The self-links of 
subnets being created" -} - -output "restricted_subnets_secondary_ranges" { - value = module.restricted_shared_vpc.subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - -output "access_level_name" { - value = module.restricted_shared_vpc.access_level_name - description = "Access context manager access level name for the enforced perimeter" -} - -output "access_level_name_dry_run" { - value = module.restricted_shared_vpc.access_level_name_dry_run - description = "Access context manager access level name for the dry-run perimeter" -} - -output "enforce_vpcsc" { - value = module.restricted_shared_vpc.enforce_vpcsc - description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." 
-} - -output "restricted_service_perimeter_name" { - value = module.restricted_shared_vpc.service_perimeter_name - description = "Access context manager service perimeter name for the enforced perimeter" -} - - - -/****************************************** - Private Outputs -*****************************************/ - -output "base_dns_project_id" { - value = local.base_dns_project_id - description = "The base DNS project ID" -} - -output "base_host_project_id" { - value = local.base_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_shared_vpc.network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_shared_vpc.network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_shared_vpc.subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_shared_vpc.subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_shared_vpc.subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_shared_vpc.subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - diff --git a/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example deleted file mode 100644 index c5e616db7..000000000 --- a/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example +++ /dev/null 
@@ -1,86 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "shared_restricted_interconnect" { - source = "../partner_interconnect" - - attachment_project_id = local.restricted_project_id - vpc_name = "${var.environment_code}-shared-restricted" - preactivate = true - - region1 = var.default_region1 - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = var.default_region2 - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - cloud_router_labels = { - vlan_1 = "cr5", - vlan_2 = "cr6", - vlan_3 = "cr7", - vlan_4 = "cr8" - } - - depends_on = [ - module.restricted_shared_vpc - ] -} - -module "shared_base_interconnect" { - source = "../partner_interconnect" - - attachment_project_id = local.base_project_id - vpc_name = "${var.environment_code}-shared-base" - preactivate = true - - 
region1 = var.default_region1 - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = var.default_region2 - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } - - depends_on = [ - module.base_shared_vpc - ] -} diff --git a/3-networks-dual-svpc/modules/base_env/vpn.tf.example b/3-networks-dual-svpc/modules/base_env/vpn.tf.example deleted file mode 100644 index 355134e37..000000000 --- a/3-networks-dual-svpc/modules/base_env/vpn.tf.example +++ /dev/null 
@@ -1,122 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id -} - -data "terraform_remote_state" "environments_env" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/environments/${var.env}" - } -} - -module "shared_base_vpn" { - source = "../vpn-ha" - - project_id = local.base_project_id - env_secret_project_id = local.env_secret_project_id - default_region1 = var.default_region1 - default_region2 = var.default_region2 - vpc_name = "${var.environment_code}-shared-base" - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - vpn_psk_secret_name = "" - - on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1 - on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2 - bgp_peer_asn = "64515" - - region1_router1_tunnel0_bgp_peer_address = "169.254.1.1" - region1_router1_tunnel0_bgp_peer_range = "169.254.1.2/30" - - region1_router1_tunnel1_bgp_peer_address = "169.254.2.1" - region1_router1_tunnel1_bgp_peer_range = "169.254.2.2/30" - - region1_router2_tunnel0_bgp_peer_address = 
"169.254.4.1" - region1_router2_tunnel0_bgp_peer_range = "169.254.4.2/30" - - region1_router2_tunnel1_bgp_peer_address = "169.254.6.1" - region1_router2_tunnel1_bgp_peer_range = "169.254.6.2/30" - - region2_router1_tunnel0_bgp_peer_address = "169.254.8.1" - region2_router1_tunnel0_bgp_peer_range = "169.254.8.2/30" - - region2_router1_tunnel1_bgp_peer_address = "169.254.10.1" - region2_router1_tunnel1_bgp_peer_range = "169.254.10.2/30" - - region2_router2_tunnel0_bgp_peer_address = "169.254.12.1" - region2_router2_tunnel0_bgp_peer_range = "169.254.12.2/30" - - region2_router2_tunnel1_bgp_peer_address = "169.254.14.1" - region2_router2_tunnel1_bgp_peer_range = "169.254.14.2/30" - - depends_on = [ - module.base_shared_vpc - ] -} - -module "shared_restricted_vpn" { - source = "../vpn-ha" - - project_id = local.restricted_project_id - env_secret_project_id = local.env_secret_project_id - default_region1 = var.default_region1 - default_region2 = var.default_region2 - vpc_name = "${var.environment_code}-shared-restricted" - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name - vpn_psk_secret_name = "" - - on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1 - on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2 - bgp_peer_asn = "64515" - - region1_router1_tunnel0_bgp_peer_address = "169.254.1.1" - region1_router1_tunnel0_bgp_peer_range = "169.254.1.2/30" - - region1_router1_tunnel1_bgp_peer_address = "169.254.2.1" - region1_router1_tunnel1_bgp_peer_range = "169.254.2.2/30" - - region1_router2_tunnel0_bgp_peer_address = "169.254.4.1" - region1_router2_tunnel0_bgp_peer_range = "169.254.4.2/30" - - region1_router2_tunnel1_bgp_peer_address = "169.254.6.1" - 
region1_router2_tunnel1_bgp_peer_range = "169.254.6.2/30" - - region2_router1_tunnel0_bgp_peer_address = "169.254.8.1" - region2_router1_tunnel0_bgp_peer_range = "169.254.8.2/30" - - region2_router1_tunnel1_bgp_peer_address = "169.254.10.1" - region2_router1_tunnel1_bgp_peer_range = "169.254.10.2/30" - - region2_router2_tunnel0_bgp_peer_address = "169.254.12.1" - region2_router2_tunnel0_bgp_peer_range = "169.254.12.2/30" - - region2_router2_tunnel1_bgp_peer_address = "169.254.14.1" - region2_router2_tunnel1_bgp_peer_range = "169.254.14.2/30" - - depends_on = [ - module.restricted_shared_vpc - ] -} diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md deleted file mode 100644 index 6636bf604..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| base\_dns\_project\_id | Project ID for DNS Base Shared. | `string` | `""` | no | -| base\_network\_name | The name of the VPC being created | `string` | `""` | no | -| bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | -| default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | -| default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | -| dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | -| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | -| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | -| environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | -| nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | -| nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no | -| nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | -| private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | -| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | -| project\_id | Project ID for Private Shared VPC. 
| `string` | n/a | yes | -| secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| network\_name | The name of the VPC being created | -| network\_self\_link | The URI of the VPC being created | -| region1\_router1 | Router 1 for Region 1 | -| region1\_router2 | Router 2 for Region 1 | -| region2\_router1 | Router 1 for Region 2 | -| region2\_router2 | Router 2 for Region 2 | -| subnets\_flow\_logs | Whether the subnets have VPC flow logs enabled | -| subnets\_ips | The IPs and CIDRs of the subnets being created | -| subnets\_names | The names of the subnets being created | -| subnets\_private\_access | Whether the subnets have access to Google API's without a public IP | -| subnets\_regions | The region where the subnets will be created | -| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| subnets\_self\_links | The self-links of subnets being created | - - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf b/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf deleted file mode 100644 index 57764a609..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf +++ /dev/null 
@@ -1,102 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - Mandatory and optional firewall rules - *****************************************/ -module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 10.0" - - project_id = var.project_id - policy_name = "fp-${var.environment_code}-dual-svpc-base-firewalls" - description = "Firewall rules for base dual shared vpc: ${module.main.network_name}." - target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"] - - rules = concat( - [ - { - priority = "65530" - direction = "EGRESS" - action = "deny" - rule_name = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all" - description = "Lower priority rule to deny all egress traffic." - enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = ["0.0.0.0/0"] - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - }, - { - priority = "1000" - direction = "EGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-1000-e-a-allow-google-apis-all-tcp-443" - description = "Lower priority rule to allow private google apis on TCP port 443." 
- enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = [local.private_googleapis_cidr] - layer4_configs = [ - { - ip_protocol = "tcp" - ports = ["443"] - }, - ] - } - } - ], - !var.enable_all_vpc_internal_traffic ? [] : [ - { - priority = "10000" - direction = "EGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all" - description = "Allow all egress to the provided IP range." - enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = module.main.subnets_ips - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - } - ], - !var.enable_all_vpc_internal_traffic ? [] : [ - { - priority = "10001" - direction = "INGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10001-i-a-all" - description = "Allow all ingress to the provided IP range." - enable_logging = var.firewall_enable_logging - match = { - src_ip_ranges = module.main.subnets_ips - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - } - ] - ) -} diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf deleted file mode 100644 index d5ad2522c..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ /dev/null 
@@ -1,156 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - vpc_name = "${var.environment_code}-shared-base" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] - -} - -/****************************************** - Shared VPC configuration - *****************************************/ - -module "main" { - source = "terraform-google-modules/network/google" - version = "~> 10.0" - - project_id = var.project_id - network_name = local.network_name - shared_vpc_host = "true" - delete_default_internet_gateway_routes = "true" - - subnets = var.subnets - secondary_ranges = var.secondary_ranges - - routes = concat( - var.nat_enabled ? - [ - { - name = "rt-${local.vpc_name}-1000-egress-internet-default" - description = "Tag based route through IGW to access internet" - destination_range = "0.0.0.0/0" - tags = "egress-internet" - next_hop_internet = "true" - priority = "1000" - } - ] - : [], - var.windows_activation_enabled ? - [{ - name = "rt-${local.vpc_name}-1000-all-default-windows-kms" - description = "Route through IGW to allow Windows KMS activation for GCP." 
- destination_range = "35.190.247.13/32" - next_hop_internet = "true" - priority = "1000" - } - ] - : [] - ) -} - - -/*************************************************************** - Configure Service Networking for Cloud SQL & future services. - **************************************************************/ - -resource "google_compute_global_address" "private_service_access_address" { - count = var.private_service_cidr != null ? 1 : 0 - name = "ga-${local.vpc_name}-vpc-peering-internal" - project = var.project_id - purpose = "VPC_PEERING" - address_type = "INTERNAL" - address = element(split("/", var.private_service_cidr), 0) - prefix_length = element(split("/", var.private_service_cidr), 1) - network = module.main.network_self_link - -} - -resource "google_service_networking_connection" "private_vpc_connection" { - count = var.private_service_cidr != null ? 1 : 0 - network = module.main.network_self_link - service = "servicenetworking.googleapis.com" - reserved_peering_ranges = [google_compute_global_address.private_service_access_address[0].name] -} - -/************************************ - Router to advertise shared VPC - subnetworks and Google Private API -************************************/ - -module "region1_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-${local.vpc_name}-${var.default_region1}-cr1" - project = var.project_id - network = module.main.network_name - region = var.default_region1 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - -module "region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-${local.vpc_name}-${var.default_region1}-cr2" - project = var.project_id - network = module.main.network_name - region = var.default_region1 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - 
} -} - -module "region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-${local.vpc_name}-${var.default_region2}-cr3" - project = var.project_id - network = module.main.network_name - region = var.default_region2 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - -module "region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-${local.vpc_name}-${var.default_region2}-cr4" - project = var.project_id - network = module.main.network_name - region = var.default_region2 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf b/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf deleted file mode 100644 index 600a06f8c..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -/****************************************** - NAT Cloud Router & NAT config - *****************************************/ - -resource "google_compute_router" "nat_router_region1" { - count = var.nat_enabled ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-nat-router" - project = var.project_id - region = var.default_region1 - network = module.main.network_self_link - - bgp { - asn = var.nat_bgp_asn - } -} - -resource "google_compute_address" "nat_external_addresses_region1" { - count = var.nat_enabled ? var.nat_num_addresses_region1 : 0 - project = var.project_id - name = "ca-${local.vpc_name}-${var.default_region1}-${count.index}" - region = var.default_region1 -} - -resource "google_compute_router_nat" "egress_nat_region1" { - count = var.nat_enabled ? 1 : 0 - name = "rn-${local.vpc_name}-${var.default_region1}-egress" - project = var.project_id - router = google_compute_router.nat_router_region1[0].name - region = var.default_region1 - nat_ip_allocate_option = "MANUAL_ONLY" - nat_ips = google_compute_address.nat_external_addresses_region1.*.self_link - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" - - log_config { - filter = "TRANSLATIONS_ONLY" - enable = true - } -} - -resource "google_compute_router" "nat_router_region2" { - count = var.nat_enabled ? 
1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-nat-router" - project = var.project_id - region = var.default_region2 - network = module.main.network_self_link - - bgp { - asn = var.nat_bgp_asn - } -} - -resource "google_compute_address" "nat_external_addresses_region2" { - count = var.nat_enabled ? var.nat_num_addresses_region2 : 0 - project = var.project_id - name = "ca-${local.vpc_name}-${var.default_region2}-${count.index}" - region = var.default_region2 -} - -resource "google_compute_router_nat" "egress_nat2" { - count = var.nat_enabled ? 1 : 0 - name = "rn-${local.vpc_name}-${var.default_region2}-egress" - project = var.project_id - router = google_compute_router.nat_router_region2[0].name - region = var.default_region2 - nat_ip_allocate_option = "MANUAL_ONLY" - nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" - - log_config { - filter = "TRANSLATIONS_ONLY" - enable = true - } -} diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf b/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf deleted file mode 100644 index f2e9e6eeb..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf +++ /dev/null 
@@ -1,82 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -output "network_name" { - value = module.main.network_name - description = "The name of the VPC being created" -} - -output "network_self_link" { - value = module.main.network_self_link - description = "The URI of the VPC being created" -} - -output "subnets_names" { - value = module.main.subnets_names - description = "The names of the subnets being created" -} - -output "subnets_ips" { - value = module.main.subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "subnets_self_links" { - value = module.main.subnets_self_links - description = "The self-links of subnets being created" -} - -output "subnets_regions" { - value = module.main.subnets_regions - description = "The region where the subnets will be created" -} - -output "subnets_private_access" { - value = module.main.subnets_private_access - description = "Whether the subnets have access to Google API's without a public IP" -} - -output "subnets_flow_logs" { - value = module.main.subnets_flow_logs - description = "Whether the subnets have VPC flow logs enabled" -} - -output "subnets_secondary_ranges" { - value = module.main.subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - -output "region1_router1" { - value = module.region1_router1 - description = "Router 1 for Region 1" -} - -output "region1_router2" { - 
value = module.region1_router2 - description = "Router 2 for Region 1" -} - -output "region2_router1" { - value = module.region2_router1 - description = "Router 1 for Region 2" -} - -output "region2_router2" { - value = module.region2_router2 - description = "Router 2 for Region 2" -} - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf deleted file mode 100644 index 0052c3009..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf +++ /dev/null @@ -1,28 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -module "private_service_connect" { - source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 10.0" - - project_id = var.project_id - dns_code = "dz-${var.environment_code}-shared-base" - network_self_link = module.main.network_self_link - private_service_connect_ip = var.private_service_connect_ip - forwarding_rule_target = "all-apis" - service_directory_region = var.default_region1 -} diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf deleted file mode 100644 index d1cab59d4..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ /dev/null 
@@ -1,158 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "base_dns_project_id" { - description = "Project ID for DNS Base Shared." - type = string - default = "" -} - -variable "target_name_server_addresses" { - description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." - type = list(map(any)) -} - -variable "base_network_name" { - type = string - description = "The name of the VPC being created" - default = "" -} - -variable "project_id" { - type = string - description = "Project ID for Private Shared VPC." -} - - -variable "environment_code" { - type = string - description = "A short form of the folder level resources (environment) within the Google Cloud organization." -} - -variable "default_region1" { - type = string - description = "Default region 1 for subnets and Cloud Routers" -} - -variable "default_region2" { - type = string - description = "Default region 2 for subnets and Cloud Routers" -} - -variable "nat_enabled" { - type = bool - description = "Toggle creation of NAT cloud router." - default = false -} - -variable "nat_bgp_asn" { - type = number - description = "BGP ASN for first NAT cloud routes." 
- default = 64514 -} - -variable "nat_num_addresses_region1" { - type = number - description = "Number of external IPs to reserve for first Cloud NAT." - default = 2 -} - -variable "nat_num_addresses_region2" { - type = number - description = "Number of external IPs to reserve for second Cloud NAT." - default = 2 -} - -variable "bgp_asn_subnet" { - type = number - description = "BGP ASN for Subnets cloud routers." -} - -variable "subnets" { - type = list(object({ - subnet_name = string - subnet_ip = string - subnet_region = string - subnet_private_access = optional(string, "false") - subnet_private_ipv6_access = optional(string) - subnet_flow_logs = optional(string, "false") - subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") - subnet_flow_logs_sampling = optional(string, "0.5") - subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") - subnet_flow_logs_filter = optional(string, "true") - subnet_flow_logs_metadata_fields = optional(list(string), []) - description = optional(string) - purpose = optional(string) - role = optional(string) - stack_type = optional(string) - ipv6_access_type = optional(string) - })) - description = "The list of subnets being created" - default = [] -} - -variable "secondary_ranges" { - type = map(list(object({ range_name = string, ip_cidr_range = string }))) - description = "Secondary ranges that will be used in some of the subnets" - default = {} -} - -variable "dns_enable_inbound_forwarding" { - type = bool - description = "Toggle inbound query forwarding for VPC DNS." - default = true -} - -variable "dns_enable_logging" { - type = bool - description = "Toggle DNS logging for VPC DNS." - default = true -} - -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." 
- default = true -} - -variable "domain" { - type = string - description = "The DNS name of peering managed zone, for instance 'example.com.'" -} - -variable "private_service_cidr" { - type = string - description = "CIDR range for private service networking. Used for Cloud SQL and other managed services." - default = null -} - -variable "private_service_connect_ip" { - type = string - description = "Internal IP to be used as the private service connect endpoint" -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} - -variable "enable_all_vpc_internal_traffic" { - type = bool - description = "Enable firewall policy rule to allow internal traffic (ingress and egress)." - default = false -} - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/versions.tf b/3-networks-dual-svpc/modules/base_shared_vpc/versions.tf deleted file mode 100644 index 4624e5927..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/versions.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -terraform { - required_version = ">= 0.13" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 3.50" - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 3.50" - } - } - - provider_meta "google" { - module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0" - } - - provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0" - } -} diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf deleted file mode 100644 index 85b190d82..000000000 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = var.project_id - name = "dp-${var.environment_code}-shared-restricted-default-policy" - enable_inbound_forwarding = var.dns_enable_inbound_forwarding - enable_logging = var.dns_enable_logging - networks { - network_url = module.main.network_self_link - } -} - -/****************************************** - Creates DNS Peering to DNS HUB -*****************************************/ -data "google_compute_network" "vpc_dns_hub" { - - count = var.environment_code != "p" ? 1 : 0 - - name = "vpc-p-shared-restricted" - project = var.restricted_dns_project_id -} - -module "peering_zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - count = var.environment_code != "p" ? 1 : 0 - - project_id = var.project_id - type = "peering" - name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" - domain = var.domain - description = "Private DNS peering zone." 
- - private_visibility_config_networks = [ - module.main.network_self_link - ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link -} - -/****************************************** - DNS Forwarding -*****************************************/ -module "dns_forwarding_zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - count = var.environment_code == "p" ? 1 : 0 - - project_id = var.project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.main.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} - diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index 2607a7e7c..362ceb08c 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md @@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke (this file) -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub 
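Review bot: the deleted `dns.tf` resolved the DNS hub with a hard-coded `name = "vpc-p-shared-restricted"` in `var.restricted_dns_project_id` and named its zones `dz-${var.environment_code}-shared-restricted-to-dns-hub` / `fz-dns-hub`; whatever replaces it must point the non-production peering zones (`count = var.environment_code != "p" ? 1 : 0`) at the renamed production VPC and keep `enable_logging = var.dns_enable_logging` on the default `google_dns_policy`, or DNS query logging inside the perimeter is lost along with the rename. Since `name` on `google_dns_policy` and managed zones is a replacement rather than an in-place update, the PR description should state that resolution toward the DNS hub is briefly interrupted during apply for existing deployments.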
@@ -58,7 +58,7 @@ For an overview of the architecture and the parts, see the The purpose of this step is to: - Set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones). -- Set up base and restricted Hubs and it corresponding Spokes. With default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment. +- Set up the Hub and it corresponding Spokes. With default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment. ## Prerequisites @@ -96,7 +96,7 @@ To enable **Hub and Spoke** transitivity set the variable `enable_hub_and_spoke_ **Note:** The default `allow-transitivity-ingress` firewall rule will create Security Command Center (SCC) findings because it allows ingress for all ports and protocols in the [Shared Address Space CIDR Block](https://en.wikipedia.org/wiki/IPv4_shared_address_space) set in this rule. Because of this, you should update the implemented network access controls between spokes with valid values for your environment through the [firewall functionality](./modules/transitivity/main.tf#L142) of the corresponding NVAs to make them more restrictive. -To see the version that makes use of the **Dual Shared VPC** architecture mode check the step [3-networks-dual-svpc](../3-networks-dual-svpc). +To see the version that makes use of the **Dual Shared VPC** architecture mode check the step [3-networks-svpc](../3-networks-svpc). ### Using Dedicated Interconnect 
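Review bot: the sentence `To see the version that makes use of the **Dual Shared VPC** architecture mode check the step [3-networks-svpc](../3-networks-svpc).` updates the link but keeps the "Dual Shared VPC" name that this diff is retiring (the table in the same file now reads `Sets up shared VPCs`); change it to "Shared VPC". In the `@@ -58` hunk, `Set up the Hub and it corresponding Spokes` should read `its corresponding Spokes`, and it is worth confirming that the singular "Hub" matches what the stage now creates once the base/restricted pair is gone.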
@@ -133,10 +133,10 @@ If you are not able to use Dedicated or Partner Interconnect, you can also use a 1. Create secret for VPN restricted pre-shared key and grant required roles to Networks terraform service account. ```bash - echo '' | gcloud secrets create --project --replication-policy=automatic --data-file=- + echo '' | gcloud secrets create --project --replication-policy=automatic --data-file=- - gcloud secrets add-iam-policy-binding --member='serviceAccount:' --role='roles/secretmanager.viewer' --project - gcloud secrets add-iam-policy-binding --member='serviceAccount:' --role='roles/secretmanager.secretAccessor' --project + gcloud secrets add-iam-policy-binding --member='serviceAccount:' --role='roles/secretmanager.viewer' --project + gcloud secrets add-iam-policy-binding --member='serviceAccount:' --role='roles/secretmanager.secretAccessor' --project ``` 1. In the file `vpn.tf`, update the values for `environment`, `vpn_psk_secret_name`, `on_prem_router_ip_address1`, `on_prem_router_ip_address2` and `bgp_peer_asn`. 
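Review bot: `echo '' | gcloud secrets create ... --data-file=-` puts the VPN pre-shared key on the command line, so it ends up in shell history and is visible in process listings while the pipe runs; since this hunk is already being rewritten, suggest reading the key from a file (`--data-file=psk.txt`) or via `read -s` instead of an inline literal. The step title still says "VPN restricted pre-shared key" although the restricted/base split is gone, and as rendered here the secret-name and service-account placeholders in the rewritten commands are empty, so verify the rendered README still shows what the reader has to substitute.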
@@ -450,6 +450,6 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT Because enabling VPC Service Controls can be a disruptive process, this repo configures VPC Service Controls perimeters in dry run mode by default. This configuration will service traffic that crosses the security perimeter (API requests that originate from inside your perimeter communicating with external resources, or API requests from external resources communicating with resources inside your perimeter) but still allow service traffic normally. -When you are ready to enforce VPC Service Controls, we recommend that you review the guidance at [Best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable). After you have added the necessary exceptions and are confident that VPC Service Controls will not disrupt your intended operations, set the variable `enforce_vpcsc` under the module `restricted_shared_vpc` to `true` and re-apply this stage. Then re-apply the 4-projects stage, which will inherit the new setting and include those projects inside the enforced perimeter. +When you are ready to enforce VPC Service Controls, we recommend that you review the guidance at [Best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable). After you have added the necessary exceptions and are confident that VPC Service Controls will not disrupt your intended operations, set the variable `enforce_vpcsc` under the module `shared_vpc` to `true` and re-apply this stage. Then re-apply the 4-projects stage, which will inherit the new setting and include those projects inside the enforced perimeter. When you need to make changes to an existing enforced perimeter, you can test safely by modifying the configuration of the dry run perimeter. This will log traffic denied by the dry run perimeter without impacting whether the enforced perimeter allows or denies traffic. 
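Review bot: `set the variable enforce_vpcsc under the module shared_vpc` names a module block that a reader will grep for; the env configs in this diff call `module "base_env"` and read `module.base_env.service_perimeter_name`, so confirm `shared_vpc` is the exact block name inside `modules/base_env` after the rename. The unchanged sentence just above, `This configuration will service traffic that crosses the security perimeter`, is missing its verb (the intent is that dry-run mode logs such traffic while still allowing it); worth fixing while this paragraph is being edited.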
diff --git a/3-networks-hub-and-spoke/envs/development/README.md b/3-networks-hub-and-spoke/envs/development/README.md index baa2d7ed3..bd29e7c80 100644 --- a/3-networks-hub-and-spoke/envs/development/README.md +++ b/3-networks-hub-and-spoke/envs/development/README.md @@ -1,6 +1,6 @@ # 3-networks-hub-and-spoke/development -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. ## Prerequisites 
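Review bot: the rewritten intro line in `envs/development/README.md` still says `for environment nonproduction` and `will makes usage of`; since the whole line is replaced in this hunk, change it to "for environment development" and "makes use of". The same copy-paste text appears in the production README hunk further down in this diff.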
@@ -34,21 +34,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index db7388fc8..1b5b2c35f 100644 --- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf 
@@ -17,51 +17,24 @@ locals { env = "development" environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.8.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.64.0/18" - (local.default_region2) = "10.1.64.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.2.0/23" - (local.default_region2) = "10.19.2.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.64.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.64.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.40.0/21" - restricted_subnet_primary_ranges = { + private_service_cidr = "10.16.40.0/21" + subnet_primary_ranges = { (local.default_region1) = "10.8.64.0/18" (local.default_region2) = "10.9.64.0/18" } - restricted_subnet_proxy_ranges = { + subnet_proxy_ranges = { (local.default_region1) = "10.26.2.0/23" (local.default_region2) = "10.27.2.0/23" } - restricted_subnet_secondary_ranges = { + subnet_secondary_ranges = { (local.default_region1) = [ { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" ip_cidr_range = "100.72.64.0/18" }, { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" ip_cidr_range = "100.73.64.0/18" } ] 
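Review bot: the ranges that survive in `envs/development/main.tf` are the former restricted set (`10.16.40.0/21`, `10.8.64.0/18` / `10.9.64.0/18`, `10.26.2.0/23` / `10.27.2.0/23`, `100.72.64.0/18` / `100.73.64.0/18`) while the base set (`10.0.64.0/18`, `10.18.2.0/23`, `100.64.64.0/18` and friends) is dropped, and the secondary range names change from `rn-d-shared-restricted-...` to `rn-d-svpc-...`. For anyone upgrading an existing deployment that is a destroy-and-recreate of subnets and GKE secondary ranges, not a rename; please document which range set the single VPC keeps and state explicitly that this is not an in-place migration.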
@@ -71,27 +44,22 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.2" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.6" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + private_service_cidr = local.private_service_cidr + subnet_primary_ranges = local.subnet_primary_ranges + subnet_proxy_ranges = local.subnet_proxy_ranges + 
subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.6" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name } diff --git a/3-networks-hub-and-spoke/envs/development/outputs.tf b/3-networks-hub-and-spoke/envs/development/outputs.tf index 3e4d2a97e..7dacea96e 100644 --- a/3-networks-hub-and-spoke/envs/development/outputs.tf +++ b/3-networks-hub-and-spoke/envs/development/outputs.tf 
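Review bot: the development `module "base_env"` call passes only `perimeter_additional_members`, `ingress_policies` and `egress_policies`, whereas the nonproduction call later in this diff also passes `perimeter_additional_members_dry_run`, `ingress_policies_dry_run` and `egress_policies_dry_run`. Given that this stage deploys the perimeter in dry-run mode by default, development almost certainly wants the dry-run inputs too; if the omission is deliberate, a comment saying so would stop the next reader from "fixing" it. Also note that `private_service_connect_ip = "10.17.0.6"` is the former restricted address and `10.17.0.2` is now unused; record the allocation so it is not reused by accident.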
@@ -19,42 +19,38 @@ output "access_context_manager_policy_id" { value = var.access_context_manager_policy_id } -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The host project ID" } -output "restricted_network_name" { - value = module.base_env.restricted_network_name +output "network_name" { + value = module.base_env.network_name description = "The name of the VPC being created" } -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link +output "network_self_link" { + value = module.base_env.network_self_link description = "The URI of the VPC being created" } -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names +output "subnets_names" { + value = module.base_env.subnets_names description = "The names of the subnets being created" } -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips +output "subnets_ips" { + value = module.base_env.subnets_ips description = "The IPs and CIDRs of the subnets being created" } -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links +output "subnets_self_links" { + value = module.base_env.subnets_self_links description = "The self-links of subnets being created" } -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } 
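Review bot: `output "shared_vpc_host_project_id"` is described as `The host project ID` here but as `The shared vpc host project ID` in the nonproduction `outputs.tf` in this same diff; the env README tables are generated from these descriptions, so align the wording in one place now rather than in three READMEs later.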
@@ -73,46 +69,7 @@ output "enforce_vpcsc" { description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." } -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name description = "Access context manager service perimeter name" } - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-hub-and-spoke/envs/development/versions.tf b/3-networks-hub-and-spoke/envs/development/versions.tf index 6256afb3a..b04474822 100644 
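Review bot: removing the `base_host_project_id`, `base_network_*` and `base_subnets_*` outputs and renaming every `restricted_*` output is a breaking change for any consumer of this stage's remote state; the README hunk above says 4-projects is re-applied on top of this stage, so confirm 4-projects' remote-state lookups are updated in the same PR and add a migration note listing the old and new output names.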
--- a/3-networks-hub-and-spoke/envs/development/versions.tf +++ b/3-networks-hub-and-spoke/envs/development/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-hub-and-spoke/envs/nonproduction/README.md b/3-networks-hub-and-spoke/envs/nonproduction/README.md index 60c54d913..3447d2f68 100644 --- a/3-networks-hub-and-spoke/envs/nonproduction/README.md +++ b/3-networks-hub-and-spoke/envs/nonproduction/README.md @@ -1,6 +1,6 @@ # 3-networks-hub-and-spoke/nonproduction -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. ## Prerequisites 
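Review bot: `version = ">= 3.50, < 6.26.0"` excludes every provider release from 6.26.0 onward, not just the one with the bug referenced in the comment, so the pin will need a follow-up PR to lift once a fixed release ships. If the intent is to skip only the broken release, Terraform's constraint syntax supports `!=`, e.g. `version = ">= 3.50, != 6.26.0"`. Minor: `//` is accepted by HCL but `#` is the idiomatic comment style used elsewhere in this repo's `.tf` files.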
@@ -34,21 +34,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-hub-and-spoke/envs/nonproduction/main.tf b/3-networks-hub-and-spoke/envs/nonproduction/main.tf index dffcd5170..954060efc 100644 --- a/3-networks-hub-and-spoke/envs/nonproduction/main.tf +++ b/3-networks-hub-and-spoke/envs/nonproduction/main.tf 
@@ -17,50 +17,24 @@ locals { env = "nonproduction" environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.16.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.128.0/18" - (local.default_region2) = "10.1.128.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.4.0/23" - (local.default_region2) = "10.19.4.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.128.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.128.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.48.0/21" - restricted_subnet_primary_ranges = { + + private_service_cidr = "10.16.48.0/21" + subnet_primary_ranges = { (local.default_region1) = "10.8.128.0/18" (local.default_region2) = "10.9.128.0/18" } - restricted_subnet_proxy_ranges = { + subnet_proxy_ranges = { (local.default_region1) = "10.26.4.0/23" (local.default_region2) = "10.27.4.0/23" } - restricted_subnet_secondary_ranges = { + subnet_secondary_ranges = { (local.default_region1) = [ { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" ip_cidr_range = "100.72.128.0/18" }, { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" ip_cidr_range = "100.73.128.0/18" } ] 
@@ -70,30 +44,25 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run - egress_policies = var.egress_policies - egress_policies_dry_run = var.egress_policies_dry_run - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.3" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.7" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = 
var.ingress_policies_dry_run + egress_policies = var.egress_policies + egress_policies_dry_run = var.egress_policies_dry_run + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + private_service_cidr = local.private_service_cidr + subnet_primary_ranges = local.subnet_primary_ranges + subnet_proxy_ranges = local.subnet_proxy_ranges + subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.7" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name } diff --git a/3-networks-hub-and-spoke/envs/nonproduction/outputs.tf b/3-networks-hub-and-spoke/envs/nonproduction/outputs.tf index 3e4d2a97e..700e37837 100644 --- a/3-networks-hub-and-spoke/envs/nonproduction/outputs.tf +++ b/3-networks-hub-and-spoke/envs/nonproduction/outputs.tf 
@@ -19,42 +19,38 @@ output "access_context_manager_policy_id" { value = var.access_context_manager_policy_id } -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The shared vpc host project ID" } -output "restricted_network_name" { - value = module.base_env.restricted_network_name +output "network_name" { + value = module.base_env.network_name description = "The name of the VPC being created" } -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link +output "network_self_link" { + value = module.base_env.network_self_link description = "The URI of the VPC being created" } -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names +output "subnets_names" { + value = module.base_env.subnets_names description = "The names of the subnets being created" } -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips +output "subnets_ips" { + value = module.base_env.subnets_ips description = "The IPs and CIDRs of the subnets being created" } -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links +output "subnets_self_links" { + value = module.base_env.subnets_self_links description = "The self-links of subnets being created" } -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } 
@@ -73,46 +69,7 @@ output "enforce_vpcsc" { description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." } -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name description = "Access context manager service perimeter name" } - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-hub-and-spoke/envs/nonproduction/versions.tf b/3-networks-hub-and-spoke/envs/nonproduction/versions.tf index 6256afb3a..b04474822 100644 
--- a/3-networks-hub-and-spoke/envs/nonproduction/versions.tf +++ b/3-networks-hub-and-spoke/envs/nonproduction/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-hub-and-spoke/envs/production/README.md b/3-networks-hub-and-spoke/envs/production/README.md index 1ba5a652c..e1e62e277 100644 --- a/3-networks-hub-and-spoke/envs/production/README.md +++ b/3-networks-hub-and-spoke/envs/production/README.md @@ -1,6 +1,6 @@ # 3-networks-hub-and-spoke/production -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. This version of the Network step will makes usage of the Hub and Spoke network architecture. ## Prerequisites 
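Review bot: the same `< 6.26.0` upper-bound remark made on the development `versions.tf` applies to the nonproduction file here. In the production README hunk, the rewritten intro line still says `for environment nonproduction` and `will makes usage of`; since the line is replaced anyway, change it to "production" and "makes use of".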
@@ -34,21 +34,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index cd464258c..9cf7ffdb3 100644 --- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf 
@@ -17,50 +17,24 @@ locals { env = "production" environment_code = substr(local.env, 0, 1) - /* - * Base network ranges - */ - base_private_service_cidr = "10.16.24.0/21" - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.192.0/18" - (local.default_region2) = "10.1.192.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.6.0/23" - (local.default_region2) = "10.19.6.0/23" - } - base_subnet_secondary_ranges = { - (local.default_region1) = [ - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.192.0/18" - }, - { - range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.192.0/18" - } - ] - } - /* - * Restricted network ranges - */ - restricted_private_service_cidr = "10.16.56.0/21" - restricted_subnet_primary_ranges = { + + private_service_cidr = "10.16.56.0/21" + subnet_primary_ranges = { (local.default_region1) = "10.8.192.0/18" (local.default_region2) = "10.9.192.0/18" } - restricted_subnet_proxy_ranges = { + subnet_proxy_ranges = { (local.default_region1) = "10.26.6.0/23" (local.default_region2) = "10.27.6.0/23" } - restricted_subnet_secondary_ranges = { + subnet_secondary_ranges = { (local.default_region1) = [ { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" ip_cidr_range = "100.72.192.0/18" }, { - range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" ip_cidr_range = "100.73.192.0/18" } ] 
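Review bot: the consolidated locals silently pick the former restricted-network values (`10.16.56.0/21`, `10.8.192.0/18`, `10.26.6.0/23`, `100.72.192.0/18`, `100.73.192.0/18`) and drop the base ones (`10.16.24.0/21`, `10.0.192.0/18`, `100.64.192.0/18`, ...), and the secondary ranges are renamed from `rn-${local.environment_code}-shared-restricted-*` to `rn-${local.environment_code}-svpc-*`; both are breaking for an existing deployment (workloads addressed on the base ranges, GKE clusters that bind pod/service ranges by secondary range name), so the PR description or an upgrade note should state which of the two old networks the single VPC inherits and that the range names change. Minor: the removed `Base network ranges` comment block leaves an orphaned empty `+` line after `environment_code`.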
@@ -70,30 +44,25 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - perimeter_additional_members = var.perimeter_additional_members - perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run - egress_policies = var.egress_policies - egress_policies_dry_run = var.egress_policies_dry_run - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.4" - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.8" - remote_state_bucket = var.remote_state_bucket - tfc_org_name = var.tfc_org_name + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = 
var.ingress_policies_dry_run + egress_policies = var.egress_policies + egress_policies_dry_run = var.egress_policies_dry_run + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + private_service_cidr = local.private_service_cidr + subnet_primary_ranges = local.subnet_primary_ranges + subnet_proxy_ranges = local.subnet_proxy_ranges + subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.8" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name } diff --git a/3-networks-hub-and-spoke/envs/production/outputs.tf b/3-networks-hub-and-spoke/envs/production/outputs.tf index 3e4d2a97e..700e37837 100644 --- a/3-networks-hub-and-spoke/envs/production/outputs.tf +++ b/3-networks-hub-and-spoke/envs/production/outputs.tf 
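Review bot: `private_service_connect_ip = "10.17.0.8"` is now the only address literal left in the module call while every other range lives in `locals`; move it next to `private_service_cidr` so the environment's IP plan is in one place and it is visible that the retained value is the old restricted PSC address (the base one, `10.17.0.4`, is dropped with the rest). The remainder of the hunk is `terraform fmt` re-alignment of the argument block and is fine.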
@@ -19,42 +19,38 @@ output "access_context_manager_policy_id" { value = var.access_context_manager_policy_id } -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = module.base_env.restricted_host_project_id - description = "The restricted host project ID" +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The shared vpc host project ID" } -output "restricted_network_name" { - value = module.base_env.restricted_network_name +output "network_name" { + value = module.base_env.network_name description = "The name of the VPC being created" } -output "restricted_network_self_link" { - value = module.base_env.restricted_network_self_link +output "network_self_link" { + value = module.base_env.network_self_link description = "The URI of the VPC being created" } -output "restricted_subnets_names" { - value = module.base_env.restricted_subnets_names +output "subnets_names" { + value = module.base_env.subnets_names description = "The names of the subnets being created" } -output "restricted_subnets_ips" { - value = module.base_env.restricted_subnets_ips +output "subnets_ips" { + value = module.base_env.subnets_ips description = "The IPs and CIDRs of the subnets being created" } -output "restricted_subnets_self_links" { - value = module.base_env.restricted_subnets_self_links +output "subnets_self_links" { + value = module.base_env.subnets_self_links description = "The self-links of subnets being created" } -output "restricted_subnets_secondary_ranges" { - value = module.base_env.restricted_subnets_secondary_ranges +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } 
@@ -73,46 +69,7 @@ output "enforce_vpcsc" { description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." } -output "restricted_service_perimeter_name" { - value = module.base_env.restricted_service_perimeter_name +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name description = "Access context manager service perimeter name" } - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = module.base_env.base_host_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_env.base_network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_env.base_network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_env.base_subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_env.base_subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = module.base_env.base_subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_env.base_subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-hub-and-spoke/envs/production/versions.tf b/3-networks-hub-and-spoke/envs/production/versions.tf index 6256afb3a..b04474822 100644 
--- a/3-networks-hub-and-spoke/envs/production/versions.tf +++ b/3-networks-hub-and-spoke/envs/production/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index 73394b3e5..4dce69797 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md 
@@ -13,15 +13,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | -| base\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | `bool` | `true` | no | -| base\_hub\_dns\_enable\_logging | Toggle DNS logging for Base Hub VPC DNS. | `bool` | `true` | no | -| base\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | `bool` | `true` | no | -| base\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Base Hub. | `number` | `64514` | no | -| base\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Base Hub. | `bool` | `false` | no | -| base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no | -| base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no | -| base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no | -| base\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | bgp\_asn\_dns | BGP Autonomous System Number (ASN). | `number` | `64667` | no | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | 
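Review bot: removing `base_hub_*` and `base_vpc_flow_logs` without a deprecation path means any existing `*.tfvars` that still sets them produces Terraform's "Value for undeclared variable" warning on every run; list the removed names and their `hub_*` / `vpc_flow_logs` replacements in the upgrade notes. `custom_restricted_services` (context line) is the one input that keeps the "restricted" wording after the rename; if it stays because it refers to VPC-SC restricted services rather than the old restricted network, say so in its description, otherwise rename it with the others.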
@@ -32,31 +23,28 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | +| hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Shared Hub VPC DNS. | `bool` | `true` | no | +| hub\_dns\_enable\_logging | Toggle DNS logging for Shared Hub VPC DNS. | `bool` | `true` | no | +| hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Shared Hub VPC. | `bool` | `true` | no | +| hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Shared Hub. | `number` | `64514` | no | +| hub\_nat\_enabled | Toggle creation of NAT cloud router in Shared Hub. | `bool` | `false` | no | +| hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Shared Hub. | `number` | `2` | no | +| hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Shared Hub. | `number` | `2` | no | +| hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Shared Hub. | `bool` | `false` | no | | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | -| perimeter\_additional\_members | The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | n/a | yes | +| perimeter\_additional\_members | The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the Shared perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | n/a | yes | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| restricted\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | `bool` | `true` | no | -| restricted\_hub\_dns\_enable\_logging | Toggle DNS logging for Restricted Hub VPC DNS. | `bool` | `true` | no | -| restricted\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Restricted Hub VPC. | `bool` | `true` | no | -| restricted\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Restricted Hub. | `number` | `64514` | no | -| restricted\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Restricted Hub. | `bool` | `false` | no | -| restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no | -| restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. 
| `number` | `2` | no | -| restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no | -| restricted\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | +| vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| -| base\_dns\_policy | The name of the DNS policy being created | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| restricted\_dns\_policy | The name of the DNS policy being created | -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | +| dns\_policy | The name of the DNS policy being created | +| network\_name | The name of the Shared VPC being created | +| shared\_vpc\_host\_project\_id | The host project ID | diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index c4486e270..eecb19003 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example 
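Review bot: the new `vpc_flow_logs` description carries two typos over from the removed `base_` and `restricted_` copies ("ist of metadata fields" for "List of metadata fields", "as as CEL expression"), and its type declares `enable_logging` and `flow_sampling` as `string` with defaults `"true"` and `"0.5"` where `bool` and `number` would let Terraform validate the input; if this table is generated from `variables.tf`, fix the description and type there and regenerate rather than editing the README by hand. Two naming nits in the same hunk: `perimeter_additional_members` now reads "in the Shared perimeter" (there is one perimeter; "in the VPC-SC perimeter" is clearer than a capitalised adjective), and `shared_vpc_host_project_id` is described as "The host project ID" here but "The shared vpc host project ID" in the environment outputs; pick one wording.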
@@ -15,20 +15,20 @@ */ -module "shared_restricted_interconnect" { +module "shared_vpc_interconnect" { source = "../../modules/dedicated_interconnect" - vpc_name = "c-shared-restricted" - interconnect_project_id = local.restricted_net_hub_project_id + vpc_name = "c-svpc" + interconnect_project_id = local.net_hub_project_id region1 = local.default_region1 - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name + region1_router1_name = module.shared_vpc.region1_router1.router.name region1_interconnect1_candidate_subnets = ["169.254.0.32/29"] region1_interconnect1_vlan_tag8021q = "3921" region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc-1" - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name + region1_router2_name = module.shared_vpc.region1_router2.router.name region1_interconnect2_candidate_subnets = ["169.254.0.40/29"] region1_interconnect2_vlan_tag8021q = "3922" region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" 
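Review bot: `vpc_name = "c-svpc"` is a string literal that has to match whatever name `module.shared_vpc` actually gives the hub network (the transitivity file builds subnet names as `sb-c-svpc-hub-${region}`, which hints at a `-hub` suffix somewhere in the naming); since the same example already reads `module.shared_vpc.region1_router1.router.name` for the routers, reference `module.shared_vpc.network_name` here too if `vpc_name` is meant to be the network's name, so the example cannot drift from the module.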
@@ -36,13 +36,13 @@ module "shared_restricted_interconnect" { region1_interconnect2_onprem_dc = "onprem-dc-2" region2 = local.default_region2 - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name + region2_router1_name = module.shared_vpc.region2_router1.router.name region2_interconnect1_candidate_subnets = ["169.254.0.48/29"] region2_interconnect1_vlan_tag8021q = "3923" region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc-3" - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name + region2_router2_name = module.shared_vpc.region2_router2.router.name region2_interconnect2_candidate_subnets = ["169.254.0.56/29"] region2_interconnect2_vlan_tag8021q = "3924" region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" 
@@ -60,56 +60,6 @@ module "shared_restricted_interconnect" { } depends_on = [ - module.restricted_shared_vpc - ] -} - -module "shared_base_interconnect" { - source = "../../modules/dedicated_interconnect" - - vpc_name = "c-shared-base" - interconnect_project_id = local.base_net_hub_project_id - - region1 = local.default_region1 - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.64/29"] - region1_interconnect1_vlan_tag8021q = "3925" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc-1" - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.72/29"] - region1_interconnect2_vlan_tag8021q = "3926" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc-2" - - region2 = local.default_region2 - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.80/29"] - region2_interconnect1_vlan_tag8021q = "3927" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc-3" - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.88/29"] - region2_interconnect2_vlan_tag8021q = "3928" - region2_interconnect2 = 
"https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc-4" - - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } - - depends_on = [ - module.base_shared_vpc + module.shared_vpc ] } diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf index 049128b09..33ed49752 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf @@ -16,17 +16,8 @@ locals { enable_transitivity = var.enable_hub_and_spoke_transitivity - base_regional_aggregates = { - (local.default_region1) = [ - "10.0.0.0/16", - "100.64.0.0/16" - ] - (local.default_region2) = [ - "10.1.0.0/16", - "100.65.0.0/16" - ] - } - restricted_regional_aggregates = { + + regional_aggregates = { (local.default_region1) = [ "10.8.0.0/16", "100.72.0.0/16" 
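Review bot: `regional_aggregates` keeps only `10.8.0.0/16` and `100.72.0.0/16` per region and drops `10.0.0.0/16` / `100.64.0.0/16`; that is consistent with the spoke ranges retained in `envs/production/main.tf` (`10.8.192.0/18` and `100.72.192.0/18` fall inside them), but because these aggregates drive both the gateway routes and the iptables `FORWARD` accept rule, anything still numbered from the old base ranges will be dropped by the transit VMs after this change, which belongs in the upgrade note. Same nit as the other locals blocks: the removed comment header leaves a stray empty `+` line.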
@@ -39,54 +30,19 @@ locals { } /* - * Base Network Transitivity - */ - -module "base_transitivity" { - source = "../../modules/transitivity" - count = local.enable_transitivity ? 1 : 0 - - project_id = local.base_net_hub_project_id - regions = keys(local.base_subnet_primary_ranges) - vpc_name = module.base_shared_vpc.network_name - gw_subnets = { for region in keys(local.base_subnet_primary_ranges) : region => "sb-c-shared-base-hub-${region}" } - regional_aggregates = local.base_regional_aggregates - firewall_policy = module.base_shared_vpc.firewall_policy - commands = [ - # Accept all ICMP (troubleshooting) - "iptables -A INPUT -p icmp -j ACCEPT", - # Accept SSH local traffic to the eth0 interface (health checking) - "iptables -A INPUT -p tcp --dport 22 -d $(curl -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip) -j ACCEPT", - # Drop everything else - "iptables -A INPUT -j DROP", - # Accept all return transit traffic for established flows - "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", - # Accept all transit traffic from internal ranges - # Replace by actual multiple source/destination/proto/ports rules for fine-grained ACLs. - "iptables -A FORWARD -s ${join(",", flatten(values(local.base_regional_aggregates)))} -d ${join(",", flatten(values(local.base_regional_aggregates)))} -j ACCEPT", - # Drop everything else - "iptables -A FORWARD -j DROP", - # SNAT traffic not to the local eth0 interface - "iptables -t nat -A POSTROUTING ! -d $(curl -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip) -j MASQUERADE", - ] - - depends_on = [module.base_shared_vpc] -} - -/* - * Restricted Network Transitivity + * Network Transitivity */ -module "restricted_transitivity" { +module "network_transitivity" { source = "../../modules/transitivity" count = local.enable_transitivity ? 
1 : 0 - project_id = local.restricted_net_hub_project_id - regions = keys(local.restricted_subnet_primary_ranges) - vpc_name = module.restricted_shared_vpc.network_name - gw_subnets = { for region in keys(local.restricted_subnet_primary_ranges) : region => "sb-c-shared-restricted-hub-${region}" } - regional_aggregates = local.restricted_regional_aggregates - firewall_policy = module.restricted_shared_vpc.firewall_policy + project_id = local.net_hub_project_id + regions = keys(local.subnet_primary_ranges) + vpc_name = module.shared_vpc.network_name + gw_subnets = { for region in keys(local.subnet_primary_ranges) : region => "sb-c-svpc-hub-${region}" } + regional_aggregates = local.regional_aggregates + firewall_policy = module.shared_vpc.firewall_policy commands = [ # Accept all ICMP (troubleshooting) "iptables -A INPUT -p icmp -j ACCEPT", @@ -98,12 +54,12 @@ module "restricted_transitivity" { "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", # Accept all transit traffic from internal ranges # Replace by actual multiple source/destination/proto/ports rules for fine-grained ACLs. - "iptables -A FORWARD -s ${join(",", flatten(values(local.restricted_regional_aggregates)))} -d ${join(",", flatten(values(local.restricted_regional_aggregates)))} -j ACCEPT", + "iptables -A FORWARD -s ${join(",", flatten(values(local.regional_aggregates)))} -d ${join(",", flatten(values(local.regional_aggregates)))} -j ACCEPT", # Drop everything else "iptables -A FORWARD -j DROP", # SNAT traffic not to the local eth0 interface "iptables -t nat -A POSTROUTING ! -d $(curl -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip) -j MASQUERADE", ] - depends_on = [module.restricted_shared_vpc] + depends_on = [module.shared_vpc] } diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index dcffa010d..084f7d386 100644 
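Review bot: changing the module address from `module.restricted_transitivity` to `module.network_transitivity` (and, per the `depends_on` line, `module.restricted_shared_vpc` to `module.shared_vpc`) makes Terraform plan a destroy and recreate of the gateway VMs and the hub VPC for anyone already deployed; add `moved` blocks so existing state follows the rename, one with `from = module.restricted_transitivity` and `to = module.network_transitivity`, and one with `from = module.restricted_shared_vpc` and `to = module.shared_vpc`. The `commands` list is otherwise unchanged, so the `iptables -A FORWARD -s ... -d ... -j ACCEPT` rule still permits all traffic between every aggregate pair and the "Replace by actual multiple source/destination/proto/ports rules" comment remains the operative security caveat after the merge.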
--- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -15,25 +15,12 @@ */ locals { - /* - * Base network ranges - */ - base_subnet_primary_ranges = { - (local.default_region1) = "10.0.0.0/18" - (local.default_region2) = "10.1.0.0/18" - } - base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.0.0/23" - (local.default_region2) = "10.19.0.0/23" - } - /* - * Restricted network ranges - */ - restricted_subnet_primary_ranges = { + + subnet_primary_ranges = { (local.default_region1) = "10.8.0.0/18" (local.default_region2) = "10.9.0.0/18" } - restricted_subnet_proxy_ranges = { + subnet_proxy_ranges = { (local.default_region1) = "10.26.0.0/23" (local.default_region2) = "10.27.0.0/23" } 
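Review bot: The merged `subnet_primary_ranges` and `subnet_proxy_ranges` in this `locals` hunk keep only the former restricted ranges (10.8.0.0/18, 10.9.0.0/18, 10.26.0.0/23, 10.27.0.0/23) and drop the former base ranges (10.0.0.0/18, 10.1.0.0/18, 10.18.0.0/23, 10.19.0.0/23); because this is an in-place rename of the restricted hub rather than a new network, an existing deployment applying this change will have its base hub VPC destroyed, so the upgrade notes should state that anything addressed in the dropped ranges must be migrated first. Also, the `+` line that introduces an empty line directly after `locals {` (where the `Base network ranges` comment block was removed) should either be dropped or carry a `Shared network ranges` comment in place of the deleted `Restricted network ranges` one.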
@@ -168,89 +155,14 @@ locals { } /****************************************** - Base Network VPC -*****************************************/ - -module "base_shared_vpc" { - source = "../../modules/base_shared_vpc" - - project_id = local.base_net_hub_project_id - environment_code = local.environment_code - private_service_connect_ip = "10.17.0.1" - bgp_asn_subnet = local.bgp_asn_number - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding - dns_enable_logging = var.base_hub_dns_enable_logging - firewall_enable_logging = var.base_hub_firewall_enable_logging - nat_enabled = var.base_hub_nat_enabled - nat_bgp_asn = var.base_hub_nat_bgp_asn - nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 - nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 - windows_activation_enabled = var.base_hub_windows_activation_enabled - target_name_server_addresses = var.target_name_server_addresses - mode = "hub" - - subnets = [ - { - subnet_name = "sb-c-shared-base-hub-${local.default_region1}" - subnet_ip = local.base_subnet_primary_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.base_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Base network hub subnet for ${local.default_region1}" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}" - subnet_ip = local.base_subnet_primary_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = 
var.base_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Base network hub subnet for ${local.default_region2}" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region1}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region2}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - } - ] - secondary_ranges = {} - -} - -/****************************************** - Restricted Network VPC + Shared Network VPC *****************************************/ -module "restricted_shared_vpc" { - source = "../../modules/restricted_shared_vpc" +module "shared_vpc" { + source = "../../modules/shared_vpc" - project_id = local.restricted_net_hub_project_id - project_number = local.restricted_net_hub_project_number + project_id = local.net_hub_project_id + project_number = local.net_hub_project_number environment_code = local.environment_code private_service_connect_ip = "10.17.0.5" access_context_manager_policy_id = var.access_context_manager_policy_id 
@@ -270,59 +182,59 @@ module "restricted_shared_vpc" { default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding - dns_enable_logging = var.restricted_hub_dns_enable_logging - firewall_enable_logging = var.restricted_hub_firewall_enable_logging - nat_enabled = var.restricted_hub_nat_enabled - nat_bgp_asn = var.restricted_hub_nat_bgp_asn - nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 - nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 - windows_activation_enabled = var.restricted_hub_windows_activation_enabled + dns_enable_inbound_forwarding = var.hub_dns_enable_inbound_forwarding + dns_enable_logging = var.hub_dns_enable_logging + firewall_enable_logging = var.hub_firewall_enable_logging + nat_enabled = var.hub_nat_enabled + nat_bgp_asn = var.hub_nat_bgp_asn + nat_num_addresses_region1 = var.hub_nat_num_addresses_region1 + nat_num_addresses_region2 = var.hub_nat_num_addresses_region2 + windows_activation_enabled = var.hub_windows_activation_enabled target_name_server_addresses = var.target_name_server_addresses mode = "hub" subnets = [ { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}" - subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1] + subnet_name = "sb-c-svpc-hub-${local.default_region1}" + subnet_ip = local.subnet_primary_ranges[local.default_region1] subnet_region = local.default_region1 subnet_private_access = "true" - subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = 
var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region1}" + subnet_flow_logs = var.vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr + description = "Network hub subnet for ${local.default_region1}" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}" - subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2] + subnet_name = "sb-c-svpc-hub-${local.default_region2}" + subnet_ip = local.subnet_primary_ranges[local.default_region2] subnet_region = local.default_region2 subnet_private_access = "true" - subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region2}" + subnet_flow_logs = var.vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr + description = "Network hub subnet for ${local.default_region2}" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" - subnet_ip = 
local.restricted_subnet_proxy_ranges[local.default_region1] + subnet_name = "sb-c-svpc-hub-${local.default_region1}-proxy" + subnet_ip = local.subnet_proxy_ranges[local.default_region1] subnet_region = local.default_region1 subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + description = "Network hub proxy-only subnet for ${local.default_region1}" role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] + subnet_name = "sb-c-svpc-hub-${local.default_region2}-proxy" + subnet_ip = local.subnet_proxy_ranges[local.default_region2] subnet_region = local.default_region2 subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + description = "Network hub proxy-only subnet for ${local.default_region2}" role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index 6af4101cf..8a633f925 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf 
@@ -14,32 +14,17 @@ * limitations under the License. */ -output "restricted_host_project_id" { - value = local.restricted_net_hub_project_id - description = "The restricted host project ID" +output "shared_vpc_host_project_id" { + value = local.net_hub_project_id + description = "The host project ID" } -output "base_host_project_id" { - value = local.base_net_hub_project_id - description = "The base host project ID" +output "network_name" { + value = module.shared_vpc.network_name + description = "The name of the Shared VPC being created" } -output "base_network_name" { - value = module.base_shared_vpc.network_name - description = "The name of the VPC being created" -} - -output "restricted_network_name" { - value = module.restricted_shared_vpc.network_name - description = "The name of the VPC being created" -} - -output "base_dns_policy" { - value = module.base_shared_vpc.base_dns_policy - description = "The name of the DNS policy being created" -} - -output "restricted_dns_policy" { - value = module.restricted_shared_vpc.restricted_dns_policy +output "dns_policy" { + value = module.shared_vpc.dns_policy description = "The name of the DNS policy being created" } diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example index 92cd21dde..671707c00 100644 --- a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example 
@@ -15,26 +15,26 @@ */ -module "shared_restricted_interconnect" { +module "shared_interconnect" { source = "../../modules/partner_interconnect" - attachment_project_id = local.restricted_net_hub_project_id - vpc_name = "${local.environment_code}-shared-restricted" + attachment_project_id = local.net_hub_project_id + vpc_name = "${local.environment_code}-svpc" preactivate = var.preactivate_partner_interconnect region1 = local.default_region1 - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name + region1_router1_name = module.shared_vpc.region1_router1.router.name region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name + region1_router2_name = module.shared_vpc.region1_router2.router.name region1_interconnect2_location = "las-zone1-770" region1_interconnect2_onprem_dc = "onprem-dc2" region2 = local.default_region2 - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name + region2_router1_name = module.shared_vpc.region2_router1.router.name region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name + region2_router2_name = module.shared_vpc.region2_router2.router.name region2_interconnect2_location = "lax-zone1-403" region2_interconnect2_onprem_dc = "onprem-dc4" 
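Review bot: `vpc_name = "${local.environment_code}-svpc"` in the renamed `shared_interconnect` module hard-codes the VPC name while the same hunk already takes the router names from `module.shared_vpc.region1_router1.router.name`; reading `module.shared_vpc.network_name` here (the value `outputs.tf` now exports as `network_name`) would keep the interconnect attachment bound to whatever `modules/shared_vpc` actually names the VPC and avoid a silent mismatch if the module's naming does not end in `-svpc`.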
@@ -45,34 +45,3 @@ module "shared_restricted_interconnect" { vlan_4 = "cr8" } } - -module "shared_base_interconnect" { - source = "../../modules/partner_interconnect" - - attachment_project_id = local.base_net_hub_project_id - vpc_name = "${local.environment_code}-shared-base" - preactivate = var.preactivate_partner_interconnect - - region1 = local.default_region1 - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = local.default_region2 - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf b/3-networks-hub-and-spoke/envs/shared/remote.tf index 78e898578..490877bd6 100644 --- a/3-networks-hub-and-spoke/envs/shared/remote.tf +++ b/3-networks-hub-and-spoke/envs/shared/remote.tf 
@@ -15,29 +15,28 @@ */ locals { - interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id - interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number - parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder - org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id - billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account - default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 - project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name - common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name - development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder - nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder - production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder - base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id - restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id - restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number - organization_service_account = 
data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 + project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name + common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name + network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name + development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder + nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder + production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder + net_hub_project_id = data.terraform_remote_state.org.outputs.net_hub_project_id + 
net_hub_project_number = data.terraform_remote_state.org.outputs.net_hub_project_number + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email } data "terraform_remote_state" "bootstrap" { diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example index f609c65e4..9eda763db 100644 --- a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example +++ b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example 
@@ -30,11 +30,10 @@ locals { common_folder_name = data.tfe_outputs.org.nonsensitive_values.common_folder_name network_folder_name = data.tfe_outputs.org.nonsensitive_values.network_folder_name development_folder_name = data.tfe_outputs.env_development.nonsensitive_values.env_folder - nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder + nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder production_folder_name = data.tfe_outputs.env_production.nonsensitive_values.env_folder - base_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.base_net_hub_project_id - restricted_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_id - restricted_net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_number + net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.net_hub_project_id + net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.net_hub_project_number organization_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.organization_step_terraform_service_account_email networks_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.networks_step_terraform_service_account_email projects_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.projects_step_terraform_service_account_email diff --git a/3-networks-hub-and-spoke/envs/shared/variables.tf b/3-networks-hub-and-spoke/envs/shared/variables.tf index 65f70ee84..42bcc7530 100644 --- a/3-networks-hub-and-spoke/envs/shared/variables.tf +++ b/3-networks-hub-and-spoke/envs/shared/variables.tf 
@@ -20,7 +20,7 @@ variable "remote_state_bucket" { } variable "perimeter_additional_members" { - description = "The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`." + description = "The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the Shared perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`." type = list(string) } 
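Review bot: The new `perimeter_additional_members` description says "in the Shared perimeter", a capitalised adjective that does not correspond to any named resource, while the README rows for `perimeter_additional_members` and `perimeter_additional_members_dry_run` later in this patch still read "in the restricted perimeter". Settle on one wording (for example "in the Shared VPC perimeter", or simply "in the perimeter") and use it in both the variable description and the README so the generated documentation stays consistent.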
@@ -71,123 +71,55 @@ variable "target_name_server_addresses" { type = list(map(any)) } -variable "base_hub_windows_activation_enabled" { +variable "hub_windows_activation_enabled" { type = bool - description = "Enable Windows license activation for Windows workloads in Base Hub" + description = "Enable Windows license activation for Windows workloads in Shared Hub." default = false } -variable "restricted_hub_windows_activation_enabled" { +variable "hub_dns_enable_inbound_forwarding" { type = bool - description = "Enable Windows license activation for Windows workloads in Restricted Hub." - default = false -} - -variable "base_hub_dns_enable_inbound_forwarding" { - type = bool - description = "Toggle inbound query forwarding for Base Hub VPC DNS." - default = true -} - -variable "restricted_hub_dns_enable_inbound_forwarding" { - type = bool - description = "Toggle inbound query forwarding for Restricted Hub VPC DNS." - default = true -} - -variable "base_hub_dns_enable_logging" { - type = bool - description = "Toggle DNS logging for Base Hub VPC DNS." - default = true -} - -variable "restricted_hub_dns_enable_logging" { - type = bool - description = "Toggle DNS logging for Restricted Hub VPC DNS." + description = "Toggle inbound query forwarding for Shared Hub VPC DNS." default = true } -variable "base_hub_firewall_enable_logging" { +variable "hub_dns_enable_logging" { type = bool - description = "Toggle firewall logging for VPC Firewalls in Base Hub VPC." + description = "Toggle DNS logging for Shared Hub VPC DNS." default = true } -variable "restricted_hub_firewall_enable_logging" { +variable "hub_firewall_enable_logging" { type = bool - description = "Toggle firewall logging for VPC Firewalls in Restricted Hub VPC." + description = "Toggle firewall logging for VPC Firewalls in Shared Hub VPC." default = true } -variable "base_hub_nat_enabled" { - type = bool - description = "Toggle creation of NAT cloud router in Base Hub." 
- default = false -} - -variable "restricted_hub_nat_enabled" { +variable "hub_nat_enabled" { type = bool - description = "Toggle creation of NAT cloud router in Restricted Hub." + description = "Toggle creation of NAT cloud router in Shared Hub." default = false } -variable "base_hub_nat_bgp_asn" { +variable "hub_nat_bgp_asn" { type = number - description = "BGP ASN for first NAT cloud routes in Base Hub." + description = "BGP ASN for first NAT cloud routes in Shared Hub." default = 64514 } -variable "restricted_hub_nat_bgp_asn" { +variable "hub_nat_num_addresses_region1" { type = number - description = "BGP ASN for first NAT cloud routes in Restricted Hub." - default = 64514 -} - -variable "base_hub_nat_num_addresses_region1" { - type = number - description = "Number of external IPs to reserve for first Cloud NAT in Base Hub." + description = "Number of external IPs to reserve for first Cloud NAT in Shared Hub." default = 2 } -variable "restricted_hub_nat_num_addresses_region1" { +variable "hub_nat_num_addresses_region2" { type = number - description = "Number of external IPs to reserve for first Cloud NAT in Restricted Hub." + description = "Number of external IPs to reserve for second Cloud NAT in Shared Hub." default = 2 } -variable "base_hub_nat_num_addresses_region2" { - type = number - description = "Number of external IPs to reserve for second Cloud NAT in Base Hub." - default = 2 -} - -variable "restricted_hub_nat_num_addresses_region2" { - type = number - description = "Number of external IPs to reserve for second Cloud NAT in Restricted Hub." - default = 2 -} - -variable "base_vpc_flow_logs" { - description = < flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | custom\_restricted\_services | List of custom services to be protected by the enforced VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | custom\_restricted\_services\_dry\_run | List of custom services to be protected by the dry-run VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -26,15 +20,15 @@ | ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | +| private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Shared Vpc. | `string` | n/a | yes | +| private\_service\_connect\_ip | The subnet internal IP to be used as the private service connect endpoint in the Shared VPC | `string` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | -| restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | -| restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | -| restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. 
| `map(string)` | n/a | yes | -| restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | -| restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | +| subnet\_primary\_ranges | The subnet primary IPTs ranges to the Shared Vpc. | `map(string)` | n/a | yes | +| subnet\_proxy\_ranges | The proxy-only subnet primary IPTs ranges to the Shared Vpc. | `map(string)` | n/a | yes | +| subnet\_secondary\_ranges | The subnet secondary IPTs ranges to the Shared Vpc | `map(list(map(string)))` | n/a | yes | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | +| vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs 
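Review bot: the added `vpc_flow_logs` row carries two typos in its description, `ist of metadata fields` should read `List of metadata fields` and `as as CEL expression` should read `as a CEL expression`; the three added `subnet_primary_ranges`, `subnet_proxy_ranges` and `subnet_secondary_ranges` rows also say `IPTs ranges` where `IP ranges` is meant, and the secondary-ranges description lacks the trailing period the other two have. The same wording appears in the `variables.tf` hunk of this PR, so correct the variable descriptions there and regenerate this table rather than patching the README alone.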
@@ -42,22 +36,15 @@ |------|-------------| | access\_level\_name | Access context manager access level name for the enforced perimeter | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | +| shared\_vpc\_host\_project\_id | The host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index a50e05619..60e34e5af 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf 
@@ -18,16 +18,8 @@ locals { bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" enable_transitivity = var.enable_hub_and_spoke_transitivity - /* - * Base network ranges - */ - base_subnet_aggregates = ["10.0.0.0/18", "10.1.0.0/18", "100.64.0.0/18", "100.65.0.0/18"] - base_hub_subnet_ranges = ["10.0.0.0/24", "10.1.0.0/24"] - /* - * Restricted network ranges - */ - restricted_subnet_aggregates = ["10.8.0.0/18", "10.9.0.0/18", "100.72.0.0/18", "100.73.0.0/18"] - restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] + subnet_aggregates = ["10.8.0.0/18", "10.9.0.0/18", "100.72.0.0/18", "100.73.0.0/18"] + hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] supported_restricted_service = [ "accessapproval.googleapis.com", 
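Review bot: the collapsed `subnet_aggregates` and `hub_subnet_ranges` keep only the former restricted address plan (`10.8.0.0/18`, `10.9.0.0/18`, `100.72.0.0/18`, `100.73.0.0/18` and the matching `/24` hub ranges) and silently drop the former base plan (`10.0.0.0/18`, `10.1.0.0/18`, `100.64.0.0/18`, `100.65.0.0/18`). Add a short comment above the locals, or a changelog entry, stating that the restricted ranges are the ones that survive, because an existing deployment whose workloads sit in the old base ranges will find those ranges gone from every consumer of these locals after this change.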
@@ -159,19 +151,19 @@ locals { } /****************************************** - Restricted shared VPC + Shared VPC *****************************************/ -module "restricted_shared_vpc" { - source = "../restricted_shared_vpc" +module "shared_vpc" { + source = "../shared_vpc" - project_id = local.restricted_project_id - project_number = local.restricted_project_number - restricted_net_hub_project_id = local.restricted_net_hub_project_id - restricted_net_hub_project_number = local.restricted_net_hub_project_number - environment_code = var.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - restricted_services = local.restricted_services - restricted_services_dry_run = local.restricted_services_dry_run + project_id = local.shared_vpc_project_id + project_number = local.shared_vpc_project_number + net_hub_project_id = local.net_hub_project_id + net_hub_project_number = local.net_hub_project_number + environment_code = var.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + restricted_services = local.restricted_services + restricted_services_dry_run = local.restricted_services_dry_run members = distinct(concat([ "serviceAccount:${local.networks_service_account}", "serviceAccount:${local.projects_service_account}", @@ -182,8 +174,8 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip + private_service_cidr = var.private_service_cidr + private_service_connect_ip = var.private_service_connect_ip ingress_policies = var.ingress_policies egress_policies = var.egress_policies bgp_asn_subnet = local.bgp_asn_number 
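Review bot: renaming `module "restricted_shared_vpc"` to `module "shared_vpc"` (with `source` moving from `../restricted_shared_vpc` to `../shared_vpc`) changes the state address of every resource under the module, so an existing deployment will plan a destroy and recreate of the network, subnets and service perimeter rather than an in-place update. Add a `moved { from = module.restricted_shared_vpc  to = module.shared_vpc }` block here, provided the resources inside the new `shared_vpc` module keep their old names, or document the equivalent `terraform state mv` steps in an upgrade guide so the perimeter is never torn down during the migration.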
@@ -195,34 +187,34 @@ module "restricted_shared_vpc" { subnets = [ { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region1}" + subnet_ip = var.subnet_primary_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" subnet_flow_logs = true - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr description = "First ${var.env} subnet example." 
}, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region2}" + subnet_ip = var.subnet_primary_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" subnet_flow_logs = true - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region1}-proxy" + subnet_ip = var.subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." 
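Review bot: the subnet names change from `sb-${var.environment_code}-shared-restricted-<region>` to `sb-${var.environment_code}-svpc-<region>` for both primary subnets and both proxy-only subnets; a subnet's `name` is immutable in Google Cloud, so on an existing deployment this forces replacement of the subnets and of anything attached to them, and no `moved` block can prevent that. Either keep the old names (for example by making the prefix a variable that defaults to the previous value) or call the rename out as a breaking change with a migration procedure.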
@@ -230,8 +222,8 @@ module "restricted_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region2}-proxy" + subnet_ip = var.subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." 
@@ -240,76 +232,6 @@ module "restricted_shared_vpc" { } ] secondary_ranges = { - "sb-${var.environment_code}-shared-restricted-${var.default_region1}" = var.restricted_subnet_secondary_ranges[var.default_region1] - } -} - -/****************************************** - Base shared VPC -*****************************************/ - -module "base_shared_vpc" { - source = "../base_shared_vpc" - - project_id = local.base_project_id - base_net_hub_project_id = local.base_net_hub_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - private_service_connect_ip = var.base_private_service_connect_ip - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number - mode = "spoke" - target_name_server_addresses = var.target_name_server_addresses - - subnets = [ - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = true - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "First ${var.env} subnet example." 
- }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = true - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Second ${var.env} subnet example." - }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - description = "First ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - description = "Second ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - } - ] - secondary_ranges = { - "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1] + "sb-${var.environment_code}-svpc-${var.default_region1}" = var.subnet_secondary_ranges[var.default_region1] } } diff --git a/3-networks-hub-and-spoke/modules/base_env/outputs.tf b/3-networks-hub-and-spoke/modules/base_env/outputs.tf index 053c1c134..e4e7217d9 100644 --- a/3-networks-hub-and-spoke/modules/base_env/outputs.tf +++ b/3-networks-hub-and-spoke/modules/base_env/outputs.tf 
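Review bot: with `module "base_shared_vpc"` removed, the only VPC left in this environment is the one created by `module "shared_vpc"`, which the hunks above attach to the VPC Service Controls perimeter through `restricted_services`, `restricted_services_dry_run` and `perimeter_additional_members`; workloads that previously used the base network because they depended on APIs absent from `supported_restricted_service` now have no network outside the perimeter. State that explicitly in this step's README, and confirm in the PR description that applying this change destroys the base VPC together with its peering, private service connection and routers, since nothing in the diff migrates those resources.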
@@ -19,102 +19,57 @@ output "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration" } -/********************* - Restricted Outputs -*********************/ - -output "restricted_host_project_id" { - value = local.restricted_project_id - description = "The restricted host project ID" +output "shared_vpc_host_project_id" { + value = local.shared_vpc_project_id + description = "The host project ID" } -output "restricted_network_name" { - value = module.restricted_shared_vpc.network_name +output "network_name" { + value = module.shared_vpc.network_name description = "The name of the VPC being created" } -output "restricted_network_self_link" { - value = module.restricted_shared_vpc.network_self_link +output "network_self_link" { + value = module.shared_vpc.network_self_link description = "The URI of the VPC being created" } -output "restricted_subnets_names" { - value = module.restricted_shared_vpc.subnets_names +output "subnets_names" { + value = module.shared_vpc.subnets_names description = "The names of the subnets being created" } -output "restricted_subnets_ips" { - value = module.restricted_shared_vpc.subnets_ips +output "subnets_ips" { + value = module.shared_vpc.subnets_ips description = "The IPs and CIDRs of the subnets being created" } -output "restricted_subnets_self_links" { - value = module.restricted_shared_vpc.subnets_self_links +output "subnets_self_links" { + value = module.shared_vpc.subnets_self_links description = "The self-links of subnets being created" } -output "restricted_subnets_secondary_ranges" { - value = module.restricted_shared_vpc.subnets_secondary_ranges +output "subnets_secondary_ranges" { + value = module.shared_vpc.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } output "access_level_name" { - value = module.restricted_shared_vpc.access_level_name + value = module.shared_vpc.access_level_name description = "Access 
context manager access level name for the enforced perimeter" } output "access_level_name_dry_run" { - value = module.restricted_shared_vpc.access_level_name_dry_run + value = module.shared_vpc.access_level_name_dry_run description = "Access context manager access level name for the dry-run perimeter" } output "enforce_vpcsc" { - value = module.restricted_shared_vpc.enforce_vpcsc + value = module.shared_vpc.enforce_vpcsc description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." } -output "restricted_service_perimeter_name" { - value = module.restricted_shared_vpc.service_perimeter_name +output "service_perimeter_name" { + value = module.shared_vpc.service_perimeter_name description = "Access context manager service perimeter name for the enforced perimeter" } - - - -/****************************************** - Private Outputs -*****************************************/ - -output "base_host_project_id" { - value = local.base_project_id - description = "The base host project ID" -} - -output "base_network_name" { - value = module.base_shared_vpc.network_name - description = "The name of the VPC being created" -} - -output "base_network_self_link" { - value = module.base_shared_vpc.network_self_link - description = "The URI of the VPC being created" -} - -output "base_subnets_names" { - value = module.base_shared_vpc.subnets_names - description = "The names of the subnets being created" -} - -output "base_subnets_ips" { - value = module.base_shared_vpc.subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "base_subnets_self_links" { - value = 
module.base_shared_vpc.subnets_self_links - description = "The self-links of subnets being created" -} - -output "base_subnets_secondary_ranges" { - value = module.base_shared_vpc.subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf b/3-networks-hub-and-spoke/modules/base_env/remote.tf index 8a6e50259..535fbeb03 100644 --- a/3-networks-hub-and-spoke/modules/base_env/remote.tf +++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf 
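Review bot: every output in this file is renamed (`restricted_host_project_id` to `shared_vpc_host_project_id`, `restricted_network_name` to `network_name`, `restricted_service_perimeter_name` to `service_perimeter_name`, and the same pattern for the subnet outputs) and the seven `base_*` outputs are dropped, so any consumer of this module's outputs, including later foundation steps that read this stage's remote state, will fail on an unknown attribute until it is updated in the same change. Please include the old-to-new output mapping in the upgrade notes and verify the downstream steps in this PR.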
@@ -15,15 +15,13 @@ */ locals { - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id - base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id - restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id - restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number - organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + shared_vpc_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].shared_vpc_project_id + shared_vpc_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].shared_vpc_project_number + net_hub_project_id = data.terraform_remote_state.org.outputs.net_hub_project_id + net_hub_project_number = data.terraform_remote_state.org.outputs.net_hub_project_number + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email } data "terraform_remote_state" "bootstrap" { 
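Review bot: the locals now read `shared_vpc_projects[var.env].shared_vpc_project_id`, `.shared_vpc_project_number`, `net_hub_project_id` and `net_hub_project_number` from the organization step's remote state; those are new output names, so the organization stage must publish them in the same PR, otherwise `terraform plan` in this step fails before any of the renames above are reached. A one-line comment naming the producing stage would help the next person who has to keep the two in sync.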
diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example index 05eefabbe..c8e364f67 100644 --- a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example +++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example @@ -15,12 +15,10 @@ */ locals { - restricted_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number - base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id - base_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.base_net_hub_project_id - restricted_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_id - restricted_net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_number + project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].project_id + project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].shared_vpc_project_number + net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.net_hub_project_id + net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.net_hub_project_number organization_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.organization_step_terraform_service_account_email networks_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.networks_step_terraform_service_account_email projects_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.projects_step_terraform_service_account_email diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index aa4cdef97..3c9ce405c 100644 
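Review bot: this Terraform Cloud variant defines the locals as `project_id` and `project_number`, but `main.tf` in this PR consumes `local.shared_vpc_project_id` and `local.shared_vpc_project_number`, so a deployment that copies this example over `remote.tf` fails with an undeclared local. The keys are inconsistent as well: the id is read from `shared_vpc_projects[var.env].project_id` while the number comes from `.shared_vpc_project_number`, whereas `remote.tf` reads `shared_vpc_project_id` and `shared_vpc_project_number`. Rename the two locals and the `.project_id` key to match `remote.tf` exactly.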
--- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf 
@@ -73,75 +73,32 @@ variable "enable_hub_and_spoke_transitivity" { default = false } -variable "base_private_service_cidr" { +variable "private_service_cidr" { type = string - description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc." + description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Shared Vpc." } -variable "base_subnet_primary_ranges" { +variable "subnet_primary_ranges" { type = map(string) - description = "The base subnet primary IPTs ranges to the Base Shared Vpc." + description = "The subnet primary IPTs ranges to the Shared Vpc." } -variable "base_subnet_proxy_ranges" { +variable "subnet_proxy_ranges" { type = map(string) - description = "The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc." + description = "The proxy-only subnet primary IPTs ranges to the Shared Vpc." } -variable "base_subnet_secondary_ranges" { +variable "subnet_secondary_ranges" { type = map(list(map(string))) - description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." + description = "The subnet secondary IPTs ranges to the Shared Vpc" } -variable "base_private_service_connect_ip" { +variable "private_service_connect_ip" { type = string - description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC" + description = "The subnet internal IP to be used as the private service connect endpoint in the Shared VPC" } -variable "base_vpc_flow_logs" { - description = < -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| base\_net\_hub\_project\_id | The base net hub project ID | `string` | `""` | no | -| bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. 
| `number` | n/a | yes | -| default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | -| default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | -| dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | -| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | -| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | -| enable\_transitivity\_traffic | Enable a firewall policy rule to allow traffic between Hub and Spokes (ingress only). | `bool` | `true` | no | -| environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| mode | Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise. | `string` | `null` | no | -| nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | -| nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | -| nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no | -| nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | -| private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | -| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| project\_id | Project ID for Private Shared VPC. 
| `string` | n/a | yes | -| secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| base\_dns\_policy | The name of the DNS policy being created | -| firewall\_policy | Policy created for firewall policy rules. | -| network\_name | The name of the VPC being created | -| network\_self\_link | The URI of the VPC being created | -| region1\_router1 | Router 1 for Region 1 | -| region1\_router2 | Router 2 for Region 1 | -| region2\_router1 | Router 1 for Region 2 | -| region2\_router2 | Router 2 for Region 2 | -| subnets\_flow\_logs | Whether the subnets have VPC flow logs enabled | -| subnets\_ips | The IPs and CIDRs of the subnets being created | -| subnets\_names | The names of the subnets being created | -| subnets\_private\_access | Whether the subnets have access to Google API's without a public IP | -| subnets\_regions | The region where the subnets will be created | -| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| subnets\_self\_links | The self-links of subnets being created | - - diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf deleted file mode 100644 index 94dbe7b31..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf +++ /dev/null 
@@ -1,102 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - Mandatory and optional firewall rules - *****************************************/ -module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 10.0" - - project_id = var.project_id - policy_name = "fp-${var.environment_code}-hub-and-spoke-base-firewalls" - description = "Firewall rules for base hub and spoke shared vpc: ${module.main.network_name}." - target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"] - - rules = concat( - [ - { - priority = "65530" - direction = "EGRESS" - action = "deny" - rule_name = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all" - description = "Lower priority rule to deny all egress traffic." - enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = ["0.0.0.0/0"] - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - }, - { - priority = "1000" - direction = "EGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-1000-e-a-allow-google-apis-all-tcp-443" - description = "Lower priority rule to allow private google apis on TCP port 443." 
- enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = [local.private_googleapis_cidr] - layer4_configs = [ - { - ip_protocol = "tcp" - ports = ["443"] - }, - ] - } - } - ], - !var.enable_all_vpc_internal_traffic ? [] : [ - { - priority = "10000" - direction = "EGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all" - description = "Allow all egress to the provided IP range." - enable_logging = var.firewall_enable_logging - match = { - dest_ip_ranges = module.main.subnets_ips - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - } - ], - !var.enable_all_vpc_internal_traffic ? [] : [ - { - priority = "10001" - direction = "INGRESS" - action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10001-i-a-all" - description = "Allow all ingress to the provided IP range." - enable_logging = var.firewall_enable_logging - match = { - src_ip_ranges = module.main.subnets_ips - layer4_configs = [ - { - ip_protocol = "all" - }, - ] - } - } - ] - ) -} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf deleted file mode 100644 index 5be4fb015..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ /dev/null 
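Review bot: the deleted `base_shared_vpc/firewall.tf` carried the egress baseline of the base network: a priority-65530 `deny` of all egress to `0.0.0.0/0`, a priority-1000 `allow` of TCP 443 to `local.private_googleapis_cidr`, and the optional priority-10000/10001 all-internal rules gated by `var.enable_all_vpc_internal_traffic`, each with `enable_logging = var.firewall_enable_logging`. Nothing in this diff shows the firewall policy of the retained `shared_vpc` module, so please confirm in the PR description that the surviving policy keeps the default-deny egress rule and the logging toggle, so that consolidating the two networks does not loosen the egress baseline or silently turn off firewall logging.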
@@ -1,182 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-base${local.mode}" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.environment_code == "c" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] - -} - -/****************************************** - Shared VPC configuration - *****************************************/ - -module "main" { - source = "terraform-google-modules/network/google" - version = "~> 10.0" - - project_id = var.project_id - network_name = local.network_name - shared_vpc_host = "true" - delete_default_internet_gateway_routes = "true" - - subnets = var.subnets - secondary_ranges = var.secondary_ranges - - routes = concat( - var.nat_enabled ? - [ - { - name = "rt-${local.vpc_name}-1000-egress-internet-default" - description = "Tag based route through IGW to access internet" - destination_range = "0.0.0.0/0" - tags = "egress-internet" - next_hop_internet = "true" - priority = "1000" - } - ] - : [], - var.windows_activation_enabled ? 
- [{ - name = "rt-${local.vpc_name}-1000-all-default-windows-kms" - description = "Route through IGW to allow Windows KMS activation for GCP." - destination_range = "35.190.247.13/32" - next_hop_internet = "true" - priority = "1000" - } - ] - : [] - ) -} - -/*************************************************************** - VPC Peering Configuration - **************************************************************/ -data "google_compute_network" "vpc_base_net_hub" { - count = var.mode == "spoke" ? 1 : 0 - name = "vpc-c-shared-base-hub" - project = var.base_net_hub_project_id -} - -module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 10.0" - count = var.mode == "spoke" ? 1 : 0 - - prefix = "np" - local_network = module.main.network_self_link - peer_network = data.google_compute_network.vpc_base_net_hub[0].self_link - export_peer_custom_routes = true -} - -/*************************************************************** - Configure Service Networking for Cloud SQL & future services. - **************************************************************/ - -resource "google_compute_global_address" "private_service_access_address" { - count = var.private_service_cidr != null ? 1 : 0 - name = "ga-${local.vpc_name}-vpc-peering-internal" - project = var.project_id - purpose = "VPC_PEERING" - address_type = "INTERNAL" - address = element(split("/", var.private_service_cidr), 0) - prefix_length = element(split("/", var.private_service_cidr), 1) - network = module.main.network_self_link - - depends_on = [module.peering] -} - -resource "google_service_networking_connection" "private_vpc_connection" { - count = var.private_service_cidr != null ? 
1 : 0 - network = module.main.network_self_link - service = "servicenetworking.googleapis.com" - reserved_peering_ranges = [google_compute_global_address.private_service_access_address[0].name] - - depends_on = [module.peering] -} - -/************************************ - Router to advertise shared VPC - subnetworks and Google Private API -************************************/ - -module "region1_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - count = var.mode != "spoke" ? 1 : 0 - - name = "cr-${local.vpc_name}-${var.default_region1}-cr1" - project = var.project_id - network = module.main.network_name - region = var.default_region1 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - -module "region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - count = var.mode != "spoke" ? 1 : 0 - - name = "cr-${local.vpc_name}-${var.default_region1}-cr2" - project = var.project_id - network = module.main.network_name - region = var.default_region1 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - -module "region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - count = var.mode != "spoke" ? 1 : 0 - - name = "cr-${local.vpc_name}-${var.default_region2}-cr3" - project = var.project_id - network = module.main.network_name - region = var.default_region2 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} - -module "region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - count = var.mode != "spoke" ? 
1 : 0 - - name = "cr-${local.vpc_name}-${var.default_region2}-cr4" - project = var.project_id - network = module.main.network_name - region = var.default_region2 - bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = local.advertised_ip - } -} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf deleted file mode 100644 index dc0b49c4d..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -/****************************************** - NAT Cloud Router & NAT config - *****************************************/ - -resource "google_compute_router" "nat_router_region1" { - count = var.nat_enabled ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-nat-router" - project = var.project_id - region = var.default_region1 - network = module.main.network_self_link - - bgp { - asn = var.nat_bgp_asn - } -} - -resource "google_compute_address" "nat_external_addresses_region1" { - count = var.nat_enabled ? var.nat_num_addresses_region1 : 0 - project = var.project_id - name = "ca-${local.vpc_name}-${var.default_region1}-${count.index}" - region = var.default_region1 -} - -resource "google_compute_router_nat" "egress_nat_region1" { - count = var.nat_enabled ? 1 : 0 - name = "rn-${local.vpc_name}-${var.default_region1}-egress" - project = var.project_id - router = google_compute_router.nat_router_region1[0].name - region = var.default_region1 - nat_ip_allocate_option = "MANUAL_ONLY" - nat_ips = google_compute_address.nat_external_addresses_region1.*.self_link - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" - - log_config { - filter = "TRANSLATIONS_ONLY" - enable = true - } -} - -resource "google_compute_router" "nat_router_region2" { - count = var.nat_enabled ? 
1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-nat-router" - project = var.project_id - region = var.default_region2 - network = module.main.network_self_link - - bgp { - asn = var.nat_bgp_asn - } -} - -resource "google_compute_address" "nat_external_addresses_region2" { - count = var.nat_enabled ? var.nat_num_addresses_region2 : 0 - project = var.project_id - name = "ca-${local.vpc_name}-${var.default_region2}-${count.index}" - region = var.default_region2 -} - -resource "google_compute_router_nat" "egress_nat2" { - count = var.nat_enabled ? 1 : 0 - name = "rn-${local.vpc_name}-${var.default_region2}-egress" - project = var.project_id - router = google_compute_router.nat_router_region2[0].name - region = var.default_region2 - nat_ip_allocate_option = "MANUAL_ONLY" - nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" - - log_config { - filter = "TRANSLATIONS_ONLY" - enable = true - } -} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf deleted file mode 100644 index 3d13190d7..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "network_name" { - value = module.main.network_name - description = "The name of the VPC being created" -} - -output "base_dns_policy" { - value = google_dns_policy.default_policy.name - description = "The name of the DNS policy being created" -} - -output "network_self_link" { - value = module.main.network_self_link - description = "The URI of the VPC being created" -} - -output "subnets_names" { - value = module.main.subnets_names - description = "The names of the subnets being created" -} - -output "subnets_ips" { - value = module.main.subnets_ips - description = "The IPs and CIDRs of the subnets being created" -} - -output "subnets_self_links" { - value = module.main.subnets_self_links - description = "The self-links of subnets being created" -} - -output "subnets_regions" { - value = module.main.subnets_regions - description = "The region where the subnets will be created" -} - -output "subnets_private_access" { - value = module.main.subnets_private_access - description = "Whether the subnets have access to Google API's without a public IP" -} - -output "subnets_flow_logs" { - value = module.main.subnets_flow_logs - description = "Whether the subnets have VPC flow logs enabled" -} - -output "subnets_secondary_ranges" { - value = module.main.subnets_secondary_ranges - description = "The secondary ranges associated with these subnets" -} - 
-output "region1_router1" { - value = try(module.region1_router1[0], null) - description = "Router 1 for Region 1" -} - -output "region1_router2" { - value = try(module.region1_router2[0], null) - description = "Router 2 for Region 1" -} - -output "region2_router1" { - value = try(module.region2_router1[0], null) - description = "Router 1 for Region 2" -} - -output "region2_router2" { - value = try(module.region2_router2[0], null) - description = "Router 2 for Region 2" -} - -output "firewall_policy" { - value = module.firewall_rules.fw_policy[0].name - description = "Policy created for firewall policy rules." -} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf deleted file mode 100644 index c18e514e6..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf +++ /dev/null @@ -1,27 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -module "private_service_connect" { - source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 10.0" - - project_id = var.project_id - dns_code = "dz-${var.environment_code}-shared-base" - network_self_link = module.main.network_self_link - private_service_connect_ip = var.private_service_connect_ip - forwarding_rule_target = "all-apis" -} 
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf deleted file mode 100644 index ed45d3a9a..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ /dev/null 
@@ -1,162 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "target_name_server_addresses" { - description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." - type = list(map(any)) -} - -variable "project_id" { - type = string - description = "Project ID for Private Shared VPC." -} - -variable "base_net_hub_project_id" { - type = string - description = "The base net hub project ID" - default = "" -} - -variable "mode" { - type = string - description = "Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise." - default = null -} - -variable "environment_code" { - type = string - description = "A short form of the folder level resources (environment) within the Google Cloud organization." -} - -variable "default_region1" { - type = string - description = "Default region 1 for subnets and Cloud Routers" -} - -variable "default_region2" { - type = string - description = "Default region 2 for subnets and Cloud Routers" -} - -variable "nat_enabled" { - type = bool - description = "Toggle creation of NAT cloud router." - default = false -} - -variable "nat_bgp_asn" { - type = number - description = "BGP ASN for first NAT cloud routes." 
- default = 64514 -} - -variable "nat_num_addresses_region1" { - type = number - description = "Number of external IPs to reserve for first Cloud NAT." - default = 2 -} - -variable "nat_num_addresses_region2" { - type = number - description = "Number of external IPs to reserve for second Cloud NAT." - default = 2 -} - -variable "bgp_asn_subnet" { - type = number - description = "BGP ASN for Subnets cloud routers." -} - -variable "subnets" { - type = list(object({ - subnet_name = string - subnet_ip = string - subnet_region = string - subnet_private_access = optional(string, "false") - subnet_private_ipv6_access = optional(string) - subnet_flow_logs = optional(string, "false") - subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") - subnet_flow_logs_sampling = optional(string, "0.5") - subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") - subnet_flow_logs_filter = optional(string, "true") - subnet_flow_logs_metadata_fields = optional(list(string), []) - description = optional(string) - purpose = optional(string) - role = optional(string) - stack_type = optional(string) - ipv6_access_type = optional(string) - })) - description = "The list of subnets being created" - default = [] -} - -variable "secondary_ranges" { - type = map(list(object({ range_name = string, ip_cidr_range = string }))) - description = "Secondary ranges that will be used in some of the subnets" - default = {} -} - -variable "dns_enable_inbound_forwarding" { - type = bool - description = "Toggle inbound query forwarding for VPC DNS." - default = true -} - -variable "dns_enable_logging" { - type = bool - description = "Toggle DNS logging for VPC DNS." - default = true -} - -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." 
- default = true -} - -variable "domain" { - type = string - description = "The DNS name of peering managed zone, for instance 'example.com.'" -} - -variable "private_service_cidr" { - type = string - description = "CIDR range for private service networking. Used for Cloud SQL and other managed services." - default = null -} - -variable "private_service_connect_ip" { - type = string - description = "Internal IP to be used as the private service connect endpoint." -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} - -variable "enable_all_vpc_internal_traffic" { - type = bool - description = "Enable firewall policy rule to allow internal traffic (ingress and egress)." - default = false -} - -variable "enable_transitivity_traffic" { - type = bool - description = "Enable a firewall policy rule to allow traffic between Hub and Spokes (ingress only)." - default = true -} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/versions.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/versions.tf deleted file mode 100644 index bcffc4274..000000000 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/versions.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -terraform { - required_version = ">= 0.13" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 3.50" - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 3.50" - } - } - - provider_meta "google" { - module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0" - } - - provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0" - } -} diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf b/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf index 4b50cfdd2..e0f5555f4 100644 --- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf +++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } 
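Review bot: the new constraint `version = ">= 3.50, < 6.26.0"` in dedicated_interconnect/versions.tf excludes every provider release from 6.26.0 onward, not only the release the comment names, so the module stays capped even after https://github.com/hashicorp/terraform-provider-google/issues/21950 is fixed; if the intent is to skip one broken release, `!= 6.26.0` expresses exactly that and keeps upgrades open, otherwise the comment should say the cap is temporary and when it is to be lifted. Style point: the added comments use `//`, while `#` is the idiomatic HCL single-line comment and is what the rest of the module tree uses outside license headers. Since Terraform intersects the constraints of every module in a root configuration, this cap silently applies to the whole foundation once one module carries it; making sure every versions.tf in the tree gets the same cap keeps standalone use of the other modules consistent with that.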
diff --git a/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf b/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf index 8f6a8235a..3101ab902 100644 --- a/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf +++ b/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.82" + version = ">= 3.82, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.82" + version = ">= 3.82, < 6.26.0" } random = { source = "hashicorp/random" diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/README.md b/3-networks-hub-and-spoke/modules/partner_interconnect/README.md index 5eb809ad6..1a9005cd2 100644 --- a/3-networks-hub-and-spoke/modules/partner_interconnect/README.md +++ b/3-networks-hub-and-spoke/modules/partner_interconnect/README.md @@ -4,7 +4,7 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail ## Prerequisites -1. Provisioning of four [VLAN attachments](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview) in the Hub project in the specified environment. That would be the `prj-c-{base|restricted}-net-hub` and `prj-net-dns` under the folder `fldr-common` in case of Hub and Spoke architecture. +1. Provisioning of four [VLAN attachments](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview) in the Hub project in the specified environment. That would be the `prj-c-svpc-net-hub` and `prj-net-dns` under the folder `fldr-common` in case of Hub and Spoke architecture. ## Usage 
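Review bot: the rewritten prerequisite in partner_interconnect/README.md still says the four VLAN attachments go "in the Hub project" and then lists two projects, `prj-c-svpc-net-hub` and `prj-net-dns`; with the base/restricted pair collapsed into a single hub project the sentence reads as if both projects need attachments. State which project hosts the four attachments (and whether the DNS project needs any) so the prerequisite is unambiguous after the rename.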
diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf b/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf index e363eb942..7eb80374d 100644 --- a/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf +++ b/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf deleted file mode 100644 index e9dadbb59..000000000 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ /dev/null 
@@ -1,71 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = var.project_id - name = "dp-${var.environment_code}-shared-restricted-default-policy" - enable_inbound_forwarding = var.dns_enable_inbound_forwarding - enable_logging = var.dns_enable_logging - networks { - network_url = module.main.network_self_link - } -} - -/****************************************** - Creates DNS Peering to DNS HUB -*****************************************/ - -module "peering_zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - count = var.mode == "spoke" ? 1 : 0 - - project_id = var.project_id - type = "peering" - name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" - domain = var.domain - description = "Private DNS peering zone." - - private_visibility_config_networks = [ - module.main.network_self_link - ] - target_network = data.google_compute_network.vpc_restricted_net_hub[0].self_link -} - -/****************************************** - DNS Forwarding -*****************************************/ -module "dns_forwarding_zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - count = var.mode != "spoke" ? 
1 : 0 - - project_id = var.project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.main.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/shared_vpc/README.md similarity index 95% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md rename to 3-networks-hub-and-spoke/modules/shared_vpc/README.md index 130845c51..136459732 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/shared_vpc/README.md 
@@ -26,12 +26,12 @@ | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | | nat\_num\_addresses\_region1 | Number of external IPs to reserve for region 1 Cloud NAT. | `number` | `2` | no | | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | +| net\_hub\_project\_id | The net hub project ID | `string` | `""` | no | +| net\_hub\_project\_number | The net hub project number | `string` | `""` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | -| project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | -| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | -| restricted\_net\_hub\_project\_number | The restricted net hub project number | `string` | `""` | no | +| project\_id | Project ID for Shared VPC. | `string` | n/a | yes | +| project\_number | Project number for Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | 
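Review bot: `net_hub_project_number` keeps the `""` default of the old restricted-only variable while `project_number` is a required `number`; both end up in `formatlist("projects/%s", [var.project_number, var.net_hub_project_number])` in service_control.tf, so a spoke deployed with `enforce_vpcsc = true` and the default left in place would try to place the resource `projects/` in the bridge perimeter. Suggest a `precondition` on the bridge perimeter (or a variable `validation`) requiring `net_hub_project_id` and `net_hub_project_number` to be non-empty when `mode = "spoke"`, and a sentence in their descriptions saying they are required for spokes; since this README is terraform-docs output, the wording belongs in shared_vpc/variables.tf.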
@@ -45,6 +45,7 @@ |------|-------------| | access\_level\_name | Access context manager access level name for the enforced perimeter | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | +| dns\_policy | The name of the DNS policy being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. | | firewall\_policy | Policy created for firewall policy rules. | | network\_name | The name of the VPC being created | @@ -53,7 +54,6 @@ | region1\_router2 | Router 2 for Region 1 | | region2\_router1 | Router 1 for Region 2 | | region2\_router2 | Router 2 for Region 2 | -| restricted\_dns\_policy | The name of the DNS policy being created | | service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | | subnets\_ips | The IPs and CIDRs of the subnets being created | | subnets\_names | The names of the subnets being created | diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/shared_vpc/dns.tf similarity index 89% rename from 3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/dns.tf index 355031822..657467d8c 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/dns.tf 
@@ -20,7 +20,7 @@ resource "google_dns_policy" "default_policy" { project = var.project_id - name = "dp-${var.environment_code}-shared-base-default-policy" + name = "dp-${var.environment_code}-svpc-default-policy" enable_inbound_forwarding = var.dns_enable_inbound_forwarding enable_logging = var.dns_enable_logging networks { @@ -40,14 +40,14 @@ module "peering_zone" { project_id = var.project_id type = "peering" - name = "dz-${var.environment_code}-shared-base-to-dns-hub" + name = "dz-${var.environment_code}-svpc-to-dns-hub" domain = var.domain description = "Private DNS peering zone." private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_base_net_hub[0].self_link + target_network = data.google_compute_network.vpc_net_hub[0].self_link } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf b/3-networks-hub-and-spoke/modules/shared_vpc/firewall.tf similarity index 83% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/firewall.tf index 5e2a9be25..d8a311090 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/firewall.tf @@ -23,8 +23,8 @@ module "firewall_rules" { version = "~> 10.0" project_id = var.project_id - policy_name = "fp-${var.environment_code}-hub-and-spoke-restricted-firewalls" - description = "Firewall rules for restricted hub and spoke shared vpc: ${module.main.network_name}." + policy_name = "fp-${var.environment_code}-hub-and-spoke-firewalls" + description = "Firewall rules for hub and spoke shared vpc: ${module.main.network_name}." target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"] rules = concat( 
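Review bot: changing `policy_name` from `fp-${var.environment_code}-hub-and-spoke-restricted-firewalls` to `fp-${var.environment_code}-hub-and-spoke-firewalls` forces replacement of the network firewall policy on any existing deployment, and every rule in it goes with the policy, including the priority 65530 deny-all egress; with Terraform's default destroy-then-create ordering the VPC named in `target_vpcs` has no policy attached between the two steps. A `moved` block does not help here because the resource argument changes rather than its address, so either say in the upgrade notes that this release is a fresh deployment rather than an in-place upgrade, or keep the old policy name reachable through a variable for environments that already exist.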
@@ -33,7 +33,7 @@ module "firewall_rules" { priority = "65530" direction = "EGRESS" action = "deny" - rule_name = "fw-${var.environment_code}-shared-restricted-65530-e-d-all-all-all" + rule_name = "fw-${var.environment_code}-svpc-65530-e-d-all-all-all" description = "Lower priority rule to deny all egress traffic." enable_logging = var.firewall_enable_logging match = { @@ -49,7 +49,7 @@ module "firewall_rules" { priority = "1000" direction = "EGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-restricted-1000-e-a-allow-google-apis-all-tcp-443" + rule_name = "fw-${var.environment_code}-svpc-1000-e-a-allow-google-apis-all-tcp-443" description = "Lower priority rule to allow restricted google apis on TCP port 443." enable_logging = var.firewall_enable_logging match = { @@ -68,7 +68,7 @@ module "firewall_rules" { priority = "10000" direction = "EGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all" + rule_name = "fw-${var.environment_code}-svpc-10000-e-a-all-all-all" description = "Allow all egress to the provided IP range." enable_logging = var.firewall_enable_logging match = { @@ -86,7 +86,7 @@ module "firewall_rules" { priority = "10001" direction = "INGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10001-i-a-all" + rule_name = "fw-${var.environment_code}-svpc-10001-i-a-all" description = "Allow all ingress to the provided IP range." enable_logging = var.firewall_enable_logging match = { diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/shared_vpc/main.tf similarity index 94% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/main.tf index eeafe07bf..243df845a 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/main.tf 
@@ -16,7 +16,7 @@ locals { mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-restricted${local.mode}" + vpc_name = "${var.environment_code}-svpc${local.mode}" network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" @@ -69,11 +69,11 @@ module "main" { /*************************************************************** VPC Peering Configuration **************************************************************/ -data "google_compute_network" "vpc_restricted_net_hub" { +data "google_compute_network" "vpc_net_hub" { count = var.mode == "spoke" ? 1 : 0 - name = "vpc-c-shared-restricted-hub" - project = var.restricted_net_hub_project_id + name = "vpc-c-svpc-hub" + project = var.net_hub_project_id } module "peering" { @@ -83,7 +83,7 @@ module "peering" { prefix = "np" local_network = module.main.network_self_link - peer_network = data.google_compute_network.vpc_restricted_net_hub[0].self_link + peer_network = data.google_compute_network.vpc_net_hub[0].self_link export_peer_custom_routes = true } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf b/3-networks-hub-and-spoke/modules/shared_vpc/nat.tf similarity index 100% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/nat.tf diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/shared_vpc/outputs.tf similarity index 99% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/outputs.tf index 442fc44dc..617c987fd 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/outputs.tf 
@@ -19,7 +19,7 @@ output "network_name" { description = "The name of the VPC being created" } -output "restricted_dns_policy" { +output "dns_policy" { value = google_dns_policy.default_policy.name description = "The name of the DNS policy being created" } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/shared_vpc/private_service_connect.tf similarity index 92% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/private_service_connect.tf index 99a49440c..409912772 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/private_service_connect.tf @@ -20,7 +20,7 @@ module "private_service_connect" { version = "~> 10.0" project_id = var.project_id - dns_code = "dz-${var.environment_code}-shared-restricted" + dns_code = "dz-${var.environment_code}-svpc" network_self_link = module.main.network_self_link private_service_connect_ip = var.private_service_connect_ip forwarding_rule_target = "vpc-sc" diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf b/3-networks-hub-and-spoke/modules/shared_vpc/service_control.tf similarity index 97% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/service_control.tf index 4772a396c..42921e0f5 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/service_control.tf 
@@ -15,7 +15,7 @@ */ locals { - prefix = "${var.environment_code}_shared_restricted" + prefix = "${var.environment_code}_shared_vpc" access_level_name = "alp_${local.prefix}_members_${random_id.random_access_level_suffix.hex}" access_level_name_dry_run = "alp_${local.prefix}_members_dry_run_${random_id.random_access_level_suffix.hex}" perimeter_name = "sp_${local.prefix}_default_perimeter_${random_id.random_access_level_suffix.hex}" @@ -112,7 +112,7 @@ resource "google_access_context_manager_service_perimeter" "bridge_to_network_hu use_explicit_dry_run_spec = var.enforce_vpcsc ? false : true status { - resources = var.enforce_vpcsc ? formatlist("projects/%s", [var.project_number, var.restricted_net_hub_project_number]) : [] + resources = var.enforce_vpcsc ? formatlist("projects/%s", [var.project_number, var.net_hub_project_number]) : [] } depends_on = [module.regular_service_perimeter] diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/shared_vpc/variables.tf similarity index 96% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/variables.tf index 4814ff734..043bf5649 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/variables.tf 
@@ -26,23 +26,23 @@ variable "access_context_manager_policy_id" { variable "project_id" { type = string - description = "Project ID for Restricted Shared VPC." + description = "Project ID for Shared VPC." } variable "project_number" { type = number - description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." + description = "Project number for Shared VPC. It is the project INSIDE the regular service perimeter." } -variable "restricted_net_hub_project_id" { +variable "net_hub_project_id" { type = string - description = "The restricted net hub project ID" + description = "The net hub project ID" default = "" } -variable "restricted_net_hub_project_number" { +variable "net_hub_project_number" { type = string - description = "The restricted net hub project number" + description = "The net hub project number" default = "" } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/versions.tf b/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf similarity index 89% rename from 3-networks-hub-and-spoke/modules/restricted_shared_vpc/versions.tf rename to 3-networks-hub-and-spoke/modules/shared_vpc/versions.tf index 4277a2715..2193f4688 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/versions.tf +++ b/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf @@ -19,11 +19,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } random = { source = "hashicorp/random" 
@@ -31,10 +31,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0" + module_name = "blueprints/terraform/terraform-example-foundation:shared_vpc/v4.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0" + module_name = "blueprints/terraform/terraform-example-foundation:shared_vpc/v4.1.0" } } diff --git a/3-networks-hub-and-spoke/modules/transitivity/versions.tf b/3-networks-hub-and-spoke/modules/transitivity/versions.tf index 5f77b730f..d70c918f4 100644 --- a/3-networks-hub-and-spoke/modules/transitivity/versions.tf +++ b/3-networks-hub-and-spoke/modules/transitivity/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } diff --git a/3-networks-dual-svpc/.gitignore b/3-networks-svpc/.gitignore similarity index 100% rename from 3-networks-dual-svpc/.gitignore rename to 3-networks-svpc/.gitignore diff --git a/3-networks-dual-svpc/README.md b/3-networks-svpc/README.md similarity index 91% rename from 3-networks-dual-svpc/README.md rename to 3-networks-svpc/README.md index f545f1c4e..b8e3a29f2 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-svpc/README.md @@ -1,4 +1,4 @@ -# 3-networks-dual-svpc +# 3-networks-svpc This repo is part of a multi-part guide that shows how to configure and deploy the example.com reference architecture described in 
@@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc (this file) -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc (this file) +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub @@ -58,7 +58,7 @@ For an overview of the architecture and the parts, see the The purpose of this step is to: - Set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones). -- Set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment. +- Shared VPCs with default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment. ## Prerequisites 
@@ -93,9 +93,9 @@ This step makes use of the **Dual Shared VPC** architecture, and more details ca If you provisioned the prerequisites listed in the [Dedicated Interconnect README](./modules/dedicated_interconnect/README.md), follow these steps to enable Dedicated Interconnect to access on-premises resources. -1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-dual-svpc/envs/shared` +1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-svpc/envs/shared` 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. -1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-dual-svpc/modules/base_env`. +1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-svpc/modules/base_env`. 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. 1. Set variable `enable_dedicated_interconnect` to `true` 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values. 
@@ -104,11 +104,11 @@ If you provisioned the prerequisites listed in the [Dedicated Interconnect READM If you provisioned the prerequisites listed in the [Partner Interconnect README](./modules/partner_interconnect/README.md) follow this steps to enable Partner Interconnect to access on-premises resources. -1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the shared envs folder in `3-networks-dual-svpc/envs/shared` -1. Rename `partner_interconnect.auto.tfvars.example` to `partner_interconnect.auto.tfvars` in the shared envs folder in `3-networks-dual-svpc/envs/shared` +1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the shared envs folder in `3-networks-svpc/envs/shared` +1. Rename `partner_interconnect.auto.tfvars.example` to `partner_interconnect.auto.tfvars` in the shared envs folder in `3-networks-svpc/envs/shared` 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. -1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the base-env folder in `3-networks-dual-svpc/modules/base_env` . -1. Update the `enable_partner_interconnect` to `true` in each `main.tf` file in the environment folder in `3-networks-dual-svpc/envs/` . +1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the base-env folder in `3-networks-svpc/modules/base_env` . +1. Update the `enable_partner_interconnect` to `true` in each `main.tf` file in the environment folder in `3-networks-svpc/envs/` . 1. Update the file `partner_interconnect.tf` with values that are valid for your environment for the VLAN attachments, locations, and candidate subnetworks. 1. The candidate subnetworks variable can be set to `null` to allow the interconnect module to auto generate this value. 
@@ -116,7 +116,7 @@ If you provisioned the prerequisites listed in the [Partner Interconnect README] If you are not able to use Dedicated or Partner Interconnect, you can also use an HA Cloud VPN to access on-premises resources. -1. Rename `vpn.tf.example` to `vpn.tf` in base-env folder in `3-networks-dual-svpc/modules/base_env`. +1. Rename `vpn.tf.example` to `vpn.tf` in base-env folder in `3-networks-svpc/modules/base_env`. 1. Create secret for VPN private pre-shared key and grant required roles to Networks terraform service account. ```bash @@ -157,7 +157,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get cd gcp-networks/ git checkout -b plan - cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . + cp -RT ../terraform-example-foundation/3-networks-svpc/ . cp ../terraform-example-foundation/build/cloudbuild-tf-* . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh @@ -262,6 +262,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash + git checkout plan git push --set-upstream origin plan ``` 
@@ -293,19 +294,19 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ### Deploying with Jenkins -See `0-bootstrap` [README-Jenkins.md](../0-bootstrap/README-Jenkins.md#deploying-step-3-networks-dual-svpc). +See `0-bootstrap` [README-Jenkins.md](../0-bootstrap/README-Jenkins.md#deploying-step-3-networks-svpc). ### Deploying with GitHub Actions -See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-step-3-networks-dual-svpc). +See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-step-3-networks-svpc). ### Run Terraform locally -1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create and change into `gcp-network` folder, copy `3-networks-dual-svpc` content, the Terraform wrapper script and ensure it can be executed. Also, initialize git so you can manage versions locally. +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create and change into `gcp-network` folder, copy `3-networks-svpc` content, the Terraform wrapper script and ensure it can be executed. Also, initialize git so you can manage versions locally. ```bash mkdir gcp-network - cp -R terraform-example-foundation/3-networks-dual-svpc/* gcp-network + cp -R terraform-example-foundation/3-networks-svpc/* gcp-network cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ cp terraform-example-foundation/.gitignore gcp-network/ chmod 755 ./gcp-network/tf-wrapper.sh 
@@ -323,6 +324,14 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s git checkout -b nonproduction ``` +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Change into `3-networks-svpc` folder, copy the Terraform wrapper script and ensure it can be executed. + + ```bash + cd terraform-example-foundation/3-networks-svpc + cp ../build/tf-wrapper.sh . + chmod 755 ./tf-wrapper.sh + ``` + 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash @@ -350,6 +359,8 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```` We will now deploy each of our environments(development/production/nonproduction) using this script. +When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch in the repository for 3-networks-svpc step +and only the corresponding environment is applied. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 
@@ -473,6 +484,6 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT Because enabling VPC Service Controls can be a disruptive process, this repo configures VPC Service Controls perimeters in dry run mode by default. This configuration will service traffic that crosses the security perimeter (API requests that originate from inside your perimeter communicating with external resources, or API requests from external resources communicating with resources inside your perimeter) but still allow service traffic normally. -When you are ready to enforce VPC Service Controls, we recommend that you review the guidance at [Best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable). After you have added the necessary exceptions and are confident that VPC Service Controls will not disrupt your intended operations, set the variable `enforce_vpcsc` under the module `restricted_shared_vpc` to `true` and re-apply this stage. Then re-apply the 4-projects stage, which will inherit the new setting and include those projects inside the enforced perimeter. +When you are ready to enforce VPC Service Controls, we recommend that you review the guidance at [Best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable). After you have added the necessary exceptions and are confident that VPC Service Controls will not disrupt your intended operations, set the variable `enforce_vpcsc` under the module `shared_vpc` to `true` and re-apply this stage. Then re-apply the 4-projects stage, which will inherit the new setting and include those projects inside the enforced perimeter. When you need to make changes to an existing enforced perimeter, you can test safely by modifying the configuration of the [dry run perimeter](https://cloud.google.com/vpc-service-controls/docs/dry-run-mode). 
This will log traffic denied by the dry run perimeter without impacting whether the enforced perimeter allows or denies traffic. diff --git a/3-networks-dual-svpc/access_context.auto.example.tfvars b/3-networks-svpc/access_context.auto.example.tfvars similarity index 100% rename from 3-networks-dual-svpc/access_context.auto.example.tfvars rename to 3-networks-svpc/access_context.auto.example.tfvars diff --git a/3-networks-dual-svpc/common.auto.example.tfvars b/3-networks-svpc/common.auto.example.tfvars similarity index 100% rename from 3-networks-dual-svpc/common.auto.example.tfvars rename to 3-networks-svpc/common.auto.example.tfvars diff --git a/3-networks-dual-svpc/envs/development/README.md b/3-networks-svpc/envs/development/README.md similarity index 82% rename from 3-networks-dual-svpc/envs/development/README.md rename to 3-networks-svpc/envs/development/README.md index e927ba669..92774e3cb 100644 --- a/3-networks-dual-svpc/envs/development/README.md +++ b/3-networks-svpc/envs/development/README.md 
@@ -1,13 +1,13 @@ -# 3-networks-dual-svpc/development +# 3-networks-svpc/development -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment development. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment development. ## Prerequisites 1. 0-bootstrap executed successfully. 1. 1-org executed successfully. 1. 2-environments/envs/development executed successfully. -1. 3-networks-dual-svpc/envs/shared executed successfully. +1. 3-networks-svpc/envs/shared executed successfully. 1. Obtain the value for the access_context_manager_policy_id variable. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. 
@@ -33,21 +33,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-dual-svpc/envs/development/access_context.auto.tfvars b/3-networks-svpc/envs/development/access_context.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/development/access_context.auto.tfvars rename to 3-networks-svpc/envs/development/access_context.auto.tfvars diff --git a/3-networks-dual-svpc/envs/development/backend.tf b/3-networks-svpc/envs/development/backend.tf similarity index 100% rename from 3-networks-dual-svpc/envs/development/backend.tf rename to 3-networks-svpc/envs/development/backend.tf 
diff --git a/3-networks-dual-svpc/envs/development/backend.tf.cloud.example b/3-networks-svpc/envs/development/backend.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/development/backend.tf.cloud.example rename to 3-networks-svpc/envs/development/backend.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/development/common.auto.tfvars b/3-networks-svpc/envs/development/common.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/development/common.auto.tfvars rename to 3-networks-svpc/envs/development/common.auto.tfvars diff --git a/3-networks-svpc/envs/development/main.tf b/3-networks-svpc/envs/development/main.tf new file mode 100644 index 000000000..d948f1043 --- /dev/null +++ b/3-networks-svpc/envs/development/main.tf 
@@ -0,0 +1,69 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + env = "development" + environment_code = substr(local.env, 0, 1) + /* + * Network ranges + */ + private_service_cidr = "10.16.40.0/21" + subnet_primary_ranges = { + (local.default_region1) = "10.8.64.0/18" + (local.default_region2) = "10.9.64.0/18" + } + subnet_proxy_ranges = { + (local.default_region1) = "10.26.2.0/23" + (local.default_region2) = "10.27.2.0/23" + } + subnet_secondary_ranges = { + (local.default_region1) = [ + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" + ip_cidr_range = "100.72.64.0/18" + }, + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" + ip_cidr_range = "100.73.64.0/18" + } + ] + } +} + +module "base_env" { + source = "../../modules/base_env" + + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies = var.egress_policies + egress_policies_dry_run = var.egress_policies_dry_run + 
enable_partner_interconnect = false + private_service_cidr = local.private_service_cidr + subnet_primary_ranges = local.subnet_primary_ranges + subnet_proxy_ranges = local.subnet_proxy_ranges + subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.6" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name +} diff --git a/3-networks-svpc/envs/development/outputs.tf b/3-networks-svpc/envs/development/outputs.tf new file mode 100644 index 000000000..c104444fd --- /dev/null +++ b/3-networks-svpc/envs/development/outputs.tf 
@@ -0,0 +1,75 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The shared vpc host project ID" +} + +output "network_name" { + value = module.base_env.network_name + description = "The name of the VPC being created" +} + +output "network_self_link" { + value = module.base_env.network_self_link + description = "The URI of the VPC being created" +} + +output "subnets_names" { + value = module.base_env.subnets_names + description = "The names of the subnets being created" +} + +output "subnets_ips" { + value = module.base_env.subnets_ips + description = "The IPs and CIDRs of the subnets being created" +} + +output "subnets_self_links" { + value = module.base_env.subnets_self_links + description = "The self-links of subnets being created" +} + +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges + description = "The secondary ranges associated with these subnets" +} + +output "access_level_name" { + value = module.base_env.access_level_name + description = "Access context manager access level name" +} + +output "access_level_name_dry_run" { + value = module.base_env.access_level_name_dry_run + description = "Access context manager 
access level name for the dry-run perimeter" +} + +output "enforce_vpcsc" { + value = module.base_env.enforce_vpcsc + description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." +} + +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name + description = "Access context manager service perimeter name" +} diff --git a/3-networks-dual-svpc/envs/development/providers.tf b/3-networks-svpc/envs/development/providers.tf similarity index 100% rename from 3-networks-dual-svpc/envs/development/providers.tf rename to 3-networks-svpc/envs/development/providers.tf diff --git a/3-networks-dual-svpc/envs/development/remote.tf b/3-networks-svpc/envs/development/remote.tf similarity index 100% rename from 3-networks-dual-svpc/envs/development/remote.tf rename to 3-networks-svpc/envs/development/remote.tf diff --git a/3-networks-dual-svpc/envs/development/remote.tf.cloud.example b/3-networks-svpc/envs/development/remote.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/development/remote.tf.cloud.example rename to 3-networks-svpc/envs/development/remote.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/development/variables.tf b/3-networks-svpc/envs/development/variables.tf similarity index 100% rename from 3-networks-dual-svpc/envs/development/variables.tf rename to 3-networks-svpc/envs/development/variables.tf 
diff --git a/3-networks-dual-svpc/envs/development/versions.tf b/3-networks-svpc/envs/development/versions.tf similarity index 71% rename from 3-networks-dual-svpc/envs/development/versions.tf rename to 3-networks-svpc/envs/development/versions.tf index 2981b9ff7..94018c4e5 100644 --- a/3-networks-dual-svpc/envs/development/versions.tf +++ b/3-networks-svpc/envs/development/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-dual-svpc/envs/nonproduction/README.md b/3-networks-svpc/envs/nonproduction/README.md similarity index 82% rename from 3-networks-dual-svpc/envs/nonproduction/README.md rename to 3-networks-svpc/envs/nonproduction/README.md index bf0ae714f..33377827e 100644 --- a/3-networks-dual-svpc/envs/nonproduction/README.md +++ b/3-networks-svpc/envs/nonproduction/README.md 
@@ -1,13 +1,13 @@ -# 3-networks-dual-svpc/nonproduction +# 3-networks-svpc/nonproduction -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment nonproduction. ## Prerequisites 1. 0-bootstrap executed successfully. 1. 1-org executed successfully. 1. 2-environments/envs/nonproduction executed successfully. -1. 3-networks-dual-svpc/envs/shared executed successfully. +1. 3-networks-svpc/envs/shared executed successfully. 1. Obtain the value for the access_context_manager_policy_id variable. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. 
@@ -33,21 +33,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-dual-svpc/envs/nonproduction/access_context.auto.tfvars b/3-networks-svpc/envs/nonproduction/access_context.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/access_context.auto.tfvars rename to 3-networks-svpc/envs/nonproduction/access_context.auto.tfvars diff --git a/3-networks-dual-svpc/envs/nonproduction/backend.tf b/3-networks-svpc/envs/nonproduction/backend.tf similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/backend.tf rename to 3-networks-svpc/envs/nonproduction/backend.tf 
diff --git a/3-networks-dual-svpc/envs/nonproduction/backend.tf.cloud.example b/3-networks-svpc/envs/nonproduction/backend.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/backend.tf.cloud.example rename to 3-networks-svpc/envs/nonproduction/backend.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/nonproduction/common.auto.tfvars b/3-networks-svpc/envs/nonproduction/common.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/common.auto.tfvars rename to 3-networks-svpc/envs/nonproduction/common.auto.tfvars diff --git a/3-networks-svpc/envs/nonproduction/main.tf b/3-networks-svpc/envs/nonproduction/main.tf new file mode 100644 index 000000000..2686cf532 --- /dev/null +++ b/3-networks-svpc/envs/nonproduction/main.tf 
@@ -0,0 +1,67 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + env = "nonproduction" + environment_code = substr(local.env, 0, 1) + + private_service_cidr = "10.16.48.0/21" + subnet_primary_ranges = { + (local.default_region1) = "10.8.128.0/18" + (local.default_region2) = "10.9.128.0/18" + } + subnet_proxy_ranges = { + (local.default_region1) = "10.26.4.0/23" + (local.default_region2) = "10.27.4.0/23" + } + subnet_secondary_ranges = { + (local.default_region1) = [ + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" + ip_cidr_range = "100.72.128.0/18" + }, + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" + ip_cidr_range = "100.73.128.0/18" + } + ] + } +} + +module "base_env" { + source = "../../modules/base_env" + + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies = var.egress_policies + egress_policies_dry_run = var.egress_policies_dry_run + enable_partner_interconnect = false + 
private_service_cidr = local.private_service_cidr + subnet_proxy_ranges = local.subnet_proxy_ranges + subnet_primary_ranges = local.subnet_primary_ranges + subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.7" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name +} diff --git a/3-networks-svpc/envs/nonproduction/outputs.tf b/3-networks-svpc/envs/nonproduction/outputs.tf new file mode 100644 index 000000000..c104444fd --- /dev/null +++ b/3-networks-svpc/envs/nonproduction/outputs.tf 
@@ -0,0 +1,75 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The shared vpc host project ID" +} + +output "network_name" { + value = module.base_env.network_name + description = "The name of the VPC being created" +} + +output "network_self_link" { + value = module.base_env.network_self_link + description = "The URI of the VPC being created" +} + +output "subnets_names" { + value = module.base_env.subnets_names + description = "The names of the subnets being created" +} + +output "subnets_ips" { + value = module.base_env.subnets_ips + description = "The IPs and CIDRs of the subnets being created" +} + +output "subnets_self_links" { + value = module.base_env.subnets_self_links + description = "The self-links of subnets being created" +} + +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges + description = "The secondary ranges associated with these subnets" +} + +output "access_level_name" { + value = module.base_env.access_level_name + description = "Access context manager access level name" +} + +output "access_level_name_dry_run" { + value = module.base_env.access_level_name_dry_run + description = "Access context manager 
access level name for the dry-run perimeter" +} + +output "enforce_vpcsc" { + value = module.base_env.enforce_vpcsc + description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." +} + +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name + description = "Access context manager service perimeter name" +} diff --git a/3-networks-dual-svpc/envs/nonproduction/providers.tf b/3-networks-svpc/envs/nonproduction/providers.tf similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/providers.tf rename to 3-networks-svpc/envs/nonproduction/providers.tf diff --git a/3-networks-dual-svpc/envs/nonproduction/remote.tf b/3-networks-svpc/envs/nonproduction/remote.tf similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/remote.tf rename to 3-networks-svpc/envs/nonproduction/remote.tf diff --git a/3-networks-dual-svpc/envs/nonproduction/remote.tf.cloud.example b/3-networks-svpc/envs/nonproduction/remote.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/remote.tf.cloud.example rename to 3-networks-svpc/envs/nonproduction/remote.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/nonproduction/variables.tf b/3-networks-svpc/envs/nonproduction/variables.tf similarity index 100% rename from 3-networks-dual-svpc/envs/nonproduction/variables.tf rename to 3-networks-svpc/envs/nonproduction/variables.tf 
diff --git a/3-networks-dual-svpc/envs/nonproduction/versions.tf b/3-networks-svpc/envs/nonproduction/versions.tf similarity index 71% rename from 3-networks-dual-svpc/envs/nonproduction/versions.tf rename to 3-networks-svpc/envs/nonproduction/versions.tf index 2981b9ff7..94018c4e5 100644 --- a/3-networks-dual-svpc/envs/nonproduction/versions.tf +++ b/3-networks-svpc/envs/nonproduction/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-svpc/envs/production/README.md similarity index 81% rename from 3-networks-dual-svpc/envs/production/README.md rename to 3-networks-svpc/envs/production/README.md index 4cedf43a6..01a596fbd 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-svpc/envs/production/README.md 
@@ -1,13 +1,13 @@ -# 3-networks-dual-svpc/production +# 3-networks-svpc/production -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production and the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments. +The purpose of this step is to set up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production and the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments. ## Prerequisites 1. 0-bootstrap executed successfully. 1. 1-org executed successfully. 1. 2-environments/envs/production executed successfully. -1. 3-networks-dual-svpc/envs/shared executed successfully. +1. 3-networks-svpc/envs/shared executed successfully. 1. Obtain the value for the access_context_manager_policy_id variable. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. 
@@ -34,21 +34,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | access\_level\_name | Access context manager access level name | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | diff --git a/3-networks-dual-svpc/envs/production/access_context.auto.tfvars b/3-networks-svpc/envs/production/access_context.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/production/access_context.auto.tfvars rename to 3-networks-svpc/envs/production/access_context.auto.tfvars diff --git a/3-networks-dual-svpc/envs/production/backend.tf b/3-networks-svpc/envs/production/backend.tf similarity index 100% rename from 3-networks-dual-svpc/envs/production/backend.tf rename to 3-networks-svpc/envs/production/backend.tf 
diff --git a/3-networks-dual-svpc/envs/production/backend.tf.cloud.example b/3-networks-svpc/envs/production/backend.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/production/backend.tf.cloud.example rename to 3-networks-svpc/envs/production/backend.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/production/common.auto.tfvars b/3-networks-svpc/envs/production/common.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/production/common.auto.tfvars rename to 3-networks-svpc/envs/production/common.auto.tfvars diff --git a/3-networks-svpc/envs/production/main.tf b/3-networks-svpc/envs/production/main.tf new file mode 100644 index 000000000..07e043eb1 --- /dev/null +++ b/3-networks-svpc/envs/production/main.tf 
@@ -0,0 +1,68 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + env = "production" + environment_code = substr(local.env, 0, 1) + + private_service_cidr = "10.16.56.0/21" + subnet_primary_ranges = { + (local.default_region1) = "10.8.192.0/18" + (local.default_region2) = "10.9.192.0/18" + } + subnet_proxy_ranges = { + (local.default_region1) = "10.26.6.0/23" + (local.default_region2) = "10.27.6.0/23" + } + subnet_secondary_ranges = { + (local.default_region1) = [ + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-pod" + ip_cidr_range = "100.72.192.0/18" + }, + { + range_name = "rn-${local.environment_code}-svpc-${local.default_region1}-gke-svc" + ip_cidr_range = "100.73.192.0/18" + } + ] + } +} + +module "base_env" { + source = "../../modules/base_env" + + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + perimeter_additional_members = var.perimeter_additional_members + perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies = var.egress_policies + egress_policies_dry_run = var.egress_policies_dry_run + enable_partner_interconnect = false + 
private_service_cidr = local.private_service_cidr + subnet_primary_ranges = local.subnet_primary_ranges + subnet_proxy_ranges = local.subnet_proxy_ranges + subnet_secondary_ranges = local.subnet_secondary_ranges + private_service_connect_ip = "10.17.0.8" + remote_state_bucket = var.remote_state_bucket + tfc_org_name = var.tfc_org_name + target_name_server_addresses = var.target_name_server_addresses +} diff --git a/3-networks-svpc/envs/production/outputs.tf b/3-networks-svpc/envs/production/outputs.tf new file mode 100644 index 000000000..c104444fd --- /dev/null +++ b/3-networks-svpc/envs/production/outputs.tf 
@@ -0,0 +1,75 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + +output "shared_vpc_host_project_id" { + value = module.base_env.shared_vpc_host_project_id + description = "The shared vpc host project ID" +} + +output "network_name" { + value = module.base_env.network_name + description = "The name of the VPC being created" +} + +output "network_self_link" { + value = module.base_env.network_self_link + description = "The URI of the VPC being created" +} + +output "subnets_names" { + value = module.base_env.subnets_names + description = "The names of the subnets being created" +} + +output "subnets_ips" { + value = module.base_env.subnets_ips + description = "The IPs and CIDRs of the subnets being created" +} + +output "subnets_self_links" { + value = module.base_env.subnets_self_links + description = "The self-links of subnets being created" +} + +output "subnets_secondary_ranges" { + value = module.base_env.subnets_secondary_ranges + description = "The secondary ranges associated with these subnets" +} + +output "access_level_name" { + value = module.base_env.access_level_name + description = "Access context manager access level name" +} + +output "access_level_name_dry_run" { + value = module.base_env.access_level_name_dry_run + description = "Access context manager 
access level name for the dry-run perimeter" +} + +output "enforce_vpcsc" { + value = module.base_env.enforce_vpcsc + description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." +} + +output "service_perimeter_name" { + value = module.base_env.service_perimeter_name + description = "Access context manager service perimeter name" +} diff --git a/3-networks-dual-svpc/envs/production/production.auto.tfvars b/3-networks-svpc/envs/production/production.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/production/production.auto.tfvars rename to 3-networks-svpc/envs/production/production.auto.tfvars diff --git a/3-networks-dual-svpc/envs/production/providers.tf b/3-networks-svpc/envs/production/providers.tf similarity index 100% rename from 3-networks-dual-svpc/envs/production/providers.tf rename to 3-networks-svpc/envs/production/providers.tf diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-svpc/envs/production/remote.tf similarity index 100% rename from 3-networks-dual-svpc/envs/production/remote.tf rename to 3-networks-svpc/envs/production/remote.tf diff --git a/3-networks-dual-svpc/envs/production/remote.tf.cloud.example b/3-networks-svpc/envs/production/remote.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/production/remote.tf.cloud.example rename to 3-networks-svpc/envs/production/remote.tf.cloud.example 
diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-svpc/envs/production/variables.tf similarity index 100% rename from 3-networks-dual-svpc/envs/production/variables.tf rename to 3-networks-svpc/envs/production/variables.tf diff --git a/3-networks-dual-svpc/envs/production/versions.tf b/3-networks-svpc/envs/production/versions.tf similarity index 71% rename from 3-networks-dual-svpc/envs/production/versions.tf rename to 3-networks-svpc/envs/production/versions.tf index 2981b9ff7..94018c4e5 100644 --- a/3-networks-dual-svpc/envs/production/versions.tf +++ b/3-networks-svpc/envs/production/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-svpc/envs/shared/README.md similarity index 98% rename from 3-networks-dual-svpc/envs/shared/README.md rename to 3-networks-svpc/envs/shared/README.md index 37d6649d7..35922911a 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-svpc/envs/shared/README.md @@ -1,4 +1,4 @@ -# 3-networks-dual-svpc/shared +# 3-networks-svpc/shared ## Prerequisites diff --git a/3-networks-dual-svpc/envs/shared/access_context.auto.tfvars b/3-networks-svpc/envs/shared/access_context.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/shared/access_context.auto.tfvars rename to 3-networks-svpc/envs/shared/access_context.auto.tfvars 
diff --git a/3-networks-dual-svpc/envs/shared/backend.tf b/3-networks-svpc/envs/shared/backend.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/backend.tf rename to 3-networks-svpc/envs/shared/backend.tf diff --git a/3-networks-dual-svpc/envs/shared/backend.tf.cloud.example b/3-networks-svpc/envs/shared/backend.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/shared/backend.tf.cloud.example rename to 3-networks-svpc/envs/shared/backend.tf.cloud.example diff --git a/3-networks-dual-svpc/envs/shared/common.auto.tfvars b/3-networks-svpc/envs/shared/common.auto.tfvars similarity index 100% rename from 3-networks-dual-svpc/envs/shared/common.auto.tfvars rename to 3-networks-svpc/envs/shared/common.auto.tfvars diff --git a/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf b/3-networks-svpc/envs/shared/hierarchical_firewall.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf rename to 3-networks-svpc/envs/shared/hierarchical_firewall.tf diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-svpc/envs/shared/outputs.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/outputs.tf rename to 3-networks-svpc/envs/shared/outputs.tf diff --git a/3-networks-dual-svpc/envs/shared/providers.tf b/3-networks-svpc/envs/shared/providers.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/providers.tf rename to 3-networks-svpc/envs/shared/providers.tf diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-svpc/envs/shared/remote.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/remote.tf rename to 3-networks-svpc/envs/shared/remote.tf diff --git a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example b/3-networks-svpc/envs/shared/remote.tf.cloud.example similarity index 100% rename from 3-networks-dual-svpc/envs/shared/remote.tf.cloud.example rename to 3-networks-svpc/envs/shared/remote.tf.cloud.example 
diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-svpc/envs/shared/variables.tf similarity index 100% rename from 3-networks-dual-svpc/envs/shared/variables.tf rename to 3-networks-svpc/envs/shared/variables.tf diff --git a/3-networks-dual-svpc/envs/shared/versions.tf b/3-networks-svpc/envs/shared/versions.tf similarity index 71% rename from 3-networks-dual-svpc/envs/shared/versions.tf rename to 3-networks-svpc/envs/shared/versions.tf index 2981b9ff7..94018c4e5 100644 --- a/3-networks-dual-svpc/envs/shared/versions.tf +++ b/3-networks-svpc/envs/shared/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } } diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-svpc/modules/base_env/README.md similarity index 58% rename from 3-networks-dual-svpc/modules/base_env/README.md rename to 3-networks-svpc/modules/base_env/README.md index 39744b3ba..928e11794 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-svpc/modules/base_env/README.md 
@@ -4,12 +4,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | -| base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes | -| base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes | -| base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | -| base\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | -| base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes | -| base\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | custom\_restricted\_services | List of custom services to be protected by the enforced VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | custom\_restricted\_services\_dry\_run | List of custom services to be protected by the dry-run VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -25,15 +19,15 @@ | ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | +| private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Shared Vpc. | `string` | n/a | yes | +| private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Shared VPC | `string` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | -| restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | -| restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | -| restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. 
| `map(string)` | n/a | yes | -| restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | -| restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | +| subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Shared Vpc. | `map(string)` | n/a | yes | +| subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Shared Vpc. | `map(string)` | n/a | yes | +| subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Shared Vpc | `map(list(map(string)))` | n/a | yes | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | +| vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs 
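Review bot: the rewritten `+| subnet_primary_ranges |`, `+| subnet_proxy_ranges |` and `+| subnet_secondary_ranges |` rows carry over the typo "IPTs ranges" (should read "IP ranges") and the inconsistent "Shared Vpc" spelling from the old `restricted_*` rows; since these rows are new text, fix them to "The base subnet primary IP ranges for the Shared VPC." and give the secondary-ranges row its missing trailing period. The `+| vpc_flow_logs |` row likewise repeats "ist of metadata fields" (missing the leading "L") and "as as CEL expression" from the `restricted_vpc_flow_logs` description it replaces. Optionally, `flow_sampling = optional(string, "0.5")` is typed as a string while the description requires a value in [0, 1]; if the subnet module accepts a number, `optional(number, 0.5)` would let Terraform reject non-numeric input instead of passing it through.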
@@ -41,24 +35,15 @@ |------|-------------| | access\_level\_name | Access context manager access level name for the enforced perimeter | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | -| base\_dns\_project\_id | The base DNS project ID | -| base\_host\_project\_id | The base host project ID | -| base\_network\_name | The name of the VPC being created | -| base\_network\_self\_link | The URI of the VPC being created | -| base\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| base\_subnets\_names | The names of the subnets being created | -| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. 
| -| restricted\_dns\_project\_id | The restricted DNS project ID | -| restricted\_host\_project\_id | The restricted host project ID | -| restricted\_network\_name | The name of the VPC being created | -| restricted\_network\_self\_link | The URI of the VPC being created | -| restricted\_service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | -| restricted\_subnets\_ips | The IPs and CIDRs of the subnets being created | -| restricted\_subnets\_names | The names of the subnets being created | -| restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | -| restricted\_subnets\_self\_links | The self-links of subnets being created | +| network\_name | The name of the VPC being created | +| network\_self\_link | The URI of the VPC being created | +| service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | +| shared\_vpc\_host\_project\_id | The shared vpc host project ID | +| subnets\_ips | The IPs and CIDRs of the subnets being created | +| subnets\_names | The names of the subnets being created | +| subnets\_secondary\_ranges | The secondary ranges associated with these subnets | +| subnets\_self\_links | The self-links of subnets being created | | target\_name\_server\_addresses | List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries. | diff --git a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example b/3-networks-svpc/modules/base_env/interconnect.tf.example similarity index 63% rename from 3-networks-dual-svpc/modules/base_env/interconnect.tf.example rename to 3-networks-svpc/modules/base_env/interconnect.tf.example index 9246da10c..5f227f711 100644 --- a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example +++ b/3-networks-svpc/modules/base_env/interconnect.tf.example 
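Review bot: this hunk renames every remote-state output of the step (`restricted_host_project_id`, `base_host_project_id`, `restricted_subnets_*`, `base_subnets_*` and the rest) to the un-prefixed `network_name`, `shared_vpc_host_project_id`, `subnets_*` forms, which is a breaking change for anything that reads this step's state; the README should call out the rename for existing deployments, and the consumers in later steps (`4-projects`, per the bootstrap README in this same change) need to be updated together with it. Also, `+| shared\_vpc\_host\_project\_id | The shared vpc host project ID |` should read "Shared VPC" to match the other descriptions.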
@@ -83,20 +83,20 @@ locals { } } -module "shared_restricted_interconnect" { +module "shared_interconnect" { source = "../dedicated_interconnect" - vpc_name = "${var.environment_code}-shared-restricted" - interconnect_project_id = local.restricted_project_id + vpc_name = "${var.environment_code}-svpc" + interconnect_project_id = local.shared_vpc_project_id region1 = var.default_region1 - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name + region1_router1_name = module.shared_vpc.region1_router1.router.name region1_interconnect1_candidate_subnets = local.restricted_config[var.env]["region1_interconnect1_candidate_subnets"] region1_interconnect1_vlan_tag8021q = local.restricted_config[var.env]["region1_interconnect1_vlan_tag8021q"] region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name + region1_router2_name = module.shared_vpc.region1_router2.router.name region1_interconnect2_candidate_subnets = local.restricted_config[var.env]["region1_interconnect2_candidate_subnets"] region1_interconnect2_vlan_tag8021q = local.restricted_config[var.env]["region1_interconnect2_vlan_tag8021q"] region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" 
@@ -104,13 +104,13 @@ module "shared_restricted_interconnect" { region1_interconnect2_onprem_dc = "onprem-dc2" region2 = var.default_region2 - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name + region2_router1_name = module.shared_vpc.region2_router1.router.name region2_interconnect1_candidate_subnets = local.restricted_config[var.env]["region2_interconnect1_candidate_subnets"] region2_interconnect1_vlan_tag8021q = local.restricted_config[var.env]["region2_interconnect1_vlan_tag8021q"] region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name + region2_router2_name = module.shared_vpc.region2_router2.router.name region2_interconnect2_candidate_subnets = local.restricted_config[var.env]["region2_interconnect2_candidate_subnets"] region2_interconnect2_vlan_tag8021q = local.restricted_config[var.env]["region2_interconnect2_vlan_tag8021q"] region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" 
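Review bot: the module is renamed to `shared_interconnect` and its `vpc_name` becomes `${var.environment_code}-svpc`, but every candidate-subnet and VLAN-tag lookup in this hunk and the one above still reads `local.restricted_config[var.env][...]`; rename that local alongside the module (e.g. `svpc_config`) so the example no longer refers to a "restricted" VPC that this change removes, or, if the locals block is intentionally left untouched, confirm `local.restricted_config` still exists once the `base_config` entries that only served the deleted `shared_base_interconnect` module are removed.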
@@ -128,56 +128,6 @@ module "shared_restricted_interconnect" { } depends_on = [ - module.restricted_shared_vpc - ] -} - -module "shared_base_interconnect" { - source = "../dedicated_interconnect" - - vpc_name = "${var.environment_code}-shared-base" - interconnect_project_id = local.base_project_id - - region1 = var.default_region1 - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = local.base_config[var.env]["region1_interconnect1_candidate_subnets"] - region1_interconnect1_vlan_tag8021q = local.base_config[var.env]["region1_interconnect1_vlan_tag8021q"] - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = local.base_config[var.env]["region1_interconnect2_candidate_subnets"] - region1_interconnect2_vlan_tag8021q = local.base_config[var.env]["region1_interconnect2_vlan_tag8021q"] - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = var.default_region2 - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_interconnect1_candidate_subnets = local.base_config[var.env]["region2_interconnect1_candidate_subnets"] - region2_interconnect1_vlan_tag8021q = local.base_config[var.env]["region2_interconnect1_vlan_tag8021q"] - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = 
"onprem-dc3" - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = local.base_config[var.env]["region2_interconnect2_candidate_subnets"] - region2_interconnect2_vlan_tag8021q = local.base_config[var.env]["region2_interconnect2_vlan_tag8021q"] - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } - - depends_on = [ - module.base_shared_vpc + module.shared_vpc ] } diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-svpc/modules/base_env/main.tf similarity index 60% rename from 3-networks-dual-svpc/modules/base_env/main.tf rename to 3-networks-svpc/modules/base_env/main.tf index ffd7a9c32..ba632c9db 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-svpc/modules/base_env/main.tf @@ -164,14 +164,14 @@ locals { } /****************************************** - Restricted shared VPC + Shared VPC *****************************************/ -module "restricted_shared_vpc" { - source = "../restricted_shared_vpc" +module "shared_vpc" { + source = "../shared_vpc" - project_id = local.restricted_project_id - project_number = local.restricted_project_number - restricted_dns_project_id = local.restricted_dns_project_id + project_id = local.shared_vpc_project_id + project_number = local.shared_vpc_project_number + dns_project_id = local.dns_project_id environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services 
@@ -186,8 +186,8 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip + private_service_cidr = var.private_service_cidr + private_service_connect_ip = var.private_service_connect_ip bgp_asn_subnet = local.bgp_asn_number default_region1 = var.default_region1 default_region2 = var.default_region2 
@@ -208,34 +208,34 @@ module "restricted_shared_vpc" { subnets = [ { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region1}" + subnet_ip = var.subnet_primary_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" subnet_flow_logs = true - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr description = "First ${var.env} subnet example." 
}, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region2}" + subnet_ip = var.subnet_primary_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" subnet_flow_logs = true - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region1}-proxy" + subnet_ip = var.subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." 
@@ -243,8 +243,8 @@ module "restricted_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_name = "sb-${var.environment_code}-svpc-${var.default_region2}-proxy" + subnet_ip = var.subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." 
@@ -253,77 +253,7 @@ module "restricted_shared_vpc" { } ] secondary_ranges = { - "sb-${var.environment_code}-shared-restricted-${var.default_region1}" = var.restricted_subnet_secondary_ranges[var.default_region1] - } -} - -/****************************************** - Base shared VPC -*****************************************/ - -module "base_shared_vpc" { - source = "../base_shared_vpc" - - project_id = local.base_project_id - base_dns_project_id = local.base_dns_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - private_service_connect_ip = var.base_private_service_connect_ip - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number - target_name_server_addresses = var.target_name_server_addresses - - subnets = [ - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = true - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "First ${var.env} subnet example." 
- }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = true - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Second ${var.env} subnet example." - }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - }, - { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - } - ] - - secondary_ranges = { - "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1] + "sb-${var.environment_code}-svpc-${var.default_region1}" = var.subnet_secondary_ranges[var.default_region1] } } diff --git a/3-networks-svpc/modules/base_env/outputs.tf b/3-networks-svpc/modules/base_env/outputs.tf new file mode 100644 index 000000000..c55a4771c --- /dev/null +++ b/3-networks-svpc/modules/base_env/outputs.tf 
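Review bot: deleting the `base_shared_vpc` module here leaves each environment with a single Shared VPC, and that VPC is the one created with `access_context_manager_policy_id` and `restricted_services` (see the `shared_vpc` module in the `@@ -164` hunk), so every workload subnet is now inside the VPC Service Controls perimeter rather than only the former "restricted" one. The README for this step should state that explicitly: teams that previously placed workloads in the base VPC to keep them outside the perimeter lose that option and have to stage the change through `enforce_vpcsc`'s dry-run mode and the ingress/egress policy variables instead.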
@@ -0,0 +1,75 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "target_name_server_addresses" { + value = var.target_name_server_addresses + description = "List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries." +} + +output "shared_vpc_host_project_id" { + value = local.shared_vpc_project_id + description = "The shared vpc host project ID" +} + +output "network_name" { + value = module.shared_vpc.network_name + description = "The name of the VPC being created" +} + +output "network_self_link" { + value = module.shared_vpc.network_self_link + description = "The URI of the VPC being created" +} + +output "subnets_names" { + value = module.shared_vpc.subnets_names + description = "The names of the subnets being created" +} + +output "subnets_ips" { + value = module.shared_vpc.subnets_ips + description = "The IPs and CIDRs of the subnets being created" +} + +output "subnets_self_links" { + value = module.shared_vpc.subnets_self_links + description = "The self-links of subnets being created" +} + +output "subnets_secondary_ranges" { + value = module.shared_vpc.subnets_secondary_ranges + description = "The secondary ranges associated with these subnets" +} + +output "access_level_name" { + value = module.shared_vpc.access_level_name + description = "Access context manager access level 
name for the enforced perimeter" +} + +output "access_level_name_dry_run" { + value = module.shared_vpc.access_level_name_dry_run + description = "Access context manager access level name for the dry-run perimeter" +} + +output "enforce_vpcsc" { + value = module.shared_vpc.enforce_vpcsc + description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases." +} + +output "service_perimeter_name" { + value = module.shared_vpc.service_perimeter_name + description = "Access context manager service perimeter name for the enforced perimeter" +} diff --git a/3-networks-svpc/modules/base_env/partner_interconnect.tf.example b/3-networks-svpc/modules/base_env/partner_interconnect.tf.example new file mode 100644 index 000000000..3ab8f691b --- /dev/null +++ b/3-networks-svpc/modules/base_env/partner_interconnect.tf.example 
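Review bot: `outputs.tf` is added as a new file (`new file mode 100644`) but carries a `Copyright 2021 Google LLC` header; the license header should use the year the file is created. The `enforce_vpcsc` output description ("Enable the enforced mode for VPC Service Controls ...") is worded as an input; since this output only echoes the module's value, a description such as "Whether the enforced VPC Service Controls perimeter is enabled" would read correctly in the generated README.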
@@ -0,0 +1,50 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "shared_interconnect" { + source = "../partner_interconnect" + + attachment_project_id = local.shared_vpc_project_id + vpc_name = "${var.environment_code}-svpc" + preactivate = true + + region1 = var.default_region1 + region1_router1_name = module.shared_vpc.region1_router1.router.name + region1_interconnect1_location = "las-zone1-770" + region1_interconnect1_onprem_dc = "onprem-dc1" + region1_router2_name = module.shared_vpc.region1_router2.router.name + region1_interconnect2_location = "las-zone1-770" + region1_interconnect2_onprem_dc = "onprem-dc2" + + region2 = var.default_region2 + region2_router1_name = module.shared_vpc.region2_router1.router.name + region2_interconnect1_location = "lax-zone2-19" + region2_interconnect1_onprem_dc = "onprem-dc3" + region2_router2_name = module.shared_vpc.region2_router2.router.name + region2_interconnect2_location = "lax-zone1-403" + region2_interconnect2_onprem_dc = "onprem-dc4" + + cloud_router_labels = { + vlan_1 = "cr5", + vlan_2 = "cr6", + vlan_3 = "cr7", + vlan_4 = "cr8" + } + + depends_on = [ + module.shared_vpc + ] +} diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-svpc/modules/base_env/remote.tf similarity index 67% rename from 3-networks-dual-svpc/modules/base_env/remote.tf rename to 3-networks-svpc/modules/base_env/remote.tf index 8c8f853ec..dc6e8f4f7 100644 
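Review bot: same header issue, `partner_interconnect.tf.example` is new in this change but dated 2021. Its `cloud_router_labels` are `cr5`..`cr8`, while the deleted `shared_base_interconnect` block in `interconnect.tf.example` used `cr1`..`cr4`; with a single VPC the dedicated and partner examples should agree on one label set, otherwise switching between the two interconnect types silently changes the router labels.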
--- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-svpc/modules/base_env/remote.tf @@ -15,15 +15,13 @@ */ locals { - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number + shared_vpc_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].shared_vpc_project_id + shared_vpc_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].shared_vpc_project_number interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email - restricted_dns_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id - base_dns_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id + dns_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].shared_vpc_project_id } data "terraform_remote_state" "bootstrap" { diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example b/3-networks-svpc/modules/base_env/remote.tf.cloud.example similarity index 75% rename from 3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example rename to 3-networks-svpc/modules/base_env/remote.tf.cloud.example index df60f9e1c..3bbd96d42 100644 
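Review bot: `dns_project_id` is still resolved from `shared_vpc_projects["production"]` regardless of `var.env`, i.e. every environment's DNS configuration is anchored on the production Shared VPC host project; this is carried over from the old `restricted_dns_project_id` local, but now that it is the only DNS project local a one-line comment explaining why production is hard-coded (the hub project for DNS peering) would stop the next reader from treating it as a bug.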
--- a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example +++ b/3-networks-svpc/modules/base_env/remote.tf.cloud.example @@ -15,9 +15,8 @@ */ locals { - restricted_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number - base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id + shared_vpc_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].shared_vpc_project_id + shared_vpc_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].shared_vpc_project_number interconnect_project_number = data.tfe_outputs.org.nonsensitive_values.interconnect_project_number organization_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.organization_step_terraform_service_account_email networks_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.networks_step_terraform_service_account_email diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-svpc/modules/base_env/variables.tf similarity index 77% rename from 3-networks-dual-svpc/modules/base_env/variables.tf rename to 3-networks-svpc/modules/base_env/variables.tf index 4bb88ca6c..378bf1788 100644 --- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-svpc/modules/base_env/variables.tf 
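Review bot: this hunk drops the `base_project_id` and `restricted_*` locals from the Terraform Cloud variant but shows no `dns_project_id` local, while `main.tf` in this change passes `dns_project_id = local.dns_project_id` to the `shared_vpc` module; confirm the cloud example defines `dns_project_id` outside the visible context (the `data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects["production"].shared_vpc_project_id` counterpart of the `remote.tf` line), otherwise the example fails to plan with an undeclared local.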
@@ -67,75 +67,32 @@ variable "enable_partner_interconnect" { default = false } -variable "base_private_service_cidr" { +variable "private_service_cidr" { type = string - description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc." + description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Shared Vpc." } -variable "base_subnet_primary_ranges" { +variable "subnet_primary_ranges" { type = map(string) - description = "The base subnet primary IPTs ranges to the Base Shared Vpc." + description = "The base subnet primary IPTs ranges to the Shared Vpc." } -variable "base_subnet_proxy_ranges" { +variable "subnet_proxy_ranges" { type = map(string) - description = "The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc." + description = "The base proxy-only subnet primary IPTs ranges to the Shared Vpc." } -variable "base_subnet_secondary_ranges" { +variable "subnet_secondary_ranges" { type = map(list(map(string))) - description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." + description = "The base subnet secondary IPTs ranges to the Shared Vpc" } -variable "base_private_service_connect_ip" { +variable "private_service_connect_ip" { type = string - description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC" + description = "The base subnet internal IP to be used as the private service connect endpoint in the Shared VPC" } -variable "base_vpc_flow_logs" { - description = <` . +1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the base-env folder in `3-networks-svpc/modules/base_env` . +1. Update the `enable_partner_interconnect` to `true` in each `main.tf` file in the environment folder in `3-networks-svpc/envs/` . 1. 
Update the file `partner_interconnect.tf` with values that are valid for your environment for the VLAN attachments, locations. diff --git a/3-networks-dual-svpc/modules/partner_interconnect/main.tf b/3-networks-svpc/modules/partner_interconnect/main.tf similarity index 100% rename from 3-networks-dual-svpc/modules/partner_interconnect/main.tf rename to 3-networks-svpc/modules/partner_interconnect/main.tf diff --git a/3-networks-dual-svpc/modules/partner_interconnect/outputs.tf b/3-networks-svpc/modules/partner_interconnect/outputs.tf similarity index 100% rename from 3-networks-dual-svpc/modules/partner_interconnect/outputs.tf rename to 3-networks-svpc/modules/partner_interconnect/outputs.tf diff --git a/3-networks-dual-svpc/modules/partner_interconnect/variables.tf b/3-networks-svpc/modules/partner_interconnect/variables.tf similarity index 100% rename from 3-networks-dual-svpc/modules/partner_interconnect/variables.tf rename to 3-networks-svpc/modules/partner_interconnect/variables.tf diff --git a/3-networks-dual-svpc/modules/partner_interconnect/versions.tf b/3-networks-svpc/modules/partner_interconnect/versions.tf similarity index 77% rename from 3-networks-dual-svpc/modules/partner_interconnect/versions.tf rename to 3-networks-svpc/modules/partner_interconnect/versions.tf index 0fb11f02f..8cde23477 100644 --- a/3-networks-dual-svpc/modules/partner_interconnect/versions.tf +++ b/3-networks-svpc/modules/partner_interconnect/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 0.13" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } 
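Review bot: the new comment says only `6.26.0` is excluded because of hashicorp/terraform-provider-google#21950, but the constraint `>= 3.50, < 6.26.0` also blocks every later release, including the ones that fix the bug. Terraform's version-constraint syntax supports `!=`, so `version = ">= 3.50, != 6.26.0"` expresses the stated intent without freezing the provider; if the intent really is to cap at 6.25.x until the fix is verified, say so in the comment. Minor: the Terraform style guide prefers `#` for single-line comments, the added lines use `//`.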
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-svpc/modules/shared_vpc/README.md similarity index 97% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/README.md rename to 3-networks-svpc/modules/shared_vpc/README.md index 3ad3b457d..ee245c0b9 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-svpc/modules/shared_vpc/README.md @@ -9,6 +9,7 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -26,9 +27,8 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | -| project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | -| restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no | +| project\_id | Project ID for Shared VPC. | `string` | n/a | yes | +| project\_number | Project number for Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-svpc/modules/shared_vpc/dns.tf similarity index 90% rename from 3-networks-dual-svpc/modules/base_shared_vpc/dns.tf rename to 3-networks-svpc/modules/shared_vpc/dns.tf index dd065135e..d6a38a6fd 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-svpc/modules/shared_vpc/dns.tf 
@@ -20,7 +20,7 @@ resource "google_dns_policy" "default_policy" { project = var.project_id - name = "dp-${var.environment_code}-shared-base-default-policy" + name = "dp-${var.environment_code}-svpc-default-policy" enable_inbound_forwarding = var.dns_enable_inbound_forwarding enable_logging = var.dns_enable_logging networks { @@ -35,8 +35,8 @@ data "google_compute_network" "vpc_dns_hub" { count = var.environment_code != "p" ? 1 : 0 - name = "vpc-p-shared-base" - project = var.base_dns_project_id + name = "vpc-p-svpc" + project = var.dns_project_id } module "peering_zone" { @@ -47,7 +47,7 @@ module "peering_zone" { project_id = var.project_id type = "peering" - name = "dz-${var.environment_code}-shared-base-to-dns-hub" + name = "dz-${var.environment_code}-svpc-to-dns-hub" domain = var.domain description = "Private DNS peering zone." @@ -76,3 +76,4 @@ module "dns_forwarding_zone" { ] target_name_server_addresses = var.target_name_server_addresses } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf b/3-networks-svpc/modules/shared_vpc/firewall.tf similarity index 84% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf rename to 3-networks-svpc/modules/shared_vpc/firewall.tf index 3e35b3d7c..41ed2eb67 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf +++ b/3-networks-svpc/modules/shared_vpc/firewall.tf @@ -23,8 +23,8 @@ module "firewall_rules" { version = "~> 10.0" project_id = var.project_id - policy_name = "fp-${var.environment_code}-dual-svpc-restricted-firewalls" - description = "Firewall rules for restricted dual shared vpc: ${module.main.network_name}." + policy_name = "fp-${var.environment_code}-svpc-firewalls" + description = "Firewall rules for shared vpc: ${module.main.network_name}." target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"] rules = concat( 
@@ -33,7 +33,7 @@ module "firewall_rules" { priority = "65530" direction = "EGRESS" action = "deny" - rule_name = "fw-${var.environment_code}-shared-restricted-65530-e-d-all-all-all" + rule_name = "fw-${var.environment_code}-svpc-65530-e-d-all-all-all" description = "Lower priority rule to deny all egress traffic." enable_logging = var.firewall_enable_logging match = { @@ -49,7 +49,7 @@ module "firewall_rules" { priority = "1000" direction = "EGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-restricted-1000-e-a-allow-google-apis-all-tcp-443" + rule_name = "fw-${var.environment_code}-svpc-1000-e-a-allow-google-apis-all-tcp-443" description = "Lower priority rule to allow restricted google apis on TCP port 443." enable_logging = var.firewall_enable_logging match = { @@ -68,7 +68,7 @@ module "firewall_rules" { priority = "10000" direction = "EGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all" + rule_name = "fw-${var.environment_code}-svpc-10000-e-a-all-all-all" description = "Allow all egress to the provided IP range." enable_logging = var.firewall_enable_logging match = { @@ -86,7 +86,7 @@ module "firewall_rules" { priority = "10001" direction = "INGRESS" action = "allow" - rule_name = "fw-${var.environment_code}-shared-base-10001-i-a-all" + rule_name = "fw-${var.environment_code}-svpc-10001-i-a-all" description = "Allow all ingress to the provided IP range." enable_logging = var.firewall_enable_logging match = { diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-svpc/modules/shared_vpc/main.tf similarity index 98% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf rename to 3-networks-svpc/modules/shared_vpc/main.tf index 75792e367..4d117a85d 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-svpc/modules/shared_vpc/main.tf 
@@ -15,7 +15,7 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" + vpc_name = "${var.environment_code}-svpc" network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf b/3-networks-svpc/modules/shared_vpc/nat.tf similarity index 100% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf rename to 3-networks-svpc/modules/shared_vpc/nat.tf diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf b/3-networks-svpc/modules/shared_vpc/outputs.tf similarity index 100% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf rename to 3-networks-svpc/modules/shared_vpc/outputs.tf diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-svpc/modules/shared_vpc/private_service_connect.tf similarity index 92% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf rename to 3-networks-svpc/modules/shared_vpc/private_service_connect.tf index 3294a0ce5..50b6cb88e 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf +++ b/3-networks-svpc/modules/shared_vpc/private_service_connect.tf @@ -20,7 +20,7 @@ module "private_service_connect" { version = "~> 10.0" project_id = var.project_id - dns_code = "dz-${var.environment_code}-shared-restricted" + dns_code = "dz-${var.environment_code}-svpc" network_self_link = module.main.network_self_link private_service_connect_ip = var.private_service_connect_ip forwarding_rule_target = "vpc-sc" 
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf b/3-networks-svpc/modules/shared_vpc/service_control.tf similarity index 98% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf rename to 3-networks-svpc/modules/shared_vpc/service_control.tf index 636dcb2bf..16c8905fd 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf +++ b/3-networks-svpc/modules/shared_vpc/service_control.tf @@ -15,7 +15,7 @@ */ locals { - prefix = "${var.environment_code}_shared_restricted" + prefix = "${var.environment_code}_svpc" access_level_name = "alp_${local.prefix}_members_${random_id.random_access_level_suffix.hex}" access_level_name_dry_run = "alp_${local.prefix}_members_dry_run_${random_id.random_access_level_suffix.hex}" perimeter_name = "sp_${local.prefix}_default_perimeter_${random_id.random_access_level_suffix.hex}" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-svpc/modules/shared_vpc/variables.tf similarity index 98% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf rename to 3-networks-svpc/modules/shared_vpc/variables.tf index 27e733385..bda401989 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-svpc/modules/shared_vpc/variables.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -variable "restricted_dns_project_id" { +variable "dns_project_id" { description = "Project ID for DNS Restricted Shared." type = string default = "" 
@@ -32,12 +32,12 @@ variable "access_context_manager_policy_id" { variable "project_id" { type = string - description = "Project ID for Restricted Shared VPC." + description = "Project ID for Shared VPC." } variable "project_number" { type = number - description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." + description = "Project number for Shared VPC. It is the project INSIDE the regular service perimeter." } variable "environment_code" { diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/versions.tf b/3-networks-svpc/modules/shared_vpc/versions.tf similarity index 93% rename from 3-networks-dual-svpc/modules/restricted_shared_vpc/versions.tf rename to 3-networks-svpc/modules/shared_vpc/versions.tf index 234c7d5c7..70d2dd824 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/versions.tf +++ b/3-networks-svpc/modules/shared_vpc/versions.tf @@ -19,11 +19,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } random = { source = "hashicorp/random" diff --git a/3-networks-dual-svpc/modules/vpn-ha/README.md b/3-networks-svpc/modules/vpn-ha/README.md similarity index 98% rename from 3-networks-dual-svpc/modules/vpn-ha/README.md rename to 3-networks-svpc/modules/vpn-ha/README.md index 4e85d3059..1c58b85bf 100755 --- a/3-networks-dual-svpc/modules/vpn-ha/README.md +++ b/3-networks-svpc/modules/vpn-ha/README.md 
@@ -7,7 +7,7 @@ If you are not able to use Dedicated Interconnect or Partner Interconnect you ca ## Usage -1. Rename `vpn.tf.example` to `vpn.tf` in the environment folder in `3-networks-dual-svpc/envs/` +1. Rename `vpn.tf.example` to `vpn.tf` in the environment folder in `3-networks-svpc/envs/` 1. Create secret for VPN pre-shared key `echo 'MY_PSK' | gcloud secrets create VPN_PSK_SECRET_NAME --project ENV_SECRETS_PROJECT --replication-policy=automatic --data-file=-` 1. Update in the file the values for `environment`, `vpn_psk_secret_name`, `on_prem_router_ip_address1`, `on_prem_router_ip_address2` and `bgp_peer_asn`. 1. Verify other default values are valid for your environment. diff --git a/3-networks-dual-svpc/modules/vpn-ha/main.tf b/3-networks-svpc/modules/vpn-ha/main.tf similarity index 100% rename from 3-networks-dual-svpc/modules/vpn-ha/main.tf rename to 3-networks-svpc/modules/vpn-ha/main.tf diff --git a/3-networks-dual-svpc/modules/vpn-ha/variables.tf b/3-networks-svpc/modules/vpn-ha/variables.tf similarity index 100% rename from 3-networks-dual-svpc/modules/vpn-ha/variables.tf rename to 3-networks-svpc/modules/vpn-ha/variables.tf diff --git a/3-networks-dual-svpc/production.auto.example.tfvars b/3-networks-svpc/production.auto.example.tfvars similarity index 100% rename from 3-networks-dual-svpc/production.auto.example.tfvars rename to 3-networks-svpc/production.auto.example.tfvars diff --git a/4-projects/README.md b/4-projects/README.md index d092afb3c..96464bf9f 100644 --- a/4-projects/README.md +++ b/4-projects/README.md 
@@ -25,16 +25,16 @@ organizational policy. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub 
@@ -60,7 +60,7 @@ The purpose of this step is to set up the folder structure, projects, and infras For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage. This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-example-foundation#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md). -A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_base_shared_vpc_project.tf). +A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_shared_vpc_project.tf). This pipeline is utilized to deploy resources in projects across development/nonproduction/production in step [5-app-infra](../5-app-infra/README.md). Other Workspaces can also be created to isolate deployments if needed. 
@@ -73,7 +73,7 @@ Other Workspaces can also be created to isolate deployments if needed. 1. 3-networks executed successfully. 1. For the manual step described in this document, you need to use the same [Terraform](https://www.terraform.io/downloads.html) version used on the build pipeline. -Otherwise, you might experience Terraform state snapshot lock errors. + Otherwise, you might experience Terraform state snapshot lock errors. **Note:** As mentioned in 0-bootstrap [README note 2](../0-bootstrap/README.md#deploying-with-cloud-build) at the end of Cloud Build deploy section, make sure that you have requested at least 50 additional projects for the **projects step service account**, otherwise you may face a project quota exceeded error message during the following steps and you will need to apply the fix from [this entry](../docs/TROUBLESHOOTING.md#attempt-to-run-4-projects-step-without-enough-project-quota) of the Troubleshooting guide in order to continue. @@ -89,8 +89,8 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. ### Deploying with Cloud Build 1. Clone the `gcp-projects` repo based on the Terraform output from the `0-bootstrap` step. -Clone the repo at the same level of the `terraform-example-foundation` folder, the following instructions assume this layout. -Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get the Cloud Build Project ID. + Clone the repo at the same level of the `terraform-example-foundation` folder, the following instructions assume this layout. + Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get the Cloud Build Project ID. ```bash export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="terraform-example-foundation/0-bootstrap/" output -raw cloudbuild_project_id) 
@@ -137,16 +137,16 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get For example, to create a new business unit similar to business_unit_1, run the following: - ```bash - #copy the business_unit_1 folder and it's contents to a new folder business_unit_2 - cp -r business_unit_1 business_unit_2 - - # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 - grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' - grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' - # search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 - grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' - ``` +```bash +#copy the business_unit_1 folder and it's contents to a new folder business_unit_2 +cp -r business_unit_1 business_unit_2 + +# search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 +grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' +grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' +# search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 +grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' +``` 1. Commit changes. 
@@ -295,21 +295,20 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` - 1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`. For example, to create a new business unit similar to business_unit_1, run the following: - ```bash - #copy the business_unit_1 folder and it's contents to a new folder business_unit_2 - cp -r business_unit_1 business_unit_2 - - # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 - grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' - grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' - # search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 - grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' - ``` +```bash +#copy the business_unit_1 folder and it's contents to a new folder business_unit_2 +cp -r business_unit_1 business_unit_2 + +# search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 +grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' +grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' +# search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 +grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' +``` 1. Checkout `shared` branch. Run `init` and `plan` and review output for environment shared. diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index 9d723d711..fd653c107 100644 --- a/4-projects/business_unit_1/development/README.md 
+++ b/4-projects/business_unit_1/development/README.md @@ -18,9 +18,6 @@ | Name | Description | |------|-------------| | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | -| base\_shared\_vpc\_project | Project sample base project. | -| base\_shared\_vpc\_project\_sa | Project sample base project SA. | -| base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | | floating\_project | Project sample floating project. | @@ -32,9 +29,9 @@ | peering\_project | Project sample peering project id. | | peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | -| restricted\_shared\_vpc\_project | Project sample restricted project id. | -| restricted\_shared\_vpc\_project\_number | Project sample restricted project. | -| restricted\_subnets\_self\_links | The self-links of subnets from restricted environment. | +| shared\_vpc\_project | Project sample shared vpc project id. | +| shared\_vpc\_project\_number | Project sample shared vpc project. | +| subnets\_self\_links | The self-links of subnets from environment. | | vpc\_service\_control\_perimeter\_name | VPC Service Control name. | diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf index 92a332bc6..f92ed8578 100644 --- a/4-projects/business_unit_1/development/outputs.tf +++ b/4-projects/business_unit_1/development/outputs.tf 
@@ -14,21 +14,6 @@ * limitations under the License. */ -output "base_shared_vpc_project" { - description = "Project sample base project." - value = module.env.base_shared_vpc_project -} - -output "base_shared_vpc_project_sa" { - description = "Project sample base project SA." - value = module.env.base_shared_vpc_project_sa -} - -output "base_subnets_self_links" { - value = module.env.base_subnets_self_links - description = "The self-links of subnets from base environment." -} - output "floating_project" { description = "Project sample floating project." value = module.env.floating_project @@ -44,19 +29,19 @@ output "peering_network" { value = module.env.peering_network } -output "restricted_shared_vpc_project" { - description = "Project sample restricted project id." - value = module.env.restricted_shared_vpc_project +output "shared_vpc_project" { + description = "Project sample shared vpc project id." + value = module.env.shared_vpc_project } -output "restricted_shared_vpc_project_number" { - description = "Project sample restricted project." - value = module.env.restricted_shared_vpc_project_number +output "shared_vpc_project_number" { + description = "Project sample shared vpc project." + value = module.env.shared_vpc_project_number } -output "restricted_subnets_self_links" { - value = module.env.restricted_subnets_self_links - description = "The self-links of subnets from restricted environment." +output "subnets_self_links" { + value = module.env.subnets_self_links + description = "The self-links of subnets from environment." } output "vpc_service_control_perimeter_name" { diff --git a/4-projects/business_unit_1/nonproduction/README.md b/4-projects/business_unit_1/nonproduction/README.md index 9d723d711..e0ff4ea94 100644 --- a/4-projects/business_unit_1/nonproduction/README.md +++ b/4-projects/business_unit_1/nonproduction/README.md 
@@ -18,9 +18,6 @@ | Name | Description | |------|-------------| | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | -| base\_shared\_vpc\_project | Project sample base project. | -| base\_shared\_vpc\_project\_sa | Project sample base project SA. | -| base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | | floating\_project | Project sample floating project. | @@ -32,9 +29,9 @@ | peering\_project | Project sample peering project id. | | peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | -| restricted\_shared\_vpc\_project | Project sample restricted project id. | -| restricted\_shared\_vpc\_project\_number | Project sample restricted project. | -| restricted\_subnets\_self\_links | The self-links of subnets from restricted environment. | +| shared\_vpc\_project | Project sample project id. | +| shared\_vpc\_project\_number | Project sample shared vpc project. | +| subnets\_self\_links | The self-links of subnets from environment. | | vpc\_service\_control\_perimeter\_name | VPC Service Control name. | diff --git a/4-projects/business_unit_1/nonproduction/outputs.tf b/4-projects/business_unit_1/nonproduction/outputs.tf index 92a332bc6..120ff0ad1 100644 --- a/4-projects/business_unit_1/nonproduction/outputs.tf +++ b/4-projects/business_unit_1/nonproduction/outputs.tf 
@@ -14,21 +14,6 @@ * limitations under the License. */ -output "base_shared_vpc_project" { - description = "Project sample base project." - value = module.env.base_shared_vpc_project -} - -output "base_shared_vpc_project_sa" { - description = "Project sample base project SA." - value = module.env.base_shared_vpc_project_sa -} - -output "base_subnets_self_links" { - value = module.env.base_subnets_self_links - description = "The self-links of subnets from base environment." -} - output "floating_project" { description = "Project sample floating project." value = module.env.floating_project @@ -44,19 +29,19 @@ output "peering_network" { value = module.env.peering_network } -output "restricted_shared_vpc_project" { - description = "Project sample restricted project id." - value = module.env.restricted_shared_vpc_project +output "shared_vpc_project" { + description = "Project sample project id." + value = module.env.shared_vpc_project } -output "restricted_shared_vpc_project_number" { - description = "Project sample restricted project." - value = module.env.restricted_shared_vpc_project_number +output "shared_vpc_project_number" { + description = "Project sample shared vpc project." + value = module.env.shared_vpc_project_number } -output "restricted_subnets_self_links" { - value = module.env.restricted_subnets_self_links - description = "The self-links of subnets from restricted environment." +output "subnets_self_links" { + value = module.env.subnets_self_links + description = "The self-links of subnets from environment." } output "vpc_service_control_perimeter_name" { diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index 9d723d711..d8cb23985 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
@@ -18,9 +18,6 @@ | Name | Description | |------|-------------| | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | -| base\_shared\_vpc\_project | Project sample base project. | -| base\_shared\_vpc\_project\_sa | Project sample base project SA. | -| base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | | floating\_project | Project sample floating project. | @@ -32,9 +29,9 @@ | peering\_project | Project sample peering project id. | | peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | -| restricted\_shared\_vpc\_project | Project sample restricted project id. | -| restricted\_shared\_vpc\_project\_number | Project sample restricted project. | -| restricted\_subnets\_self\_links | The self-links of subnets from restricted environment. | +| shared\_vpc\_project | Project sample shared vpc project id. | +| shared\_vpc\_project\_number | Project sample shared vpc project. | +| subnets\_self\_links | The self-links of subnets from shared vpc environment. | | vpc\_service\_control\_perimeter\_name | VPC Service Control name. | diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index 55b839cb4..0cd227d6a 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf 
@@ -14,21 +14,6 @@ * limitations under the License. */ -output "base_shared_vpc_project" { - description = "Project sample base project." - value = module.env.base_shared_vpc_project -} - -output "base_shared_vpc_project_sa" { - description = "Project sample base project SA." - value = module.env.base_shared_vpc_project_sa -} - -output "base_subnets_self_links" { - value = module.env.base_subnets_self_links - description = "The self-links of subnets from base environment." -} - output "floating_project" { description = "Project sample floating project." value = module.env.floating_project @@ -44,19 +29,19 @@ output "peering_network" { value = module.env.peering_network } -output "restricted_shared_vpc_project" { - description = "Project sample restricted project id." - value = module.env.restricted_shared_vpc_project +output "shared_vpc_project" { + description = "Project sample shared vpc project id." + value = module.env.shared_vpc_project } -output "restricted_shared_vpc_project_number" { - description = "Project sample restricted project." - value = module.env.restricted_shared_vpc_project_number +output "shared_vpc_project_number" { + description = "Project sample shared vpc project." + value = module.env.shared_vpc_project_number } -output "restricted_subnets_self_links" { - value = module.env.restricted_subnets_self_links - description = "The self-links of subnets from restricted environment." +output "subnets_self_links" { + value = module.env.subnets_self_links + description = "The self-links of subnets from shared vpc environment." } output "vpc_service_control_perimeter_name" { diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index 25653ac3c..ef2760eff 100644 --- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md 
@@ -36,9 +36,6 @@ | Name | Description | |------|-------------| | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | -| base\_shared\_vpc\_project | Project sample base project. | -| base\_shared\_vpc\_project\_sa | Project sample base project SA. | -| base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | floating\_project | Project sample floating project. | | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | @@ -49,9 +46,9 @@ | peering\_project | Project sample peering project id. | | peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | -| restricted\_shared\_vpc\_project | Project sample restricted project id. | -| restricted\_shared\_vpc\_project\_number | Project sample restricted project. | -| restricted\_subnets\_self\_links | The self-links of subnets from restricted environment. | +| shared\_vpc\_project | Project sample restricted project id. | +| shared\_vpc\_project\_number | Project sample shared vpc project. | +| subnets\_self\_links | The self-links of subnets. | | vpc\_service\_control\_perimeter\_name | VPC Service Control name. | diff --git a/4-projects/modules/base_env/example_base_shared_vpc_project.tf b/4-projects/modules/base_env/example_base_shared_vpc_project.tf deleted file mode 100644 index 03741b6a2..000000000 --- a/4-projects/modules/base_env/example_base_shared_vpc_project.tf +++ /dev/null 
@@ -1,63 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "base_shared_vpc_project" { - source = "../single_project" - - org_id = local.org_id - billing_account = local.billing_account - folder_id = google_folder.env_business_unit.name - environment = var.env - vpc = "base" - shared_vpc_host_project_id = local.base_host_project_id - shared_vpc_subnets = local.base_subnets_self_links - project_budget = var.project_budget - project_prefix = local.project_prefix - enable_cloudbuild_deploy = local.enable_cloudbuild_deploy - app_infra_pipeline_service_accounts = local.app_infra_pipeline_service_accounts - - project_deletion_policy = var.project_deletion_policy - - // The roles defined in "sa_roles" will be used to grant the necessary permissions - // to deploy the resources, a Compute Engine instance for each environment, defined - // in 5-app-infra step (5-app-infra/modules/env_base/main.tf). - // The roles are grouped by the repository name ("${var.business_code}-example-app") used to create the Cloud Build workspace - // (https://github.com/terraform-google-modules/terraform-google-bootstrap/tree/master/modules/tf_cloudbuild_workspace) - // in the 4-projects shared environment of each business unit. - // the repository name is the same key used for the app_infra_pipeline_service_accounts map and the - // roles will be granted to the service account with the same key. 
- sa_roles = { - "${var.business_code}-example-app" = [ - "roles/compute.instanceAdmin.v1", - "roles/iam.serviceAccountAdmin", - "roles/iam.serviceAccountUser", - ] - } - - activate_apis = [ - "iam.googleapis.com", - "cloudresourcemanager.googleapis.com", - "storage.googleapis.com" - ] - - # Metadata - project_suffix = "sample-base" - application_name = "${var.business_code}-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = var.business_code -} diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf index aee340e6b..6a2a36f7c 100644 --- a/4-projects/modules/base_env/example_peering_project.tf +++ b/4-projects/modules/base_env/example_peering_project.tf @@ -116,7 +116,7 @@ module "peering" { prefix = "${var.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link - peer_network = local.base_network_self_link + peer_network = local.network_self_link module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf b/4-projects/modules/base_env/example_shared_vpc_project.tf similarity index 71% rename from 4-projects/modules/base_env/example_restricted_shared_vpc_project.tf rename to 4-projects/modules/base_env/example_shared_vpc_project.tf index 5244a53b7..0f0b52784 100644 --- a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_shared_vpc_project.tf 
@@ -14,20 +14,30 @@ * limitations under the License. */ -module "restricted_shared_vpc_project" { +module "shared_vpc_project" { source = "../single_project" org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.env_business_unit.name environment = var.env - vpc = "restricted" - shared_vpc_host_project_id = local.restricted_host_project_id - shared_vpc_subnets = local.restricted_subnets_self_links + vpc = "svpc" + shared_vpc_host_project_id = local.shared_vpc_host_project_id + shared_vpc_subnets = local.subnets_self_links project_budget = var.project_budget project_prefix = local.project_prefix + project_deletion_policy = var.project_deletion_policy - project_deletion_policy = var.project_deletion_policy + enable_cloudbuild_deploy = local.enable_cloudbuild_deploy + app_infra_pipeline_service_accounts = local.app_infra_pipeline_service_accounts + + sa_roles = { + "${var.business_code}-example-app" = [ + "roles/compute.instanceAdmin.v1", + "roles/iam.serviceAccountUser", + "roles/iam.serviceAccountAdmin", + ] + } activate_apis = ["accesscontextmanager.googleapis.com"] vpc_service_control_attach_enabled = local.enforce_vpcsc ? "true" : "false" @@ -36,7 +46,7 @@ module "restricted_shared_vpc_project" { vpc_service_control_sleep_duration = "60s" # Metadata - project_suffix = "sample-restrict" + project_suffix = "sample-svpc" application_name = "${var.business_code}-sample-application" billing_code = "1234" primary_contact = "example@example.com" diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf index af21ded6f..1a3477da9 100644 --- a/4-projects/modules/base_env/example_storage_cmek.tf +++ b/4-projects/modules/base_env/example_storage_cmek.tf @@ -15,7 +15,7 @@ */ data "google_storage_project_service_account" "gcs_account" { - project = module.base_shared_vpc_project.project_id + project = module.shared_vpc_project.project_id } module "kms" { 
@@ -46,9 +46,9 @@ module "gcs_buckets" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "~> 9.0" - project_id = module.base_shared_vpc_project.project_id + project_id = module.shared_vpc_project.project_id location = var.location_gcs - name = "${var.gcs_bucket_prefix}-${module.base_shared_vpc_project.project_id}-cmek-encrypted-${random_string.bucket_name.result}" + name = "${var.gcs_bucket_prefix}-${module.shared_vpc_project.project_id}-cmek-encrypted-${random_string.bucket_name.result}" bucket_policy_only = true custom_placement_config = var.gcs_custom_placement_config @@ -56,5 +56,5 @@ module "gcs_buckets" { default_kms_key_name = module.kms.keys[var.key_name] } - depends_on = [module.kms] + depends_on = [module.shared_vpc_project] } diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf index 565910d96..fa2f69d0b 100644 --- a/4-projects/modules/base_env/outputs.tf +++ b/4-projects/modules/base_env/outputs.tf @@ -14,21 +14,6 @@ * limitations under the License. */ -output "base_shared_vpc_project" { - description = "Project sample base project." - value = module.base_shared_vpc_project.project_id -} - -output "base_shared_vpc_project_sa" { - description = "Project sample base project SA." - value = module.base_shared_vpc_project.sa -} - -output "base_subnets_self_links" { - value = local.base_subnets_self_links - description = "The self-links of subnets from base environment." -} - output "floating_project" { description = "Project sample floating project." value = module.floating_project.project_id 
@@ -44,19 +29,19 @@ output "peering_network" { value = module.peering.peer_network_peering } -output "restricted_shared_vpc_project" { +output "shared_vpc_project" { description = "Project sample restricted project id." - value = module.restricted_shared_vpc_project.project_id + value = module.shared_vpc_project.project_id } -output "restricted_shared_vpc_project_number" { - description = "Project sample restricted project." - value = module.restricted_shared_vpc_project.project_number +output "shared_vpc_project_number" { + description = "Project sample shared vpc project." + value = module.shared_vpc_project.project_number } -output "restricted_subnets_self_links" { - value = local.restricted_subnets_self_links - description = "The self-links of subnets from restricted environment." +output "subnets_self_links" { + value = local.subnets_self_links + description = "The self-links of subnets." } output "vpc_service_control_perimeter_name" { @@ -71,7 +56,7 @@ output "access_context_manager_policy_id" { output "restricted_enabled_apis" { description = "Activated APIs." - value = module.restricted_shared_vpc_project.enabled_apis + value = module.shared_vpc_project.enabled_apis } output "peering_complete" { diff --git a/4-projects/modules/base_env/remote.tf b/4-projects/modules/base_env/remote.tf index 55942f987..5624b7fa6 100644 --- a/4-projects/modules/base_env/remote.tf +++ b/4-projects/modules/base_env/remote.tf 
@@ -19,18 +19,17 @@ locals { billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix projects_backend_bucket = data.terraform_remote_state.bootstrap.outputs.projects_gcs_bucket_tfstate - perimeter_name = data.terraform_remote_state.network_env.outputs.restricted_service_perimeter_name - base_network_self_link = data.terraform_remote_state.network_env.outputs.base_network_self_link - base_subnets_self_links = data.terraform_remote_state.network_env.outputs.base_subnets_self_links - base_host_project_id = data.terraform_remote_state.network_env.outputs.base_host_project_id - restricted_host_project_id = data.terraform_remote_state.network_env.outputs.restricted_host_project_id - restricted_subnets_self_links = data.terraform_remote_state.network_env.outputs.restricted_subnets_self_links + perimeter_name = data.terraform_remote_state.network_env.outputs.service_perimeter_name + network_self_link = data.terraform_remote_state.network_env.outputs.network_self_link + shared_vpc_host_project_id = data.terraform_remote_state.network_env.outputs.shared_vpc_host_project_id + subnets_self_links = data.terraform_remote_state.network_env.outputs.subnets_self_links access_context_manager_policy_id = data.terraform_remote_state.network_env.outputs.access_context_manager_policy_id enforce_vpcsc = data.terraform_remote_state.network_env.outputs.enforce_vpcsc env_folder_name = data.terraform_remote_state.environments_env.outputs.env_folder app_infra_pipeline_service_accounts = data.terraform_remote_state.business_unit_shared.outputs.terraform_service_accounts enable_cloudbuild_deploy = data.terraform_remote_state.business_unit_shared.outputs.enable_cloudbuild_deploy kms_project_id = data.terraform_remote_state.environments_env.outputs.env_kms_project_id + kms_project_number = data.terraform_remote_state.environments_env.outputs.env_kms_project_number } 
data "terraform_remote_state" "bootstrap" { diff --git a/4-projects/modules/base_env/remote.tf.cloud.example b/4-projects/modules/base_env/remote.tf.cloud.example index c6dd2a752..d8e2c622b 100644 --- a/4-projects/modules/base_env/remote.tf.cloud.example +++ b/4-projects/modules/base_env/remote.tf.cloud.example @@ -19,12 +19,10 @@ locals { billing_account = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.billing_account project_prefix = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.project_prefix projects_backend_bucket = "" - perimeter_name = data.tfe_outputs.network_env.nonsensitive_values.restricted_service_perimeter_name - base_network_self_link = data.tfe_outputs.network_env.nonsensitive_values.base_network_self_link - base_subnets_self_links = data.tfe_outputs.network_env.nonsensitive_values.base_subnets_self_links - base_host_project_id = data.tfe_outputs.network_env.nonsensitive_values.base_host_project_id - restricted_host_project_id = data.tfe_outputs.network_env.nonsensitive_values.restricted_host_project_id - restricted_subnets_self_links = data.tfe_outputs.network_env.nonsensitive_values.restricted_subnets_self_links + perimeter_name = data.tfe_outputs.network_env.nonsensitive_values.service_perimeter_name + shared_vpc_host_project_id = data.tfe_outputs.network_env.nonsensitive_values.shared_vpc_host_project_id + shared_vpc_host_project_id = data.tfe_outputs.network_env.nonsensitive_values.shared_vpc_host_project_id + subnets_self_links = data.tfe_outputs.network_env.nonsensitive_values.subnets_self_links access_context_manager_policy_id = data.tfe_outputs.network_env.nonsensitive_values.access_context_manager_policy_id env_folder_name = data.tfe_outputs.environments_env.nonsensitive_values.env_folder app_infra_pipeline_service_accounts = data.tfe_outputs.business_unit_shared.nonsensitive_values.terraform_service_accounts 
diff --git a/4-projects/modules/infra_pipelines/versions.tf b/4-projects/modules/infra_pipelines/versions.tf index b392be026..4124769e8 100644 --- a/4-projects/modules/infra_pipelines/versions.tf +++ b/4-projects/modules/infra_pipelines/versions.tf @@ -19,13 +19,15 @@ terraform { required_providers { google = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50, != 4.31.0" + version = ">= 3.50, != 4.31.0, < 6.26.0" } google-beta = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50, != 4.31.0" + version = ">= 3.50, != 4.31.0, < 6.26.0" } null = { source = "hashicorp/null" diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md index 80758abb9..66e53e5f0 100644 --- a/4-projects/modules/single_project/README.md +++ b/4-projects/modules/single_project/README.md 
@@ -22,7 +22,7 @@ | secondary\_contact | The secondary email contact for the project | `string` | `""` | no | | shared\_vpc\_host\_project\_id | Shared VPC host project ID | `string` | `""` | no | | shared\_vpc\_subnets | List of the shared vpc subnets self links. | `list(string)` | `[]` | no | -| vpc | The type of VPC to attach the project to. Possible options are none, base, or restricted. | `string` | `"none"` | no | +| vpc | The type of VPC to attach the project to. Possible options are none, or svpc. | `string` | `"none"` | no | | vpc\_service\_control\_attach\_dry\_run | Whether the project will be attached to a VPC Service Control Perimeter with an explicit dry run spec flag, which may use different values for the dry run perimeter compared to the ENFORCED perimeter. | `bool` | `false` | no | | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. | `bool` | `false` | no | | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | diff --git a/4-projects/modules/single_project/variables.tf b/4-projects/modules/single_project/variables.tf index 00d68d1de..f53a89790 100644 --- a/4-projects/modules/single_project/variables.tf +++ b/4-projects/modules/single_project/variables.tf @@ -73,13 +73,13 @@ variable "environment" { } variable "vpc" { - description = "The type of VPC to attach the project to. Possible options are none, base, or restricted." + description = "The type of VPC to attach the project to. Possible options are none, or svpc." type = string default = "none" validation { - condition = contains(["none", "base", "restricted"], var.vpc) - error_message = "For vpc, only `none`, `base`, or `restricted` are valid." + condition = contains(["none", "svpc"], var.vpc) + error_message = "For vpc, only `none` or `svpc` are valid." } } 
diff --git a/4-projects/modules/single_project/versions.tf b/4-projects/modules/single_project/versions.tf index b198fef54..e5e3863b7 100644 --- a/4-projects/modules/single_project/versions.tf +++ b/4-projects/modules/single_project/versions.tf @@ -18,12 +18,14 @@ terraform { required_version = ">= 1.3" required_providers { google = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } google-beta = { + // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 source = "hashicorp/google-beta" - version = ">= 3.50" + version = ">= 3.50, < 6.26.0" } } diff --git a/5-app-infra/README.md b/5-app-infra/README.md index e1b220850..e286ecf18 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md @@ -25,16 +25,16 @@ organizational policies. Google Cloud organization that you've created. -3-networks-dual-svpc -Sets up base and restricted shared VPCs with default DNS, NAT (optional), +3-networks-svpc +Sets up shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. 3-networks-hub-and-spoke -Sets up base and restricted shared VPCs with all the default configuration -found on step 3-networks-dual-svpc, but here the architecture will be based on the +Sets up shared VPCs with all the default configuration +found on step 3-networks-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub diff --git a/5-app-infra/business_unit_1/development/main.tf b/5-app-infra/business_unit_1/development/main.tf index 4fbe40bdd..0efbb756b 100644 --- a/5-app-infra/business_unit_1/development/main.tf +++ b/5-app-infra/business_unit_1/development/main.tf 
@@ -19,12 +19,12 @@ locals { environment = "development" } -module "base_shared_gce_instance" { +module "shared_gce_instance" { source = "../../modules/env_base" environment = local.environment business_unit = local.business_unit - project_suffix = "sample-base" + project_suffix = "sample-svpc" region = coalesce(var.instance_region, local.default_region) remote_state_bucket = var.remote_state_bucket } diff --git a/5-app-infra/business_unit_1/development/outputs.tf b/5-app-infra/business_unit_1/development/outputs.tf index 0fa8c81ab..abf47a245 100644 --- a/5-app-infra/business_unit_1/development/outputs.tf +++ b/5-app-infra/business_unit_1/development/outputs.tf 
@@ -16,38 +16,38 @@ output "instances_self_links" { description = "List of self-links for compute instances" - value = module.base_shared_gce_instance.instances_self_links + value = module.shared_gce_instance.instances_self_links } output "instances_names" { description = "List of names for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.name] + value = [for u in module.shared_gce_instance.instances_details : u.name] sensitive = true } output "instances_zones" { description = "List of zone for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.zone] + value = [for u in module.shared_gce_instance.instances_details : u.zone] sensitive = true } output "instances_details" { description = "List of details for compute instances" - value = module.base_shared_gce_instance.instances_details + value = module.shared_gce_instance.instances_details sensitive = true } output "available_zones" { description = "List of available zones in region" - value = module.base_shared_gce_instance.available_zones + value = module.shared_gce_instance.available_zones } output "project_id" { description = "Project where compute instance was created" - value = module.base_shared_gce_instance.project_id + value = module.shared_gce_instance.project_id } output "region" { description = "Region where compute instance was created" - value = module.base_shared_gce_instance.region + value = module.shared_gce_instance.region } diff --git a/5-app-infra/business_unit_1/nonproduction/main.tf b/5-app-infra/business_unit_1/nonproduction/main.tf index 76489f10d..fc7c6b926 100644 --- a/5-app-infra/business_unit_1/nonproduction/main.tf +++ b/5-app-infra/business_unit_1/nonproduction/main.tf 
@@ -19,12 +19,12 @@ locals { environment = "nonproduction" } -module "base_shared_gce_instance" { +module "shared_gce_instance" { source = "../../modules/env_base" environment = local.environment business_unit = local.business_unit - project_suffix = "sample-base" + project_suffix = "sample-svpc" region = coalesce(var.instance_region, local.default_region) remote_state_bucket = var.remote_state_bucket } diff --git a/5-app-infra/business_unit_1/nonproduction/outputs.tf b/5-app-infra/business_unit_1/nonproduction/outputs.tf index 0fa8c81ab..abf47a245 100644 --- a/5-app-infra/business_unit_1/nonproduction/outputs.tf +++ b/5-app-infra/business_unit_1/nonproduction/outputs.tf 
@@ -16,38 +16,38 @@ output "instances_self_links" { description = "List of self-links for compute instances" - value = module.base_shared_gce_instance.instances_self_links + value = module.shared_gce_instance.instances_self_links } output "instances_names" { description = "List of names for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.name] + value = [for u in module.shared_gce_instance.instances_details : u.name] sensitive = true } output "instances_zones" { description = "List of zone for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.zone] + value = [for u in module.shared_gce_instance.instances_details : u.zone] sensitive = true } output "instances_details" { description = "List of details for compute instances" - value = module.base_shared_gce_instance.instances_details + value = module.shared_gce_instance.instances_details sensitive = true } output "available_zones" { description = "List of available zones in region" - value = module.base_shared_gce_instance.available_zones + value = module.shared_gce_instance.available_zones } output "project_id" { description = "Project where compute instance was created" - value = module.base_shared_gce_instance.project_id + value = module.shared_gce_instance.project_id } output "region" { description = "Region where compute instance was created" - value = module.base_shared_gce_instance.region + value = module.shared_gce_instance.region } diff --git a/5-app-infra/business_unit_1/production/main.tf b/5-app-infra/business_unit_1/production/main.tf index 40b488e89..1caa332f4 100644 --- a/5-app-infra/business_unit_1/production/main.tf +++ b/5-app-infra/business_unit_1/production/main.tf 
@@ -19,12 +19,12 @@ locals { environment = "production" } -module "base_shared_gce_instance" { +module "shared_gce_instance" { source = "../../modules/env_base" environment = local.environment business_unit = local.business_unit - project_suffix = "sample-base" + project_suffix = "sample-svpc" region = coalesce(var.instance_region, local.default_region) remote_state_bucket = var.remote_state_bucket } diff --git a/5-app-infra/business_unit_1/production/outputs.tf b/5-app-infra/business_unit_1/production/outputs.tf index 0fa8c81ab..abf47a245 100644 --- a/5-app-infra/business_unit_1/production/outputs.tf +++ b/5-app-infra/business_unit_1/production/outputs.tf 
@@ -16,38 +16,38 @@ output "instances_self_links" { description = "List of self-links for compute instances" - value = module.base_shared_gce_instance.instances_self_links + value = module.shared_gce_instance.instances_self_links } output "instances_names" { description = "List of names for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.name] + value = [for u in module.shared_gce_instance.instances_details : u.name] sensitive = true } output "instances_zones" { description = "List of zone for compute instances" - value = [for u in module.base_shared_gce_instance.instances_details : u.zone] + value = [for u in module.shared_gce_instance.instances_details : u.zone] sensitive = true } output "instances_details" { description = "List of details for compute instances" - value = module.base_shared_gce_instance.instances_details + value = module.shared_gce_instance.instances_details sensitive = true } output "available_zones" { description = "List of available zones in region" - value = module.base_shared_gce_instance.available_zones + value = module.shared_gce_instance.available_zones } output "project_id" { description = "Project where compute instance was created" - value = module.base_shared_gce_instance.project_id + value = module.shared_gce_instance.project_id } output "region" { description = "Region where compute instance was created" - value = module.base_shared_gce_instance.region + value = module.shared_gce_instance.region } diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf index 6fdc56349..e457729a8 100644 --- a/5-app-infra/modules/env_base/main.tf +++ b/5-app-infra/modules/env_base/main.tf 
@@ -16,26 +16,23 @@ locals { env_project_ids = { - "sample-base" = data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project, "sample-floating" = data.terraform_remote_state.projects_env.outputs.floating_project, "sample-peering" = data.terraform_remote_state.projects_env.outputs.peering_project, - "sample-restrict" = data.terraform_remote_state.projects_env.outputs.restricted_shared_vpc_project, + "sample-svpc" = data.terraform_remote_state.projects_env.outputs.shared_vpc_project, } env_project_subnets = { - "sample-base" = local.base_subnetwork_self_link, - "sample-floating" = local.base_subnetwork_self_link, + "sample-floating" = local.svpc_subnetwork_self_link, "sample-peering" = data.terraform_remote_state.projects_env.outputs.peering_subnetwork_self_link, - "sample-restrict" = local.base_subnetwork_self_link, + "sample-svpc" = local.svpc_subnetwork_self_link, } env_project_resource_manager_tags = { - "sample-base" = null, "sample-floating" = null, "sample-peering" = data.terraform_remote_state.projects_env.outputs.iap_firewall_tags, - "sample-restrict" = null, + "sample-svpc" = null, } - subnetwork_self_links = data.terraform_remote_state.projects_env.outputs.base_subnets_self_links - base_subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0] + subnetwork_self_links = data.terraform_remote_state.projects_env.outputs.subnets_self_links + svpc_subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0] env_project_id = local.env_project_ids[var.project_suffix] subnetwork_self_link = local.env_project_subnets[var.project_suffix] diff --git a/CHANGELOG.md b/CHANGELOG.md index 717c05118..99759407f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -39,7 +39,7 @@ * **deps:** update terraform-google-modules/network/google to v8.0 ([#1082](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1082)) ([6d8e106](https://github.com/terraform-google-modules/terraform-example-foundation/commit/6d8e106444ca1b7b04b0beafbde5eac1b353559f)) * **deps:** update tf modules ([#1023](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1023)) ([03b1976](https://github.com/terraform-google-modules/terraform-example-foundation/commit/03b1976b42c427e3efbc879a894641593206d1c6)) * **deps:** update to terraform-google-modules/network/google//modules/network-peering v8 for increased TPG v5 compatibility ([#1073](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1073)) ([5d808b1](https://github.com/terraform-google-modules/terraform-example-foundation/commit/5d808b16fe23b0a1d7c6b43664d6d599cfb2bf8b)) -* **docs:** Update 3-networks-dual-svpc README after accidental change ([#1294](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1294)) ([57c96c4](https://github.com/terraform-google-modules/terraform-example-foundation/commit/57c96c4d669e296b02cf4ad00c8000ee55eee6ea)) +* **docs:** Update 3-networks-svpc README after accidental change ([#1294](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1294)) ([57c96c4](https://github.com/terraform-google-modules/terraform-example-foundation/commit/57c96c4d669e296b02cf4ad00c8000ee55eee6ea)) * Fix of the new group structure ([#1174](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1174)) ([dd6c09c](https://github.com/terraform-google-modules/terraform-example-foundation/commit/dd6c09ccc73dc13abf989c511caf73094ecf5d11)) * Fix project labels ([#1107](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1107)) 
([eb28ecb](https://github.com/terraform-google-modules/terraform-example-foundation/commit/eb28ecb1ca659b1279db83b0b7f9667d56698c22)) * Groups creation and permissions ([#1110](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1110)) ([f57a47c](https://github.com/terraform-google-modules/terraform-example-foundation/commit/f57a47c2e36e9924a3232983385e741fd05ee2f3)) diff --git a/README.md b/README.md index 71f5f004f..490729bc5 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Usage instructions are available in the 0-bootstrap [README](./0-bootstrap/READM ### [1. org](./1-org/) The purpose of this stage is to set up the common folder used to house projects that contain shared resources such as Security Command Center notification, Cloud Key Management Service (KMS), org level secrets, and org level logging. -This stage also sets up the network folder used to house network related projects such as DNS Hub, Interconnect, network hub, and base and restricted projects for each environment (`development`, `nonproduction` or `production`). +This stage also sets up the network folder used to house network related projects such as DNS Hub, Interconnect, network hub and projects for each environment (`development`, `nonproduction` or `production`). This will create the following folder and project structure: ``` @@ -85,16 +85,12 @@ example-organization ├── prj-c-kms └── prj-c-secrets └── fldr-network - ├── prj-net-hub-base - ├── prj-net-hub-restricted + ├── prj-net-hub-svpc ├── prj-net-dns ├── prj-net-interconnect - ├── prj-d-shared-base - ├── prj-d-shared-restricted - ├── prj-n-shared-base - ├── prj-n-shared-restricted - ├── prj-p-shared-base - └── prj-p-shared-restricted + ├── prj-d-svpc + ├── prj-n-svpc + └── prj-p-svpc ``` #### Logs 
@@ -137,8 +133,8 @@ Another project created under the network folder. This project will host the Ded #### Networking -Under the network folder, two projects, one for base and another for restricted network, are created per environment (`development`, `nonproduction`, and `production`) which is intended to be used as a [Shared VPC host project](https://cloud.google.com/vpc/docs/shared-vpc) for all projects in that environment. -This stage only creates the projects and enables the correct APIs, the following networks stages, [3-networks-dual-svpc](./3-networks-dual-svpc/) and [3-networks-hub-and-spoke](./3-networks-hub-and-spoke/), create the actual Shared VPC networks. +Under the network folder, one project for shared vpc network, are created per environment (`development`, `nonproduction`, and `production`) which is intended to be used as a [Shared VPC host project](https://cloud.google.com/vpc/docs/shared-vpc) for all projects in that environment. +This stage only creates the projects and enables the correct APIs, the following networks stages, [3-networks-svpc](./3-networks-svpc/) and [3-networks-hub-and-spoke](./3-networks-hub-and-spoke/), create the actual Shared VPC networks. ### [2. environments](./2-environments/) @@ -170,7 +166,7 @@ Under the environment folder, a project is created per environment (`development Usage instructions are available for the environments step in the [README](./2-environments/README.md). -### [3. networks-dual-svpc](./3-networks-dual-svpc/) +### [3. networks-svpc](./3-networks-svpc/) This step focuses on creating a [Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) per environment (`development`, `nonproduction`, and `production`) in a standard configuration with a reasonable security baseline. Currently, this includes: 
@@ -179,17 +175,16 @@ This step focuses on creating a [Shared VPC](https://cloud.google.com/architectu - Hierarchical firewall policy created to allow for [load balancing health checks](https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules). - Hierarchical firewall policy created to allow [Windows KMS activation](https://cloud.google.com/compute/docs/instances/windows/creating-managing-windows-instances#kms-server). - [Private service networking](https://cloud.google.com/vpc/docs/configure-private-services-access) configured to enable workload dependant resources like Cloud SQL. -- Base Shared VPC with [private.googleapis.com](https://cloud.google.com/vpc/docs/configure-private-google-access#private-domains) configured for base access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs. -- Restricted Shared VPC with [restricted.googleapis.com](https://cloud.google.com/vpc-service-controls/docs/supported-products) configured for restricted access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs. +- Shared VPC with [restricted.googleapis.com](https://cloud.google.com/vpc-service-controls/docs/supported-products) configured for restricted access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs. - Default routes to internet removed, with tag based route `egress-internet` required on VMs in order to reach the internet. - (Optional) Cloud NAT configured for all subnets with logging and static outbound IPs. - Default Cloud DNS policy applied, with DNS logging and [inbound query forwarding](https://cloud.google.com/dns/docs/overview#dns-server-policy-in) turned on. -Usage instructions are available for the networks step in the [README](./3-networks-dual-svpc/README.md). +Usage instructions are available for the networks step in the [README](./3-networks-svpc/README.md). ### [3. 
networks-hub-and-spoke](./3-networks-hub-and-spoke/) -This step configures the same network resources that the step 3-networks-dual-svpc does, but this time it makes use of the architecture based on the [hub-and-spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) reference network model. +This step configures the same network resources that the step 3-networks-svpc does, but this time it makes use of the architecture based on the [hub-and-spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) reference network model. Usage instructions are available for the networks step in the [README](./3-networks-hub-and-spoke/README.md). @@ -203,35 +198,29 @@ example-organization/ └── fldr-development └── fldr-development-bu1 ├── prj-d-bu1-sample-floating - ├── prj-d-bu1-sample-base - ├── prj-d-bu1-sample-restrict + ├── prj-d-bu1-sample-svpc ├── prj-d-bu1-sample-peering └── fldr-development-bu2 ├── prj-d-bu2-sample-floating - ├── prj-d-bu2-sample-base - ├── prj-d-bu2-sample-restrict + ├── prj-d-bu2-sample-svpc └── prj-d-bu2-sample-peering └── fldr-nonproduction └── fldr-nonproduction-bu1 ├── prj-n-bu1-sample-floating - ├── prj-n-bu1-sample-base - ├── prj-n-bu1-sample-restrict + ├── prj-n-bu1-sample-svpc ├── prj-n-bu1-sample-peering └── fldr-nonproduction-bu2 ├── prj-n-bu2-sample-floating - ├── prj-n-bu2-sample-base - ├── prj-n-bu2-sample-restrict + ├── prj-n-bu2-sample-svpc └── prj-n-bu2-sample-peering └── fldr-production └── fldr-production-bu1 ├── prj-p-bu1-sample-floating - ├── prj-p-bu1-sample-base - ├── prj-p-bu1-sample-restrict + ├── prj-p-bu1-sample-svpc ├── prj-p-bu1-sample-peering └── fldr-production-bu2 ├── prj-p-bu2-sample-floating - ├── prj-p-bu2-sample-base - ├── prj-p-bu2-sample-restrict + ├── prj-p-bu2-sample-svpc └── prj-p-bu2-sample-peering └── fldr-common ├── prj-c-bu1-infra-pipeline 
@@ -265,60 +254,44 @@ example-organization ├── prj-c-bu1-infra-pipeline └── prj-c-bu2-infra-pipeline └── fldr-network - ├── prj-net-hub-base - ├── prj-net-hub-restricted + ├── prj-net-hub-svpc ├── prj-net-dns ├── prj-net-interconnect - ├── prj-d-shared-base - ├── prj-d-shared-restricted - ├── prj-n-shared-base - ├── prj-n-shared-restricted - ├── prj-p-shared-base - └── prj-p-shared-restricted + ├── prj-d-svpc + ├── prj-n-svpc + └── prj-p-svpc └── fldr-development ├── prj-d-kms └── prj-d-secrets └── fldr-development-bu1 - ├── prj-d-bu1-sample-floating - ├── prj-d-bu1-sample-base - ├── prj-d-bu1-sample-restrict + ├── prj-d-bu1-sample-svpc ├── prj-d-bu1-sample-peering └── fldr-development-bu2 - ├── prj-d-bu2-sample-floating - ├── prj-d-bu2-sample-base - ├── prj-d-bu2-sample-restrict + ├── prj-d-bu2-sample-svpc └── prj-d-bu2-sample-peering └── fldr-nonproduction ├── prj-n-kms └── prj-n-secrets └── fldr-nonproduction-bu1 - ├── prj-n-bu1-sample-floating - ├── prj-n-bu1-sample-base - ├── prj-n-bu1-sample-restrict + ├── prj-n-bu1-sample-svpc ├── prj-n-bu1-sample-peering └── fldr-nonproduction-bu2 - ├── prj-n-bu2-sample-floating - ├── prj-n-bu2-sample-base - ├── prj-n-bu2-sample-restrict + ├── prj-n-bu2-sample-svpc └── prj-n-bu2-sample-peering └── fldr-production ├── prj-p-kms └── prj-p-secrets └── fldr-production-bu1 - ├── prj-p-bu1-sample-floating - ├── prj-p-bu1-sample-base - ├── prj-p-bu1-sample-restrict + ├── prj-p-bu1-sample-svpc ├── prj-p-bu1-sample-peering └── fldr-production-bu2 - ├── prj-p-bu2-sample-floating - ├── prj-p-bu2-sample-base - ├── prj-p-bu2-sample-restrict + ├── prj-p-bu2-sample-svpc └── prj-p-bu2-sample-peering └── fldr-bootstrap ├── prj-b-cicd 
@@ -350,7 +323,7 @@ Some variables used to deploy the steps have default values, check those **befor - Step 0-bootstrap: If you are using Cloud Build in the [CI/CD Pipeline](/docs/GLOSSARY.md#foundation-cicd-pipeline), check the main [README](./0-bootstrap/README.md#Inputs) of the step. If you are using Jenkins, check the [README](./0-bootstrap/modules/jenkins-agent/README.md#Inputs) of the module `jenkins-agent`. - Step 1-org: The [README](./1-org/envs/shared/README.md#Inputs) of the environment `shared`. - Step 2-environments: The READMEs of the environments [development](./2-environments/envs/development/README.md#Inputs), [nonproduction](./2-environments/envs/nonproduction/README.md#Inputs), and [production](./2-environments/envs/production/README.md#Inputs) -- Step 3-networks-dual-svpc: The READMEs of the environments [shared](./3-networks-dual-svpc/envs/shared/README.md#inputs), [development](./3-networks-dual-svpc/envs/development/README.md#Inputs), [nonproduction](./3-networks/envs/nonproduction/README.md#Inputs), and [production](./3-networks/envs/production/README.md#Inputs) +- Step 3-networks-svpc: The READMEs of the environments [shared](./3-networks-svpc/envs/shared/README.md#inputs), [development](./3-networks-svpc/envs/development/README.md#Inputs), [nonproduction](./3-networks/envs/nonproduction/README.md#Inputs), and [production](./3-networks/envs/production/README.md#Inputs) - Step 3-networks-hub-and-spoke: The READMEs of the environments [shared](./3-networks-hub-and-spoke/envs/shared/README.md#inputs), [development](./3-networks-hub-and-spoke/envs/development/README.md#Inputs), [nonproduction](./3-networks/envs/nonproduction/README.md#Inputs), and [production](./3-networks/envs/production/README.md#Inputs) - Step 4-projects: The READMEs of the environments [shared](./4-projects/business_unit_1/shared/README.md#inputs), [development](./4-projects/business_unit_1/development/README.md#Inputs), 
[nonproduction](./4-projects/business_unit_1/nonproduction/README.md#Inputs), and [production](./4-projects/business_unit_1/production/README.md#Inputs) diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 06b359d76..52584d045 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -246,7 +246,7 @@ Details: **Cause:** -In a deploy using the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode, an error occurs when adding the network peering between the restricted Hub network and the restricted Spoke network or the base Hub network and the base Spoke network due to too many peering operations. +In a deploy using the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode, an error occurs when adding the network peering between the Hub network and the Spoke network due to too many peering operations. **Solution:** @@ -258,7 +258,7 @@ This is a transient error and the deploy can be retried. Wait for at least a min **Error message:** ```text -Error 400: Unknown project id: 'prj---sample-base-', invalid +Error 400: Unknown project id: 'prj---svpc-', invalid ``` **Cause:** 
@@ -273,7 +273,7 @@ You will need to mark some Terraform resources as **tainted** in order to trigge 1. In a terminal, navigate to the path where the error is being reported. - For example, if the unknown project ID is `prj-bu1-p-sample-base-shared`, you should go to ./gcp-projects/business_unit_1/production (`business_unit_1` due to `bu1` and `production` due to `p`, see [naming conventions](https://cloud.google.com/architecture/security-foundations/using-example-terraform#naming_conventions) for more information on the projects naming guideline). + For example, if the unknown project ID is `prj-bu1-p-svpc`, you should go to ./gcp-projects/business_unit_1/production (`business_unit_1` due to `bu1` and `production` due to `p`, see [naming conventions](https://cloud.google.com/architecture/security-foundations/using-example-terraform#naming_conventions) for more information on the projects naming guideline). ```bash cd ./gcp-projects// diff --git a/helpers/foundation-deployer/README.md b/helpers/foundation-deployer/README.md index 6c5cc1048..c5a9b042c 100644 --- a/helpers/foundation-deployer/README.md +++ b/helpers/foundation-deployer/README.md 
@@ -97,7 +97,7 @@ Version 1.5.7 is the last version before the license model change. To use a late - [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md) - [1-org](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md) - [2-environments](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/2-environments/README.md) - - [3-networks-dual-svpc](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-dual-svpc) + - [3-networks-svpc](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-svpc) - [3-networks-hub-and-spoke](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-hub-and-spoke) - [4-projects](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects) - [5-app-infra](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/5-app-infra) 
@@ -106,8 +106,8 @@ Version 1.5.7 is the last version before the license model change. To use a late By default the foundation regional resources are deployed in `us-west1` and `us-central1` regions and multi-regional resources are deployed in the `US` multi-region. -In addition to the variables declared in the file `global.tfvars` for configuring location, there are two locals, `default_region1` and `default_region2`, in each one of the environments (`production`, `nonproduction`, and `development`) in the network steps (`3-networks-dual-svpc` and `3-networks-hub-and-spoke`). -They are located in the [main.tf](../../3-networks-dual-svpc/envs/production/main.tf#L20-L21) files for each environments. +In addition to the variables declared in the file `global.tfvars` for configuring location, there are two locals, `default_region1` and `default_region2`, in each one of the environments (`production`, `nonproduction`, and `development`) in the network steps (`3-networks-svpc` and `3-networks-hub-and-spoke`). +They are located in the [main.tf](../../3-networks-svpc/envs/production/main.tf#L20-L21) files for each environments. Change the two locals **before** starting the deployment to deploy in other regions. **Note:** the region used for the variable `default_region` in the file `global.tfvars` **MUST** be one of the regions used for the `default_region1` and `default_region2` locals. diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example index 352408781..f6e77d452 100644 --- a/helpers/foundation-deployer/global.tfvars.example +++ b/helpers/foundation-deployer/global.tfvars.example 
@@ -95,7 +95,7 @@ log_export_storage_location = "US" billing_export_dataset_location = "US" // Choose witch network architecture to use: -// Dual Shared VPC: https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-dual-svpc/README.md +// Shared VPC: https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-svpc/README.md // Hub And Spoke: https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-hub-and-spoke/README.md enable_hub_and_spoke = false diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go index e27639d91..86c569a8b 100644 --- a/helpers/foundation-deployer/stages/data.go +++ b/helpers/foundation-deployer/stages/data.go @@ -39,7 +39,7 @@ const ( OrgStep = "1-org" EnvironmentsStep = "2-environments" HubAndSpokeStep = "3-networks-hub-and-spoke" - DualSvpcStep = "3-networks-dual-svpc" + SvpcStep = "3-networks-svpc" ProjectsStep = "4-projects" AppInfraStep = "5-app-infra" ) @@ -331,5 +331,5 @@ func GetNetworkStep(enableHubAndSpoke bool) string { if enableHubAndSpoke { return HubAndSpokeStep } - return DualSvpcStep + return SvpcStep } diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index bdd22f199..3f5438622 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh @@ -22,7 +22,7 @@ function networks(){ if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then network_dir="3-networks-hub-and-spoke" else - network_dir="3-networks-dual-svpc" + network_dir="3-networks-svpc" # disable production.auto.tfvars in main module # mv $network_dir/envs/production/production.auto.tfvars $network_dir/envs/production/production.auto.tfvars.disabled 
@@ -47,7 +47,7 @@ function shared(){ # disable shared.auto.tfvars in main module mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled else - network_dir="3-networks-dual-svpc" + network_dir="3-networks-svpc" fi # disable access_context.auto.tfvars in main module diff --git a/test/integration/app-infra/app_infra_test.go b/test/integration/app-infra/app_infra_test.go index f3769db52..00d6de448 100644 --- a/test/integration/app-infra/app_infra_test.go +++ b/test/integration/app-infra/app_infra_test.go @@ -63,7 +63,7 @@ func TestAppInfra(t *testing.T) { appInfra := tft.NewTFBlueprintTest(t, tft.WithTFDir(fmt.Sprintf("../../../5-app-infra/business_unit_1/%s", envName)), tft.WithBackendConfig(backendConfig), - tft.WithPolicyLibraryPath("/workspace/policy-library", projects.GetStringOutput("base_shared_vpc_project")), + tft.WithPolicyLibraryPath("/workspace/policy-library", projects.GetStringOutput("shared_vpc_project")), tft.WithVars(vars), ) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index b37a35682..48b401c91 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go 
@@ -44,49 +44,28 @@ func getFirewallMode(t *testing.T) string { if mode == "HubAndSpoke" { return "hub-and-spoke" } - return "dual-svpc" + return "svpc" } -func getNetworkResourceNames(envCode string, networkMode string, firewallMode string) map[string]map[string]string { - return map[string]map[string]string{ - "base": { - "network_name": fmt.Sprintf("vpc-%s-shared-base%s", envCode, networkMode), - "global_address": fmt.Sprintf("ga-%s-shared-base%s-vpc-peering-internal", envCode, networkMode), - "dns_zone_forward": "fz-dns-hub", - "dns_zone_googleapis": fmt.Sprintf("dz-%s-shared-base-apis", envCode), - "dns_zone_gcr": fmt.Sprintf("dz-%s-shared-base-gcr", envCode), - "dns_zone_pkg_dev": fmt.Sprintf("dz-%s-shared-base-pkg-dev", envCode), - "dns_zone_peering_zone": fmt.Sprintf("dz-%s-shared-base-to-dns-hub", envCode), - "dns_policy_name": fmt.Sprintf("dp-%s-shared-base-default-policy", envCode), - "subnet_name1": fmt.Sprintf("sb-%s-shared-base-us-central1", envCode), - "subnet_name2": fmt.Sprintf("sb-%s-shared-base-us-west1", envCode), - "region1_router1": fmt.Sprintf("cr-%s-shared-base%s-us-central1-cr1", envCode, networkMode), - "region1_router2": fmt.Sprintf("cr-%s-shared-base%s-us-central1-cr2", envCode, networkMode), - "region2_router1": fmt.Sprintf("cr-%s-shared-base%s-us-west1-cr3", envCode, networkMode), - "region2_router2": fmt.Sprintf("cr-%s-shared-base%s-us-west1-cr4", envCode, networkMode), - "firewall_policy": fmt.Sprintf("fp-%s-%s-base-firewalls", envCode, firewallMode), - "fw_deny_all_egress": fmt.Sprintf("fw-%s-shared-base-65530-e-d-all-all-all", envCode), - "fw_allow_api_egress": fmt.Sprintf("fw-%s-shared-base-1000-e-a-allow-google-apis-all-tcp-443", envCode), - }, - "restricted": { - "network_name": fmt.Sprintf("vpc-%s-shared-restricted%s", envCode, networkMode), - "global_address": fmt.Sprintf("ga-%s-shared-restricted%s-vpc-peering-internal", envCode, networkMode), - "dns_zone_forward": "fz-dns-hub", - "dns_zone_googleapis": 
fmt.Sprintf("dz-%s-shared-restricted-apis", envCode), - "dns_zone_gcr": fmt.Sprintf("dz-%s-shared-restricted-gcr", envCode), - "dns_zone_pkg_dev": fmt.Sprintf("dz-%s-shared-restricted-pkg-dev", envCode), - "dns_zone_peering_zone": fmt.Sprintf("dz-%s-shared-restricted-to-dns-hub", envCode), - "dns_policy_name": fmt.Sprintf("dp-%s-shared-restricted-default-policy", envCode), - "subnet_name1": fmt.Sprintf("sb-%s-shared-restricted-us-central1", envCode), - "subnet_name2": fmt.Sprintf("sb-%s-shared-restricted-us-west1", envCode), - "region1_router1": fmt.Sprintf("cr-%s-shared-restricted%s-us-central1-cr5", envCode, networkMode), - "region1_router2": fmt.Sprintf("cr-%s-shared-restricted%s-us-central1-cr6", envCode, networkMode), - "region2_router1": fmt.Sprintf("cr-%s-shared-restricted%s-us-west1-cr7", envCode, networkMode), - "region2_router2": fmt.Sprintf("cr-%s-shared-restricted%s-us-west1-cr8", envCode, networkMode), - "firewall_policy": fmt.Sprintf("fp-%s-%s-restricted-firewalls", envCode, firewallMode), - "fw_deny_all_egress": fmt.Sprintf("fw-%s-shared-restricted-65530-e-d-all-all-all", envCode), - "fw_allow_api_egress": fmt.Sprintf("fw-%s-shared-restricted-1000-e-a-allow-google-apis-all-tcp-443", envCode), - }, +func getNetworkResourceNames(envCode string, networkMode string, firewallMode string) map[string]string { + return map[string]string{ + "network_name": fmt.Sprintf("vpc-%s-svpc%s", envCode, networkMode), + "global_address": fmt.Sprintf("ga-%s-svpc%s-vpc-peering-internal", envCode, networkMode), + "dns_zone_forward": "fz-dns-hub", + "dns_zone_googleapis": fmt.Sprintf("dz-%s-svpc-apis", envCode), + "dns_zone_gcr": fmt.Sprintf("dz-%s-svpc-gcr", envCode), + "dns_zone_pkg_dev": fmt.Sprintf("dz-%s-svpc-pkg-dev", envCode), + "dns_zone_peering_zone": fmt.Sprintf("dz-%s-svpc-to-dns-hub", envCode), + "dns_policy_name": fmt.Sprintf("dp-%s-svpc-default-policy", envCode), + "subnet_name1": fmt.Sprintf("sb-%s-svpc-us-central1", envCode), + "subnet_name2": 
fmt.Sprintf("sb-%s-svpc-us-west1", envCode), + "region1_router1": fmt.Sprintf("cr-%s-svpc%s-us-central1-cr5", envCode, networkMode), + "region1_router2": fmt.Sprintf("cr-%s-svpc%s-us-central1-cr6", envCode, networkMode), + "region2_router1": fmt.Sprintf("cr-%s-svpc%s-us-west1-cr7", envCode, networkMode), + "region2_router2": fmt.Sprintf("cr-%s-svpc%s-us-west1-cr8", envCode, networkMode), + "firewall_policy": fmt.Sprintf("fp-%s-%s-firewalls", envCode, firewallMode), + "fw_deny_all_egress": fmt.Sprintf("fw-%s-svpc-65530-e-d-all-all-all", envCode), + "fw_allow_api_egress": fmt.Sprintf("fw-%s-svpc-1000-e-a-allow-google-apis-all-tcp-443", envCode), } } @@ -236,34 +215,16 @@ func TestNetworks(t *testing.T) { "workstations.googleapis.com", } - cidrRanges := map[string]map[string][]string{ - "development": { - "base": []string{"10.0.64.0/18", "10.1.64.0/18"}, - "restricted": []string{"10.8.64.0/18", "10.9.64.0/18"}, - }, - "nonproduction": { - "base": []string{"10.0.128.0/18", "10.1.128.0/18"}, - "restricted": []string{"10.8.128.0/18", "10.9.128.0/18"}, - }, - "production": { - "base": []string{"10.0.192.0/18", "10.1.192.0/18"}, - "restricted": []string{"10.8.192.0/18", "10.9.192.0/18"}, - }, + cidrRanges := map[string][]string{ + "development": []string{"10.8.64.0/18", "10.9.64.0/18"}, + "nonproduction": []string{"10.8.128.0/18", "10.9.128.0/18"}, + "production": []string{"10.8.192.0/18", "10.9.192.0/18"}, } - googleapisCIDR := map[string]map[string]string{ - "development": { - "base": "10.17.0.2", - "restricted": "10.17.0.6", - }, - "nonproduction": { - "base": "10.17.0.3", - "restricted": "10.17.0.7", - }, - "production": { - "base": "10.17.0.4", - "restricted": "10.17.0.8", - }, + googleapisCIDR := map[string]string{ + "development": "10.17.0.6", + "nonproduction": "10.17.0.7", + "production": "10.17.0.8", } ingressPolicies := []map[string]interface{}{ 
@@ -341,7 +302,7 @@ func TestNetworks(t *testing.T) { var tfdDir string if networkMode == "" { - tfdDir = "../../../3-networks-dual-svpc/envs/%s" + tfdDir = "../../../3-networks-svpc/envs/%s" } else { tfdDir = "../../../3-networks-hub-and-spoke/envs/%s" } 
@@ -366,144 +327,138 @@ func TestNetworks(t *testing.T) { // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 // networks.DefaultVerify(assert) - servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name")) + servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("service_perimeter_name")) accessLevel := fmt.Sprintf("accessPolicies/%s/accessLevels/%s", policyID, networks.GetStringOutput("access_level_name_dry_run")) networkNames := getNetworkResourceNames(envCode, networkMode, firewallMode) servicePerimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", servicePerimeterLink, policyID)) assert.NoError(err) - perimeterName := networks.GetStringOutput("restricted_service_perimeter_name") + perimeterName := networks.GetStringOutput("service_perimeter_name") assert.True(strings.Contains(servicePerimeter, perimeterName), fmt.Sprintf("service perimeter %s should exist", perimeterName)) assert.True(strings.Contains(servicePerimeter, accessLevel), fmt.Sprintf("service perimeter %s should have access level %s", servicePerimeterLink, accessLevel)) for _, service := range restrictedServices { assert.True(strings.Contains(servicePerimeter, service), fmt.Sprintf("service perimeter %s should restrict all supported services", servicePerimeterLink)) } - for _, networkType := range []string{ - "base", - "restricted", - } { - projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType)) - - if strings.Contains(projectID, "-p-") && networkMode != "-spoke" { - for _, dnsType := range []string{ - "dns_zone_googleapis", - "dns_zone_gcr", - "dns_zone_pkg_dev", - "dns_zone_forward", - } { - dnsName := networkNames[networkType][dnsType] - dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s 
--impersonate-service-account %s", dnsName, projectID, terraformSA) - assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) - } - } else { - for _, dnsType := range []string{ - "dns_zone_googleapis", - "dns_zone_gcr", - "dns_zone_pkg_dev", - "dns_zone_peering_zone", - } { - dnsName := networkNames[networkType][dnsType] - dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) - assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) - } + projectID := networks.GetStringOutput("shared_vpc_host_project_id") + + if strings.Contains(projectID, "-p-") && networkMode != "-spoke" { + for _, dnsType := range []string{ + "dns_zone_googleapis", + "dns_zone_gcr", + "dns_zone_pkg_dev", + "dns_zone_forward", + } { + dnsName := networkNames[dnsType] + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) + assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) } + } else { + for _, dnsType := range []string{ + "dns_zone_googleapis", + "dns_zone_gcr", + "dns_zone_pkg_dev", + "dns_zone_peering_zone", + } { + dnsName := networkNames[dnsType] + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) + assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) + } + } - networkName := networkNames[networkType]["network_name"] - networkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName) - dnsPolicyName := networkNames[networkType]["dns_policy_name"] - dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s --impersonate-service-account %s", dnsPolicyName, projectID, terraformSA) - 
assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) - assert.Equal(networkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) - - //compute networks describe %s --project %s - projectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s --impersonate-service-account %s", networkName, projectID, terraformSA) - assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) - - //gcloud compute addresses describe NAME --global - globalAddressName := networkNames[networkType]["global_address"] - globalAddress := gcloud.Runf(t, "compute addresses describe %s --global --project %s --impersonate-service-account %s", globalAddressName, projectID, terraformSA) - assert.Equal(globalAddressName, globalAddress.Get("name").String(), fmt.Sprintf("global address %s should exist", globalAddressName)) - - subnetName1 := networkNames[networkType]["subnet_name1"] - usCentral1Range := cidrRanges[envName][networkType][0] - subnet1 := gcloud.Runf(t, "compute networks subnets describe %s --region us-central1 --project %s --impersonate-service-account %s", subnetName1, projectID, terraformSA) - assert.Equal(subnetName1, subnet1.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnetName1)) - assert.Equal(usCentral1Range, subnet1.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", usCentral1Range)) - - subnetName2 := networkNames[networkType]["subnet_name2"] - usWest1Range := cidrRanges[envName][networkType][1] - subnet2 := gcloud.Runf(t, "compute networks subnets describe %s --region us-west1 --project %s --impersonate-service-account %s", subnetName2, projectID, terraformSA) - assert.Equal(subnetName2, subnet2.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnetName2)) - assert.Equal(usWest1Range, 
subnet2.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", usWest1Range)) - - denyAllEgressName := networkNames[networkType]["fw_deny_all_egress"] - denyAllEgressRule := gcloud.Runf(t, "compute network-firewall-policies rules describe 65530 --firewall-policy %s --global-firewall-policy --project %s --impersonate-service-account %s", networkNames[networkType]["firewall_policy"], projectID, terraformSA).Array()[0] - assert.Equal(denyAllEgressName, denyAllEgressRule.Get("ruleName").String(), fmt.Sprintf("firewall rule %s should exist", denyAllEgressName)) - assert.Equal("EGRESS", denyAllEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", denyAllEgressName)) - assert.Equal("deny", denyAllEgressRule.Get("action").String(), fmt.Sprintf("firewall rule %s action should be deny", denyAllEgressName)) - assert.True(denyAllEgressRule.Get("enableLogging").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", denyAllEgressName)) - assert.Equal("0.0.0.0/0", denyAllEgressRule.Get("match.destIpRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be 0.0.0.0/0", denyAllEgressName)) - - allowApiEgressName := networkNames[networkType]["fw_allow_api_egress"] - allowApiEgressRule := gcloud.Runf(t, "compute network-firewall-policies rules describe 1000 --firewall-policy %s --global-firewall-policy --project %s --impersonate-service-account %s", networkNames[networkType]["firewall_policy"], projectID, terraformSA).Array()[0] - assert.Equal(allowApiEgressName, allowApiEgressRule.Get("ruleName").String(), fmt.Sprintf("firewall rule %s should exist", allowApiEgressName)) - assert.Equal("EGRESS", allowApiEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", allowApiEgressName)) - assert.Equal("allow", allowApiEgressRule.Get("action").String(), fmt.Sprintf("firewall rule %s action should be allow", allowApiEgressName)) - 
assert.True(allowApiEgressRule.Get("enableLogging").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", allowApiEgressName)) - assert.Equal(googleapisCIDR[envName][networkType], allowApiEgressRule.Get("match.destIpRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be %s", allowApiEgressName, googleapisCIDR[envName][networkType])) - - if networkMode == "" { - for _, router := range []struct { - router string - region string - }{ - { - router: "region1_router1", - region: "us-central1", - }, - { - router: "region1_router2", - region: "us-central1", - }, - { - router: "region2_router1", - region: "us-west1", - }, - { - router: "region2_router2", - region: "us-west1", - }, - } { - - routerName := networkNames[networkType][router.router] - bgpAdvertisedIpRange := "35.199.192.0/19" - computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s --impersonate-service-account %s", routerName, router.region, projectID, terraformSA) - networkSelfLink := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkNames[networkType]["network_name"]) - assert.Equal(routerName, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", routerName)) - assert.Equal("64514", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", routerName)) - assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network %s", routerName, networkNames[networkType]["network_name"])) - assert.Contains(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.1.range").String(), fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType])) - - if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { - advertisedIpRanges := computeRouter.Get("bgp.advertisedIpRanges").Array() - found := false - for _, ipRange := 
range advertisedIpRanges { - if ipRange.Get("range").String() == bgpAdvertisedIpRange { - found = true - break - } + networkName := networkNames["network_name"] + networkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName) + dnsPolicyName := networkNames["dns_policy_name"] + dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s --impersonate-service-account %s", dnsPolicyName, projectID, terraformSA) + assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) + assert.Equal(networkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) + + //compute networks describe %s --project %s + projectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s --impersonate-service-account %s", networkName, projectID, terraformSA) + assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) + + //gcloud compute addresses describe NAME --global + globalAddressName := networkNames["global_address"] + globalAddress := gcloud.Runf(t, "compute addresses describe %s --global --project %s --impersonate-service-account %s", globalAddressName, projectID, terraformSA) + assert.Equal(globalAddressName, globalAddress.Get("name").String(), fmt.Sprintf("global address %s should exist", globalAddressName)) + + subnetName1 := networkNames["subnet_name1"] + usCentral1Range := cidrRanges[envName][0] + subnet1 := gcloud.Runf(t, "compute networks subnets describe %s --region us-central1 --project %s --impersonate-service-account %s", subnetName1, projectID, terraformSA) + assert.Equal(subnetName1, subnet1.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnetName1)) + assert.Equal(usCentral1Range, subnet1.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", 
usCentral1Range)) + + subnetName2 := networkNames["subnet_name2"] + usWest1Range := cidrRanges[envName][1] + subnet2 := gcloud.Runf(t, "compute networks subnets describe %s --region us-west1 --project %s --impersonate-service-account %s", subnetName2, projectID, terraformSA) + assert.Equal(subnetName2, subnet2.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnetName2)) + assert.Equal(usWest1Range, subnet2.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", usWest1Range)) + + denyAllEgressName := networkNames["fw_deny_all_egress"] + denyAllEgressRule := gcloud.Runf(t, "compute network-firewall-policies rules describe 65530 --firewall-policy %s --global-firewall-policy --project %s --impersonate-service-account %s", networkNames["firewall_policy"], projectID, terraformSA).Array()[0] + assert.Equal(denyAllEgressName, denyAllEgressRule.Get("ruleName").String(), fmt.Sprintf("firewall rule %s should exist", denyAllEgressName)) + assert.Equal("EGRESS", denyAllEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", denyAllEgressName)) + assert.Equal("deny", denyAllEgressRule.Get("action").String(), fmt.Sprintf("firewall rule %s action should be deny", denyAllEgressName)) + assert.True(denyAllEgressRule.Get("enableLogging").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", denyAllEgressName)) + assert.Equal("0.0.0.0/0", denyAllEgressRule.Get("match.destIpRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be 0.0.0.0/0", denyAllEgressName)) + + allowApiEgressName := networkNames["fw_allow_api_egress"] + allowApiEgressRule := gcloud.Runf(t, "compute network-firewall-policies rules describe 1000 --firewall-policy %s --global-firewall-policy --project %s --impersonate-service-account %s", networkNames["firewall_policy"], projectID, terraformSA).Array()[0] + assert.Equal(allowApiEgressName, allowApiEgressRule.Get("ruleName").String(), 
fmt.Sprintf("firewall rule %s should exist", allowApiEgressName)) + assert.Equal("EGRESS", allowApiEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", allowApiEgressName)) + assert.Equal("allow", allowApiEgressRule.Get("action").String(), fmt.Sprintf("firewall rule %s action should be allow", allowApiEgressName)) + assert.True(allowApiEgressRule.Get("enableLogging").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", allowApiEgressName)) + assert.Equal(googleapisCIDR[envName], allowApiEgressRule.Get("match.destIpRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be %s", allowApiEgressName, googleapisCIDR[envName])) + + if networkMode == "" { + for _, router := range []struct { + router string + region string + }{ + { + router: "region1_router1", + region: "us-central1", + }, + { + router: "region1_router2", + region: "us-central1", + }, + { + router: "region2_router1", + region: "us-west1", + }, + { + router: "region2_router2", + region: "us-west1", + }, + } { + + routerName := networkNames[router.router] + bgpAdvertisedIpRange := "35.199.192.0/19" + computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s --impersonate-service-account %s", routerName, router.region, projectID, terraformSA) + networkSelfLink := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkNames["network_name"]) + assert.Equal(routerName, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", routerName)) + assert.Equal("64514", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", routerName)) + assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network %s", routerName, networkNames["network_name"])) + assert.Contains(googleapisCIDR[envName], computeRouter.Get("bgp.advertisedIpRanges.1.range").String(), 
fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName])) + + if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { + advertisedIpRanges := computeRouter.Get("bgp.advertisedIpRanges").Array() + found := false + for _, ipRange := range advertisedIpRanges { + if ipRange.Get("range").String() == bgpAdvertisedIpRange { + found = true + break } - assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange)) - assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType])) } - + assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange)) + assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName])) } + } } }) networks.Test() }) - } } diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go index 7cae2023e..31a913f64 100644 --- a/test/integration/org/org_test.go +++ b/test/integration/org/org_test.go @@ -382,8 +382,7 @@ func TestOrg(t *testing.T) { require.NoError(t, err) if enable_hub_and_spoke { for _, hubAndSpokeProjectOutput := range []string{ - "base_net_hub_project_id", - "restricted_net_hub_project_id", + "net_hub_project_id", } { projectID := org.GetStringOutput(hubAndSpokeProjectOutput) gcOps := gcloud.WithCommonArgs([]string{"--filter", fmt.Sprintf("projectId:%s", projectID), "--format", "json"}) @@ -462,18 +461,7 @@ func TestOrg(t *testing.T) { apis []string }{ { - projectOutput: "base_shared_vpc_project_id", - apis: []string{ - "compute.googleapis.com", - "dns.googleapis.com", - "servicenetworking.googleapis.com", - "container.googleapis.com", - "logging.googleapis.com", - "billingbudgets.googleapis.com", - }, - }, - { - projectOutput: "restricted_shared_vpc_project_id", + projectOutput: "shared_vpc_project_id", apis: []string{ "compute.googleapis.com", "dns.googleapis.com", 
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go index f630045d5..def083e8d 100644 --- a/test/integration/projects/projects_test.go +++ b/test/integration/projects/projects_test.go @@ -74,29 +74,25 @@ func TestProjects(t *testing.T) { name string repo string baseDir string - baseNetwork string - restrictedNetwork string + sharedNetwork string }{ { name: "bu1_development", repo: "bu1-example-app", baseDir: "../../../4-projects/business_unit_1/%s", - baseNetwork: fmt.Sprintf("vpc-d-shared-base%s", networkMode), - restrictedNetwork: fmt.Sprintf("vpc-d-shared-restricted%s", networkMode), + sharedNetwork: fmt.Sprintf("vpc-d-svpc%s", networkMode), }, { name: "bu1_nonproduction", repo: "bu1-example-app", baseDir: "../../../4-projects/business_unit_1/%s", - baseNetwork: fmt.Sprintf("vpc-n-shared-base%s", networkMode), - restrictedNetwork: fmt.Sprintf("vpc-n-shared-restricted%s", networkMode), + sharedNetwork: fmt.Sprintf("vpc-n-svpc%s", networkMode), }, { name: "bu1_production", repo: "bu1-example-app", baseDir: "../../../4-projects/business_unit_1/%s", - baseNetwork: fmt.Sprintf("vpc-p-shared-base%s", networkMode), - restrictedNetwork: fmt.Sprintf("vpc-p-shared-restricted%s", networkMode), + sharedNetwork: fmt.Sprintf("vpc-p-svpc%s", networkMode), }, } { tt := tt @@ -111,7 +107,7 @@ func TestProjects(t *testing.T) { // networks created to retrieve output from the network step for this environment var networkTFDir string if networkMode == "" { - networkTFDir = "../../../3-networks-dual-svpc/envs/%s" + networkTFDir = "../../../3-networks-svpc/envs/%s" } else { networkTFDir = "../../../3-networks-hub-and-spoke/envs/%s" } 
@@ -120,7 +116,7 @@ func TestProjects(t *testing.T) { tft.WithTFDir(fmt.Sprintf(networkTFDir, env)), tft.WithVars(netVars), ) - perimeterName := networks.GetStringOutput("restricted_service_perimeter_name") + perimeterName := networks.GetStringOutput("service_perimeter_name") shared := tft.NewTFBlueprintTest(t, tft.WithTFDir(fmt.Sprintf(tt.baseDir, "shared")), 
@@ -145,57 +141,35 @@ func TestProjects(t *testing.T) { func(assert *assert.Assertions) { for _, projectOutput := range []string{ - "base_shared_vpc_project", "floating_project", "peering_project", - "restricted_shared_vpc_project", + "shared_vpc_project", } { projectID := projects.GetStringOutput(projectOutput) prj := gcloud.Runf(t, "projects describe %s", projectID) assert.Equal("ACTIVE", prj.Get("lifecycleState").String(), fmt.Sprintf("project %s should be ACTIVE", projectID)) - if projectOutput == "restricted_shared_vpc_project" { + if projectOutput == "shared_vpc_project" { enabledAPIS := gcloud.Runf(t, "services list --project %s --impersonate-service-account %s", projectID, terraformSA).Array() listApis := testutils.GetResultFieldStrSlice(enabledAPIS, "config.name") assert.Subset(listApis, restrictedApisEnabled, "APIs should have been enabled") - restrictedProjectNumber := projects.GetStringOutput("restricted_shared_vpc_project_number") + sharedProjectNumber := projects.GetStringOutput("shared_vpc_project_number") perimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", perimeterName, policyID)) assert.NoError(err) - assert.True(strings.Contains(perimeter, restrictedProjectNumber), fmt.Sprintf("dry-run service perimeter %s should contain project %s", perimeterName, restrictedProjectNumber)) + assert.True(strings.Contains(perimeter, sharedProjectNumber), fmt.Sprintf("dry-run service perimeter %s should contain project %s", perimeterName, sharedProjectNumber)) sharedVPC := gcloud.Runf(t, "compute shared-vpc get-host-project %s --impersonate-service-account %s", projectID, terraformSA) assert.NotEmpty(sharedVPC.Map()) hostProjectID := sharedVPC.Get("name").String() hostProject := gcloud.Runf(t, "projects describe %s --impersonate-service-account %s", hostProjectID, terraformSA) - assert.Equal("restricted-shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have 
application_name label equals to base-shared-vpc-host") + assert.Equal("shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to shared-vpc-host") assert.Equal(env, hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env)) hostNetwork := gcloud.Runf(t, "compute networks list --project %s --impersonate-service-account %s", hostProjectID, terraformSA).Array()[0] - assert.Equal(tt.restrictedNetwork, hostNetwork.Get("name").String(), "should have a shared vpc") - - } - - if projectOutput == "base_shared_vpc_project" { - - iamFilter := fmt.Sprintf("bindings.members:'serviceAccount:%s'", sharedCloudBuildSA) - iamOpts := gcloud.WithCommonArgs([]string{"--flatten", "bindings", "--filter", iamFilter, "--format", "json"}) - projectPolicy := gcloud.Run(t, fmt.Sprintf("projects get-iam-policy %s", projectID), iamOpts).Array() - listRoles := testutils.GetResultFieldStrSlice(projectPolicy, "bindings.role") - assert.Subset(listRoles, project_sa_roles, fmt.Sprintf("service account %s should have project level roles", sharedCloudBuildSA)) - - sharedVPC := gcloud.Runf(t, "compute shared-vpc get-host-project %s", projectID) - assert.NotEmpty(sharedVPC.Map()) - - hostProjectID := sharedVPC.Get("name").String() - hostProject := gcloud.Runf(t, "projects describe %s", hostProjectID) - assert.Equal("base-shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to base-shared-vpc-host") - assert.Equal(env, hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env)) - - hostNetwork := gcloud.Runf(t, "compute networks list --project %s", hostProjectID).Array()[0] - assert.Equal(tt.baseNetwork, hostNetwork.Get("name").String(), "should have a shared vpc") + assert.Equal(tt.sharedNetwork, hostNetwork.Get("name").String(), "should have a shared vpc") } 
@@ -214,7 +188,7 @@ func TestProjects(t *testing.T) { assert.Subset(listRoles, peeringProjectSaRoles, fmt.Sprintf("service account %s should have project level roles", sharedCloudBuildSA)) peering := gcloud.Runf(t, "compute networks peerings list --project %s", projectID).Array()[0] - assert.Contains(peering.Get("peerings.0.network").String(), tt.baseNetwork, "should have a peering network") + assert.Contains(peering.Get("peerings.0.network").String(), tt.sharedNetwork, "should have a peering network") instanceRegion := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["default_region"] peeringSubnetworkSelfLink := projects.GetStringOutput("peering_subnetwork_self_link") diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index 6f7d21f9d..1b1a73016 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go @@ -62,7 +62,7 @@ func TestShared(t *testing.T) { vars["perimeter_additional_members"] = []string{} tfdDir = "../../../3-networks-hub-and-spoke/envs/shared" } else { - tfdDir = "../../../3-networks-dual-svpc/envs/shared" + tfdDir = "../../../3-networks-svpc/envs/shared" } shared := tft.NewTFBlueprintTest(t, 
@@ -89,20 +89,20 @@ func TestShared(t *testing.T) { dnsFwZoneName := "fz-dns-hub" bgpAdvertisedIpRange := "35.199.192.0/19" - baseProjectID := shared.GetStringOutput("base_host_project_id") - baseNetworkName := shared.GetStringOutput("base_network_name") - baseDNSPolicyName := shared.GetStringOutput("base_dns_policy") - baseDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", baseProjectID, baseNetworkName) + projectID := shared.GetStringOutput("shared_vpc_host_project_id") + networkName := shared.GetStringOutput("network_name") + DNSPolicyName := shared.GetStringOutput("dns_policy") + sharedDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName) - baseDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", baseDNSPolicyName, baseProjectID) /////// - assert.True(baseDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", baseDNSPolicyName)) - assert.Equal(baseDNSHubNetworkUrl, baseDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", baseDNSPolicyName, baseNetworkName)) + DNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", DNSPolicyName, projectID) + assert.True(DNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", DNSPolicyName)) + assert.Equal(sharedDNSHubNetworkUrl, DNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", DNSPolicyName, networkName)) - baseDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, baseProjectID) - assert.Equal(dnsFwZoneName, baseDNSZone.Get("name").String(), fmt.Sprintf("baseDNSZone %s should exist", dnsFwZoneName)) // + sharedDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, projectID) + 
assert.Equal(dnsFwZoneName, sharedDNSZone.Get("name").String(), fmt.Sprintf("sharedDNSZone %s should exist", dnsFwZoneName)) - baseProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", baseNetworkName, baseProjectID) - assert.Equal(baseNetworkName, baseProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", baseNetworkName)) + sharedProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", networkName, projectID) + assert.Equal(networkName, sharedProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) for _, subnet := range []struct { name string 
@@ -110,83 +110,19 @@ func TestShared(t *testing.T) { region string }{ { - name: "sb-c-shared-base-hub-us-west1", - cidrRange: "10.1.0.0/18", - region: "us-west1", - }, - { - name: "sb-c-shared-base-hub-us-central1", - cidrRange: "10.0.0.0/18", - region: "us-central1", - }, - } { - baseSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, baseProjectID) - assert.Equal(subnet.name, baseSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) - assert.Equal(subnet.cidrRange, baseSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) - } - - for _, router := range []struct { - name string - region string - }{ - { - name: "cr-c-shared-base-hub-us-central1-cr1", - region: "us-central1", - }, - { - name: "cr-c-shared-base-hub-us-central1-cr2", - region: "us-central1", - }, - { - name: "cr-c-shared-base-hub-us-west1-cr3", - region: "us-west1", - }, - { - name: "cr-c-shared-base-hub-us-west1-cr4", - region: "us-west1", - }, - } { - baseComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, baseProjectID) - assert.Equal(router.name, baseComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64514", baseComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) - assert.Equal(bgpAdvertisedIpRange, baseComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(baseDNSHubNetworkUrl, baseComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-base-hub", router.name)) - } - - restrictedProjectID := shared.GetStringOutput("restricted_host_project_id") - restrictedNetworkName := shared.GetStringOutput("restricted_network_name") - restrictedDNSPolicyName := 
shared.GetStringOutput("restricted_dns_policy") - restrictedDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", restrictedProjectID, restrictedNetworkName) - - restrictedDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", restrictedDNSPolicyName, restrictedProjectID) - assert.True(restrictedDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", restrictedDNSPolicyName)) - assert.Equal(restrictedDNSHubNetworkUrl, restrictedDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", restrictedDNSPolicyName, restrictedNetworkName)) - - restrictedDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, restrictedProjectID) - assert.Equal(dnsFwZoneName, restrictedDNSZone.Get("name").String(), fmt.Sprintf("restrictedDNSZone %s should exist", dnsFwZoneName)) - - restrictedProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", restrictedNetworkName, restrictedProjectID) - assert.Equal(restrictedNetworkName, restrictedProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", restrictedNetworkName)) - - for _, subnet := range []struct { - name string - cidrRange string - region string - }{ - { - name: "sb-c-shared-restricted-hub-us-west1", + name: "sb-c-svpc-hub-us-west1", cidrRange: "10.9.0.0/18", region: "us-west1", }, { - name: "sb-c-shared-restricted-hub-us-central1", + name: "sb-c-svpc-hub-us-central1", cidrRange: "10.8.0.0/18", region: "us-central1", }, } { - restrictedSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, restrictedProjectID) - assert.Equal(subnet.name, restrictedSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) - assert.Equal(subnet.cidrRange, restrictedSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s 
should be", subnet.cidrRange)) + sharedSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, projectID) + assert.Equal(subnet.name, sharedSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, sharedSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) } for _, router := range []struct { 
@@ -194,27 +130,27 @@ func TestShared(t *testing.T) { region string }{ { - name: "cr-c-shared-restricted-hub-us-central1-cr5", + name: "cr-c-svpc-hub-us-central1-cr5", region: "us-central1", }, { - name: "cr-c-shared-restricted-hub-us-central1-cr6", + name: "cr-c-svpc-hub-us-central1-cr6", region: "us-central1", }, { - name: "cr-c-shared-restricted-hub-us-west1-cr7", + name: "cr-c-svpc-hub-us-west1-cr7", region: "us-west1", }, { - name: "cr-c-shared-restricted-hub-us-west1-cr8", + name: "cr-c-svpc-hub-us-west1-cr8", region: "us-west1", }, } { - restrictedComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, restrictedProjectID) - assert.Equal(router.name, restrictedComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64514", restrictedComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) - assert.Equal(bgpAdvertisedIpRange, restrictedComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(restrictedDNSHubNetworkUrl, restrictedComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-restricted-hub", router.name)) + sharedComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, projectID) + assert.Equal(router.name, sharedComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64514", sharedComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) + assert.Equal(bgpAdvertisedIpRange, sharedComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(sharedDNSHubNetworkUrl, sharedComputeRouter.Get("network").String(), 
fmt.Sprintf("router %s should be on network vpc-c-svpc-hub", router.name)) } } }) diff --git a/test/restore_tf_files.sh b/test/restore_tf_files.sh index 74d530c13..c089f459c 100644 --- a/test/restore_tf_files.sh +++ b/test/restore_tf_files.sh @@ -64,7 +64,7 @@ function shared(){ # restore shared.auto.tfvars in main module mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars else - network_dir="3-networks-dual-svpc" + network_dir="3-networks-svpc" fi # restore backend configs in main module
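Review bot: in the router loop of the networks test hunk, the second `assert.True(found, ...)` repeats the first with a misleading message: `found` is only set when an advertised range equals `bgpAdvertisedIpRange` (35.199.192.0/19), so the line `assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName]))` can never report a missing googleapis range. Drop it, or give it its own search over `advertisedIpRanges` for `googleapisCIDR[envName]`. The positional `computeRouter.Get("bgp.advertisedIpRanges.1.range")` lookup a few lines above depends on the order the API returns the ranges and would be more robust as the same membership search. Minor: the scratch comments `//compute networks describe %s --project %s` and `//gcloud compute addresses describe NAME --global` should be removed or made descriptive, `should have bgp asm 64514` should read `asn`, and the `fmt.Sprintf("IP CIDR range %s should be", usCentral1Range)` messages are cut off before the expected value.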
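Review bot: the consolidated `shared_vpc_project` branch in projects_test.go drops an IAM check that the deleted `base_shared_vpc_project` branch carried: the `projects get-iam-policy` call with the `bindings.members:'serviceAccount:%s'` filter and `assert.Subset(listRoles, project_sa_roles, ...)` is not re-added, so after this change nothing verifies that `sharedCloudBuildSA` holds `project_sa_roles` on the shared VPC project (the peering project keeps its equivalent `peeringProjectSaRoles` check in the following hunk). Either port those lines into the `if projectOutput == "shared_vpc_project"` block or state in the commit message why the check is no longer needed. Style: `restrictedApisEnabled` in the same block still carries the old `restricted` name and should follow the rename, and the message `host project should have application_name label equals to shared-vpc-host` reads better as `equal to`.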
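Review bot: style point in the first shared_test.go hunk: the new locals `DNSPolicyName` and `DNSPolicy` start with a capital letter, which in Go reads as exported; the neighbouring locals (`projectID`, `networkName`, `dnsFwZoneName`, `sharedDNSHubNetworkUrl`) use lowerCamel, so rename them to `dnsPolicyName` and `dnsPolicy`. Removing the stray `///////` and `//` trailing comments from the old lines is welcome.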
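Review bot: in the shared_test.go subnet and router hunks the surviving hub resources are the former restricted-hub ones under new names (`sb-c-svpc-hub-*` with 10.8.0.0/18 and 10.9.0.0/18, routers `cr5` to `cr8`), while the base-hub entries (10.0.0.0/18, 10.1.0.0/18, `cr1` to `cr4`) are deleted without replacement. Please confirm the network module was renamed the same way, since router suffixes starting at `cr5` look like a leftover of the two-hub layout, and consider replacing the positional `sharedComputeRouter.Get("bgp.advertisedIpRanges.0.range")` comparison with a membership search over `bgp.advertisedIpRanges`, as done in networks_test.go, so the assertion does not depend on the order of advertised ranges.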
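Review bot: not introduced by this change, but the `mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars` context line in the restore_tf_files.sh hunk uses unquoted `$network_dir`; the assigned values are fixed literals such as `3-networks-svpc`, so it is safe today, but quoting `"$network_dir"` keeps the script shellcheck-clean while you are touching this function.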