From 7f3dbcfe88ae773564c7c65c10ade9df0905391b Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 1 Nov 2024 17:58:15 -0300 Subject: [PATCH 01/47] DNS Refactory for hub-and-spoke --- .../envs/shared/dns-hub.tf | 4 ++-- .../envs/shared/interconnect.tf.example | 2 +- .../shared/partner_interconnect.tf.example | 2 +- .../modules/base_shared_vpc/dns.tf | 22 +++++++++++++++++++ .../modules/base_shared_vpc/main.tf | 20 +++++++++++++---- .../modules/restricted_shared_vpc/dns.tf | 22 +++++++++++++++++++ .../modules/restricted_shared_vpc/main.tf | 20 +++++++++++++---- 7 files changed, 80 insertions(+), 12 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf index 6f3dc2d96..fa0f2086f 100644 --- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf +++ b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf @@ -18,7 +18,7 @@ DNS Hub VPC *****************************************/ -module "dns_hub_vpc" { +module "dns_hub_vpc" { ///cria rede vpc source = "terraform-google-modules/network/google" version = "~> 9.0" @@ -99,7 +99,7 @@ module "dns-forwarding-zone" { Routers to advertise DNS proxy range "35.199.192.0/19" *********************************************************/ -module "dns_hub_region1_router1" { +module "dns_hub_region1_router1" { //roteadores bgp source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index 9151fa3fa..c32138f62 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example @@ -17,7 +17,7 @@ module "dns_hub_interconnect" { source = "../../modules/dedicated_interconnect" - vpc_name = "net-dns" + vpc_name = "vpc-net-dns" interconnect_project_id = local.dns_hub_project_id region1 = local.default_region1 
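Review bot: The comments added on the `module "dns_hub_vpc"` and `module "dns_hub_region1_router1"` lines (`///cria rede vpc`, `//roteadores bgp`) are in Portuguese, the first uses a triple slash, and neither matches the English `/** ... */` banner style of this file. The section banners directly above each block already state the same thing, so either drop them or restate them in the file's style, e.g. `# Creates the DNS hub VPC.` and `# BGP routers advertising the DNS proxy range.`.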
diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example index c85b39594..1c8c5ab82 100644 --- a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example @@ -18,7 +18,7 @@ module "dns_hub_interconnect" { source = "../../modules/partner_interconnect" - vpc_name = "net-dns" + vpc_name = "vpc-net-dns" attachment_project_id = local.dns_hub_project_id preactivate = var.preactivate_partner_interconnect diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index 99a7db603..37bbdc6f3 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -40,6 +40,8 @@ module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = local.mode == "spoke" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-base-to-dns-hub" @@ -51,3 +53,23 @@ module "peering_zone" { ] target_network = data.google_compute_network.vpc_dns_hub.self_link } + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns-forwarding-zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = var.mode != "spoke" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.dns_hub_vpc.network_self_link + ] + target_name_server_addresses = data.google_compute_network.vpc_dns_hub.self_link +} \ No newline at end of file diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index eed177f9f..c7813cace 100644 
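Review bot: The `count` added to `module "peering_zone"` reads `local.mode`, while the forwarding zone in the same file and the restricted module's peering zone (restricted_shared_vpc/dns.tf) read `var.mode`; unless a `mode` local exists in this module, the plan fails on an undeclared local, so this should be `count = var.mode == "spoke" ? 1 : 0`. The new `module "dns-forwarding-zone"` also has two arguments that cannot be right in this module: `module.dns_hub_vpc` is not declared in base_shared_vpc (the routers in main.tf use `module.main`), and `target_name_server_addresses` is assigned a network self_link where the cloud-dns module expects a list of name-server addresses, as the hub did with `var.target_name_server_addresses`. Adding `count` to `peering_zone` also turns any existing `module.peering_zone.<attr>` reference into a list, so those need `[0]` if present. The same forwarding block is added to restricted_shared_vpc/dns.tf with the same problems, and this file now ends without a trailing newline.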
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -126,7 +126,10 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.private_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } @@ -142,7 +145,10 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.private_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } @@ -158,7 +164,10 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.private_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } @@ -174,6 +183,9 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.private_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index edef23d18..4acfd3e04 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf @@ -40,6 +40,8 @@ module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = var.mode == "spoke" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" 
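Review bot: The literal `35.199.192.0/19` is now written out in all four router blocks of this file, and again in the four router blocks of restricted_shared_vpc/main.tf, with nothing saying what it is. Define it once in locals, e.g. `dns_proxy_range = "35.199.192.0/19" # Cloud DNS proxy range used for inbound forwarding`, and reference `local.dns_proxy_range` from each `advertised_ip_ranges`. As written the range is advertised unconditionally, in spoke mode as well as hub mode, which differs from the mode-gated DNS zones added in dns.tf in this same commit; if only the hub should attract on-prem DNS traffic, the advertisement should be gated the same way.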
@@ -51,3 +53,23 @@ module "peering_zone" { ] target_network = data.google_compute_network.vpc_dns_hub.self_link } + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns-forwarding-zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = var.mode != "spoke" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.dns_hub_vpc.network_self_link + ] + target_name_server_addresses = data.google_compute_network.vpc_dns_hub.self_link +} diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index b81619ea7..56cd96ae5 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -130,7 +130,10 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.restricted_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } @@ -146,7 +149,10 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.restricted_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } @@ -162,7 +168,10 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.restricted_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } 
@@ -178,6 +187,9 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = [ + { range = local.restricted_googleapis_cidr }, + { range = "35.199.192.0/19" } + ] } } From 20fd603422d435e2a72197a41c9c5629c41c8e5b Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Mon, 4 Nov 2024 09:44:25 -0300 Subject: [PATCH 02/47] remove dns-hub.tf --- .../envs/shared/dns-hub.tf | 156 ------------------ 1 file changed, 156 deletions(-) delete mode 100644 3-networks-hub-and-spoke/envs/shared/dns-hub.tf diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf deleted file mode 100644 index fa0f2086f..000000000 --- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf +++ /dev/null 
@@ -1,156 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - DNS Hub VPC -*****************************************/ - -module "dns_hub_vpc" { ///cria rede vpc - source = "terraform-google-modules/network/google" - version = "~> 9.0" - - project_id = local.dns_hub_project_id - network_name = "vpc-net-dns" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - - subnets = [{ - subnet_name = "sb-net-dns-${local.default_region1}" - subnet_ip = "172.16.0.0/25" - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 1." 
- }, { - subnet_name = "sb-net-dns-${local.default_region2}" - subnet_ip = "172.16.0.128/25" - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 2." - }] - - routes = [{ - name = "rt-net-dns-1000-all-default-private-api" - description = "Route through IGW to allow private google api access." - destination_range = "199.36.153.8/30" - next_hop_internet = "true" - priority = "1000" - }] -} - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = local.dns_hub_project_id - name = "dp-dns-hub-default-policy" - enable_inbound_forwarding = true - enable_logging = var.dns_enable_logging - networks { - network_url = module.dns_hub_vpc.network_self_link - } -} - -/****************************************** - DNS Forwarding -*****************************************/ - -module "dns-forwarding-zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - project_id = local.dns_hub_project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} - -/********************************************************* - Routers to advertise DNS proxy range "35.199.192.0/19" -*********************************************************/ - -module "dns_hub_region1_router1" { //roteadores bgp - source = 
"terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr1" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr2" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr3" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr4" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} From 5ee619bc08dbc415e13a98e177ab9647f5959d36 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 6 Nov 2024 11:37:06 -0300 Subject: [PATCH 03/47] remove dns_hub code --- .../envs/shared/interconnect.tf.example | 44 ------------------- .../envs/shared/net-hubs.tf | 2 - .../shared/partner_interconnect.tf.example | 31 ------------- 3 files changed, 77 deletions(-) 
diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index c32138f62..c4486e270 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example 
@@ -14,50 +14,6 @@ * limitations under the License. */ -module "dns_hub_interconnect" { - source = "../../modules/dedicated_interconnect" - - vpc_name = "vpc-net-dns" - interconnect_project_id = local.dns_hub_project_id - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.0/29"] - region1_interconnect1_vlan_tag8021q = "3931" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.8/29"] - region1_interconnect2_vlan_tag8021q = "3932" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.16/29"] - region2_interconnect1_vlan_tag8021q = "3933" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.24/29"] - region2_interconnect2_vlan_tag8021q = "3934" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = 
"onprem-dc4" - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} module "shared_restricted_interconnect" { source = "../../modules/dedicated_interconnect" diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index ec6a99e84..ead317e5d 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -240,7 +240,6 @@ module "base_shared_vpc" { ] secondary_ranges = {} - depends_on = [module.dns_hub_vpc] } /****************************************** @@ -337,5 +336,4 @@ module "restricted_shared_vpc" { ingress_policies = var.ingress_policies - depends_on = [module.dns_hub_vpc] } diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example index 1c8c5ab82..92cd21dde 100644 --- a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example 
@@ -15,37 +15,6 @@ */ -module "dns_hub_interconnect" { - source = "../../modules/partner_interconnect" - - vpc_name = "vpc-net-dns" - attachment_project_id = local.dns_hub_project_id - preactivate = var.preactivate_partner_interconnect - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc-1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc-2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc-3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc-4" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} - module "shared_restricted_interconnect" { source = "../../modules/partner_interconnect" From 7f6644d35eaf41c1f07979ea221cc2701b5adc4c Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 6 Nov 2024 11:38:49 -0300 Subject: [PATCH 04/47] fix lint and module names --- .../modules/base_shared_vpc/dns.tf | 10 +++++----- .../modules/restricted_shared_vpc/dns.tf | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index 37bbdc6f3..5845f6c75 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf 
@@ -57,11 +57,11 @@ module "peering_zone" { /****************************************** DNS Forwarding *****************************************/ -module "dns-forwarding-zone" { +module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.mode != "spoke" ? 1 : 0 + count = var.mode != "spoke" ? 1 : 0 project_id = var.project_id type = "forwarding" @@ -69,7 +69,7 @@ module "dns-forwarding-zone" { domain = var.domain private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link + module.main.network_self_link ] - target_name_server_addresses = data.google_compute_network.vpc_dns_hub.self_link -} \ No newline at end of file + target_network = data.google_compute_network.vpc_dns_hub.self_link +} diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index 4acfd3e04..6cfa4f1be 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf @@ -57,11 +57,11 @@ module "peering_zone" { /****************************************** DNS Forwarding *****************************************/ -module "dns-forwarding-zone" { +module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.mode != "spoke" ? 1 : 0 + count = var.mode != "spoke" ? 1 : 0 project_id = var.project_id type = "forwarding" @@ -69,7 +69,7 @@ module "dns-forwarding-zone" { domain = var.domain private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link + module.main.network_self_link ] - target_name_server_addresses = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub.self_link } From b6e1cf8d981033245db0918a062c9f4549112a17 Mon Sep 17 00:00:00 2001 
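Review bot: Renaming `target_name_server_addresses` to `target_network` on a `type = "forwarding"` zone leaves the forwarding zone with no target name servers: in the cloud-dns module `target_network` is the argument for peering zones, while forwarding zones take `target_name_server_addresses` (the deleted dns-hub.tf passed `var.target_name_server_addresses`). Keep `target_name_server_addresses` and feed it a list of name-server addresses from a module variable rather than a network self_link; the `module.main.network_self_link` correction in the same hunk is right. The same change is made in restricted_shared_vpc/dns.tf. Separately, `data.google_compute_network.vpc_dns_hub` is still consulted here although the DNS hub VPC was deleted in PATCH 02, so that data source presumably needs to be reworked or removed later in this series.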
From: Renato Rudnicki Date: Wed, 6 Nov 2024 11:40:19 -0300 Subject: [PATCH 05/47] change conditional for advertised_ip_ranges --- .../modules/base_shared_vpc/main.tf | 48 +++++++++---------- .../modules/restricted_shared_vpc/main.tf | 48 +++++++++---------- 2 files changed, 48 insertions(+), 48 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index c7813cace..32185e2ab 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -124,12 +124,12 @@ module "region1_router1" { network = module.main.network_name region = var.default_region1 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.private_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.private_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } @@ -143,12 +143,12 @@ module "region1_router2" { network = module.main.network_name region = var.default_region1 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.private_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.private_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } 
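Review bot: The new condition gates the `35.199.192.0/19` advertisement on `var.private_service_cidr != null`, and nothing in the hunk explains why a private-service CIDR being set should imply that this VPC receives inbound DNS forwarding; the rest of the series keys hub-versus-spoke behaviour on `var.mode`. If the intent is hub-only advertisement, `var.mode == "hub" ? [{ range = "35.199.192.0/19" }] : []` expresses it directly; otherwise add a comment above `advertised_ip_ranges` stating the actual dependency. The same expression is repeated in the other three router blocks of this file and in the four of restricted_shared_vpc/main.tf, so whichever condition is chosen belongs in a single local that each block references.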
@@ -162,12 +162,12 @@ module "region2_router1" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.private_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.private_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } @@ -181,11 +181,11 @@ module "region2_router2" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.private_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.private_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 56cd96ae5..7df85067c 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -128,12 +128,12 @@ module "region1_router1" { network = module.main.network_name region = var.default_region1 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.restricted_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.restricted_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } 
@@ -147,12 +147,12 @@ module "region1_router2" { network = module.main.network_name region = var.default_region1 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.restricted_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.restricted_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } @@ -166,12 +166,12 @@ module "region2_router1" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.restricted_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.restricted_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } @@ -185,11 +185,11 @@ module "region2_router2" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [ - { range = local.restricted_googleapis_cidr }, - { range = "35.199.192.0/19" } - ] + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = concat( + [{ range = local.restricted_googleapis_cidr }], + var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : [] + ) } } From 573bdf4d89cc1db4eea3c205bf1324b737bbbe8b Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Tue, 12 Nov 2024 17:06:56 -0300 Subject: [PATCH 06/47] removing dns_hub_project_id references --- .../envs/shared/README.md | 4 +- .../envs/shared/net-hubs.tf | 4 +- .../envs/shared/outputs.tf | 4 -- .../envs/shared/remote.tf | 1 - .../envs/shared/remote.tf.cloud.example | 1 - .../modules/base_env/README.md | 1 + .../modules/base_env/main.tf | 42 +++++++++---------- .../modules/base_env/remote.tf | 1 - .../modules/base_env/remote.tf.cloud.example | 1 - .../modules/base_env/variables.tf | 5 +++ .../modules/base_shared_vpc/README.md | 2 +- .../modules/base_shared_vpc/dns.tf | 6 +-- .../modules/base_shared_vpc/main.tf | 17 ++++---- .../modules/base_shared_vpc/variables.tf | 10 ++--- .../modules/restricted_shared_vpc/README.md | 2 +- .../modules/restricted_shared_vpc/dns.tf | 6 +-- .../modules/restricted_shared_vpc/main.tf | 17 ++++---- .../restricted_shared_vpc/variables.tf | 11 ++--- 18 files changed, 67 insertions(+), 68 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index f4a8db3d9..55d3be2a5 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md @@ -50,8 +50,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. ## Outputs -| Name | Description | -|------|-------------| -| dns\_hub\_project\_id | The DNS hub project ID | +No outputs. diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index ead317e5d..dcffa010d 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf 
@@ -175,7 +175,6 @@ module "base_shared_vpc" { source = "../../modules/base_shared_vpc" project_id = local.base_net_hub_project_id - dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code private_service_connect_ip = "10.17.0.1" bgp_asn_subnet = local.bgp_asn_number @@ -190,6 +189,7 @@ module "base_shared_vpc" { nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 windows_activation_enabled = var.base_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses mode = "hub" subnets = [ @@ -251,7 +251,6 @@ module "restricted_shared_vpc" { project_id = local.restricted_net_hub_project_id project_number = local.restricted_net_hub_project_number - dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code private_service_connect_ip = "10.17.0.5" access_context_manager_policy_id = var.access_context_manager_policy_id @@ -279,6 +278,7 @@ module "restricted_shared_vpc" { nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 windows_activation_enabled = var.restricted_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses mode = "hub" subnets = [ diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index 06f9b0702..3ea74b550 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf @@ -14,7 +14,3 @@ * limitations under the License. */ -output "dns_hub_project_id" { - value = local.dns_hub_project_id - description = "The DNS hub project ID" -} diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf b/3-networks-hub-and-spoke/envs/shared/remote.tf index 6660a6627..78e898578 100644 --- a/3-networks-hub-and-spoke/envs/shared/remote.tf 
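Review bot: Passing `target_name_server_addresses` to both hub modules wires up outbound forwarding, but the inbound side removed with dns-hub.tf in PATCH 02 (`google_dns_policy.default_policy` with `enable_inbound_forwarding = true` and `enable_logging = var.dns_enable_logging`) is not re-created anywhere visible in this series, while the hub routers still advertise the `35.199.192.0/19` proxy range. Unless the base_shared_vpc/main.tf changes in this commit, which are not shown here, add a DNS policy, on-prem resolvers have nothing to reach on that range and DNS query logging for the hub networks is silently lost. Either add a `google_dns_policy` per hub VPC inside the shared VPC modules, gated on `var.mode == "hub"` and keeping a logging toggle, or drop the proxy-range advertisement. The README hunk above still describes this step as setting up the global DNS Hub, which no longer matches what it does.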
+++ b/3-networks-hub-and-spoke/envs/shared/remote.tf @@ -15,7 +15,6 @@ */ locals { - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example index 127d907ee..f609c65e4 100644 --- a/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example +++ b/3-networks-hub-and-spoke/envs/shared/remote.tf.cloud.example @@ -15,7 +15,6 @@ */ locals { - dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id interconnect_project_id = data.tfe_outputs.org.nonsensitive_values.interconnect_project_id interconnect_project_number = data.tfe_outputs.org.nonsensitive_values.interconnect_project_number parent_folder = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.parent_folder diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index a4f1f2ba6..17609ac83 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md 
@@ -33,6 +33,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 ## Outputs
diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf
index 354ce2957..a50e05619 100644
--- a/3-networks-hub-and-spoke/modules/base_env/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/main.tf
@@ -166,7 +166,6 @@ module "restricted_shared_vpc" {
 project_id = local.restricted_project_id
 project_number = local.restricted_project_number
- dns_hub_project_id = local.dns_hub_project_id
 restricted_net_hub_project_id = local.restricted_net_hub_project_id
 restricted_net_hub_project_number = local.restricted_net_hub_project_number
 environment_code = var.environment_code
@@ -183,15 +182,16 @@ module "restricted_shared_vpc" {
 "serviceAccount:${local.projects_service_account}",
 "serviceAccount:${local.organization_service_account}",
 ], var.perimeter_additional_members))
- private_service_cidr = var.restricted_private_service_cidr
- private_service_connect_ip = var.restricted_private_service_connect_ip
- ingress_policies = var.ingress_policies
- egress_policies = var.egress_policies
- bgp_asn_subnet = local.bgp_asn_number
- default_region1 = var.default_region1
- default_region2 = var.default_region2
- domain = var.domain
- mode = "spoke"
+ private_service_cidr = var.restricted_private_service_cidr
+ private_service_connect_ip = var.restricted_private_service_connect_ip
+ ingress_policies = var.ingress_policies
+ egress_policies = var.egress_policies
+ bgp_asn_subnet = local.bgp_asn_number
+ default_region1 = var.default_region1
+ default_region2 = var.default_region2
+ domain = var.domain
+ mode = "spoke"
+ target_name_server_addresses = var.target_name_server_addresses
 subnets = [
 {
@@ -251,17 +251,17 @@ module "restricted_shared_vpc" {
 module "base_shared_vpc" {
 source = "../base_shared_vpc"
- project_id = local.base_project_id
- dns_hub_project_id = local.dns_hub_project_id
- base_net_hub_project_id = local.base_net_hub_project_id
- environment_code = var.environment_code
- private_service_cidr = var.base_private_service_cidr
- private_service_connect_ip = var.base_private_service_connect_ip
- default_region1 = var.default_region1
- default_region2 = var.default_region2
- domain = var.domain
- bgp_asn_subnet = local.bgp_asn_number
- mode = "spoke"
+ project_id = local.base_project_id
+ base_net_hub_project_id = local.base_net_hub_project_id
+ environment_code = var.environment_code
+ private_service_cidr = var.base_private_service_cidr
+ private_service_connect_ip = var.base_private_service_connect_ip
+ default_region1 = var.default_region1
+ default_region2 = var.default_region2
+ domain = var.domain
+ bgp_asn_subnet = local.bgp_asn_number
+ mode = "spoke"
+ target_name_server_addresses = var.target_name_server_addresses
 subnets = [
 {
diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf b/3-networks-hub-and-spoke/modules/base_env/remote.tf
index 755146d7a..8a6e50259 100644
--- a/3-networks-hub-and-spoke/modules/base_env/remote.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf
@@ -18,7 +18,6 @@ locals {
 restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
 restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
 base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
- dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id
 base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id
 restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
 restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example
index 14d3bd29f..05eefabbe 100644
--- a/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example
+++ b/3-networks-hub-and-spoke/modules/base_env/remote.tf.cloud.example
@@ -18,7 +18,6 @@ locals {
 restricted_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
 restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
 base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id
- dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id
 base_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.base_net_hub_project_id
 restricted_net_hub_project_id = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_id
 restricted_net_hub_project_number = data.tfe_outputs.org.nonsensitive_values.restricted_net_hub_project_number
diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf
index bdbf39987..1a3de3139 100644
--- a/3-networks-hub-and-spoke/modules/base_env/variables.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
+}
+
 variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
index bc1d6b4e1..e0ed9e736 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
@@ -9,7 +9,6 @@
 | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
-| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no |
 | enable\_transitivity\_traffic | Enable a firewall policy rule to allow traffic between Hub and Spokes (ingress only). | `bool` | `true` | no |
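Review bot: The new `target_name_server_addresses` variable accepts `list(map(any))` while its description promises a list of IPv4 addresses, and nothing constrains what the maps contain; the same declaration is repeated in the base_shared_vpc variables.tf hunk further down, in restricted_shared_vpc/variables.tf and in the three env variables.tf files of the next patch. Because every query for `var.domain` is forwarded to whatever lands here, a malformed or stray entry silently misdirects resolution instead of failing the plan, so the description should name the map keys the cloud-dns module consumes and a `validation` block should reject entries without a well-formed IPv4 address, as below. If the forwarding zone is only created in hub mode, the spoke-facing copies (base_env and the three envs) could also carry `default = []` so spokes are not forced to supply a value they never use.
```hcl
variable "target_name_server_addresses" {
  description = "Target name servers for the Cloud DNS forwarding zone: one map per server carrying the ipv4_address (and optionally forwarding_path) keys read by the cloud-dns module. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones."
  type        = list(map(any))

  validation {
    condition     = alltrue([for ns in var.target_name_server_addresses : can(cidrnetmask("${ns.ipv4_address}/32"))])
    error_message = "Each entry must have an ipv4_address key holding a valid IPv4 address."
  }
}
```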
@@ -25,6 +24,7 @@ | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 ## Outputs
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
index 5845f6c75..8e88e77d6 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
@@ -32,8 +32,8 @@ resource "google_dns_policy" "default_policy" {
 Creates DNS Peering to DNS HUB
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-net-dns"
- project = var.dns_hub_project_id
+ name = module.main.network_name
+ project = var.project_id
 }
 module "peering_zone" {
@@ -71,5 +71,5 @@ module "dns_forwarding_zone" {
 private_visibility_config_networks = [
 module.main.network_self_link
 ]
- target_network = data.google_compute_network.vpc_dns_hub.self_link
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
index 32185e2ab..5c870c852 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
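Review bot: `data "google_compute_network" "vpc_dns_hub"` now resolves `module.main.network_name` in `var.project_id`, i.e. the module's own VPC, so the data source no longer points at a DNS hub and its name and the "Creates DNS Peering to DNS HUB" banner above it become misleading; if `module.peering_zone` (its body continues past the hunk) still uses `data.google_compute_network.vpc_dns_hub.self_link` as `target_network`, a spoke would peer its zone to itself rather than to the hub. Either drop the data source in favour of `module.main.network_self_link` where the module's own network is meant, or keep it aimed at the hub network in the hub project. On the forwarding zone, `target_name_server_addresses = var.target_name_server_addresses` sends every query for `var.domain` to those servers, so the module should document that entries are expected to set `forwarding_path = "private"` (or be RFC 1918 addresses) so forwarded traffic stays on the VPC path instead of egressing to the internet. The restricted_shared_vpc/dns.tf hunks further down carry the same two changes.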
@@ -15,10 +15,11 @@
 */
 locals {
- mode = var.mode == "hub" ? "-hub" : "-spoke"
- vpc_name = "${var.environment_code}-shared-base${local.mode}"
- network_name = "vpc-${local.vpc_name}"
- private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ mode = var.mode == "hub" ? "-hub" : "-spoke"
+ vpc_name = "${var.environment_code}-shared-base${local.mode}"
+ network_name = "vpc-${local.vpc_name}"
+ private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ google_private_service_range = "35.199.192.0/19"
 }
 /******************************************
@@ -128,7 +129,7 @@ module "region1_router1" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -147,7 +148,7 @@ module "region1_router2" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -166,7 +167,7 @@ module "region2_router1" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -185,7 +186,7 @@ module "region2_router2" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
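Review bot: `google_private_service_range = "35.199.192.0/19"` gives the range a misleading name: 35.199.192.0/19 is the source range Cloud DNS uses for outbound forwarding (the DNS proxy range, as the router comment in the DNS hub calls it), not a private service range, and someone auditing what the four routers advertise to on-prem will not recognise it from this name. Suggest `dns_forwarding_source_range = "35.199.192.0/19" # Cloud DNS outbound-forwarding (proxy) source range; advertised so on-prem name servers can route replies` with the matching rename in the four `advertised_ip_ranges` entries. Note also that `local.mode` carries a leading dash (`-hub`/`-spoke`), so any comparison elsewhere in the module against the bare `"hub"`/`"spoke"` has to use `var.mode`, not `local.mode`. The restricted_shared_vpc/main.tf hunks further down introduce the same local.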
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
index 0afd5bbaa..ed45d3a9a 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
@@ -14,14 +14,14 @@
 * limitations under the License.
 */
-variable "project_id" {
- type = string
- description = "Project ID for Private Shared VPC."
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
 }
-variable "dns_hub_project_id" {
+variable "project_id" {
 type = string
- description = "The DNS hub project ID"
+ description = "Project ID for Private Shared VPC."
 }
 variable "base_net_hub_project_id" {
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
index 03b4b29e9..de75121ad 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
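Review bot: The variables.tf hunk rewrites the `project_id` block into `target_name_server_addresses` and then re-creates `project_id` in the slot `dns_hub_project_id` occupied, so the diff reads as if `project_id` were being renamed when the real change is one variable added and one removed. Inserting the new block after `project_id` (and deleting `dns_hub_project_id` in place) would express the same end state with a three-line addition and a four-line removal, which is easier to review and to bisect. The same observation applies to the restricted_shared_vpc/variables.tf hunk further down, which does keep `project_id` untouched.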
@@ -9,7 +9,6 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no |
@@ -37,6 +36,7 @@
 | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
 | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 ## Outputs
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
index 6cfa4f1be..5c269c717 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
@@ -32,8 +32,8 @@ resource "google_dns_policy" "default_policy" {
 Creates DNS Peering to DNS HUB
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-net-dns"
- project = var.dns_hub_project_id
+ name = module.main.network_name
+ project = var.project_id
 }
 module "peering_zone" {
@@ -71,5 +71,5 @@ module "dns_forwarding_zone" {
 private_visibility_config_networks = [
 module.main.network_self_link
 ]
- target_network = data.google_compute_network.vpc_dns_hub.self_link
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 7df85067c..865e6733d 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
@@ -15,10 +15,11 @@
 */
 locals {
- mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke"
- vpc_name = "${var.environment_code}-shared-restricted${local.mode}"
- network_name = "vpc-${local.vpc_name}"
- restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke"
+ vpc_name = "${var.environment_code}-shared-restricted${local.mode}"
+ network_name = "vpc-${local.vpc_name}"
+ restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ google_private_service_range = "35.199.192.0/19"
 }
 /******************************************
@@ -132,7 +133,7 @@ module "region1_router1" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -151,7 +152,7 @@ module "region1_router2" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -170,7 +171,7 @@ module "region2_router1" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
@@ -189,7 +190,7 @@ module "region2_router2" {
 advertised_groups = ["ALL_SUBNETS"]
 advertised_ip_ranges = concat(
 [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = "35.199.192.0/19" }] : []
+ var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
 )
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
index 853e47bdc..cfe7b7827 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
@@ -14,6 +14,12 @@
 * limitations under the License.
 */
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
+}
+
+
 variable "access_context_manager_policy_id" {
 type = number
 description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`."
@@ -29,11 +35,6 @@ variable "project_number" {
 description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter."
 }
-variable "dns_hub_project_id" {
- type = string
- description = "The DNS hub project ID"
-}
-
 variable "restricted_net_hub_project_id" {
 type = string
 description = "The restricted net hub project ID"
From 62274d7ac03bd32f96e264e872db31cb0a0126f2 Mon Sep 17 00:00:00 2001
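Review bot: The new `target_name_server_addresses` block in restricted_shared_vpc/variables.tf is followed by two added blank lines (`+}`, `+`, `+`), which `terraform fmt` collapses to one and which differs from the single blank line the base_shared_vpc counterpart uses; dropping one of them keeps the file fmt-clean and the two modules consistent. The enclosing `variable "access_context_manager_policy_id"` block continues past the hunk.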
From: Renato Rudnicki
Date: Thu, 14 Nov 2024 10:41:50 -0300
Subject: [PATCH 07/47] fix project for vpc_dns_hub
---
 3-networks-hub-and-spoke/envs/development/README.md | 1 +
 3-networks-hub-and-spoke/envs/development/main.tf | 1 +
 3-networks-hub-and-spoke/envs/development/variables.tf | 5 +++++
 3-networks-hub-and-spoke/envs/nonproduction/README.md | 1 +
 3-networks-hub-and-spoke/envs/nonproduction/main.tf | 1 +
 3-networks-hub-and-spoke/envs/nonproduction/variables.tf | 5 +++++
 3-networks-hub-and-spoke/envs/production/README.md | 1 +
 3-networks-hub-and-spoke/envs/production/main.tf | 1 +
 3-networks-hub-and-spoke/envs/production/variables.tf | 5 +++++
 3-networks-hub-and-spoke/envs/shared/README.md | 4 +++-
 3-networks-hub-and-spoke/envs/shared/outputs.tf | 5 +++++
 3-networks-hub-and-spoke/modules/base_env/README.md | 1 +
 3-networks-hub-and-spoke/modules/base_env/outputs.tf | 5 +++++
 .../modules/base_shared_vpc/README.md | 1 +
 3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf | 8 +++++---
 3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf | 2 +-
 .../modules/base_shared_vpc/outputs.tf | 5 +++++
 .../modules/restricted_shared_vpc/README.md | 1 +
 .../modules/restricted_shared_vpc/dns.tf | 8 +++++---
 .../modules/restricted_shared_vpc/outputs.tf | 5 +++++
 .../modules/restricted_shared_vpc/variables.tf | 1 -
 21 files changed, 58 insertions(+), 9 deletions(-)
diff --git a/3-networks-hub-and-spoke/envs/development/README.md b/3-networks-hub-and-spoke/envs/development/README.md
index baa2d7ed3..f950767ce 100644
--- a/3-networks-hub-and-spoke/envs/development/README.md
+++ b/3-networks-hub-and-spoke/envs/development/README.md
@@ -25,6 +25,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 ## Outputs
diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf
index db7388fc8..c15615588 100644
--- a/3-networks-hub-and-spoke/envs/development/main.tf
+++ b/3-networks-hub-and-spoke/envs/development/main.tf
@@ -94,4 +94,5 @@ module "base_env" {
 restricted_private_service_connect_ip = "10.17.0.6"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/envs/development/variables.tf b/3-networks-hub-and-spoke/envs/development/variables.tf
index cf3061211..6becd9ccb 100644
--- a/3-networks-hub-and-spoke/envs/development/variables.tf
+++ b/3-networks-hub-and-spoke/envs/development/variables.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
+}
+
 variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/README.md b/3-networks-hub-and-spoke/envs/nonproduction/README.md
index 60c54d913..1ce255c62 100644
--- a/3-networks-hub-and-spoke/envs/nonproduction/README.md
+++ b/3-networks-hub-and-spoke/envs/nonproduction/README.md
@@ -25,6 +25,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 ## Outputs
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/main.tf b/3-networks-hub-and-spoke/envs/nonproduction/main.tf
index dffcd5170..db5f0a9b2 100644
--- a/3-networks-hub-and-spoke/envs/nonproduction/main.tf
+++ b/3-networks-hub-and-spoke/envs/nonproduction/main.tf
@@ -96,4 +96,5 @@ module "base_env" {
 restricted_private_service_connect_ip = "10.17.0.7"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/variables.tf b/3-networks-hub-and-spoke/envs/nonproduction/variables.tf
index cf3061211..6becd9ccb 100644
--- a/3-networks-hub-and-spoke/envs/nonproduction/variables.tf
+++ b/3-networks-hub-and-spoke/envs/nonproduction/variables.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
+variable "target_name_server_addresses" {
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
+ type = list(map(any))
+}
+
 variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
diff --git a/3-networks-hub-and-spoke/envs/production/README.md b/3-networks-hub-and-spoke/envs/production/README.md
index 1ba5a652c..1fd9351c9 100644
--- a/3-networks-hub-and-spoke/envs/production/README.md
+++ b/3-networks-hub-and-spoke/envs/production/README.md
@@ -25,6 +25,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 
 ## Outputs
diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf
index cd464258c..28687241d 100644
--- a/3-networks-hub-and-spoke/envs/production/main.tf
+++ b/3-networks-hub-and-spoke/envs/production/main.tf
@@ -96,4 +96,5 @@ module "base_env" {
 restricted_private_service_connect_ip = "10.17.0.8"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
+ target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/envs/production/variables.tf b/3-networks-hub-and-spoke/envs/production/variables.tf index cf3061211..6becd9ccb 100644 --- a/3-networks-hub-and-spoke/envs/production/variables.tf +++ b/3-networks-hub-and-spoke/envs/production/variables.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index 55d3be2a5..f8deac849 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md @@ -50,6 +50,8 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| project | Project name | diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index 3ea74b550..cf2a4cecf 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf @@ -14,3 +14,8 @@ * limitations under the License. */ +output "project" { + value = local.restricted_net_hub_project_id + description = "Project name" +} + diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index 17609ac83..a0a65d149 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md 
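Review bot: The new `output "project"` in envs/shared/outputs.tf exposes `local.restricted_net_hub_project_id`, but its name and its description (`"Project name"`) say neither which hub project this is nor that the value is a project ID rather than a display name, which matters for any caller that feeds it into a `project` argument. The modules touched in this series read both `var.base_net_hub_project_id` and `var.restricted_net_hub_project_id`, so a generic `project` output is ambiguous; a self-describing form such as `output "restricted_net_hub_project_id"` with `description = "Project ID of the restricted network hub project"` avoids that (the README row added in the same commit would follow). If the generic name is kept, at least the description should say "Project ID" and name the hub it refers to.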
@@ -58,5 +58,6 @@
 | restricted\_subnets\_names | The names of the subnets being created |
 | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | restricted\_subnets\_self\_links | The self-links of subnets being created |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration |
 
 
diff --git a/3-networks-hub-and-spoke/modules/base_env/outputs.tf b/3-networks-hub-and-spoke/modules/base_env/outputs.tf
index b51cda651..053c1c134 100644
--- a/3-networks-hub-and-spoke/modules/base_env/outputs.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/outputs.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
 
+output "target_name_server_addresses" {
+ value = var.target_name_server_addresses
+ description = "List of IPv4 address of target name servers for the forwarding zone configuration"
+}
+
 /*********************
 Restricted Outputs
 *********************/
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
index e0ed9e736..8656e2d40 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
@@ -34,6 +34,7 @@
 | firewall\_policy | Policy created for firewall policy rules. |
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
+| project | Project name |
 | region1\_router1 | Router 1 for Region 1 |
 | region1\_router2 | Router 2 for Region 1 |
 | region2\_router1 | Router 1 for Region 2 |
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
index 8e88e77d6..1798bad75 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
@@ -32,8 +32,10 @@ resource "google_dns_policy" "default_policy" {
 Creates DNS Peering to DNS HUB
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
- name = module.main.network_name
- project = var.project_id
+ count = var.mode == "spoke" ? 1 : 0
+
+ name = data.google_compute_network.vpc_base_net_hub[0].name
+ project = var.restricted_net_hub_project_id
 }
 
 module "peering_zone" {
@@ -51,7 +53,7 @@ module "peering_zone" {
 private_visibility_config_networks = [
 module.main.network_self_link
 ]
- target_network = data.google_compute_network.vpc_dns_hub.self_link
+ target_network = data.google_compute_network.vpc_dns_hub[0].self_link
 }
 
 /******************************************
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
index 5c870c852..01f6547a1 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
@@ -70,7 +70,7 @@ module "main" {
 data "google_compute_network" "vpc_base_net_hub" {
 count = var.mode == "spoke" ? 1 : 0
 name = "vpc-c-shared-base-hub"
- project = var.base_net_hub_project_id
+ project = var.restricted_net_hub_project_id
 }
 
 module "peering" {
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
index d7527cbc7..17657a296 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
 
+output "project" {
+ value = var.project_id
+ description = "Project name"
+}
+
 output "network_name" {
 value = module.main.network_name
 description = "The name of the VPC being created"
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
index de75121ad..f255fde89 100644
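Review bot: The rewritten `data "google_compute_network" "vpc_dns_hub"` now only re-reads the network that `data.google_compute_network.vpc_base_net_hub` (main.tf hunk in the same commit) already resolves: same `count` condition, name taken from that data source, and after this commit the same project variable, so it is a second API lookup of the same VPC and a second place where the hub project ID has to be kept in sync. `module "peering_zone"` could point straight at `target_network = data.google_compute_network.vpc_base_net_hub[0].self_link` and the duplicate data source be dropped; the restricted module's dns.tf hunk has the same shape with `vpc_restricted_net_hub`. The block header `Creates DNS Peering to DNS HUB` is now misleading as well, since as far as the hunk shows the peer is the hub shared VPC of this module's own kind rather than the `envs/shared` DNS hub; `Creates DNS peering from the spoke to the shared base hub VPC (spoke mode only)` would describe what the code does. `module "peering_zone"` starts at the end of the first hunk and continues outside it.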
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
@@ -49,6 +49,7 @@
 | firewall\_policy | Policy created for firewall policy rules. |
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
+| project | Project name |
 | region1\_router1 | Router 1 for Region 1 |
 | region1\_router2 | Router 2 for Region 1 |
 | region2\_router1 | Router 1 for Region 2 |
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
index 5c269c717..e5706d46f 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf
@@ -32,8 +32,10 @@ resource "google_dns_policy" "default_policy" {
 Creates DNS Peering to DNS HUB
 *****************************************/
 data "google_compute_network" "vpc_dns_hub" {
- name = module.main.network_name
- project = var.project_id
+ count = var.mode == "spoke" ? 1 : 0
+
+ name = data.google_compute_network.vpc_restricted_net_hub[0].name
+ project = var.restricted_net_hub_project_id
 }
 
 module "peering_zone" {
@@ -51,7 +53,7 @@ module "peering_zone" {
 private_visibility_config_networks = [
 module.main.network_self_link
 ]
- target_network = data.google_compute_network.vpc_dns_hub.self_link
+ target_network = data.google_compute_network.vpc_dns_hub[0].self_link
 }
 
 /******************************************
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf
index 40ac84c4c..12cc2da7a 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf
@@ -14,6 +14,11 @@ * limitations under the License. */ +output "project" { + value = var.project_id + description = "Project name" +} + output "network_name" { value = module.main.network_name description = "The name of the VPC being created" diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf index cfe7b7827..4814ff734 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf @@ -19,7 +19,6 @@ variable "target_name_server_addresses" { type = list(map(any)) } - variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." From e39a508a076c7cd0aacbdd2d5862ee871102e8c3 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 14 Nov 2024 14:47:20 -0300 Subject: [PATCH 08/47] fix base_shared project value --- 3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf | 2 +- 3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index 1798bad75..abb63e8bb 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -35,7 +35,7 @@ data "google_compute_network" "vpc_dns_hub" { count = var.mode == "spoke" ? 1 : 0 name = data.google_compute_network.vpc_base_net_hub[0].name - project = var.restricted_net_hub_project_id + project = var.base_net_hub_project_id } module "peering_zone" { 
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 01f6547a1..5c870c852 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -70,7 +70,7 @@ module "main" { data "google_compute_network" "vpc_base_net_hub" { count = var.mode == "spoke" ? 1 : 0 name = "vpc-c-shared-base-hub" - project = var.restricted_net_hub_project_id + project = var.base_net_hub_project_id } module "peering" { From 8306009a582dc7d26de078a901ff500b9c980f5f Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 21 Nov 2024 17:05:51 -0300 Subject: [PATCH 09/47] fix shared network --- .../modules/base_shared_vpc/README.md | 1 - .../modules/base_shared_vpc/dns.tf | 2 +- .../modules/base_shared_vpc/main.tf | 38 +++++++------------ .../modules/base_shared_vpc/outputs.tf | 5 --- .../modules/restricted_shared_vpc/main.tf | 36 ++++++------------ 5 files changed, 26 insertions(+), 56 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index 8656e2d40..e0ed9e736 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md @@ -34,7 +34,6 @@ | firewall\_policy | Policy created for firewall policy rules. | | network\_name | The name of the VPC being created | | network\_self\_link | The URI of the VPC being created | -| project | Project name | | region1\_router1 | Router 1 for Region 1 | | region1\_router2 | Router 2 for Region 1 | | region2\_router1 | Router 1 for Region 2 | diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index abb63e8bb..d20c3f0df 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf 
@@ -42,7 +42,7 @@ module "peering_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 5.0"
 
- count = local.mode == "spoke" ? 1 : 0
+ count = var.mode == "spoke" ? 1 : 0
 
 project_id = var.project_id
 type = "peering"
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
index 5c870c852..374b5bd86 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
@@ -15,7 +15,7 @@
 */
 
 locals {
- mode = var.mode == "hub" ? "-hub" : "-spoke"
+ mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke"
 vpc_name = "${var.environment_code}-shared-base${local.mode}"
 network_name = "vpc-${local.vpc_name}"
 private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
@@ -125,12 +125,9 @@ module "region1_router1" {
 network = module.main.network_name
 region = var.default_region1
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
 
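Review bot: The new `advertised_ip_ranges` ternary in `region1_router1` changes what the Cloud Router advertises over BGP rather than merely simplifying it: the removed `concat(...)` always advertised `local.private_googleapis_cidr` and added `local.google_private_service_range` (35.199.192.0/19) only when `var.private_service_cidr` was set, whereas the new expression advertises exactly one of the two, so the private Google APIs range is no longer advertised when `private_service_cidr` is null and 35.199.192.0/19 is no longer advertised when it is set. As far as these hunks show, the spoke routers are the only place those ranges are announced towards on-prem, so clients that reach the private Google APIs VIP or Cloud DNS forwarding over the Interconnect would lose the route in one of the two configurations. If that is not intended, the both-ranges form should stay: `advertised_ip_ranges = concat([{ range = local.private_googleapis_cidr }], var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : [])`; if the narrowing is deliberate, the commit message should say so. The same rewrite is applied to `region1_router2`, `region2_router1` and `region2_router2` here and to the four routers of the restricted module, and `local.advertised_ip` introduced later in the series carries the same condition forward.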
@@ -144,12 +141,9 @@ module "region1_router2" {
 network = module.main.network_name
 region = var.default_region1
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
 
@@ -163,12 +157,9 @@ module "region2_router1" {
 network = module.main.network_name
 region = var.default_region2
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
 
@@ -182,11 +173,8 @@ module "region2_router2" {
 network = module.main.network_name
 region = var.default_region2
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.private_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
index 17657a296..d7527cbc7 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
 
-output "project" {
- value = var.project_id
- description = "Project name"
-}
-
 output "network_name" {
 value = module.main.network_name
 description = "The name of the VPC being created"
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 865e6733d..532b3fa43 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
@@ -129,12 +129,9 @@ module "region1_router1" {
 network = module.main.network_name
 region = var.default_region1
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
 
@@ -148,12 +145,9 @@ module "region1_router2" {
 network = module.main.network_name
 region = var.default_region1
 bgp = {
- asn = var.bgp_asn_subnet
- advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = concat(
- [{ range = local.restricted_googleapis_cidr }],
- var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : []
- )
+ asn = var.bgp_asn_subnet
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 }
 
@@ -167,12 +161,9 @@ module "region2_router1" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = concat( - [{ range = local.restricted_googleapis_cidr }], - var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : [] - ) + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } } @@ -186,11 +177,8 @@ module "region2_router2" { network = module.main.network_name region = var.default_region2 bgp = { - asn = var.bgp_asn_subnet - advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = concat( - [{ range = local.restricted_googleapis_cidr }], - var.private_service_cidr != null ? [{ range = local.google_private_service_range }] : [] - ) + asn = var.bgp_asn_subnet + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } } From f7c4d140eb0faa7d53451cd5145eaa55316d3753 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 27 Nov 2024 15:53:49 -0300 Subject: [PATCH 10/47] fix advertised_ip_ranges --- .../modules/restricted_shared_vpc/README.md | 1 - .../modules/restricted_shared_vpc/main.tf | 8 ++++---- .../modules/restricted_shared_vpc/outputs.tf | 5 ----- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index f255fde89..de75121ad 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md 
@@ -49,7 +49,6 @@
 | firewall\_policy | Policy created for firewall policy rules. |
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
-| project | Project name |
 | region1\_router1 | Router 1 for Region 1 |
 | region1\_router2 | Router 2 for Region 1 |
 | region2\_router1 | Router 1 for Region 2 |
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 532b3fa43..9e88ceada 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
@@ -131,7 +131,7 @@ module "region1_router1" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }]
 }
 }
 
@@ -147,7 +147,7 @@ module "region1_router2" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }]
 }
 }
 
@@ -163,7 +163,7 @@ module "region2_router1" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }]
 }
 }
 
@@ -179,6 +179,6 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf index 12cc2da7a..40ac84c4c 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -output "project" { - value = var.project_id - description = "Project name" -} - output "network_name" { value = module.main.network_name description = "The name of the VPC being created" From 04dbfcc6a50170e3bc674b61fbedcc1c389df61d Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 6 Dec 2024 11:39:16 -0300 Subject: [PATCH 11/47] change advertised_ip_ranges to local advertised_ip --- 3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf | 9 +++++---- .../modules/restricted_shared_vpc/main.tf | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 374b5bd86..e9c4fbba6 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf 
@@ -20,6 +20,7 @@ locals {
 network_name = "vpc-${local.vpc_name}"
 private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
 google_private_service_range = "35.199.192.0/19"
+ advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
 }
 
 /******************************************
@@ -127,7 +128,7 @@ module "region1_router1" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = local.advertised_ip
 }
 }
 
@@ -143,7 +144,7 @@ module "region1_router2" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = local.advertised_ip
 }
 }
 
@@ -159,7 +160,7 @@ module "region2_router1" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = local.advertised_ip
 }
 }
 
@@ -175,6 +176,6 @@ module "region2_router2" {
 bgp = {
 asn = var.bgp_asn_subnet
 advertised_groups = ["ALL_SUBNETS"]
- advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ advertised_ip_ranges = local.advertised_ip
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 9e88ceada..07cd09540 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
@@ -20,6 +20,7 @@ locals { network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** @@ -131,7 +132,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -147,7 +148,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -163,7 +164,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -179,6 +180,6 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } From b27c513e27cf40bb4040ac6c44c31b8a6c19ecf1 Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Fri, 6 Dec 2024 16:08:53 -0300 Subject: [PATCH 12/47] remove target_name_server_addresses from dev/prod/nonprod --- 3-networks-hub-and-spoke/envs/development/README.md | 1 - 3-networks-hub-and-spoke/envs/development/main.tf | 1 - 3-networks-hub-and-spoke/envs/development/variables.tf | 5 ----- 3-networks-hub-and-spoke/envs/nonproduction/README.md | 1 - 3-networks-hub-and-spoke/envs/nonproduction/main.tf | 1 - 3-networks-hub-and-spoke/envs/nonproduction/variables.tf | 5 ----- 3-networks-hub-and-spoke/envs/production/README.md | 1 - 3-networks-hub-and-spoke/envs/production/main.tf | 1 - 3-networks-hub-and-spoke/envs/production/variables.tf | 5 ----- 3-networks-hub-and-spoke/modules/base_env/README.md | 2 +- 3-networks-hub-and-spoke/modules/base_env/variables.tf | 1 + 11 files changed, 2 insertions(+), 22 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/development/README.md b/3-networks-hub-and-spoke/envs/development/README.md index f950767ce..baa2d7ed3 100644 --- a/3-networks-hub-and-spoke/envs/development/README.md +++ b/3-networks-hub-and-spoke/envs/development/README.md 
@@ -25,7 +25,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
-| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 
 ## Outputs
diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf
index c15615588..db7388fc8 100644
--- a/3-networks-hub-and-spoke/envs/development/main.tf
+++ b/3-networks-hub-and-spoke/envs/development/main.tf
@@ -94,5 +94,4 @@ module "base_env" {
 restricted_private_service_connect_ip = "10.17.0.6"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
- target_name_server_addresses = var.target_name_server_addresses
 }
diff --git a/3-networks-hub-and-spoke/envs/development/variables.tf b/3-networks-hub-and-spoke/envs/development/variables.tf
index 6becd9ccb..cf3061211 100644
--- a/3-networks-hub-and-spoke/envs/development/variables.tf
+++ b/3-networks-hub-and-spoke/envs/development/variables.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
 
-variable "target_name_server_addresses" {
- description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
- type = list(map(any))
-}
-
 variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/README.md b/3-networks-hub-and-spoke/envs/nonproduction/README.md
index 1ce255c62..60c54d913 100644
--- a/3-networks-hub-and-spoke/envs/nonproduction/README.md
+++ b/3-networks-hub-and-spoke/envs/nonproduction/README.md
@@ -25,7 +25,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/envs/nonproduction/main.tf b/3-networks-hub-and-spoke/envs/nonproduction/main.tf index db5f0a9b2..dffcd5170 100644 --- a/3-networks-hub-and-spoke/envs/nonproduction/main.tf +++ b/3-networks-hub-and-spoke/envs/nonproduction/main.tf @@ -96,5 +96,4 @@ module "base_env" { restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name - target_name_server_addresses = var.target_name_server_addresses } 
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/variables.tf b/3-networks-hub-and-spoke/envs/nonproduction/variables.tf index 6becd9ccb..cf3061211 100644 --- a/3-networks-hub-and-spoke/envs/nonproduction/variables.tf +++ b/3-networks-hub-and-spoke/envs/nonproduction/variables.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -variable "target_name_server_addresses" { - description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." - type = list(map(any)) -} - variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-hub-and-spoke/envs/production/README.md b/3-networks-hub-and-spoke/envs/production/README.md index 1fd9351c9..1ba5a652c 100644 --- a/3-networks-hub-and-spoke/envs/production/README.md +++ b/3-networks-hub-and-spoke/envs/production/README.md 
@@ -25,7 +25,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index 28687241d..cd464258c 100644 --- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf @@ -96,5 +96,4 @@ module "base_env" { restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name - target_name_server_addresses = var.target_name_server_addresses } 
diff --git a/3-networks-hub-and-spoke/envs/production/variables.tf b/3-networks-hub-and-spoke/envs/production/variables.tf index 6becd9ccb..cf3061211 100644 --- a/3-networks-hub-and-spoke/envs/production/variables.tf +++ b/3-networks-hub-and-spoke/envs/production/variables.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -variable "target_name_server_addresses" { - description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." - type = list(map(any)) -} - variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index a0a65d149..b3683838d 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md @@ -33,7 +33,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index 1a3de3139..aa4cdef97 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf @@ -17,6 +17,7 @@ variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) + default = [] } variable "remote_state_bucket" { From 770b9571c75163fb997b1028594ec3744a70f8c3 Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Thu, 12 Dec 2024 13:04:04 -0300 Subject: [PATCH 13/47] remove dns-hub from dual_shared_vpc --- 3-networks-dual-svpc/envs/shared/README.md | 4 +- 3-networks-dual-svpc/envs/shared/dns-hub.tf | 156 ------------------ 3-networks-dual-svpc/envs/shared/outputs.tf | 4 - 3-networks-dual-svpc/envs/shared/remote.tf | 1 - .../modules/base_env/README.md | 2 + 3-networks-dual-svpc/modules/base_env/main.tf | 37 +++-- .../modules/base_env/outputs.tf | 5 + .../modules/base_env/remote.tf | 1 - .../modules/base_env/variables.tf | 6 + .../modules/base_shared_vpc/README.md | 3 +- .../modules/base_shared_vpc/dns.tf | 29 +++- .../modules/base_shared_vpc/main.tf | 26 ++- .../modules/base_shared_vpc/variables.tf | 14 +- .../modules/restricted_shared_vpc/README.md | 3 +- .../modules/restricted_shared_vpc/dns.tf | 31 +++- .../modules/restricted_shared_vpc/main.tf | 26 ++- .../restricted_shared_vpc/variables.tf | 16 +- 17 files changed, 150 insertions(+), 214 deletions(-) delete mode 100644 3-networks-dual-svpc/envs/shared/dns-hub.tf diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index 27ab3647c..0f84d6cd2 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md @@ -25,8 +25,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. ## Outputs -| Name | Description | -|------|-------------| -| dns\_hub\_project\_id | The DNS hub project ID | +No outputs. diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf deleted file mode 100644 index 10ffa7084..000000000 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ /dev/null 
@@ -1,156 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - DNS Hub VPC -*****************************************/ - -module "dns_hub_vpc" { - source = "terraform-google-modules/network/google" - version = "~> 9.0" - - project_id = local.dns_hub_project_id - network_name = "vpc-net-dns" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - - subnets = [{ - subnet_name = "sb-net-dns-${local.default_region1}" - subnet_ip = "172.16.0.0/25" - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 1." 
- }, { - subnet_name = "sb-net-dns-${local.default_region2}" - subnet_ip = "172.16.0.128/25" - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr - description = "DNS hub subnet for region 2." - }] - - routes = [{ - name = "rt-net-dns-1000-all-default-private-api" - description = "Route through IGW to allow private google api access." - destination_range = "199.36.153.8/30" - next_hop_internet = "true" - priority = "1000" - }] -} - -/****************************************** - Default DNS Policy - *****************************************/ - -resource "google_dns_policy" "default_policy" { - project = local.dns_hub_project_id - name = "dp-dns-hub-default-policy" - enable_inbound_forwarding = true - enable_logging = var.dns_enable_logging - networks { - network_url = module.dns_hub_vpc.network_self_link - } -} - -/****************************************** - DNS Forwarding -*****************************************/ - -module "dns-forwarding-zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" - - project_id = local.dns_hub_project_id - type = "forwarding" - name = "fz-dns-hub" - domain = var.domain - - private_visibility_config_networks = [ - module.dns_hub_vpc.network_self_link - ] - target_name_server_addresses = var.target_name_server_addresses -} - -/********************************************************* - Routers to advertise DNS proxy range "35.199.192.0/19" -*********************************************************/ - -module "dns_hub_region1_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name 
= "cr-net-dns-${local.default_region1}-cr1" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region1_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region1}-cr2" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region1 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router1" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr3" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} - -module "dns_hub_region2_router2" { - source = "terraform-google-modules/cloud-router/google" - version = "~> 6.0" - - name = "cr-net-dns-${local.default_region2}-cr4" - project = local.dns_hub_project_id - network = module.dns_hub_vpc.network_name - region = local.default_region2 - bgp = { - asn = local.dns_bgp_asn_number - advertised_ip_ranges = [{ range = "35.199.192.0/19" }] - } -} diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf index f7aca2374..9d277cce1 100644 --- a/3-networks-dual-svpc/envs/shared/outputs.tf +++ b/3-networks-dual-svpc/envs/shared/outputs.tf @@ -14,7 +14,3 @@ * limitations under the License. */ -output "dns_hub_project_id" { - value = local.dns_hub_project_id - description = "The DNS hub project ID" -} diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf index 8bb1ddc51..8f0c1b9c9 100644 
--- a/3-networks-dual-svpc/envs/shared/remote.tf +++ b/3-networks-dual-svpc/envs/shared/remote.tf @@ -21,7 +21,6 @@ locals { default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index d543340d4..596c740e5 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md @@ -32,6 +32,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | ## Outputs @@ -56,5 +57,6 @@ | restricted\_subnets\_names | The names of the subnets being created | | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | restricted\_subnets\_self\_links | The self-links of subnets being created | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index cfd4958a5..02d390d5f 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -170,7 +170,6 @@ module "restricted_shared_vpc" { source = "../restricted_shared_vpc" project_id = local.restricted_project_id - dns_hub_project_id = local.dns_hub_project_id project_number = local.restricted_project_number environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id 
@@ -186,14 +185,15 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + target_name_server_addresses = var.target_name_server_addresses + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run egress_policies = distinct(concat( local.dedicated_interconnect_egress_policy, var.egress_policies 
@@ -262,15 +262,15 @@ module "restricted_shared_vpc" { module "base_shared_vpc" { source = "../base_shared_vpc" - project_id = local.base_project_id - dns_hub_project_id = local.dns_hub_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - private_service_connect_ip = var.base_private_service_connect_ip - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number + project_id = local.base_project_id + environment_code = var.environment_code + private_service_cidr = var.base_private_service_cidr + private_service_connect_ip = var.base_private_service_connect_ip + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + bgp_asn_subnet = local.bgp_asn_number + target_name_server_addresses = var.target_name_server_addresses subnets = [ { @@ -323,3 +323,4 @@ module "base_shared_vpc" { "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1] } } + diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf index 05dfc0107..5ab1c3428 100644 --- a/3-networks-dual-svpc/modules/base_env/outputs.tf +++ b/3-networks-dual-svpc/modules/base_env/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "target_name_server_addresses" { + value = var.target_name_server_addresses + description = "List of IPv4 address of target name servers for the forwarding zone configuration" +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index 8bad47f0d..57562db0c 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-dual-svpc/modules/base_env/remote.tf 
@@ -19,7 +19,6 @@ locals { restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf index 963eae139..9e0f8c59e 100644 --- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-dual-svpc/modules/base_env/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) + default = [] +} + variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 10b8c0e1c..6ff0d0477 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md 
@@ -3,12 +3,12 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| base\_net\_hub\_project\_id | The base net hub project ID | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | @@ -22,6 +22,7 @@ | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 3b11a05eb..3f0189273 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -32,14 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - name = "vpc-net-dns" - project = var.dns_hub_project_id + count = local.environment == "production" ? 1 : 0 + + name = data.google_compute_network.vpc_base_net_hub[0].name + project = var.base_net_hub_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = local.environment == "production" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-base-to-dns-hub" 
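Review bot: The new `data "google_compute_network" "vpc_dns_hub"` block reads `var.base_net_hub_project_id`, which the same patch declares with `default = ""`, so in production (the only case where `count` is 1) an operator who forgets to set it gets an opaque network-lookup failure instead of a clear message; a `validation` block on the variable, or a `lifecycle { precondition { condition = var.base_net_hub_project_id != "" ... } }` on this data block, would make the requirement explicit. The `vpc_base_net_hub` data source indexed on the `name` line is not part of this hunk, so its own `count` gating must match this one or the `[0]` index fails whenever this block is evaluated. The header comment `Creates DNS Peering to DNS HUB` is now stale because the peer target is the production base net hub VPC rather than a DNS hub project; something like `# Peer the shared-base VPC to the base net hub VPC (production only)` would describe the new shape. I cannot see where `vpc_base_net_hub` is declared, so please confirm its gating.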
@@ -49,5 +53,24 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link +} + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns_forwarding_zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.main.network_self_link + ] + target_name_server_addresses = var.target_name_server_addresses } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 25fb01aa3..629e792c2 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf @@ -15,9 +15,12 @@ */ locals { - vpc_name = "${var.environment_code}-shared-base" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + vpc_name = "${var.environment_code}-shared-base" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + environment = var.environment_code == "plan" ? "plan" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction" + google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } /****************************************** 
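Review bot: `module "dns_forwarding_zone"` is created unconditionally, but `target_name_server_addresses` comes from `base_env`, where this patch gives it `default = []`; the provider requires at least one `target_name_servers` block on a forwarding zone, so every environment that does not set the variable fails at plan/apply. Gate it the way the peering zone above is gated, e.g. `count = length(var.target_name_server_addresses) > 0 ? 1 : 0`. With the hub removed, each shared VPC now forwards `var.domain` queries directly to the on-prem resolvers, which (when those resolvers are reached over hybrid connectivity) needs the `35.199.192.0/19` return route advertised from this VPC and reachability of the resolvers from every environment, not just from a single hub; a comment recording that assumption above the module would help the next operator. The zone name `fz-dns-hub` no longer describes a hub; `fz-${var.environment_code}-shared-base-onprem` or similar matches the peering zone's naming.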
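Review bot: The new `environment` local compares `var.environment_code` with the full names `production`, `development` and `nonproduction`, yet this module documents `environment_code` as the short form of the environment and builds names like `dz-${var.environment_code}-shared-base-…` from it; if callers pass the one-letter code, `local.environment == "production"` is never true and every `count` depending on it (the peering zone, its data source and the four Cloud Routers) silently evaluates to 0. Either pass the full environment name into the module as its own variable, or map the code explicitly, e.g. `environment = lookup({ d = "development", n = "nonproduction", p = "production" }, var.environment_code, var.environment_code)` if those are the codes in use. Separately, `advertised_ip` makes the DNS proxy range and the private Google APIs range mutually exclusive, keyed on `private_service_cidr`, which configures private services access rather than the PSC endpoint; if the intent is to keep the existing advertisement and add the DNS proxy range, use `advertised_ip = [{ range = local.google_private_service_range }, { range = local.private_googleapis_cidr }]`. I cannot see the value the environments pass for `environment_code`, so please confirm before changing.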
@@ -94,6 +97,8 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region1}-cr1" project = var.project_id network = module.main.network_name @@ -101,7 +106,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -109,6 +114,8 @@ module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region1}-cr2" project = var.project_id network = module.main.network_name @@ -116,7 +123,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -124,6 +131,8 @@ module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region2}-cr3" project = var.project_id network = module.main.network_name @@ -131,7 +140,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -139,6 +148,8 @@ module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region2}-cr4" project = var.project_id network = module.main.network_name 
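Review bot: Development and nonproduction VPCs lose all four Cloud Routers under the new `count = local.environment == "production" ? 1 : 0`, and with them the BGP advertisement of `local.advertised_ip` toward on-prem, while this patch still creates a forwarding zone to on-prem resolvers in every environment; forwarded queries need the `35.199.192.0/19` range advertised back, so either the routers stay in all environments or the forwarding zone should be gated on the same condition. Turning the modules into counted instances also changes every reference such as `module.region1_router1.router.name` into `module.region1_router1[0].router.name`, which the interconnect/VPN example modules outside this diff likely still use. A comment above the first `count`, e.g. `# Cloud Routers (hybrid connectivity) are provisioned only in the production base VPC`, would record the intended design, which cannot be inferred from the hunk alone.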
@@ -146,6 +157,7 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.private_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 4b2fca26b..06558fde4 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -14,14 +14,20 @@ * limitations under the License. */ -variable "project_id" { +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + +variable "base_net_hub_project_id" { type = string - description = "Project ID for Private Shared VPC." + description = "The base net hub project ID" + default = "" } -variable "dns_hub_project_id" { +variable "project_id" { type = string - description = "The DNS hub project ID" + description = "Project ID for Private Shared VPC." } variable "environment_code" { diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 1ce44d877..01b41721c 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
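Review bot: `base_net_hub_project_id` is introduced with `default = ""`, yet it is presumably the project passed to the hub network lookup (the restricted module's `data "google_compute_network" "vpc_dns_hub"` uses `project = var.restricted_net_hub_project_id` the same way), so a caller that forgets to set it in the hub environment gets a lookup against the provider's default project rather than an error; dropping the default, or stating in the description when an empty value is acceptable, would make the contract explicit. `target_name_server_addresses` is described as a "List of IPv4 address" but typed `list(map(any))`; the cloud-dns module consumes maps with `ipv4_address` and `forwarding_path` keys (as far as I recall — confirm against the module), so the description should show the element shape, e.g. a constructed sample `[{ ipv4_address = "10.0.0.2", forwarding_path = "private" }]`, and a `validation` that every element has an `ipv4_address` key would catch a plain list of strings at plan time. The same applies to the restricted_shared_vpc `variables.tf` hunk and both README rows later in the diff.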
@@ -9,7 +9,6 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -29,10 +28,12 @@ | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | +| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
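Review bot: `data "google_compute_network" "vpc_dns_hub"` now takes its `name` from `data.google_compute_network.vpc_restricted_net_hub[0].name` and its `project` from `var.restricted_net_hub_project_id`; if `vpc_restricted_net_hub` is declared against the same project (it is outside this hunk), this is a second lookup of the same network and `peering_zone` could use `data.google_compute_network.vpc_restricted_net_hub[0].self_link` directly, removing one data source and one place where the hub project can be mis-specified. If the two lookups are intentionally different (DNS hub network in a different project than the restricted net hub), a comment above the block saying so — `# Hub network is looked up by name in the net hub project; not the same object as vpc_restricted_net_hub` — would stop the next reader from collapsing them. The `[0]` index also presumes `vpc_restricted_net_hub` carries a matching `count`; a mismatch fails at plan time.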
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 138ad4505..57840c6a3 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -32,14 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - name = "vpc-net-dns" - project = var.dns_hub_project_id + count = local.environment == "production" ? 1 : 0 + + name = data.google_compute_network.vpc_restricted_net_hub[0].name + project = var.restricted_net_hub_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" + count = local.environment == "production" ? 1 : 0 + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-restricted-to-dns-hub" 
@@ -49,5 +53,26 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link } + +/****************************************** + DNS Forwarding +*****************************************/ +module "dns_forwarding_zone" { + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" + + count = local.environment == "production" ? 1 : 0 + + project_id = var.project_id + type = "forwarding" + name = "fz-dns-hub" + domain = var.domain + + private_visibility_config_networks = [ + module.main.network_self_link + ] + target_name_server_addresses = var.target_name_server_addresses +} + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index dfdf7cd50..d2ae88e1f 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf @@ -15,9 +15,12 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + vpc_name = "${var.environment_code}-shared-restricted" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + environment = var.environment_code == "plan" ? "plan" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction" + google_private_service_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** 
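Review bot: With `count = local.environment == "production" ? 1 : 0` on both `peering_zone` and the new `dns_forwarding_zone`, the production instantiation attaches two private zones to `module.main.network_self_link`; if both are authoritative for `var.domain` (the peering zone's `domain` line is outside this hunk), Cloud DNS does not, as far as I recall, allow two private zones with the same DNS name to be authorized for the same VPC network, so one of them would fail to create — worth confirming before merge. If the intent is peering for spokes and forwarding for the hub, the two blocks should be gated on distinct conditions rather than the same one, or the forwarding zone should take its own domain variable. A header comment stating the role, `# Hub only: forward var.domain to the resolvers in var.target_name_server_addresses`, would make the split explicit.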
@@ -98,6 +101,8 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region1}-cr5" project = var.project_id network = module.main.network_name @@ -105,7 +110,7 @@ module "region1_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -113,6 +118,8 @@ module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region1}-cr6" project = var.project_id network = module.main.network_name @@ -120,7 +127,7 @@ module "region1_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -128,6 +135,8 @@ module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region2}-cr7" project = var.project_id network = module.main.network_name @@ -135,7 +144,7 @@ module "region2_router1" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } @@ -143,6 +152,8 @@ module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" + count = local.environment == "production" ? 1 : 0 + name = "cr-${local.vpc_name}-${var.default_region2}-cr8" project = var.project_id network = module.main.network_name 
@@ -150,6 +161,7 @@ module "region2_router2" { bgp = { asn = var.bgp_asn_subnet advertised_groups = ["ALL_SUBNETS"] - advertised_ip_ranges = [{ range = local.restricted_googleapis_cidr }] + advertised_ip_ranges = local.advertised_ip } } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 7774c1d49..7fd903f38 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -14,6 +14,17 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + +variable "restricted_net_hub_project_id" { + type = string + description = "The restricted net hub project ID" + default = "" +} + variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." @@ -29,11 +40,6 @@ variable "project_number" { description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." } -variable "dns_hub_project_id" { - type = string - description = "The DNS hub project ID" -} - variable "environment_code" { type = string description = "A short form of the folder level resources (environment) within the Google Cloud organization." From 71eda886d5201be4897126ec04f29f0e6bd099b1 Mon Sep 17 00:00:00 2001 
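Review bot: `target_name_server_addresses` is declared without a default and is therefore required, but the only consumer, `dns_forwarding_zone`, has `count = local.environment == "production" ? 1 : 0`, so non-production callers must still invent a value that is never used. Either give it `default = []` and tighten the count to `local.environment == "production" && length(var.target_name_server_addresses) > 0 ? 1 : 0`, or state in the description that the value is ignored outside production. The `dns_hub_project_id` removal in the second hunk is fine, but any remaining `var.dns_hub_project_id` reference in this module's other files (outside this view) would now fail validation.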
From: Renato Rudnicki Date: Fri, 13 Dec 2024 11:38:20 -0300 Subject: [PATCH 14/47] DNS Forward for dual-shared-vpc --- .../envs/production/README.md | 20 ++ 3-networks-dual-svpc/envs/production/main.tf | 321 ++++++++++++++++++ .../envs/production/remote.tf | 11 +- .../envs/production/variables.tf | 121 +++++++ .../envs/shared/shared.auto.tfvars | 1 - 3-networks-dual-svpc/modules/base_env/main.tf | 25 +- .../modules/base_shared_vpc/dns.tf | 4 +- .../modules/restricted_shared_vpc/README.md | 1 + .../restricted_shared_vpc/variables.tf | 6 + 9 files changed, 495 insertions(+), 15 deletions(-) delete mode 120000 3-networks-dual-svpc/envs/shared/shared.auto.tfvars diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md index a92f78e34..bb817052b 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-dual-svpc/envs/production/README.md 
@@ -16,14 +16,34 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| base\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | `bool` | `true` | no | +| base\_hub\_dns\_enable\_logging | Toggle DNS logging for Base Hub VPC DNS. | `bool` | `true` | no | +| base\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | `bool` | `true` | no | +| base\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Base Hub. | `number` | `64514` | no | +| base\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Base Hub. | `bool` | `false` | no | +| base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no | +| base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no | +| base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no | +| custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. 
| `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | +| enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no | +| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | +| restricted\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | `bool` | `true` | no | +| restricted\_hub\_dns\_enable\_logging | Toggle DNS logging for Restricted Hub VPC DNS. | `bool` | `true` | no | +| restricted\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Restricted Hub VPC. | `bool` | `true` | no | +| restricted\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Restricted Hub. | `number` | `64514` | no | +| restricted\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Restricted Hub. | `bool` | `false` | no | +| restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no | +| restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. 
| `number` | `2` | no | +| restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | ## Outputs diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index d2ea8490e..76e3b5591 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -65,6 +65,155 @@ locals { } ] } + + + restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + + bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + + dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ + { + "from" = { + "identity_type" = "" + "identities" = ["serviceAccount:${local.networks_service_account}"] + }, + "to" = { + "resources" = ["projects/${local.interconnect_project_number}"] + "operations" = { + "compute.googleapis.com" = { + "methods" = ["*"] + } + } + } + }, + ] : [] + + supported_restricted_service = [ + "accessapproval.googleapis.com", + "adsdatahub.googleapis.com", + "aiplatform.googleapis.com", + "alloydb.googleapis.com", + "alpha-documentai.googleapis.com", + "analyticshub.googleapis.com", + "apigee.googleapis.com", + "apigeeconnect.googleapis.com", + "artifactregistry.googleapis.com", + "assuredworkloads.googleapis.com", + "automl.googleapis.com", + "baremetalsolution.googleapis.com", + "batch.googleapis.com", + "bigquery.googleapis.com", + "bigquerydatapolicy.googleapis.com", + "bigquerydatatransfer.googleapis.com", + "bigquerymigration.googleapis.com", + "bigqueryreservation.googleapis.com", + "bigtable.googleapis.com", + "binaryauthorization.googleapis.com", + "cloud.googleapis.com", + "cloudasset.googleapis.com", + "cloudbuild.googleapis.com", + "clouddebugger.googleapis.com", + "clouddeploy.googleapis.com", + "clouderrorreporting.googleapis.com", + "cloudfunctions.googleapis.com", + "cloudkms.googleapis.com", + "cloudprofiler.googleapis.com", + "cloudresourcemanager.googleapis.com", + "cloudscheduler.googleapis.com", + "cloudsearch.googleapis.com", + "cloudtrace.googleapis.com", + "composer.googleapis.com", + "compute.googleapis.com", + 
"connectgateway.googleapis.com", + "contactcenterinsights.googleapis.com", + "container.googleapis.com", + "containeranalysis.googleapis.com", + "containerfilesystem.googleapis.com", + "containerregistry.googleapis.com", + "containerthreatdetection.googleapis.com", + "datacatalog.googleapis.com", + "dataflow.googleapis.com", + "datafusion.googleapis.com", + "datamigration.googleapis.com", + "dataplex.googleapis.com", + "dataproc.googleapis.com", + "datastream.googleapis.com", + "dialogflow.googleapis.com", + "dlp.googleapis.com", + "dns.googleapis.com", + "documentai.googleapis.com", + "domains.googleapis.com", + "eventarc.googleapis.com", + "file.googleapis.com", + "firebaseappcheck.googleapis.com", + "firebaserules.googleapis.com", + "firestore.googleapis.com", + "gameservices.googleapis.com", + "gkebackup.googleapis.com", + "gkeconnect.googleapis.com", + "gkehub.googleapis.com", + "healthcare.googleapis.com", + "iam.googleapis.com", + "iamcredentials.googleapis.com", + "iaptunnel.googleapis.com", + "ids.googleapis.com", + "integrations.googleapis.com", + "kmsinventory.googleapis.com", + "krmapihosting.googleapis.com", + "language.googleapis.com", + "lifesciences.googleapis.com", + "logging.googleapis.com", + "managedidentities.googleapis.com", + "memcache.googleapis.com", + "meshca.googleapis.com", + "meshconfig.googleapis.com", + "metastore.googleapis.com", + "ml.googleapis.com", + "monitoring.googleapis.com", + "networkconnectivity.googleapis.com", + "networkmanagement.googleapis.com", + "networksecurity.googleapis.com", + "networkservices.googleapis.com", + "notebooks.googleapis.com", + "opsconfigmonitoring.googleapis.com", + "orgpolicy.googleapis.com", + "osconfig.googleapis.com", + "oslogin.googleapis.com", + "privateca.googleapis.com", + "pubsub.googleapis.com", + "pubsublite.googleapis.com", + "recaptchaenterprise.googleapis.com", + "recommender.googleapis.com", + "redis.googleapis.com", + "retail.googleapis.com", + "run.googleapis.com", + 
"secretmanager.googleapis.com", + "servicecontrol.googleapis.com", + "servicedirectory.googleapis.com", + "spanner.googleapis.com", + "speakerid.googleapis.com", + "speech.googleapis.com", + "sqladmin.googleapis.com", + "storage.googleapis.com", + "storagetransfer.googleapis.com", + "sts.googleapis.com", + "texttospeech.googleapis.com", + "timeseriesinsights.googleapis.com", + "tpu.googleapis.com", + "trafficdirector.googleapis.com", + "transcoder.googleapis.com", + "translate.googleapis.com", + "videointelligence.googleapis.com", + "vision.googleapis.com", + "visionai.googleapis.com", + "vmmigration.googleapis.com", + "vpcaccess.googleapis.com", + "webrisk.googleapis.com", + "workflows.googleapis.com", + "workstations.googleapis.com", + ] + } module "base_env" { 
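Review bot: `restricted_services_dry_run` is the same expression as `restricted_services`, so the dry-run perimeter can never be used to stage a wider or narrower service list before it is enforced; if that is deliberate, a comment such as `# dry-run list intentionally mirrors the enforced list` above the pair would stop the next maintainer from "fixing" it, otherwise a separate dry-run variable is needed. The long `supported_restricted_service` literal is now maintained per environment; if the same list already lives in `modules/base_env` (instantiated by `module "base_env"` just below, outside this hunk), the two copies will drift and the hub perimeter will silently protect a different service set than the spokes — a shared local or module output is safer. At minimum a comment above the list with its source, `# https://cloud.google.com/vpc-service-controls/docs/supported-products`, and the date it was last synced would help.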
@@ -96,3 +245,175 @@ module "base_env" { remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name } +#################### net_hub below + +/****************************************** + Base Network VPC +*****************************************/ + +module "base_shared_vpc" { + source = "../../modules/base_shared_vpc" + + project_id = local.base_net_hub_project_id + environment_code = local.environment_code + private_service_connect_ip = "10.17.0.1" + bgp_asn_subnet = local.bgp_asn_number + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding + dns_enable_logging = var.base_hub_dns_enable_logging + firewall_enable_logging = var.base_hub_firewall_enable_logging + nat_enabled = var.base_hub_nat_enabled + nat_bgp_asn = var.base_hub_nat_bgp_asn + nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 + nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 + windows_activation_enabled = var.base_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses + + subnets = [ + { + subnet_name = "sb-c-shared-base-hub-${local.default_region1}" + subnet_ip = local.base_subnet_primary_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_private_access = "true" + subnet_flow_logs = var.base_vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr + description = "Base network hub subnet for ${local.default_region1}" + }, + { + subnet_name = "sb-c-shared-base-hub-${local.default_region2}" + subnet_ip = 
local.base_subnet_primary_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_private_access = "true" + subnet_flow_logs = var.base_vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr + description = "Base network hub subnet for ${local.default_region2}" + }, + { + subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" + } + ] + secondary_ranges = {} + +} + +/****************************************** + Restricted Network VPC +*****************************************/ + +module "restricted_shared_vpc" { + source = "../../modules/restricted_shared_vpc" + + project_id = local.restricted_net_hub_project_id + project_number = local.restricted_net_hub_project_number + environment_code = local.environment_code + private_service_connect_ip = "10.17.0.5" + access_context_manager_policy_id = var.access_context_manager_policy_id + restricted_services = local.restricted_services + restricted_services_dry_run = local.restricted_services_dry_run + members = distinct(concat([ + 
"serviceAccount:${local.networks_service_account}", + "serviceAccount:${local.projects_service_account}", + "serviceAccount:${local.organization_service_account}", + ], var.perimeter_additional_members)) + members_dry_run = distinct(concat([ + "serviceAccount:${local.networks_service_account}", + "serviceAccount:${local.projects_service_account}", + "serviceAccount:${local.organization_service_account}", + ], var.perimeter_additional_members)) + bgp_asn_subnet = local.bgp_asn_number + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding + dns_enable_logging = var.restricted_hub_dns_enable_logging + firewall_enable_logging = var.restricted_hub_firewall_enable_logging + nat_enabled = var.restricted_hub_nat_enabled + nat_bgp_asn = var.restricted_hub_nat_bgp_asn + nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 + nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 + windows_activation_enabled = var.restricted_hub_windows_activation_enabled + target_name_server_addresses = var.target_name_server_addresses + + subnets = [ + { + subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}" + subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_private_access = "true" + subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + description = "Restricted network hub subnet for ${local.default_region1}" + }, + { + subnet_name = 
"sb-c-shared-restricted-hub-${local.default_region2}" + subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_private_access = "true" + subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + description = "Restricted network hub subnet for ${local.default_region2}" + }, + { + subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" + } + ] + secondary_ranges = {} + + egress_policies = distinct(concat( + local.dedicated_interconnect_egress_policy, + var.egress_policies + )) + + ingress_policies = var.ingress_policies + +} + + diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf index e2e5b151d..fb6a57053 100644 --- a/3-networks-dual-svpc/envs/production/remote.tf +++ b/3-networks-dual-svpc/envs/production/remote.tf 
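Review bot: `module "restricted_shared_vpc"` receives `egress_policies` and `ingress_policies` but not `egress_policies_dry_run` (the module's README documents it with default `[]`) or an ingress dry-run counterpart, although `members_dry_run` and `restricted_services_dry_run` are passed; the dry-run perimeter therefore falls back to empty policy lists and will report violations for flows the enforced perimeter explicitly allows, starting with the dedicated-interconnect egress rule. Passing `egress_policies_dry_run = distinct(concat(local.dedicated_interconnect_egress_policy, var.egress_policies_dry_run))` and, if the module exposes it, `ingress_policies_dry_run = var.ingress_policies_dry_run` keeps the two perimeters aligned. Separately, `private_service_connect_ip = "10.17.0.1"` and `"10.17.0.5"` are bare literals; a comment naming the range they are carved from, or moving them into `locals` beside the subnet ranges, keeps the addressing plan in one place. The `#################### net_hub below` marker reads as a scratch note; the two `/**** … ****/` headers that follow already label the blocks, so it can go.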
@@ -15,8 +15,15 @@
 */
 
 locals {
- default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
- default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+ default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+ default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+ interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number
+ base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id
+ restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
+ restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
+ organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
+ networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
+ projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf
index 02448e5a9..ab329922a 100644
--- a/3-networks-dual-svpc/envs/production/variables.tf
+++ b/3-networks-dual-svpc/envs/production/variables.tf
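Review bot: The new locals dereference `data.terraform_remote_state.org.outputs.*`, but the only remote-state data source visible in this hunk's context is `terraform_remote_state.bootstrap`; unless an `org` data source is already declared in another file of envs/production, `terraform validate` fails on an undeclared data resource before any of these values can be used. Declaring it beside the bootstrap one in the same commit keeps the root plannable: `data "terraform_remote_state" "org" { backend = "gcs"  config = { bucket = var.remote_state_bucket, prefix = "terraform/org/state" } }`. The `locals` block is complete within the hunk; the rest of the file is not visible.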
@@ -14,6 +14,126 @@ * limitations under the License. */ +variable "enable_partner_interconnect" { + description = "Enable Partner Interconnect in the environment." + type = bool + default = false +} + +variable "enable_dedicated_interconnect" { + description = "Enable Dedicated Interconnect in the environment." + type = bool + default = false +} + +variable "custom_restricted_services" { + description = "List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected." + type = list(string) + default = [] +} + +variable "restricted_hub_dns_enable_inbound_forwarding" { + type = bool + description = "Toggle inbound query forwarding for Restricted Hub VPC DNS." + default = true +} + +variable "restricted_hub_firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls in Restricted Hub VPC." + default = true +} + +variable "restricted_hub_dns_enable_logging" { + type = bool + description = "Toggle DNS logging for Restricted Hub VPC DNS." + default = true +} + +variable "restricted_hub_nat_enabled" { + type = bool + description = "Toggle creation of NAT cloud router in Restricted Hub." + default = false +} + +variable "restricted_hub_nat_bgp_asn" { + type = number + description = "BGP ASN for first NAT cloud routes in Restricted Hub." + default = 64514 +} + +variable "restricted_hub_nat_num_addresses_region1" { + type = number + description = "Number of external IPs to reserve for first Cloud NAT in Restricted Hub." + default = 2 +} + +variable "restricted_hub_nat_num_addresses_region2" { + type = number + description = "Number of external IPs to reserve for second Cloud NAT in Restricted Hub." + default = 2 +} + +variable "restricted_hub_windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads in Restricted Hub." 
+ default = false +} + +variable "base_hub_dns_enable_inbound_forwarding" { + type = bool + description = "Toggle inbound query forwarding for Base Hub VPC DNS." + default = true +} + +variable "base_hub_dns_enable_logging" { + type = bool + description = "Toggle DNS logging for Base Hub VPC DNS." + default = true +} + +variable "base_hub_firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls in Base Hub VPC." + default = true +} + +variable "base_hub_nat_enabled" { + type = bool + description = "Toggle creation of NAT cloud router in Base Hub." + default = false +} + +variable "base_hub_nat_bgp_asn" { + type = number + description = "BGP ASN for first NAT cloud routes in Base Hub." + default = 64514 +} + +variable "base_hub_nat_num_addresses_region1" { + type = number + description = "Number of external IPs to reserve for first Cloud NAT in Base Hub." + default = 2 +} + +variable "base_hub_nat_num_addresses_region2" { + type = number + description = "Number of external IPs to reserve for second Cloud NAT in Base Hub." + default = 2 +} + +variable "base_hub_windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads in Base Hub" + default = false +} + +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) +} + +############################## variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string @@ -82,3 +202,4 @@ variable "tfc_org_name" { type = string default = "" } + 
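Review bot: `target_name_server_addresses` is the set of resolvers the forwarding zone for `var.domain` hands every query to, yet the hunk declares it as an unconstrained `list(map(any))` with no default and no validation, so a mistyped address or a wrong key only surfaces at apply time — or silently points internal name resolution at the wrong host. A `validation` block that requires each entry to carry an IPv4-formatted `ipv4_address` (the key the cloud-dns module is presumed to read; please confirm against the module) moves that failure to plan time. Separately, the descriptions of `restricted_hub_nat_bgp_asn` and `base_hub_nat_bgp_asn` say "first NAT cloud routes" where "router" is meant, and `base_hub_windows_activation_enabled` lacks the trailing period its siblings have.
```hcl
variable "target_name_server_addresses" {
  description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
  type        = list(map(any))

  validation {
    condition = alltrue([
      for ns in var.target_name_server_addresses :
      can(regex("^(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}$", ns.ipv4_address))
    ])
    error_message = "Every entry in target_name_server_addresses must provide a valid IPv4 address under the ipv4_address key."
  }
}
```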
diff --git a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars deleted file mode 120000 index b7f8387a8..000000000 --- a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../shared.auto.tfvars \ No newline at end of file diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 02d390d5f..d7bf6af7f 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -169,7 +169,8 @@ locals { module "restricted_shared_vpc" { source = "../restricted_shared_vpc" - project_id = local.restricted_project_id + project_id = local.restricted_project_id + #dns_hub_project_id = local.dns_hub_project_id project_number = local.restricted_project_number environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id 
@@ -185,15 +186,14 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - target_name_server_addresses = var.target_name_server_addresses - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run egress_policies = distinct(concat( local.dedicated_interconnect_egress_policy, var.egress_policies @@ -202,6 +202,8 @@ module "restricted_shared_vpc" { local.dedicated_interconnect_egress_policy, var.egress_policies_dry_run )) + target_name_server_addresses = var.target_name_server_addresses + subnets = [ @@ -262,7 +264,8 @@ module "restricted_shared_vpc" { module "base_shared_vpc" { source = "../base_shared_vpc" - project_id = local.base_project_id + project_id = local.base_project_id + #dns_hub_project_id = local.dns_hub_project_id environment_code = var.environment_code private_service_cidr = var.base_private_service_cidr private_service_connect_ip = var.base_private_service_connect_ip diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 3f0189273..7456f9e6a 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf 
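Review bot: The `#dns_hub_project_id = local.dns_hub_project_id` lines added to both module calls are commented-out code, not configuration; if the argument is no longer passed it should be deleted, and if it is still intended it belongs behind a `# TODO(<issue>): pass dns_hub_project_id once <module> accepts it` comment naming the blocker. Left as-is, it invites someone to uncomment it against a module that may no longer declare that input (none of the variables visible in this patch do), and `local.dns_hub_project_id` is not defined in any hunk shown here. Both `module` blocks begin and end outside this hunk.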
@@ -34,7 +34,7 @@ resource "google_dns_policy" "default_policy" {
 data "google_compute_network" "vpc_dns_hub" {
 count = local.environment == "production" ? 1 : 0
 
- name = data.google_compute_network.vpc_base_net_hub[0].name
+ name = var.base_network_name
 project = var.base_net_hub_project_id
 }
 
@@ -63,6 +63,8 @@ module "dns_forwarding_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 5.0"
 
+ count = local.environment == "production" ? 1 : 0
+
 project_id = var.project_id
 type = "forwarding"
 name = "fz-dns-hub"
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
index 01b41721c..889bba787 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
@@ -29,6 +29,7 @@
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
 | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 | restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no |
+| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no |
 | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes |
 | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index 7fd903f38..ab9b3273d 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
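Review bot: Adding `count` to `module "dns_forwarding_zone"` turns every reference to it into a list, so any `module.dns_forwarding_zone.*` output or `depends_on` elsewhere in this module (none is visible in the hunk; outputs.tf is the place to check) must become `module.dns_forwarding_zone[0].*` or validation fails. The data source now looks the hub network up by `var.base_network_name`; if that input mirrors the `restricted_network_name` added in the same patch it defaults to `""`, so a production caller that forgets to set it gets an opaque not-found error from `google_compute_network` rather than a clear message — a `validation { condition = var.base_network_name != "" ... }` on the variable, or no default at all, is the usual fix. Both the data source and the module body extend beyond the hunk.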
@@ -25,6 +25,12 @@ variable "restricted_net_hub_project_id" { default = "" } +variable "restricted_network_name" { + type = string + description = "The name of the VPC being created" + default = "" +} + variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." From 576a942a6e5e26a106729606e07cbeb158e159bc Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 19 Dec 2024 14:32:24 -0300 Subject: [PATCH 15/47] dual-shared-vpc-changes --- 3-networks-dual-svpc/envs/production/main.tf | 355 +++++++++--------- .../envs/production/remote.tf | 54 ++- .../envs/production/variables.tf | 41 ++ 3-networks-dual-svpc/envs/shared/outputs.tf | 4 + 3-networks-dual-svpc/envs/shared/remote.tf | 2 +- 3-networks-dual-svpc/envs/shared/variables.tf | 8 +- .../modules/base_env/README.md | 2 - 3-networks-dual-svpc/modules/base_env/main.tf | 30 +- .../modules/base_env/outputs.tf | 2 + .../modules/base_env/remote.tf | 4 +- .../modules/base_env/variables.tf | 1 + .../modules/base_shared_vpc/README.md | 3 +- .../modules/base_shared_vpc/dns.tf | 15 +- .../modules/base_shared_vpc/main.tf | 12 +- .../modules/base_shared_vpc/outputs.tf | 2 + .../modules/base_shared_vpc/variables.tf | 13 +- .../modules/restricted_shared_vpc/README.md | 4 +- .../modules/restricted_shared_vpc/dns.tf | 3 +- .../modules/restricted_shared_vpc/main.tf | 4 +- .../modules/restricted_shared_vpc/outputs.tf | 1 + .../restricted_shared_vpc/variables.tf | 7 + 21 files changed, 346 insertions(+), 221 deletions(-) diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 76e3b5591..e595f8b91 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
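Review bot: `restricted_network_name` defaults to `""` while its description calls it "the VPC being created", but the parallel `vpc_dns_hub` data source in this patch uses the equivalent base-module variable to look up an existing hub network by name; if this one is used the same way, an empty string is never a usable value and the description points the caller at the wrong resource. Either drop the default so Terraform demands a value, or add `validation { condition = var.restricted_network_name != ""  error_message = "restricted_network_name must name the existing restricted hub VPC." }`, and reword the description to `"Name of the existing restricted hub VPC that the DNS zones target"` (adjusted to the actual consumer, which is outside this hunk).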
@@ -66,30 +66,32 @@ locals { ] } +############################## - restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns - dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ - { - "from" = { - "identity_type" = "" - "identities" = ["serviceAccount:${local.networks_service_account}"] - }, - "to" = { - "resources" = ["projects/${local.interconnect_project_number}"] - "operations" = { - "compute.googleapis.com" = { - "methods" = ["*"] - } - } - } - }, - ] : [] +# dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ +# { +# "from" = { +# "identity_type" = "" +# "identities" = ["serviceAccount:${local.networks_service_account}"] +# }, +# "to" = { +# "resources" = ["projects/${local.interconnect_project_number}"] +# "operations" = { +# "compute.googleapis.com" = { +# "methods" = ["*"] +# } +# } +# } +# }, +# ] : [] - supported_restricted_service = [ +supported_restricted_service = [ "accessapproval.googleapis.com", "adsdatahub.googleapis.com", "aiplatform.googleapis.com", @@ -214,6 +216,7 @@ locals { "workstations.googleapis.com", ] +###################################### } module "base_env" { 
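Review bot: `dedicated_interconnect_egress_policy` is commented out while `var.enable_dedicated_interconnect` still exists in this root (added in the earlier variables.tf hunk of this series), so setting that flag to `true` no longer yields the VPC-SC egress rule that lets the networks service account reach `projects/${local.interconnect_project_number}`; the interconnect attachment would then be blocked by the perimeter with nothing in the config explaining why. If the policy now lives with the restricted VPC inside `base_env`, delete the variable and its commented consumer here; otherwise restore the local rather than keeping it as a `#` block. The `##############################` separator lines and the de-indented `supported_restricted_service = [` look like refactor leftovers and will likely trip `terraform fmt -check`.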
@@ -244,6 +247,7 @@ module "base_env" {
 restricted_private_service_connect_ip = "10.17.0.8"
 remote_state_bucket = var.remote_state_bucket
 tfc_org_name = var.tfc_org_name
+ target_name_server_addresses = var.target_name_server_addresses
 }
 
 #################### net_hub below
@@ -251,169 +255,178 @@ module "base_env" { Base Network VPC *****************************************/ -module "base_shared_vpc" { - source = "../../modules/base_shared_vpc" +# module "base_shared_vpc" { +# source = "../../modules/base_shared_vpc" - project_id = local.base_net_hub_project_id - environment_code = local.environment_code - private_service_connect_ip = "10.17.0.1" - bgp_asn_subnet = local.bgp_asn_number - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding - dns_enable_logging = var.base_hub_dns_enable_logging - firewall_enable_logging = var.base_hub_firewall_enable_logging - nat_enabled = var.base_hub_nat_enabled - nat_bgp_asn = var.base_hub_nat_bgp_asn - nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 - nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 - windows_activation_enabled = var.base_hub_windows_activation_enabled - target_name_server_addresses = var.target_name_server_addresses +# project_id = local.base_project_id +# #project_id = var.base_net_hub_project_id +# environment_code = local.environment_code +# private_service_connect_ip = "10.17.0.1" +# bgp_asn_subnet = local.bgp_asn_number +# default_region1 = local.default_region1 +# default_region2 = local.default_region2 +# domain = var.domain +# dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding +# dns_enable_logging = var.base_hub_dns_enable_logging +# firewall_enable_logging = var.base_hub_firewall_enable_logging +# nat_enabled = var.base_hub_nat_enabled +# nat_bgp_asn = var.base_hub_nat_bgp_asn +# nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 +# nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 +# windows_activation_enabled = var.base_hub_windows_activation_enabled +# target_name_server_addresses = var.target_name_server_addresses +# #mode = "hub" - subnets = [ - 
{ - subnet_name = "sb-c-shared-base-hub-${local.default_region1}" - subnet_ip = local.base_subnet_primary_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.base_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Base network hub subnet for ${local.default_region1}" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}" - subnet_ip = local.base_subnet_primary_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.base_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr - description = "Base network hub subnet for ${local.default_region2}" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region1}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - }, - { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for 
${local.default_region2}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - } - ] - secondary_ranges = {} +# subnets = [ +# { +# subnet_name = "sb-c-shared-base-hub-${local.default_region1}" +# subnet_ip = local.base_subnet_primary_ranges[local.default_region1] +# subnet_region = local.default_region1 +# subnet_private_access = "true" +# subnet_flow_logs = var.base_vpc_flow_logs.enable_logging +# subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval +# subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling +# subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata +# subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields +# subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr +# description = "Base network hub subnet for ${local.default_region1}" +# }, +# { +# subnet_name = "sb-c-shared-base-hub-${local.default_region2}" +# subnet_ip = local.base_subnet_primary_ranges[local.default_region2] +# subnet_region = local.default_region2 +# subnet_private_access = "true" +# subnet_flow_logs = var.base_vpc_flow_logs.enable_logging +# subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval +# subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling +# subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata +# subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields +# subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr +# description = "Base network hub subnet for ${local.default_region2}" +# }, +# { +# subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" +# subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] +# subnet_region = local.default_region1 +# subnet_flow_logs = false +# description = "Base network hub proxy-only subnet for ${local.default_region1}" +# role = "ACTIVE" +# purpose = "REGIONAL_MANAGED_PROXY" +# }, +# { +# subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" +# subnet_ip = 
local.base_subnet_proxy_ranges[local.default_region2] +# subnet_region = local.default_region2 +# subnet_flow_logs = false +# description = "Base network hub proxy-only subnet for ${local.default_region2}" +# role = "ACTIVE" +# purpose = "REGIONAL_MANAGED_PROXY" +# } +# ] +# secondary_ranges = {} -} +# #depends_on = [module.dns_hub_vpc] +# } /****************************************** Restricted Network VPC *****************************************/ -module "restricted_shared_vpc" { - source = "../../modules/restricted_shared_vpc" +# module "restricted_shared_vpc" { +# source = "../../modules/restricted_shared_vpc" - project_id = local.restricted_net_hub_project_id - project_number = local.restricted_net_hub_project_number - environment_code = local.environment_code - private_service_connect_ip = "10.17.0.5" - access_context_manager_policy_id = var.access_context_manager_policy_id - restricted_services = local.restricted_services - restricted_services_dry_run = local.restricted_services_dry_run - members = distinct(concat([ - "serviceAccount:${local.networks_service_account}", - "serviceAccount:${local.projects_service_account}", - "serviceAccount:${local.organization_service_account}", - ], var.perimeter_additional_members)) - members_dry_run = distinct(concat([ - "serviceAccount:${local.networks_service_account}", - "serviceAccount:${local.projects_service_account}", - "serviceAccount:${local.organization_service_account}", - ], var.perimeter_additional_members)) - bgp_asn_subnet = local.bgp_asn_number - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding - dns_enable_logging = var.restricted_hub_dns_enable_logging - firewall_enable_logging = var.restricted_hub_firewall_enable_logging - nat_enabled = var.restricted_hub_nat_enabled - nat_bgp_asn = var.restricted_hub_nat_bgp_asn - nat_num_addresses_region1 = 
var.restricted_hub_nat_num_addresses_region1 - nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 - windows_activation_enabled = var.restricted_hub_windows_activation_enabled - target_name_server_addresses = var.target_name_server_addresses +# project_id = local.restricted_project_id +# project_number = local.restricted_project_number +# #project_id = var.restricted_net_hub_project_id +# #project_number = var.project_number +# environment_code = local.environment_code +# private_service_connect_ip = "10.17.0.5" +# access_context_manager_policy_id = var.access_context_manager_policy_id +# restricted_services = local.restricted_services +# restricted_services_dry_run = local.restricted_services_dry_run +# members = distinct(concat([ +# "serviceAccount:${local.networks_service_account}", +# "serviceAccount:${local.projects_service_account}", +# "serviceAccount:${local.organization_service_account}", +# ], var.perimeter_additional_members)) +# members_dry_run = distinct(concat([ +# "serviceAccount:${local.networks_service_account}", +# "serviceAccount:${local.projects_service_account}", +# "serviceAccount:${local.organization_service_account}", +# ], var.perimeter_additional_members)) +# bgp_asn_subnet = local.bgp_asn_number +# default_region1 = local.default_region1 +# default_region2 = local.default_region2 +# domain = var.domain +# dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding +# dns_enable_logging = var.restricted_hub_dns_enable_logging +# firewall_enable_logging = var.restricted_hub_firewall_enable_logging +# nat_enabled = var.restricted_hub_nat_enabled +# nat_bgp_asn = var.restricted_hub_nat_bgp_asn +# nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 +# nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 +# windows_activation_enabled = var.restricted_hub_windows_activation_enabled +# target_name_server_addresses = var.target_name_server_addresses +# #mode = "hub" 
- subnets = [ - { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}" - subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region1}" - }, - { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}" - subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging - subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval - subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling - subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata - subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields - subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region2}" - }, - { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region1}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - }, - { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" - subnet_ip = 
local.restricted_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region2}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" - } - ] - secondary_ranges = {} +# subnets = [ +# { +# subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}" +# subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1] +# subnet_region = local.default_region1 +# subnet_private_access = "true" +# subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging +# subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval +# subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling +# subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata +# subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields +# subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr +# description = "Restricted network hub subnet for ${local.default_region1}" +# }, +# { +# subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}" +# subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2] +# subnet_region = local.default_region2 +# subnet_private_access = "true" +# subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging +# subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval +# subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling +# subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata +# subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields +# subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr +# description = "Restricted network hub subnet for ${local.default_region2}" +# }, +# { +# subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" +# subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] +# 
subnet_region = local.default_region1 +# subnet_flow_logs = false +# description = "Restricted network hub proxy-only subnet for ${local.default_region1}" +# role = "ACTIVE" +# purpose = "REGIONAL_MANAGED_PROXY" +# }, +# { +# subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" +# subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] +# subnet_region = local.default_region2 +# subnet_flow_logs = false +# description = "Restricted network hub proxy-only subnet for ${local.default_region2}" +# role = "ACTIVE" +# purpose = "REGIONAL_MANAGED_PROXY" +# } +# ] +# secondary_ranges = {} - egress_policies = distinct(concat( - local.dedicated_interconnect_egress_policy, - var.egress_policies - )) +# egress_policies = distinct(concat( +# #local.dedicated_interconnect_egress_policy, +# var.egress_policies +# )) - ingress_policies = var.ingress_policies +# ingress_policies = var.ingress_policies -} +# #depends_on = [module.dns_hub_vpc] +# } + +######################################################################################### diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf index fb6a57053..09500eb8c 100644 --- a/3-networks-dual-svpc/envs/production/remote.tf +++ b/3-networks-dual-svpc/envs/production/remote.tf 
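Review bot: Commenting out `module "base_shared_vpc"` and `module "restricted_shared_vpc"` removes them from configuration exactly as deleting them would, so if these hub VPCs and the restricted VPC-SC perimeter were previously applied from this root, the next apply plans their destruction — including the perimeter — before whatever replaces them inside `base_env` is in place. If they are being relocated, add `moved` blocks (or a documented `terraform state mv`) to the new addresses; if they are being retired, sequence the apply so the new perimeter exists first and call out the perimeter removal in the PR description. The ~170 commented lines should simply be deleted — git keeps the history — and the in-comment edits such as `project_id = local.base_project_id` and `#local.dedicated_interconnect_egress_policy` show the block is already drifting from the code it supposedly preserves.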
@@ -15,15 +15,17 @@
 */
 
 locals {
- default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
- default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
- interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number
- base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id
- restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
- restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
+ default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+ default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+ ####
 organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
 networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
 projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
+
+ restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
+ restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
+ base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
+
 }
 
 data "terraform_remote_state" "bootstrap" {
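Review bot: The three new locals index `shared_vpc_projects[local.env]`, but `local.env` is not defined in this `locals` block and no definition appears anywhere in the visible hunks; unless another file of envs/production sets it (please confirm), this is an unknown-local error that only shows up at plan time. Pinning it here, `env = "production"`, would make the root self-contained and documents which environment's Shared VPC projects this production networks root is now targeting. The bare `####` comment should be removed or replaced with a line that says what it separates.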
@@ -34,3 +36,43 @@ data "terraform_remote_state" "bootstrap" { prefix = "terraform/bootstrap/state" } } + + +################################### + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = var.remote_state_bucket + prefix = "terraform/org/state" + } +} + +data "terraform_remote_state" "env_development" { + backend = "gcs" + + config = { + bucket = var.remote_state_bucket + prefix = "terraform/environments/development" + } +} + +data "terraform_remote_state" "env_nonproduction" { + backend = "gcs" + + config = { + bucket = var.remote_state_bucket + prefix = "terraform/environments/nonproduction" + } +} + +data "terraform_remote_state" "env_production" { + backend = "gcs" + + config = { + bucket = var.remote_state_bucket + prefix = "terraform/environments/production" + } +} + diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf index ab329922a..90c15a638 100644 --- a/3-networks-dual-svpc/envs/production/variables.tf +++ b/3-networks-dual-svpc/envs/production/variables.tf @@ -14,6 +14,47 @@ * limitations under the License. */ + +variable "base_vpc_flow_logs" { + description = < flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
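Review bot: The three `data "terraform_remote_state" "env_development" / "env_nonproduction" / "env_production"` blocks added at the end of this hunk are not referenced by any local in the visible hunks of this file, yet each one requires the production networks service account to read another environment's state prefix in `var.remote_state_bucket`. Remote state frequently carries sensitive outputs, so a step should read only the state it consumes; if these are placeholders for a later patch, drop them here and introduce them together with their first consumer. If they are genuinely needed, a comment such as `# Reads <env> state for <output>; the production networks SA needs object read access on this prefix` above the first block would document the extra permission this grants.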
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | ## Outputs @@ -57,6 +56,5 @@ | restricted\_subnets\_names | The names of the subnets being created | | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | restricted\_subnets\_self\_links | The self-links of subnets being created | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index d7bf6af7f..b0d244c24 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -169,9 +169,10 @@ locals { module "restricted_shared_vpc" { source = "../restricted_shared_vpc" - project_id = local.restricted_project_id - #dns_hub_project_id = local.dns_hub_project_id - project_number = local.restricted_project_number + project_id = local.restricted_project_id + project_number = local.restricted_project_number + + environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services 
@@ -186,20 +187,20 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run egress_policies = distinct(concat( - local.dedicated_interconnect_egress_policy, + #local.dedicated_interconnect_egress_policy, var.egress_policies )) egress_policies_dry_run = distinct(concat( - local.dedicated_interconnect_egress_policy, + #local.dedicated_interconnect_egress_policy, var.egress_policies_dry_run )) target_name_server_addresses = var.target_name_server_addresses @@ -264,8 +265,7 @@ module "restricted_shared_vpc" { module "base_shared_vpc" { source = "../base_shared_vpc" - project_id = local.base_project_id - #dns_hub_project_id = local.dns_hub_project_id + project_id = local.base_project_id environment_code = var.environment_code private_service_cidr = var.base_private_service_cidr private_service_connect_ip = var.base_private_service_connect_ip diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf index 5ab1c3428..fd3a574fb 100644 --- a/3-networks-dual-svpc/modules/base_env/outputs.tf +++ b/3-networks-dual-svpc/modules/base_env/outputs.tf 
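Review bot: Both `egress_policies` and `egress_policies_dry_run` silently lose the dedicated-interconnect rule: `local.dedicated_interconnect_egress_policy` is commented out inside the `concat(...)` rather than removed, so when dedicated interconnect is enabled the networks service account no longer has an egress exception from the restricted perimeter to the interconnect project and its compute calls will be denied by VPC-SC. If this refactor drops dedicated interconnect support, delete the commented references (and the `enable_dedicated_interconnect` path that depended on them); if it is still supported, keep the rule gated on the flag as before. With a single list left, `concat` is redundant and the two attributes reduce to `egress_policies = distinct(var.egress_policies)` and `egress_policies_dry_run = distinct(var.egress_policies_dry_run)`. The `module "restricted_shared_vpc"` block starts outside this hunk.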
@@ -19,6 +19,7 @@ output "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration" } + /********************* Restricted Outputs *********************/ @@ -118,3 +119,4 @@ output "base_subnets_secondary_ranges" { value = module.base_shared_vpc.subnets_secondary_ranges description = "The secondary ranges associated with these subnets" } + diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index 57562db0c..7cbf38606 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-dual-svpc/modules/base_env/remote.tf @@ -16,14 +16,15 @@ locals { restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email } + data "terraform_remote_state" "bootstrap" { backend = "gcs" @@ -41,3 +42,4 @@ data "terraform_remote_state" "org" { prefix = "terraform/org/state" } } + diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf index 9e0f8c59e..4bb88ca6c 100644 
--- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-dual-svpc/modules/base_env/variables.tf @@ -218,3 +218,4 @@ variable "tfc_org_name" { description = "Name of the TFC organization" type = string } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 6ff0d0477..10b8c0e1c 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md @@ -3,12 +3,12 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| base\_net\_hub\_project\_id | The base net hub project ID | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | @@ -22,7 +22,6 @@ | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 7456f9e6a..4d4cacbcd 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -32,17 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - count = local.environment == "production" ? 1 : 0 - name = var.base_network_name - project = var.base_net_hub_project_id + #count = local.environment == "production" ? 1 : 0 + + name = local.network_name + project = var.project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 project_id = var.project_id type = "peering" @@ -53,7 +54,8 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link + #target_network = data.google_compute_network.vpc_dns_hub[0].self_link + target_network = data.google_compute_network.vpc_dns_hub.self_link } /****************************************** 
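Review bot: The `data "google_compute_network" "vpc_dns_hub"` lookup now resolves `local.network_name` in `var.project_id`, which is this module's own base VPC, so `module "peering_zone"` ends up with `private_visibility_config_networks = [module.main.network_self_link]` and `target_network` pointing at the same network: a peering zone from a VPC to itself forwards nothing to a DNS hub, and a data source on a network that `module.main` creates in the same module will not exist on a fresh apply. The README in this commit declares `dns_hub_project_id` as a required input, which suggests the intended lookup is the hub VPC in the hub project, e.g. `project = var.dns_hub_project_id` with `name` set to the hub network's name passed in as a variable. The commented `#count` and `#target_network` lines should be deleted rather than left as dead code.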
@@ -63,7 +65,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 project_id = var.project_id type = "forwarding" @@ -75,4 +77,3 @@ module "dns_forwarding_zone" { ] target_name_server_addresses = var.target_name_server_addresses } - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 629e792c2..5ef56729e 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf @@ -18,7 +18,9 @@ locals { vpc_name = "${var.environment_code}-shared-base" network_name = "vpc-${local.vpc_name}" private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - environment = var.environment_code == "plan" ? "plan" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction" + #environment = "production" + #environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" + #environment = var.environment_code == "production" ? "production" : null google_private_service_range = "35.199.192.0/19" advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } @@ -97,7 +99,7 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 name = "cr-${local.vpc_name}-${var.default_region1}-cr1" project = var.project_id 
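Review bot: The `environment` local in the `locals {}` hunk is replaced by three commented-out alternative definitions and no live one, which leaves the reader guessing which mapping is intended. Every `count = local.environment == "production"` in this module's visible hunks is commented out in the same commit, so if nothing else references `local.environment` the three comment lines should simply be deleted; if any reference survives outside these hunks, `terraform validate` will fail with an unsupported-attribute error on `local.environment`. A one-line comment such as `# All base VPC resources are now created in every environment (hub-and-spoke refactor)` would record why the production-only gating was removed.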
@@ -114,7 +116,7 @@ module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 name = "cr-${local.vpc_name}-${var.default_region1}-cr2" project = var.project_id @@ -131,7 +133,7 @@ module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 name = "cr-${local.vpc_name}-${var.default_region2}-cr3" project = var.project_id @@ -148,7 +150,7 @@ module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 name = "cr-${local.vpc_name}-${var.default_region2}-cr4" project = var.project_id diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf b/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf index 226e21343..f2e9e6eeb 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf @@ -14,6 +14,7 @@ * limitations under the License. */ + output "network_name" { value = module.main.network_name description = "The name of the VPC being created" @@ -78,3 +79,4 @@ output "region2_router2" { value = module.region2_router2 description = "Router 2 for Region 2" } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 06558fde4..5d5d9fa5a 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf 
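Review bot: Commenting out `count` on `region1_router2`, `region2_router1` and `region2_router2` (and `region1_router1` in the previous hunk) changes their addresses from `module.<name>[0]` to `module.<name>`, so on an existing production state Terraform will plan to destroy and recreate the four Cloud Routers together with any BGP sessions attached to them, an availability risk for interconnect or VPN traffic. Add `moved` blocks for each router (and for the DNS zones that lost their `count` in the same commit) so the refactor is a no-op on existing state; Terraform supports `moved` for module instances, which I believe covers this case.

```hcl
# Addresses changed when count was dropped; keep the existing routers in state.
moved {
  from = module.region1_router1[0]
  to   = module.region1_router1
}
# … same moved block for region1_router2, region2_router1 and region2_router2 …
```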
@@ -14,14 +14,21 @@ * limitations under the License. */ + variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) } -variable "base_net_hub_project_id" { +variable "base_network_name" { type = string - description = "The base net hub project ID" + description = "The name of the VPC being created" + default = "" +} + +variable "base_project_id" { + type = string + description = "The base project ID" default = "" } @@ -30,6 +37,7 @@ variable "project_id" { description = "Project ID for Private Shared VPC." } + variable "environment_code" { type = string description = "A short form of the folder level resources (environment) within the Google Cloud organization." @@ -148,3 +156,4 @@ variable "enable_all_vpc_internal_traffic" { description = "Enable firewall policy rule to allow internal traffic (ingress and egress)." default = false } + diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 889bba787..1ce44d877 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
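Review bot: The two new inputs `base_network_name` and `base_project_id` appear to be unused: the `dns.tf` hunk in this commit reads `local.network_name` and `var.project_id` instead, and the README generated for this module lists a required `dns_hub_project_id` that this file does not declare, so the documented and the actual interface disagree. Either declare `variable "dns_hub_project_id" { type = string  description = "The DNS hub project ID" }` and remove the two unused variables, or regenerate the README from what is really declared. The description on `base_network_name`, "The name of the VPC being created", describes the module's own VPC rather than the hub network a DNS peering target would need, so correct it if the variable stays.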
@@ -9,6 +9,7 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -28,13 +29,10 @@ | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | -| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | -| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 57840c6a3..6d5c857fe 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -34,7 +34,8 @@ resource "google_dns_policy" "default_policy" { data "google_compute_network" "vpc_dns_hub" { count = local.environment == "production" ? 1 : 0 - name = data.google_compute_network.vpc_restricted_net_hub[0].name + #name = data.google_compute_network.vpc_restricted_net_hub[0].name + name = var.restricted_network_name project = var.restricted_net_hub_project_id } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index d2ae88e1f..19db44ee5 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf 
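Review bot: The rewritten `data "google_compute_network" "vpc_dns_hub"` references `var.restricted_network_name` and `var.restricted_net_hub_project_id`, but the README hunk of this same commit removes both `restricted_net_hub_project_id` and `restricted_network_name` from the module's inputs and adds `dns_hub_project_id` as required; if the variables were removed from `variables.tf` as the README suggests, this block fails with a reference-to-undeclared-input-variable error. Point the lookup at the declared input, e.g. `project = var.dns_hub_project_id`, and delete the commented `#name = data.google_compute_network.vpc_restricted_net_hub[0].name` line instead of leaving it beside the live one.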
@@ -18,7 +18,9 @@ locals {
 vpc_name = "${var.environment_code}-shared-restricted"
 network_name = "vpc-${local.vpc_name}"
 restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
- environment = var.environment_code == "plan" ? "plan" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction"
+ environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction"
+ #environment = var.environment_code == "production" ? "production" : null
+ #environment = var.environment_code == "shared" ? "shared" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction"
 google_private_service_range = "35.199.192.0/19"
 advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }]
 }
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf
index af80f106d..748ec4ca3 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf
@@ -88,3 +88,4 @@ output "service_perimeter_name" {
 value = local.perimeter_name
 description = "Access context manager service perimeter name for the enforced perimeter"
 }
+
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index ab9b3273d..d92072c51 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
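Review bot: The new `environment` mapping drops the `"plan"` branch, so an `environment_code` of `"plan"` now resolves to `"nonproduction"` instead of `"plan"`; the only visible consumer, `count = local.environment == "production"` on the DNS hub lookup in `dns.tf`, is unaffected, but any other reference to `local.environment` outside these hunks changes behaviour with it, so confirm that `plan` is no longer a supported code before merging. The two commented-out alternative definitions below the live line should be deleted rather than kept as a menu of options; if the choice needs recording, a short comment such as `# "shared" is mapped explicitly so the shared env is not treated as nonproduction` says more than the dead code does.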
@@ -46,6 +46,12 @@ variable "project_number" { description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." } +# variable "dns_hub_project_id" { +# type = string +# description = "The DNS hub project ID" +# } + + variable "environment_code" { type = string description = "A short form of the folder level resources (environment) within the Google Cloud organization." @@ -226,3 +232,4 @@ variable "ingress_policies_dry_run" { })) default = [] } + From d92c5cecf923ba274109691fc4ad147a8997a919 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 19 Dec 2024 14:35:02 -0300 Subject: [PATCH 16/47] fix lint --- .../envs/production/README.md | 2 + 3-networks-dual-svpc/envs/production/main.tf | 48 +++++++++---------- .../envs/production/remote.tf | 12 ++--- 3-networks-dual-svpc/envs/shared/README.md | 1 - 3-networks-dual-svpc/envs/shared/remote.tf | 12 ++--- .../modules/base_env/README.md | 2 + 3-networks-dual-svpc/modules/base_env/main.tf | 20 ++++---- .../modules/base_shared_vpc/README.md | 4 +- .../modules/base_shared_vpc/main.tf | 8 ++-- .../modules/restricted_shared_vpc/README.md | 4 +- .../modules/restricted_shared_vpc/main.tf | 8 ++-- 11 files changed, 64 insertions(+), 57 deletions(-) diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md index bb817052b..48bbfcbfb 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-dual-svpc/envs/production/README.md 
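Review bot: `variable "dns_hub_project_id"` is added here only as a commented-out block, while the README for this module in the same commit lists `dns_hub_project_id` as a required input (`n/a | yes`), so callers following the documentation will pass an argument the module does not declare and fail with an unsupported-argument error. Either uncomment the declaration, `variable "dns_hub_project_id" { type = string  description = "The DNS hub project ID" }`, and use it in `dns.tf`, or leave it out and regenerate the README so the documented interface matches the code. Commented-out declarations should not be committed as a placeholder.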
@@ -24,6 +24,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no | | base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no | | base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no | +| base\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -43,6 +44,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no | | restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. | `number` | `2` | no | | restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no | +| restricted\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index e595f8b91..6b3fb76b0 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -66,32 +66,32 @@ locals { ] } -############################## + ############################## - restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service + restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" - # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns + bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns -# dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ -# { -# "from" = { -# "identity_type" = "" -# "identities" = ["serviceAccount:${local.networks_service_account}"] -# }, -# "to" = { -# "resources" = ["projects/${local.interconnect_project_number}"] -# "operations" = { -# "compute.googleapis.com" = { -# "methods" = ["*"] -# } -# } -# } -# }, -# ] : [] + # dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ + # { + # "from" = { + # "identity_type" = "" + # "identities" = ["serviceAccount:${local.networks_service_account}"] + # }, + # "to" = { + # "resources" = ["projects/${local.interconnect_project_number}"] + # "operations" = { + # "compute.googleapis.com" = { + # "methods" = ["*"] + # } + # } + # } + # }, + # ] : [] -supported_restricted_service = [ + supported_restricted_service = [ "accessapproval.googleapis.com", "adsdatahub.googleapis.com", "aiplatform.googleapis.com", 
@@ -216,7 +216,7 @@ supported_restricted_service = [ "workstations.googleapis.com", ] -###################################### + ###################################### } module "base_env" { @@ -247,7 +247,7 @@ module "base_env" { restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name - target_name_server_addresses = var.target_name_server_addresses + target_name_server_addresses = var.target_name_server_addresses } #################### net_hub below diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf index 09500eb8c..e7c5894e5 100644 --- a/3-networks-dual-svpc/envs/production/remote.tf +++ b/3-networks-dual-svpc/envs/production/remote.tf 
@@ -18,13 +18,13 @@ locals { default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 #### - organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id + restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number + base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id } diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index 0f84d6cd2..59a4a0a55 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md 
@@ -19,7 +19,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | | vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf index b3df2b0e0..b2cd2cd64 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf +++ b/3-networks-dual-svpc/envs/shared/remote.tf @@ -15,12 +15,12 @@ */ locals { - env = "common" - environment_code = "c" - dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns - default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + env = "common" + environment_code = "c" + dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns + default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix #interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index d543340d4..596c740e5 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md 
@@ -32,6 +32,7 @@ | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes | ## Outputs @@ -56,5 +57,6 @@ | restricted\_subnets\_names | The names of the subnets being created | | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | restricted\_subnets\_self\_links | The self-links of subnets being created | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index b0d244c24..59faad059 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -169,8 +169,8 @@ locals { module "restricted_shared_vpc" { source = "../restricted_shared_vpc" - project_id = local.restricted_project_id - project_number = local.restricted_project_number + project_id = local.restricted_project_id + project_number = local.restricted_project_number environment_code = var.environment_code 
@@ -187,14 +187,14 @@ module "restricted_shared_vpc" { "serviceAccount:${local.projects_service_account}", "serviceAccount:${local.organization_service_account}", ], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - ingress_policies_dry_run = var.ingress_policies_dry_run + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + ingress_policies_dry_run = var.ingress_policies_dry_run egress_policies = distinct(concat( #local.dedicated_interconnect_egress_policy, var.egress_policies diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 10b8c0e1c..d3656a445 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md 
@@ -3,12 +3,13 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| base\_network\_name | The name of the VPC being created | `string` | `""` | no | +| base\_project\_id | The base project ID | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | @@ -22,6 +23,7 @@ | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 5ef56729e..2a181d5f1 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf @@ -15,9 +15,9 @@ */ locals { - vpc_name = "${var.environment_code}-shared-base" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + vpc_name = "${var.environment_code}-shared-base" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip #environment = "production" #environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" #environment = var.environment_code == "production" ? "production" : null @@ -99,7 +99,7 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - #count = local.environment == "production" ? 1 : 0 + #count = local.environment == "production" ? 1 : 0 name = "cr-${local.vpc_name}-${var.default_region1}-cr1" project = var.project_id diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 1ce44d877..889bba787 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md @@ -9,7 +9,6 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | -| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | @@ -29,10 +28,13 @@ | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | +| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | +| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index 19db44ee5..cc55e2225 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf @@ -15,10 +15,10 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip - environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" + vpc_name = "${var.environment_code}-shared-restricted" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" #environment = var.environment_code == "production" ? "production" : null #environment = var.environment_code == "shared" ? "shared" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction" google_private_service_range = "35.199.192.0/19" From cc17b6a798dddda849a881d4ecae7ee5179fb815 Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Fri, 20 Dec 2024 16:49:59 -0300 Subject: [PATCH 17/47] refactoy DNS Dual-Shared --- 3-networks-dual-svpc/envs/development/main.tf | 1 + .../envs/development/variables.tf | 1 + .../envs/nonproduction/main.tf | 1 + .../envs/nonproduction/variables.tf | 1 + 3-networks-dual-svpc/envs/production/main.tf | 181 ------------------ .../envs/production/remote.tf | 14 +- .../envs/production/variables.tf | 2 - 3-networks-dual-svpc/envs/shared/outputs.tf | 4 - 3-networks-dual-svpc/envs/shared/variables.tf | 5 - 3-networks-dual-svpc/modules/base_env/main.tf | 6 +- .../modules/base_env/remote.tf | 4 + .../modules/base_shared_vpc/README.md | 2 +- .../modules/base_shared_vpc/dns.tf | 14 +- .../modules/base_shared_vpc/main.tf | 18 +- .../modules/base_shared_vpc/variables.tf | 5 +- .../modules/restricted_shared_vpc/README.md | 1 + .../modules/restricted_shared_vpc/dns.tf | 12 +- .../modules/restricted_shared_vpc/main.tf | 18 +- .../restricted_shared_vpc/variables.tf | 10 +- 19 files changed, 48 insertions(+), 252 deletions(-) diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index 202dc8345..d06588a58 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -96,3 +96,4 @@ module "base_env" { remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name } + diff --git a/3-networks-dual-svpc/envs/development/variables.tf b/3-networks-dual-svpc/envs/development/variables.tf index 02448e5a9..f3e720f97 100644 --- a/3-networks-dual-svpc/envs/development/variables.tf +++ b/3-networks-dual-svpc/envs/development/variables.tf @@ -82,3 +82,4 @@ variable "tfc_org_name" { type = string default = "" } + diff --git a/3-networks-dual-svpc/envs/nonproduction/main.tf b/3-networks-dual-svpc/envs/nonproduction/main.tf index 6505a4478..e6c91e097 100644 --- a/3-networks-dual-svpc/envs/nonproduction/main.tf 
+++ b/3-networks-dual-svpc/envs/nonproduction/main.tf @@ -96,3 +96,4 @@ module "base_env" { remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name } + diff --git a/3-networks-dual-svpc/envs/nonproduction/variables.tf b/3-networks-dual-svpc/envs/nonproduction/variables.tf index 02448e5a9..f3e720f97 100644 --- a/3-networks-dual-svpc/envs/nonproduction/variables.tf +++ b/3-networks-dual-svpc/envs/nonproduction/variables.tf @@ -82,3 +82,4 @@ variable "tfc_org_name" { type = string default = "" } + diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 6b3fb76b0..06e22911f 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -249,184 +249,3 @@ module "base_env" { tfc_org_name = var.tfc_org_name target_name_server_addresses = var.target_name_server_addresses } -#################### net_hub below - -/****************************************** - Base Network VPC -*****************************************/ - -# module "base_shared_vpc" { -# source = "../../modules/base_shared_vpc" - -# project_id = local.base_project_id -# #project_id = var.base_net_hub_project_id -# environment_code = local.environment_code -# private_service_connect_ip = "10.17.0.1" -# bgp_asn_subnet = local.bgp_asn_number -# default_region1 = local.default_region1 -# default_region2 = local.default_region2 -# domain = var.domain -# dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding -# dns_enable_logging = var.base_hub_dns_enable_logging -# firewall_enable_logging = var.base_hub_firewall_enable_logging -# nat_enabled = var.base_hub_nat_enabled -# nat_bgp_asn = var.base_hub_nat_bgp_asn -# nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 -# nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 -# windows_activation_enabled = var.base_hub_windows_activation_enabled -# target_name_server_addresses = var.target_name_server_addresses -# #mode = "hub" - -# subnets = [ -# { -# subnet_name = "sb-c-shared-base-hub-${local.default_region1}" -# subnet_ip = local.base_subnet_primary_ranges[local.default_region1] -# subnet_region = local.default_region1 -# subnet_private_access = "true" -# subnet_flow_logs = var.base_vpc_flow_logs.enable_logging -# subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval -# subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling -# subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata -# subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields -# subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr -# description = "Base network hub subnet for ${local.default_region1}" -# }, -# { -# 
subnet_name = "sb-c-shared-base-hub-${local.default_region2}" -# subnet_ip = local.base_subnet_primary_ranges[local.default_region2] -# subnet_region = local.default_region2 -# subnet_private_access = "true" -# subnet_flow_logs = var.base_vpc_flow_logs.enable_logging -# subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval -# subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling -# subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata -# subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields -# subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr -# description = "Base network hub subnet for ${local.default_region2}" -# }, -# { -# subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" -# subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] -# subnet_region = local.default_region1 -# subnet_flow_logs = false -# description = "Base network hub proxy-only subnet for ${local.default_region1}" -# role = "ACTIVE" -# purpose = "REGIONAL_MANAGED_PROXY" -# }, -# { -# subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" -# subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] -# subnet_region = local.default_region2 -# subnet_flow_logs = false -# description = "Base network hub proxy-only subnet for ${local.default_region2}" -# role = "ACTIVE" -# purpose = "REGIONAL_MANAGED_PROXY" -# } -# ] -# secondary_ranges = {} - -# #depends_on = [module.dns_hub_vpc] -# } - -/****************************************** - Restricted Network VPC -*****************************************/ - -# module "restricted_shared_vpc" { -# source = "../../modules/restricted_shared_vpc" - -# project_id = local.restricted_project_id -# project_number = local.restricted_project_number -# #project_id = var.restricted_net_hub_project_id -# #project_number = var.project_number -# environment_code = local.environment_code -# private_service_connect_ip = "10.17.0.5" -# 
access_context_manager_policy_id = var.access_context_manager_policy_id -# restricted_services = local.restricted_services -# restricted_services_dry_run = local.restricted_services_dry_run -# members = distinct(concat([ -# "serviceAccount:${local.networks_service_account}", -# "serviceAccount:${local.projects_service_account}", -# "serviceAccount:${local.organization_service_account}", -# ], var.perimeter_additional_members)) -# members_dry_run = distinct(concat([ -# "serviceAccount:${local.networks_service_account}", -# "serviceAccount:${local.projects_service_account}", -# "serviceAccount:${local.organization_service_account}", -# ], var.perimeter_additional_members)) -# bgp_asn_subnet = local.bgp_asn_number -# default_region1 = local.default_region1 -# default_region2 = local.default_region2 -# domain = var.domain -# dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding -# dns_enable_logging = var.restricted_hub_dns_enable_logging -# firewall_enable_logging = var.restricted_hub_firewall_enable_logging -# nat_enabled = var.restricted_hub_nat_enabled -# nat_bgp_asn = var.restricted_hub_nat_bgp_asn -# nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 -# nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 -# windows_activation_enabled = var.restricted_hub_windows_activation_enabled -# target_name_server_addresses = var.target_name_server_addresses -# #mode = "hub" - -# subnets = [ -# { -# subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}" -# subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1] -# subnet_region = local.default_region1 -# subnet_private_access = "true" -# subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging -# subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval -# subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling -# subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata -# 
subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields -# subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr -# description = "Restricted network hub subnet for ${local.default_region1}" -# }, -# { -# subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}" -# subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2] -# subnet_region = local.default_region2 -# subnet_private_access = "true" -# subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging -# subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval -# subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling -# subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata -# subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields -# subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr -# description = "Restricted network hub subnet for ${local.default_region2}" -# }, -# { -# subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" -# subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] -# subnet_region = local.default_region1 -# subnet_flow_logs = false -# description = "Restricted network hub proxy-only subnet for ${local.default_region1}" -# role = "ACTIVE" -# purpose = "REGIONAL_MANAGED_PROXY" -# }, -# { -# subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" -# subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] -# subnet_region = local.default_region2 -# subnet_flow_logs = false -# description = "Restricted network hub proxy-only subnet for ${local.default_region2}" -# role = "ACTIVE" -# purpose = "REGIONAL_MANAGED_PROXY" -# } -# ] -# secondary_ranges = {} - -# egress_policies = distinct(concat( -# #local.dedicated_interconnect_egress_policy, -# var.egress_policies -# )) - -# ingress_policies = var.ingress_policies - -# #depends_on = [module.dns_hub_vpc] -# } - 
-######################################################################################### - - diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf index e7c5894e5..4a6954902 100644 --- a/3-networks-dual-svpc/envs/production/remote.tf +++ b/3-networks-dual-svpc/envs/production/remote.tf @@ -15,17 +15,14 @@ */ locals { - default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 - #### + default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email - - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id - + restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number + base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id } data "terraform_remote_state" "bootstrap" { 
@@ -38,7 +35,6 @@ data "terraform_remote_state" "bootstrap" { } -################################### data "terraform_remote_state" "org" { backend = "gcs" diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf index 90c15a638..3baad97f3 100644 --- a/3-networks-dual-svpc/envs/production/variables.tf +++ b/3-networks-dual-svpc/envs/production/variables.tf @@ -14,7 +14,6 @@ * limitations under the License. */ - variable "base_vpc_flow_logs" { description = <list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
})) | `[]` | no | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 4d4cacbcd..f318b8b8f 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -33,17 +33,17 @@ resource "google_dns_policy" "default_policy" { *****************************************/ data "google_compute_network" "vpc_dns_hub" { - #count = local.environment == "production" ? 1 : 0 + count = var.environment_code != "p" ? 1 : 0 - name = local.network_name - project = var.project_id + name = "vpc-p-shared-base" + project = var.production_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - #count = local.environment == "production" ? 1 : 0 + count = var.environment_code != "p" ? 1 : 0 project_id = var.project_id type = "peering" @@ -54,8 +54,7 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - #target_network = data.google_compute_network.vpc_dns_hub[0].self_link - target_network = data.google_compute_network.vpc_dns_hub.self_link + target_network = data.google_compute_network.vpc_dns_hub[0].self_link } /****************************************** @@ -65,7 +64,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - #count = local.environment == "production" ? 1 : 0 + count = var.environment_code == "p" ? 1 : 0 project_id = var.project_id type = "forwarding" @@ -77,3 +76,4 @@ module "dns_forwarding_zone" { ] target_name_server_addresses = var.target_name_server_addresses } + diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 2a181d5f1..e4c22a827 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf 
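Review bot: In the first dns.tf hunk the `vpc_dns_hub` data source looks up a hard-coded `name = "vpc-p-shared-base"` in `var.production_project_id`, and that variable defaults to `""` (variables.tf hunk below), so a non-production caller that omits it fails inside the Compute API lookup with no hint of what was missing; a `precondition` on the data source fails early with a clear message, and a comment should tie the literal to the `vpc-${var.environment_code}-shared-base` pattern that `local.network_name` builds in main.tf so a rename of the production network does not silently break peering. The same applies to the restricted module's `vpc_dns_hub` hunk further down (`vpc-p-shared-restricted` / `var.prod_restricted_project_id`). Worth stating in the module docs as well: the peering zone created here makes every non-production environment resolve through the production network, so the identity applying those environments needs `roles/dns.peer` (`dns.networks.targetWithPeeringZone`) plus `compute.networks.get` on the production project, presumably already the case when one networks service account applies all environments. The final hunk appends a blank line after the closing brace, which `terraform fmt` will strip again.
```terraform
data "google_compute_network" "vpc_dns_hub" {
  count = var.environment_code != "p" ? 1 : 0

  name    = "vpc-p-shared-base" # must match local.network_name of the production base_shared_vpc instance
  project = var.production_project_id

  lifecycle {
    precondition {
      condition     = var.production_project_id != ""
      error_message = "production_project_id must be set when environment_code is not \"p\": the DNS peering zone targets the production base network."
    }
  }
}
```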
@@ -15,12 +15,9 @@ */ locals { - vpc_name = "${var.environment_code}-shared-base" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - #environment = "production" - #environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" - #environment = var.environment_code == "production" ? "production" : null + vpc_name = "${var.environment_code}-shared-base" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_private_service_range = "35.199.192.0/19" advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] } @@ -67,6 +64,7 @@ module "main" { ) } + /*************************************************************** Configure Service Networking for Cloud SQL & future services. **************************************************************/ @@ -99,8 +97,6 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - #count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-cr1" project = var.project_id network = module.main.network_name @@ -116,8 +112,6 @@ module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - #count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-cr2" project = var.project_id network = module.main.network_name @@ -133,8 +127,6 @@ module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - #count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-cr3" project = var.project_id network = module.main.network_name 
@@ -150,8 +142,6 @@ module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - #count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-cr4" project = var.project_id network = module.main.network_name diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 5d5d9fa5a..4fcc647ad 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -14,7 +14,6 @@ * limitations under the License. */ - variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) @@ -26,9 +25,9 @@ variable "base_network_name" { default = "" } -variable "base_project_id" { +variable "production_project_id" { + description = "Production Project ID" type = string - description = "The base project ID" default = "" } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 889bba787..802255d58 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
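Review bot: The `@@ -26,9 +25,9 @@` hunk of variables.tf renames `base_project_id` to `production_project_id`, which breaks any caller still passing the old name, while the restricted module's variables.tf hunk later on this page introduces the equivalent input as `prod_restricted_project_id`; the two modules should follow one naming scheme (`production_project_id` in both, or `prod_base_project_id` / `prod_restricted_project_id`). The new description `Production Project ID` says less than the one it replaces; suggest `description = "Project ID of the production base shared VPC project. Required when environment_code is not \"p\": the module creates a DNS peering zone that targets the production network in this project."`. Keeping `default = ""` makes the input look optional although dns.tf reads it in every non-production environment, so either drop the default or document the constraint as above.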
@@ -26,6 +26,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | +| prod\_restricted\_project\_id | Production Project ID | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 6d5c857fe..00a58b08b 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -32,18 +32,18 @@ resource "google_dns_policy" "default_policy" { Creates DNS Peering to DNS HUB *****************************************/ data "google_compute_network" "vpc_dns_hub" { - count = local.environment == "production" ? 1 : 0 - #name = data.google_compute_network.vpc_restricted_net_hub[0].name - name = var.restricted_network_name - project = var.restricted_net_hub_project_id + count = var.environment_code != "p" ? 1 : 0 + + name = "vpc-p-shared-restricted" + project = var.prod_restricted_project_id } module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = local.environment == "production" ? 1 : 0 + count = var.environment_code != "p" ? 1 : 0 project_id = var.project_id type = "peering" 
@@ -64,7 +64,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = local.environment == "production" ? 1 : 0 + count = var.environment_code == "p" ? 1 : 0 project_id = var.project_id type = "forwarding" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index cc55e2225..306a19d28 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf @@ -15,12 +15,9 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip - environment = var.environment_code == "production" ? "production" : var.environment_code == "shared" ? "shared" : var.environment_code == "development" ? "development" : "nonproduction" - #environment = var.environment_code == "production" ? "production" : null - #environment = var.environment_code == "shared" ? "shared" : var.environment_code == "production" ? "production" : var.environment_code == "development" ? "development" : "nonproduction" + vpc_name = "${var.environment_code}-shared-restricted" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_private_service_range = "35.199.192.0/19" advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] } @@ -68,6 +65,7 @@ module "main" { ) } + /*************************************************************** Configure Service Networking for Cloud SQL & future services. **************************************************************/ 
@@ -103,8 +101,6 @@ module "region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-cr5" project = var.project_id network = module.main.network_name @@ -120,8 +116,6 @@ module "region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region1}-cr6" project = var.project_id network = module.main.network_name @@ -137,8 +131,6 @@ module "region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-cr7" project = var.project_id network = module.main.network_name @@ -154,8 +146,6 @@ module "region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 6.0" - count = local.environment == "production" ? 1 : 0 - name = "cr-${local.vpc_name}-${var.default_region2}-cr8" project = var.project_id network = module.main.network_name diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index d92072c51..1453732c3 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "prod_restricted_project_id" { + description = "Production Project ID" + type = string + default = "" +} + variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) 
@@ -46,10 +52,6 @@ variable "project_number" { description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter." } -# variable "dns_hub_project_id" { -# type = string -# description = "The DNS hub project ID" -# } variable "environment_code" { From e9867b6f3a5976436459461a05e9f30b4c55e56c Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 26 Dec 2024 16:30:16 -0300 Subject: [PATCH 18/47] remove comments and update code --- 3-networks-dual-svpc/README.md | 2 + 3-networks-dual-svpc/envs/development/main.tf | 1 - .../envs/development/variables.tf | 1 - .../envs/nonproduction/main.tf | 1 - .../envs/nonproduction/variables.tf | 1 - .../envs/production/README.md | 24 +-- 3-networks-dual-svpc/envs/production/main.tf | 189 ++---------------- .../envs/production/remote.tf | 49 +---- .../envs/production/variables.tf | 160 --------------- 3-networks-dual-svpc/envs/shared/README.md | 2 - .../envs/shared/interconnect.tf.example | 4 +- .../shared/partner_interconnect.tf.example | 4 +- 3-networks-dual-svpc/envs/shared/remote.tf | 15 +- 3-networks-dual-svpc/modules/base_env/main.tf | 4 +- .../modules/base_env/remote.tf | 1 - .../modules/base_shared_vpc/README.md | 2 +- .../modules/base_shared_vpc/dns.tf | 5 +- .../modules/base_shared_vpc/variables.tf | 2 +- .../modules/restricted_shared_vpc/README.md | 2 +- .../modules/restricted_shared_vpc/dns.tf | 2 +- .../restricted_shared_vpc/variables.tf | 5 +- 21 files changed, 46 insertions(+), 430 deletions(-) diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 61ade0323..ddfb54ab2 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -240,6 +240,8 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID +*Note:** The Production envrionment must be the next branch to be merged as it includes the DNS Hub communication that will be used by other environments. + ```bash git checkout -b production git push origin production diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index d06588a58..202dc8345 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -96,4 +96,3 @@ module "base_env" { remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name } - diff --git a/3-networks-dual-svpc/envs/development/variables.tf b/3-networks-dual-svpc/envs/development/variables.tf index f3e720f97..02448e5a9 100644 --- a/3-networks-dual-svpc/envs/development/variables.tf +++ b/3-networks-dual-svpc/envs/development/variables.tf @@ -82,4 +82,3 @@ variable "tfc_org_name" { type = string default = "" } - diff --git a/3-networks-dual-svpc/envs/nonproduction/main.tf b/3-networks-dual-svpc/envs/nonproduction/main.tf index e6c91e097..6505a4478 100644 --- a/3-networks-dual-svpc/envs/nonproduction/main.tf +++ b/3-networks-dual-svpc/envs/nonproduction/main.tf @@ -96,4 +96,3 @@ module "base_env" { remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name } - diff --git a/3-networks-dual-svpc/envs/nonproduction/variables.tf b/3-networks-dual-svpc/envs/nonproduction/variables.tf index f3e720f97..02448e5a9 100644 --- a/3-networks-dual-svpc/envs/nonproduction/variables.tf 
+++ b/3-networks-dual-svpc/envs/nonproduction/variables.tf @@ -82,4 +82,3 @@ variable "tfc_org_name" { type = string default = "" } - diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md index 48bbfcbfb..b769dce48 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-dual-svpc/envs/production/README.md @@ -1,6 +1,6 @@ # 3-networks-dual-svpc/production -The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production. +The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production and the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments. ## Prerequisites 
@@ -16,36 +16,14 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | -| base\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | `bool` | `true` | no | -| base\_hub\_dns\_enable\_logging | Toggle DNS logging for Base Hub VPC DNS. | `bool` | `true` | no | -| base\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | `bool` | `true` | no | -| base\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Base Hub. | `number` | `64514` | no | -| base\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Base Hub. | `bool` | `false` | no | -| base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no | -| base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no | -| base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no | -| base\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | -| custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | -| enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no | -| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | -| restricted\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | `bool` | `true` | no | -| restricted\_hub\_dns\_enable\_logging | Toggle DNS logging for Restricted Hub VPC DNS. | `bool` | `true` | no | -| restricted\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Restricted Hub VPC. | `bool` | `true` | no | -| restricted\_hub\_nat\_bgp\_asn | BGP ASN for first NAT cloud routes in Restricted Hub. | `number` | `64514` | no | -| restricted\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Restricted Hub. | `bool` | `false` | no | -| restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no | -| restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. 
| `number` | `2` | no | -| restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no | -| restricted\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | ## Outputs diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 06e22911f..6505a4478 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -15,208 +15,56 @@ */ locals { - env = "production" + env = "nonproduction" environment_code = substr(local.env, 0, 1) /* * Base network ranges */ - base_private_service_cidr = "10.16.24.0/21" + base_private_service_cidr = "10.16.16.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.192.0/18" - (local.default_region2) = "10.1.192.0/18" + (local.default_region1) = "10.0.128.0/18" + (local.default_region2) = "10.1.128.0/18" } base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.6.0/23" - (local.default_region2) = "10.19.6.0/23" + (local.default_region1) = "10.18.4.0/23" + (local.default_region2) = "10.19.4.0/23" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.192.0/18" + ip_cidr_range = "100.64.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.192.0/18" + ip_cidr_range = "100.65.128.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.16.56.0/21" + restricted_private_service_cidr = "10.16.48.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.192.0/18" - (local.default_region2) = "10.9.192.0/18" + (local.default_region1) = "10.8.128.0/18" + (local.default_region2) = "10.9.128.0/18" } restricted_subnet_proxy_ranges = { - (local.default_region1) = "10.26.6.0/23" - (local.default_region2) = "10.27.6.0/23" + (local.default_region1) = "10.26.4.0/23" + (local.default_region2) = "10.27.4.0/23" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.192.0/18" + ip_cidr_range = "100.72.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.73.192.0/18" + ip_cidr_range 
= "100.73.128.0/18" } ] } - - ############################## - - restricted_services = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service - - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" - # dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns - - # dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ - # { - # "from" = { - # "identity_type" = "" - # "identities" = ["serviceAccount:${local.networks_service_account}"] - # }, - # "to" = { - # "resources" = ["projects/${local.interconnect_project_number}"] - # "operations" = { - # "compute.googleapis.com" = { - # "methods" = ["*"] - # } - # } - # } - # }, - # ] : [] - - supported_restricted_service = [ - "accessapproval.googleapis.com", - "adsdatahub.googleapis.com", - "aiplatform.googleapis.com", - "alloydb.googleapis.com", - "alpha-documentai.googleapis.com", - "analyticshub.googleapis.com", - "apigee.googleapis.com", - "apigeeconnect.googleapis.com", - "artifactregistry.googleapis.com", - "assuredworkloads.googleapis.com", - "automl.googleapis.com", - "baremetalsolution.googleapis.com", - "batch.googleapis.com", - "bigquery.googleapis.com", - "bigquerydatapolicy.googleapis.com", - "bigquerydatatransfer.googleapis.com", - "bigquerymigration.googleapis.com", - "bigqueryreservation.googleapis.com", - "bigtable.googleapis.com", - "binaryauthorization.googleapis.com", - "cloud.googleapis.com", - "cloudasset.googleapis.com", - "cloudbuild.googleapis.com", - "clouddebugger.googleapis.com", - "clouddeploy.googleapis.com", - "clouderrorreporting.googleapis.com", - "cloudfunctions.googleapis.com", - "cloudkms.googleapis.com", - "cloudprofiler.googleapis.com", - "cloudresourcemanager.googleapis.com", - "cloudscheduler.googleapis.com", - 
"cloudsearch.googleapis.com", - "cloudtrace.googleapis.com", - "composer.googleapis.com", - "compute.googleapis.com", - "connectgateway.googleapis.com", - "contactcenterinsights.googleapis.com", - "container.googleapis.com", - "containeranalysis.googleapis.com", - "containerfilesystem.googleapis.com", - "containerregistry.googleapis.com", - "containerthreatdetection.googleapis.com", - "datacatalog.googleapis.com", - "dataflow.googleapis.com", - "datafusion.googleapis.com", - "datamigration.googleapis.com", - "dataplex.googleapis.com", - "dataproc.googleapis.com", - "datastream.googleapis.com", - "dialogflow.googleapis.com", - "dlp.googleapis.com", - "dns.googleapis.com", - "documentai.googleapis.com", - "domains.googleapis.com", - "eventarc.googleapis.com", - "file.googleapis.com", - "firebaseappcheck.googleapis.com", - "firebaserules.googleapis.com", - "firestore.googleapis.com", - "gameservices.googleapis.com", - "gkebackup.googleapis.com", - "gkeconnect.googleapis.com", - "gkehub.googleapis.com", - "healthcare.googleapis.com", - "iam.googleapis.com", - "iamcredentials.googleapis.com", - "iaptunnel.googleapis.com", - "ids.googleapis.com", - "integrations.googleapis.com", - "kmsinventory.googleapis.com", - "krmapihosting.googleapis.com", - "language.googleapis.com", - "lifesciences.googleapis.com", - "logging.googleapis.com", - "managedidentities.googleapis.com", - "memcache.googleapis.com", - "meshca.googleapis.com", - "meshconfig.googleapis.com", - "metastore.googleapis.com", - "ml.googleapis.com", - "monitoring.googleapis.com", - "networkconnectivity.googleapis.com", - "networkmanagement.googleapis.com", - "networksecurity.googleapis.com", - "networkservices.googleapis.com", - "notebooks.googleapis.com", - "opsconfigmonitoring.googleapis.com", - "orgpolicy.googleapis.com", - "osconfig.googleapis.com", - "oslogin.googleapis.com", - "privateca.googleapis.com", - "pubsub.googleapis.com", - "pubsublite.googleapis.com", - "recaptchaenterprise.googleapis.com", - 
"recommender.googleapis.com", - "redis.googleapis.com", - "retail.googleapis.com", - "run.googleapis.com", - "secretmanager.googleapis.com", - "servicecontrol.googleapis.com", - "servicedirectory.googleapis.com", - "spanner.googleapis.com", - "speakerid.googleapis.com", - "speech.googleapis.com", - "sqladmin.googleapis.com", - "storage.googleapis.com", - "storagetransfer.googleapis.com", - "sts.googleapis.com", - "texttospeech.googleapis.com", - "timeseriesinsights.googleapis.com", - "tpu.googleapis.com", - "trafficdirector.googleapis.com", - "transcoder.googleapis.com", - "translate.googleapis.com", - "videointelligence.googleapis.com", - "vision.googleapis.com", - "visionai.googleapis.com", - "vmmigration.googleapis.com", - "vpcaccess.googleapis.com", - "webrisk.googleapis.com", - "workflows.googleapis.com", - "workstations.googleapis.com", - ] - - ###################################### } module "base_env" { @@ -239,13 +87,12 @@ module "base_env" { base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.4" + base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.8" + restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name - target_name_server_addresses = var.target_name_server_addresses } 
diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf
index 4a6954902..e2e5b151d 100644
--- a/3-networks-dual-svpc/envs/production/remote.tf
+++ b/3-networks-dual-svpc/envs/production/remote.tf
@@ -15,14 +15,8 @@
  */
 
 locals {
-  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
-  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
-  organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
-  networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
-  projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
-  restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
-  restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_number
-  base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].base_shared_vpc_project_id
+  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
 }
 
 data "terraform_remote_state" "bootstrap" {
@@ -33,42 +27,3 @@ data "terraform_remote_state" "bootstrap" { prefix = "terraform/bootstrap/state" } } - - - -data "terraform_remote_state" "org" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/org/state" - } -} - -data "terraform_remote_state" "env_development" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/environments/development" - } -} - -data "terraform_remote_state" "env_nonproduction" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/environments/nonproduction" - } -} - -data "terraform_remote_state" "env_production" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/environments/production" - } -} - diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf index 3baad97f3..02448e5a9 100644 --- a/3-networks-dual-svpc/envs/production/variables.tf +++ b/3-networks-dual-svpc/envs/production/variables.tf @@ -14,165 +14,6 @@ * limitations under the License. */ -variable "base_vpc_flow_logs" { - description = <list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
})) | `[]` | no | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index f318b8b8f..5f37d7f56 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -44,6 +44,7 @@ module "peering_zone" { version = "~> 5.0" count = var.environment_code != "p" ? 1 : 0 + #count = var.environment_code != "d" ? 1 : 0 project_id = var.project_id type = "peering" @@ -55,6 +56,7 @@ module "peering_zone" { module.main.network_self_link ] target_network = data.google_compute_network.vpc_dns_hub[0].self_link + #target_network = data.google_compute_network.vpc_dns_hub.self_link } /****************************************** @@ -64,7 +66,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.environment_code == "p" ? 1 : 0 + count = var.environment_code == "p" ? 1 : 0 ####added project_id = var.project_id type = "forwarding" @@ -76,4 +78,3 @@ module "dns_forwarding_zone" { ] target_name_server_addresses = var.target_name_server_addresses } - diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 4fcc647ad..7da2f0901 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -26,7 +26,7 @@ variable "base_network_name" { } variable "production_project_id" { - description = "Production Project ID" + description = "production project" type = string default = "" } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 802255d58..ef6dd02de 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
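Review bot: The lines added to base_shared_vpc/dns.tf are scratch comments rather than code: `#count = var.environment_code != "d" ? 1 : 0` offers a second gating predicate next to the live one, `#target_network = data.google_compute_network.vpc_dns_hub.self_link` keeps the pre-`count` form of the reference, and `####added` is tacked onto the live `count` line, so a reader cannot tell which predicate is the intended rule. Either drop them or replace them with one comment that states the rule, e.g. `# The forwarding zone exists only in production ("p"); every other environment peers to it.` The same `####added` suffix is on the `count` line in restricted_shared_vpc/dns.tf, and restricted_shared_vpc/variables.tf gains `#default = module.base_shared_vpc.network_name`, which could not work uncommented because a variable default cannot reference a module output. The variables.tf hunk in this file also shortens the `production_project_id` description from "Production Project ID" to "production project", which says less than before.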
@@ -26,7 +26,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| prod\_restricted\_project\_id | Production Project ID | `string` | `""` | no | +| prod\_restricted\_project\_id | production project | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 00a58b08b..ee45c198a 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -64,7 +64,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.environment_code == "p" ? 1 : 0 + count = var.environment_code == "p" ? 1 : 0 ####added project_id = var.project_id type = "forwarding" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 1453732c3..7e707e13d 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -15,7 +15,7 @@ */ variable "prod_restricted_project_id" { - description = "Production Project ID" + description = "production project" type = string default = "" } 
@@ -35,6 +35,7 @@ variable "restricted_network_name" {
   type = string
   description = "The name of the VPC being created"
   default = ""
+  #default = module.base_shared_vpc.network_name
 }
 
 variable "access_context_manager_policy_id" {
@@ -52,8 +53,6 @@ variable "project_number" {
   description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter."
 }
-
-
 
 variable "environment_code" {
   type = string
   description = "A short form of the folder level resources (environment) within the Google Cloud organization."
From 1557bd040e4c495cd71ba7a55319af4916350e0d Mon Sep 17 00:00:00 2001
From: Renato Rudnicki
Date: Fri, 27 Dec 2024 16:57:05 -0300
Subject: [PATCH 19/47] Changes related to PR review
---
 3-networks-dual-svpc/envs/production/main.tf | 2 +-
 .../modules/base_env/README.md | 2 +-
 3-networks-dual-svpc/modules/base_env/main.tf | 10 ++++------
 .../modules/base_env/outputs.tf | 2 +-
 .../modules/base_env/remote.tf | 19 +++++++++----------
 .../modules/base_shared_vpc/README.md | 2 +-
 .../modules/base_shared_vpc/dns.tf | 4 +---
 .../modules/base_shared_vpc/variables.tf | 2 +-
 .../modules/restricted_shared_vpc/README.md | 2 +-
 .../modules/restricted_shared_vpc/dns.tf | 4 ++--
 .../restricted_shared_vpc/variables.tf | 5 ++---
 11 files changed, 24 insertions(+), 30 deletions(-)
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
index 6505a4478..233cafe53 100644
--- a/3-networks-dual-svpc/envs/production/main.tf
+++ b/3-networks-dual-svpc/envs/production/main.tf
@@ -15,7 +15,7 @@
  */
 
 locals {
-  env = "nonproduction"
+  env = "production"
   environment_code = substr(local.env, 0, 1)
   /*
    * Base network ranges
diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md
index 596c740e5..4ce102cfc 100644
--- a/3-networks-dual-svpc/modules/base_env/README.md
+++ b/3-networks-dual-svpc/modules/base_env/README.md
@@ -57,6 +57,6 @@ | restricted\_subnets\_names | The names of the subnets being created | | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | restricted\_subnets\_self\_links | The self-links of subnets being created | -| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration | +| target\_name\_server\_addresses | List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries. | diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 941b0f653..c5679eea7 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -169,11 +169,9 @@ locals { module "restricted_shared_vpc" { source = "../restricted_shared_vpc" - project_id = local.restricted_project_id - project_number = local.restricted_project_number - prod_restricted_project_id = local.prod_restricted_project_id - - + project_id = local.restricted_project_id + project_number = local.restricted_project_number + production_restricted_project_id = local.production_restricted_project_id environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services @@ -267,7 +265,7 @@ module "base_shared_vpc" { source = "../base_shared_vpc" project_id = local.base_project_id - production_project_id = local.prod_base_project_id + production_project_id = local.production_base_project_id environment_code = var.environment_code private_service_cidr = var.base_private_service_cidr private_service_connect_ip = var.base_private_service_connect_ip diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf index fd3a574fb..c67e52119 100644 
--- a/3-networks-dual-svpc/modules/base_env/outputs.tf +++ b/3-networks-dual-svpc/modules/base_env/outputs.tf @@ -16,7 +16,7 @@ output "target_name_server_addresses" { value = var.target_name_server_addresses - description = "List of IPv4 address of target name servers for the forwarding zone configuration" + description = "List of IPv4 addresses of the target name servers for the forwarding zone configuration. These IP addresses should point to the name server responsible for replying to DNS queries." } diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index fea9bb6e7..80db5b34a 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-dual-svpc/modules/base_env/remote.tf 
@@ -15,16 +15,15 @@ */ locals { - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number - interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number - organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email - prod_restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id - prod_base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id - + restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id + base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number + interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email 
+ production_restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id + production_base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id } diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 8c9187057..1372cc47e 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md @@ -19,7 +19,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | -| production\_project\_id | production project | `string` | `""` | no | +| production\_project\_id | Project ID for Base Shared. | `string` | `""` | no | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 5f37d7f56..9ed5abc34 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -44,7 +44,6 @@ module "peering_zone" { version = "~> 5.0" count = var.environment_code != "p" ? 1 : 0 - #count = var.environment_code != "d" ? 1 : 0 project_id = var.project_id type = "peering" @@ -56,7 +55,6 @@ module "peering_zone" { module.main.network_self_link ] target_network = data.google_compute_network.vpc_dns_hub[0].self_link - #target_network = data.google_compute_network.vpc_dns_hub.self_link } /****************************************** @@ -66,7 +64,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.environment_code == "p" ? 1 : 0 ####added + count = var.environment_code == "p" ? 1 : 0 project_id = var.project_id type = "forwarding" diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 7da2f0901..5afba9883 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -26,7 +26,7 @@ variable "base_network_name" { } variable "production_project_id" { - description = "production project" + description = "Project ID for Base Shared." type = string default = "" } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index ef6dd02de..f0937fcb1 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
@@ -26,7 +26,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| prod\_restricted\_project\_id | production project | `string` | `""` | no | +| production\_restricted\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index ee45c198a..2d07d80a9 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -36,7 +36,7 @@ data "google_compute_network" "vpc_dns_hub" { count = var.environment_code != "p" ? 1 : 0 name = "vpc-p-shared-restricted" - project = var.prod_restricted_project_id + project = var.production_restricted_project_id } module "peering_zone" { @@ -64,7 +64,7 @@ module "dns_forwarding_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 5.0" - count = var.environment_code == "p" ? 1 : 0 ####added + count = var.environment_code == "p" ? 1 : 0 project_id = var.project_id type = "forwarding" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 7e707e13d..f73965b07 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf 
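Review bot: `data "google_compute_network" "vpc_dns_hub"` in restricted_shared_vpc/dns.tf is created whenever `environment_code != "p"` and reads `project = var.production_restricted_project_id`, but that variable keeps `default = ""` in the variables.tf hunk `@@ -14,8 +14,8 @@`, so a non-production environment that omits it fails at plan time inside the provider with an empty project id instead of a clear message; dropping the default, or adding a `validation` block that rejects the empty string, would surface the mistake early. The hard-coded `name = "vpc-p-shared-restricted"` ties this lookup to the production VPC's naming convention; if that name is built elsewhere from `environment_code`, deriving it the same way here would keep the two in step. Worth stating in the variable description or README: the development and nonproduction network pipelines now need read access (`compute.networks.get`) on the production restricted project's VPC for this lookup and for the peering zone that targets it, which is a new cross-environment grant that should be reviewed deliberately rather than added ad hoc when the plan first fails.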
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -14,8 +14,8 @@
  * limitations under the License.
  */
 
-variable "prod_restricted_project_id" {
-  description = "production project"
+variable "production_restricted_project_id" {
+  description = "Project ID for Restricted Shared."
   type = string
   default = ""
 }
@@ -35,7 +35,6 @@ variable "restricted_network_name" {
   type = string
   description = "The name of the VPC being created"
   default = ""
-  #default = module.base_shared_vpc.network_name
 }
 
 variable "access_context_manager_policy_id" {
From 5941cdfce1e25d51a8b157bd3b2e61067c6fe085 Mon Sep 17 00:00:00 2001
From: Renato Rudnicki
Date: Wed, 8 Jan 2025 16:41:13 -0300
Subject: [PATCH 20/47] add symbolic link
---
 3-networks-dual-svpc/envs/production/shared.auto.tfvars | 1 +
 3-networks-dual-svpc/envs/shared/shared.auto.tfvars | 1 +
 2 files changed, 2 insertions(+)
 create mode 120000 3-networks-dual-svpc/envs/production/shared.auto.tfvars
 create mode 120000 3-networks-dual-svpc/envs/shared/shared.auto.tfvars
diff --git a/3-networks-dual-svpc/envs/production/shared.auto.tfvars b/3-networks-dual-svpc/envs/production/shared.auto.tfvars
new file mode 120000
index 000000000..b7f8387a8
--- /dev/null
+++ b/3-networks-dual-svpc/envs/production/shared.auto.tfvars
@@ -0,0 +1 @@
+../../shared.auto.tfvars
\ No newline at end of file
diff --git a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
new file mode 120000
index 000000000..b7f8387a8
--- /dev/null
+++ b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
@@ -0,0 +1 @@
+../../shared.auto.tfvars
\ No newline at end of file
From 0ed0b0a16867963ca896eed388c3b2bf2dd2ad14 Mon Sep 17 00:00:00 2001
From: Renato Rudnicki Date: Thu, 9 Jan 2025 16:30:46 -0300 Subject: [PATCH 21/47] fix integration tests and remove DNS Hub Project --- 1-org/envs/shared/README.md | 3 +- 1-org/envs/shared/outputs.tf | 5 - 1-org/envs/shared/projects.tf | 42 ----- 1-org/envs/shared/variables.tf | 4 - .../envs/shared/README.md | 3 +- .../envs/shared/outputs.tf | 8 +- test/integration/networks/networks_test.go | 36 +++- test/integration/org/org_test.go | 10 -- test/integration/shared/shared_test.go | 159 ------------------ 9 files changed, 37 insertions(+), 233 deletions(-) delete mode 100644 test/integration/shared/shared_test.go diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index e12dc5bcf..9233b2bba 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md @@ -18,7 +18,7 @@ | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no | | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no | | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no | -| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no | @@ -37,7 +37,6 @@ | cai\_monitoring\_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. | | common\_folder\_name | The common folder name | | common\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID | -| dns\_hub\_project\_id | The DNS hub project ID | | domains\_to\_allow | The list of domains to allow users from in IAM. | | interconnect\_project\_id | The Dedicated Interconnect project ID | | interconnect\_project\_number | The Dedicated Interconnect project number | diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf index b1cc75605..5d7d1c986 100644 --- a/1-org/envs/shared/outputs.tf +++ b/1-org/envs/shared/outputs.tf @@ -79,11 +79,6 @@ output "scc_notifications_project_id" { description = "The SCC notifications project ID" } -output "dns_hub_project_id" { - value = module.dns_hub.project_id - description = "The DNS hub project ID" -} - output "base_net_hub_project_id" { value = try(module.base_network_hub[0].project_id, null) description = "The Base Network hub project ID" diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index 2cf27b963..cb6ed4d76 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf 
@@ -233,48 +233,6 @@ module "scc_notifications" { budget_alert_spend_basis = var.project_budget.scc_notifications_budget_alert_spend_basis } -/****************************************** - Project for DNS Hub -*****************************************/ - -module "dns_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" - - random_project_id = true - random_project_id_length = 4 - default_service_account = "deprivilege" - name = "${local.project_prefix}-net-dns" - org_id = local.org_id - billing_account = local.billing_account - folder_id = google_folder.network.id - deletion_policy = var.project_deletion_policy - - activate_apis = [ - "compute.googleapis.com", - "dns.googleapis.com", - "servicenetworking.googleapis.com", - "logging.googleapis.com", - "cloudresourcemanager.googleapis.com", - "billingbudgets.googleapis.com" - ] - - labels = { - environment = "network" - application_name = "org-dns-hub" - billing_code = "1234" - primary_contact = "example1" - secondary_contact = "example2" - business_code = "shared" - env_code = "net" - vpc = "none" - } - budget_alert_pubsub_topic = var.project_budget.dns_hub_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.dns_hub_alert_spent_percents - budget_amount = var.project_budget.dns_hub_budget_amount - budget_alert_spend_basis = var.project_budget.dns_hub_budget_alert_spend_basis -} - /****************************************** Project for Base Network Hub *****************************************/ diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index b39073d7d..929d213df 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf 
@@ -97,10 +97,6 @@ variable "project_budget" { alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). EOT type = object({ - dns_hub_budget_amount = optional(number, 1000) - dns_hub_alert_spent_percents = optional(list(number), [1.2]) - dns_hub_alert_pubsub_topic = optional(string, null) - dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") base_net_hub_budget_amount = optional(number, 1000) base_net_hub_alert_spent_percents = optional(list(number), [1.2]) base_net_hub_alert_pubsub_topic = optional(string, null) diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index f8deac849..4d7df9dff 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md @@ -52,6 +52,7 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | |------|-------------| -| project | Project name | +| base\_host\_project\_id | The base host project ID | +| restricted\_host\_project\_id | The restricted host project ID | diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index cf2a4cecf..351152ace 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf @@ -14,8 +14,12 @@ * limitations under the License. */ -output "project" { +output "restricted_host_project_id" { value = local.restricted_net_hub_project_id - description = "Project name" + description = "The restricted host project ID" } +output "base_host_project_id" { + value = local.base_net_hub_project_id + description = "The base host project ID" +} diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 51fd8bc7f..b9233a8f1 100644 --- a/test/integration/networks/networks_test.go 
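Review bot: Renaming the root output `project` to `restricted_host_project_id` in the 3-networks-hub-and-spoke/envs/shared/outputs.tf hunk is a breaking change for anything that reads the `project` output from this step's remote state, and neither the commit message nor the description mentions it. The new outputs expose `local.restricted_net_hub_project_id` and `local.base_net_hub_project_id` under "host project" names while the locals are named as net hub projects; if both names refer to the same project a one-line comment above the outputs, e.g. `# Hub VPC host projects; read by test/integration/networks`, would make that explicit. The README table change in the same commit follows the rename and needs nothing further.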
+++ b/test/integration/networks/networks_test.go
@@ -38,14 +38,6 @@ func getNetworkMode(t *testing.T) string {
 return ""
 }
-func getFirewallMode(t *testing.T) string {
- mode := utils.ValFromEnv(t, "TF_VAR_example_foundations_mode")
- if mode == "HubAndSpoke" {
- return "hub-and-spoke"
- }
- return "dual-svpc"
-}
-
 func getNetworkResourceNames(envCode string, networkMode string, firewallMode string) map[string]map[string]string {
 return map[string]map[string]string{
 "base": {
@@ -331,9 +323,17 @@ func TestNetworks(t *testing.T) {
 tfdDir = "../../../3-networks-hub-and-spoke/envs/%s"
 }
+ var tfdDirDNS string
+ if networkMode == "" {
+ tfdDirDNS = "../../../3-networks-dual-svpc/envs/production"
+ } else {
+ tfdDirDNS = "../../../3-networks-hub-and-spoke/envs/shared"
+ }
+
 envCode := string(envName[0:1])
 networks := tft.NewTFBlueprintTest(t,
 tft.WithTFDir(fmt.Sprintf(tfdDir, envName)),
+ tft.WithTFDir(fmt.Sprintf(tfdDirDNS)),
 tft.WithVars(vars),
 tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 10, 2*time.Minute),
 tft.WithPolicyLibraryPath("/workspace/policy-library", bootstrap.GetTFSetupStringOutput("project_id")),
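Review bot: In the @@ -331,9 +323,17 @@ hunk the new `tft.WithTFDir(fmt.Sprintf(tfdDirDNS))` is stacked on the same `tft.NewTFBlueprintTest` call as `tft.WithTFDir(fmt.Sprintf(tfdDir, envName))`; both options presumably set the same directory field, so the later one wins and the test would run against `tfdDirDNS` instead of the per-environment directory, silently changing what every later `networks.GetStringOutput` reads. If the DNS stage must also be exercised, build a second `tft.NewTFBlueprintTest` for `tfdDirDNS` rather than passing `WithTFDir` twice. `fmt.Sprintf(tfdDirDNS)` takes no arguments and is reported by `go vet` as a non-constant format string, so `tft.WithTFDir(tfdDirDNS)` is enough. The dual-svpc branch points at `envs/production` while hub-and-spoke points at `envs/shared`; if that asymmetry is intentional, a short comment would save the next reader a detour. TestNetworks continues outside the hunk.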
@@ -378,6 +378,16 @@ func TestNetworks(t *testing.T) {
 assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName))
 }
+ baseSharedProjectID := networks.GetStringOutput("base_host_project_id")
+ dnsFwZoneName := "fz-dns-hub"
+ dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
+
+ restrictedProjectID := networks.GetStringOutput("restricted_host_project_id")
+ dnsFwZoneName := "fz-dns-hub"
+ dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
+
 networkName := networkNames[networkType]["network_name"]
 networkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName)
 dnsPolicyName := networkNames[networkType]["dns_policy_name"]
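Review bot: `dnsFwZoneName` and `dnsZone` are each declared twice with `:=` in the same scope in this hunk (and again in the @@ -453,6 +463,16 @@ hunk), which Go rejects with "no new variables on left side of :=", so the file does not compile as committed; the second pair needs `=` or distinct names. The replacement check only asserts that `fz-dns-hub` exists in each host project, whereas the deleted TestShared also verified `enableInboundForwarding` on the DNS policy and that the hub routers advertise only `35.199.192.0/19`; unless those are covered elsewhere, the forwarding path that carries on-prem resolution is now untested. The checks also run unconditionally; if the forwarding zone is created in only one network mode, gate them on `networkMode`. The enclosing loop starts outside the hunk.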
@@ -453,6 +463,16 @@ func TestNetworks(t *testing.T) {
 assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", routerName))
 assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType]))
 assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network %s", routerName, networkNames[networkType]["network_name"]))
+
+ baseSharedProjectID := networks.GetStringOutput("base_host_project_id")
+ dnsFwZoneName := "fz-dns-hub"
+ dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
+
+ restrictedProjectID := networks.GetStringOutput("restricted_host_project_id")
+ dnsFwZoneName := "fz-dns-hub"
+ dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
 }
 }
 }
diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go
index 927783abb..7cae2023e 100644
--- a/test/integration/org/org_test.go
+++ b/test/integration/org/org_test.go
@@ -442,16 +442,6 @@ func TestOrg(t *testing.T) {
 "securitycenter.googleapis.com",
 },
 },
- {
- output: "dns_hub_project_id",
- apis: []string{
- "compute.googleapis.com",
- "dns.googleapis.com",
- "servicenetworking.googleapis.com",
- "logging.googleapis.com",
- "cloudresourcemanager.googleapis.com",
- },
- },
 } {
 projectID := org.GetStringOutput(projectOutput.output)
 prj := gcloud.Runf(t, "projects describe %s", projectID)
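Review bot: The ten added lines in the @@ -453,6 +463,16 @@ hunk sit inside the router loop (its `for` begins outside the hunk) although nothing in them depends on `routerName` or `computeRouter`, so the two `gcloud dns managed-zones describe` calls are re-executed for every router and duplicate the identical block already added in the @@ -378,6 +378,16 @@ hunk. Hoist the block to function scope after the outputs are read and keep one pair of assertions; that also removes the repeated `dnsFwZoneName := "fz-dns-hub"` literal. The org_test.go hunk dropping the `dns_hub_project_id` API check is consistent with the project removal and needs nothing further.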
diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go deleted file mode 100644 index 8102b7163..000000000 --- a/test/integration/shared/shared_test.go +++ /dev/null 
@@ -1,159 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package shared - -import ( - "fmt" - "testing" - "time" - - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" - "github.com/gruntwork-io/terratest/modules/terraform" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/terraform-google-modules/terraform-example-foundation/test/integration/testutils" -) - -func isHubAndSpokeMode(t *testing.T) bool { - mode := utils.ValFromEnv(t, "TF_VAR_example_foundations_mode") - return mode == "HubAndSpoke" -} - -func TestShared(t *testing.T) { - - bootstrap := tft.NewTFBlueprintTest(t, - tft.WithTFDir("../../../0-bootstrap"), - ) - - orgID := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["org_id"] - policyID := testutils.GetOrgACMPolicyID(t, orgID) - require.NotEmpty(t, policyID, "Access Context Manager Policy ID must be configured in the organization for the test to proceed.") - - // Configure impersonation for test execution - terraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email") - utils.SetEnv(t, "GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", terraformSA) - backend_bucket := 
bootstrap.GetStringOutput("gcs_bucket_tfstate") - - backendConfig := map[string]interface{}{ - "bucket": backend_bucket, - } - - vars := map[string]interface{}{ - "remote_state_bucket": backend_bucket, - } - var tfdDir string - if isHubAndSpokeMode(t) { - vars["access_context_manager_policy_id"] = policyID - vars["perimeter_additional_members"] = []string{} - tfdDir = "../../../3-networks-hub-and-spoke/envs/shared" - } else { - tfdDir = "../../../3-networks-dual-svpc/envs/shared" - } - - shared := tft.NewTFBlueprintTest(t, - tft.WithTFDir(tfdDir), - tft.WithVars(vars), - tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 1, 2*time.Minute), - tft.WithPolicyLibraryPath("/workspace/policy-library", bootstrap.GetTFSetupStringOutput("project_id")), - tft.WithBackendConfig(backendConfig), - ) - shared.DefineVerify( - func(assert *assert.Assertions) { - - // do a time.Sleep to wait for propagation of VPC Service Controls configuration in the Hub and Spoke network mode - if isHubAndSpokeMode(t) { - time.Sleep(60 * time.Second) - } - - // perform default verification ensuring Terraform reports no additional changes on an applied blueprint - // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) - // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 - // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 - // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 - // shared.DefaultVerify(assert) - - projectID := shared.GetStringOutput("dns_hub_project_id") - networkName := "vpc-net-dns" - dnsHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/vpc-net-dns", projectID) - dnsPolicyName := "dp-dns-hub-default-policy" - - dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", dnsPolicyName, projectID) - 
assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) - assert.Equal(dnsHubNetworkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) - - dnsFwZoneName := "fz-dns-hub" - dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, projectID) - assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName)) - - projectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", networkName, projectID) - assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) - - for _, subnet := range []struct { - name string - cidrRange string - region string - }{ - { - name: "sb-net-dns-us-west1", - cidrRange: "172.16.0.128/25", - region: "us-west1", - }, - { - name: "sb-net-dns-us-central1", - cidrRange: "172.16.0.0/25", - region: "us-central1", - }, - } { - sub := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, projectID) - assert.Equal(subnet.name, sub.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) - assert.Equal(subnet.cidrRange, sub.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) - } - - bgpAdvertisedIpRange := "35.199.192.0/19" - - for _, router := range []struct { - name string - region string - }{ - { - name: "cr-net-dns-us-central1-cr1", - region: "us-central1", - }, - { - name: "cr-net-dns-us-central1-cr2", - region: "us-central1", - }, - { - name: "cr-net-dns-us-west1-cr3", - region: "us-west1", - }, - { - name: "cr-net-dns-us-west1-cr4", - region: "us-west1", - }, - } { - computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, projectID) - assert.Equal(router.name, 
computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64667", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64667", router.name)) - assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", router.name)) - assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(dnsHubNetworkUrl, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network vpc-net-dns", router.name)) - } - }) - shared.Test() -} From b73d165e093dde7afb8646b8fce683962de047a7 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 9 Jan 2025 16:35:56 -0300 Subject: [PATCH 22/47] Rollback func getFirewallMode --- test/integration/networks/networks_test.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index b9233a8f1..2c45a0edc 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -38,6 +38,14 @@ func getNetworkMode(t *testing.T) string { return "" } +func getFirewallMode(t *testing.T) string { + mode := utils.ValFromEnv(t, "TF_VAR_example_foundations_mode") + if mode == "HubAndSpoke" { + return "hub-and-spoke" + } + return "dual-svpc" +} + func getNetworkResourceNames(envCode string, networkMode string, firewallMode string) map[string]map[string]string { return map[string]map[string]string{ "base": { From 488ced4fe00eeaa7eb78d90311edd16abc8cf4d1 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 10 Jan 2025 15:16:12 -0300 Subject: [PATCH 23/47] remove TestShared from int.cloudbuild.yaml --- build/int.cloudbuild.yaml | 16 ---------------- 1 file changed, 16 deletions(-) 
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 41dfabe41..49216a86b 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -66,18 +66,6 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage verify --verbose --test-dir /workspace/test/integration'] -- id: create-shared - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', './test/disable_tf_files.sh --shared && cft test run TestShared --stage init --verbose --test-dir /workspace/test/integration'] - -- id: converge-shared - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestShared --stage apply --verbose --test-dir /workspace/test/integration'] - -- id: verify-shared - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestShared --stage verify --verbose --test-dir /workspace/test/integration'] - - id: create-networks name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', './test/disable_tf_files.sh --networks && cft test run TestNetworks --stage init --verbose --test-dir /workspace/test/integration'] 
@@ -142,10 +130,6 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNetworks --stage destroy --verbose --test-dir /workspace/test/integration'] -- id: destroy-shared - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestShared --stage destroy --verbose --test-dir /workspace/test/integration'] - - id: destroy-envs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage destroy --verbose --test-dir /workspace/test/integration'] From dd5c5f2f771153ac610d83f9d69173a78d396c90 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 10 Jan 2025 17:08:48 -0300 Subject: [PATCH 24/47] fix integration test for DNS --- test/integration/networks/networks_test.go | 30 +++++++++------------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 2c45a0edc..ef053682e 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go 
@@ -359,6 +359,9 @@ func TestNetworks(t *testing.T) {
 servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name"))
 accessLevel := fmt.Sprintf("accessPolicies/%s/accessLevels/%s", policyID, networks.GetStringOutput("access_level_name_dry_run"))
 networkNames := getNetworkResourceNames(envCode, networkMode, firewallMode)
+ baseSharedProjectID := networks.GetStringOutput("base_host_project_id")
+ restrictedProjectID := networks.GetStringOutput("restricted_host_project_id")
+ dnsFwZoneName := "fz-dns-hub"
 servicePerimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", servicePerimeterLink, policyID))
 assert.NoError(err)
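Review bot: `networks.GetStringOutput("base_host_project_id")` and `networks.GetStringOutput("restricted_host_project_id")` are now read unconditionally near the top of the verify function, but outputs of those names were added only to 3-networks-hub-and-spoke/envs/shared earlier in this series; if the dual-svpc directory used in the other mode does not export them, `GetStringOutput` fails before any assertion runs. Either confirm both layouts export the outputs or read them inside the branch that needs them. A comment such as `// host project IDs used to locate the fz-dns-hub forwarding zone` would record why they are read here. The surrounding function continues outside the hunk.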
@@ -386,15 +389,10 @@ func TestNetworks(t *testing.T) {
 assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName))
 }
- baseSharedProjectID := networks.GetStringOutput("base_host_project_id")
- dnsFwZoneName := "fz-dns-hub"
- dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
- assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
-
- restrictedProjectID := networks.GetStringOutput("restricted_host_project_id")
- dnsFwZoneName := "fz-dns-hub"
- dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
- assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
+ dnsZoneSharedBaseHubSpoke := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZoneSharedBaseHubSpoke.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for base", dnsFwZoneName))
+ dnsZoneRestrictedHubSpoke := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZoneRestrictedHubSpoke .Get("name").String(), fmt.Sprintf("dnsZone %s should exist for restricted", dnsFwZoneName))
 networkName := networkNames[networkType]["network_name"]
 networkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName)
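Review bot: `dnsZoneRestrictedHubSpoke .Get("name")` carries a stray space before the selector; it compiles but fails `gofmt`, which the repository's CI presumably runs. The names `dnsZoneSharedBaseHubSpoke` here and `dnsZoneSharedBaseSVPC` in the @@ -472,15 +470,10 @@ hunk suggest one block per network mode, yet neither block is guarded by `networkMode`, so both run in both modes and inside two different loops whose `for` statements begin outside the hunk. One ungated block at function scope, or one block per mode behind `if networkMode == ""`, would match the intent the names express and stop the describe calls from repeating per iteration.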
@@ -472,15 +470,10 @@ func TestNetworks(t *testing.T) {
 assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType]))
 assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network %s", routerName, networkNames[networkType]["network_name"]))
- baseSharedProjectID := networks.GetStringOutput("base_host_project_id")
- dnsFwZoneName := "fz-dns-hub"
- dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
- assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
-
- restrictedProjectID := networks.GetStringOutput("restricted_host_project_id")
- dnsFwZoneName := "fz-dns-hub"
- dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
- assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName))
+ dnsZoneSharedBaseSVPC := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZoneSharedBaseSVPC.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for base", dnsFwZoneName))
+ dnsZoneRestrictedSVPC := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA)
+ assert.Equal(dnsFwZoneName, dnsZoneRestrictedSVPC.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for restricted", dnsFwZoneName))
 }
 }
 }
@@ -490,3 +483,4 @@ func TestNetworks(t *testing.T) {
 }
 }
+
From caf01026dc22782efd776cc6a690c19819d08645 Mon Sep 17 00:00:00 2001
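Review bot: The @@ -490,3 +483,4 @@ hunk adds a trailing blank line after the file's final `}`, which `gofmt` strips again and `gofmt -l` reports; drop the added line so the file stays formatter-clean.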
From: Renato Rudnicki Date: Mon, 13 Jan 2025 10:57:36 -0300 Subject: [PATCH 25/47] disable shared function --- test/disable_tf_files.sh | 34 +++++++++++++++++----------------- test/restore_tf_files.sh | 38 +++++++++++++++++++------------------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index 6b2743493..c6549d9ff 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh @@ -36,23 +36,23 @@ function networks(){ mv $network_dir/envs/production/common.auto.tfvars $network_dir/envs/production/common.auto.tfvars.disabled } -function shared(){ +# function shared(){ - if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then - network_dir="3-networks-hub-and-spoke" - else - network_dir="3-networks-dual-svpc" - fi +# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then +# network_dir="3-networks-hub-and-spoke" +# else +# network_dir="3-networks-dual-svpc" +# fi - # disable access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled +# # disable access_context.auto.tfvars in main module +# mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled - # disable common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled +# # disable common.auto.tfvars in main module +# mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled - # disable shared.auto.tfvars in main module - mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled -} +# # disable shared.auto.tfvars in main module +# mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled +# } function projectsshared(){ # disable shared.auto.tfvars 
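Review bot: `function shared()` and its `-s|--shared` case in test/disable_tf_files.sh are commented out rather than deleted, and the same is done in both test/restore_tf_files.sh hunks; since the TestShared build stages that invoked `--shared` were removed earlier in this series, the commented text is dead code and git history already keeps the original. If the functions are meant to return, a one-line comment stating why they are retained would help, e.g. `# shared() is disabled while the DNS hub project is removed; re-enable together with the shared build stage`. With the case removed, a stray `--shared` argument now falls through to whatever default the `case` statement has, which is outside the hunk; confirm it fails loudly rather than being silently ignored.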
@@ -90,10 +90,10 @@ do networks shift ;; - -s|--shared) - shared - shift - ;; + # -s|--shared) + # shared + # shift + # ;; -a|--appinfra) appinfra shift diff --git a/test/restore_tf_files.sh b/test/restore_tf_files.sh index 4a71bfa9e..5313bdd4b 100644 --- a/test/restore_tf_files.sh +++ b/test/restore_tf_files.sh 
@@ -53,26 +53,26 @@ function networks(){ mv $network_dir/envs/production/common.auto.tfvars.disabled $network_dir/envs/production/common.auto.tfvars } -function shared(){ +# function shared(){ - if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then - network_dir="3-networks-hub-and-spoke" - else - network_dir="3-networks-dual-svpc" - fi +# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then +# network_dir="3-networks-hub-and-spoke" +# else +# network_dir="3-networks-dual-svpc" +# fi - # restore backend configs in main module - mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf +# # restore backend configs in main module +# mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf - # restore access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars +# # restore access_context.auto.tfvars in main module +# mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars - # restore common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars +# # restore common.auto.tfvars in main module +# mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars - # restore shared.auto.tfvars in main module - mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars -} +# # restore shared.auto.tfvars in main module +# mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars +# } function projects(){ # restore backend configs in main module @@ -131,10 +131,10 @@ do networks shift ;; - -s|--shared) - shared - shift - ;; + # -s|--shared) + # shared + # shift + # ;; -o|--org) org shift From 10c4f9593184b30557e4a7de263ac3b4bd99d965 Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Mon, 13 Jan 2025 22:50:52 -0300 Subject: [PATCH 26/47] add .tfvars files in TestNetwork --- test/disable_tf_files.sh | 5 +++++ test/restore_tf_files.sh | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index c6549d9ff..7c7892c3a 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh @@ -26,14 +26,19 @@ function networks(){ fi # disable access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled # mv $network_dir/envs/development/access_context.auto.tfvars $network_dir/envs/development/access_context.auto.tfvars.disabled mv $network_dir/envs/nonproduction/access_context.auto.tfvars $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled mv $network_dir/envs/production/access_context.auto.tfvars $network_dir/envs/production/access_context.auto.tfvars.disabled # disable common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled # mv $network_dir/envs/development/common.auto.tfvars $network_dir/envs/development/common.auto.tfvars.disabled mv $network_dir/envs/nonproduction/common.auto.tfvars $network_dir/envs/nonproduction/common.auto.tfvars.disabled mv $network_dir/envs/production/common.auto.tfvars $network_dir/envs/production/common.auto.tfvars.disabled + + # disable shared.auto.tfvars in main module # + mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled } # function shared(){ diff --git a/test/restore_tf_files.sh b/test/restore_tf_files.sh index 5313bdd4b..946c666b2 100644 --- a/test/restore_tf_files.sh +++ b/test/restore_tf_files.sh 
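Review bot: The new `mv` lines expand `$network_dir` unquoted, and the added comment `# disable shared.auto.tfvars in main module #` carries a stray trailing `#`; both points apply equally to the mirrored hunk in `restore_tf_files.sh` at line 38. `network_dir` is assigned from a fixed if/else, so the unquoted form works today, but `mv "$network_dir/envs/shared/shared.auto.tfvars" "$network_dir/envs/shared/shared.auto.tfvars.disabled"` is the conventional safe form and costs nothing. The pre-existing comments still read `in main module` although the function now also touches `envs/shared`, so the comment wording no longer matches what the block does. `networks()` begins outside the hunk, so whether a missing file aborts the script (`set -e`) cannot be seen here.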
@@ -38,19 +38,25 @@ function networks(){ fi # restore backend configs in main module + mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf # mv $network_dir/envs/development/backend.tf.disabled $network_dir/envs/development/backend.tf mv $network_dir/envs/nonproduction/backend.tf.disabled $network_dir/envs/nonproduction/backend.tf mv $network_dir/envs/production/backend.tf.disabled $network_dir/envs/production/backend.tf # restore access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars # mv $network_dir/envs/development/access_context.auto.tfvars.disabled $network_dir/envs/development/access_context.auto.tfvars mv $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled $network_dir/envs/nonproduction/access_context.auto.tfvars mv $network_dir/envs/production/access_context.auto.tfvars.disabled $network_dir/envs/production/access_context.auto.tfvars # restore common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars # mv $network_dir/envs/development/common.auto.tfvars.disabled $network_dir/envs/development/common.auto.tfvars mv $network_dir/envs/nonproduction/common.auto.tfvars.disabled $network_dir/envs/nonproduction/common.auto.tfvars mv $network_dir/envs/production/common.auto.tfvars.disabled $network_dir/envs/production/common.auto.tfvars + + # restore shared.auto.tfvars in main module # + mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars } # function shared(){ From 25335d55f5ee0ea217857fe1232b9de41d4414f5 Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Fri, 17 Jan 2025 10:18:34 -0300 Subject: [PATCH 27/47] rename variables and small fixes --- 0-bootstrap/README-GitHub.md | 6 +- 0-bootstrap/README-GitLab.md | 6 +- 0-bootstrap/README-Jenkins.md | 6 +- 0-bootstrap/README-Terraform-Cloud.md | 6 +- 3-networks-dual-svpc/README.md | 12 +- 3-networks-dual-svpc/envs/production/main.tf | 28 +-- .../envs/production/shared.auto.tfvars | 1 - 3-networks-dual-svpc/envs/shared/README.md | 2 - .../envs/shared/interconnect.tf.example | 60 ------- .../partner_interconnect.auto.tfvars.example | 18 -- .../shared/partner_interconnect.tf.example | 46 ----- 3-networks-dual-svpc/envs/shared/remote.tf | 4 +- .../envs/shared/remote.tf.cloud.example | 6 +- .../envs/shared/shared.auto.tfvars | 1 - 3-networks-dual-svpc/envs/shared/variables.tf | 12 -- .../modules/base_env/remote.tf.cloud.example | 1 - .../modules/base_shared_vpc/README.md | 1 + .../modules/base_shared_vpc/dns.tf | 2 +- .../modules/base_shared_vpc/main.tf | 11 +- .../modules/base_shared_vpc/variables.tf | 6 + .../modules/restricted_shared_vpc/README.md | 4 +- .../modules/restricted_shared_vpc/dns.tf | 2 +- .../modules/restricted_shared_vpc/main.tf | 10 +- .../restricted_shared_vpc/variables.tf | 16 +- .../shared.auto.example.tfvars | 28 --- .../modules/base_shared_vpc/dns.tf | 8 +- .../modules/base_shared_vpc/main.tf | 12 +- .../modules/restricted_shared_vpc/dns.tf | 8 +- .../modules/restricted_shared_vpc/main.tf | 12 +- build/int.cloudbuild.yaml | 16 ++ test/disable_tf_files.sh | 42 +++-- test/integration/shared/shared_test.go | 159 ++++++++++++++++++ test/restore_tf_files.sh | 47 +++--- 33 files changed, 289 insertions(+), 310 deletions(-) delete mode 120000 3-networks-dual-svpc/envs/production/shared.auto.tfvars delete mode 100644 3-networks-dual-svpc/envs/shared/interconnect.tf.example delete mode 100644 3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example delete mode 100644 
3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example delete mode 120000 3-networks-dual-svpc/envs/shared/shared.auto.tfvars delete mode 100644 3-networks-dual-svpc/shared.auto.example.tfvars create mode 100644 test/integration/shared/shared_test.go diff --git a/0-bootstrap/README-GitHub.md b/0-bootstrap/README-GitHub.md index 6aba496d4..8c98ea3cf 100644 --- a/0-bootstrap/README-GitHub.md +++ b/0-bootstrap/README-GitHub.md @@ -565,15 +565,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu chmod 755 ./tf-wrapper.sh ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` -1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`. +1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`. 1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`. ```bash diff --git a/0-bootstrap/README-GitLab.md b/0-bootstrap/README-GitLab.md index b0ab4a312..1a27609a7 100644 --- a/0-bootstrap/README-GitLab.md +++ b/0-bootstrap/README-GitLab.md 
@@ -568,15 +568,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu chmod 755 ./*.sh ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` -1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`. +1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`. 1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`. ```bash diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md index ac536a6c4..5ece83a8f 100644 --- a/0-bootstrap/README-Jenkins.md +++ b/0-bootstrap/README-Jenkins.md 
@@ -599,16 +599,16 @@ Here you will configure a VPN Network tunnel to enable connectivity between the sed -i'' -e "s/CICD_PROJECT_ID/${CICD_PROJECT_ID}/" ./Jenkinsfile ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. -1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`. +1. Update `production.auto.tfvars` file with the `target_name_server_addresses`. 1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. 1. Use `terraform output` to get the backend bucket and networks step Terraform Service Account values from gcp-bootstrap output. diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md index c13a88bb4..f68977a4f 100644 --- a/0-bootstrap/README-Terraform-Cloud.md +++ b/0-bootstrap/README-Terraform-Cloud.md 
@@ -476,15 +476,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu chmod 755 ./tf-wrapper.sh ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` -1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`. +1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`. 1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`. ```bash diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index ddfb54ab2..6b19953cc 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -163,16 +163,16 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get chmod 755 ./tf-wrapper.sh ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. - Update `shared.auto.tfvars` file with the `target_name_server_addresses`. + Update `production.auto.tfvars` file with the `target_name_server_addresses`. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. Use `terraform output` to get the backend bucket value from 0-bootstrap output. 
@@ -305,16 +305,16 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s git checkout -b production ``` -1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars - mv shared.auto.example.tfvars shared.auto.tfvars + mv production.auto.example.tfvars production.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars ``` 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. -1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`. +1. Update `production.auto.tfvars` file with the `target_name_server_addresses`. 1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. 1. Use `terraform output` to get the backend bucket value from gcp-bootstrap output. diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 233cafe53..c6512b2ac 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -20,48 +20,48 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.16.0/21" + base_private_service_cidr = "10.16.24.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.128.0/18" - (local.default_region2) = "10.1.128.0/18" + (local.default_region1) = "10.0.192.0/18" + (local.default_region2) = "10.1.192.0/18" } base_subnet_proxy_ranges = { - (local.default_region1) = "10.18.4.0/23" - (local.default_region2) = "10.19.4.0/23" + (local.default_region1) = "10.18.6.0/23" + (local.default_region2) = "10.19.6.0/23" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.128.0/18" + ip_cidr_range = "100.64.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.65.128.0/18" + ip_cidr_range = "100.65.192.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.16.48.0/21" + restricted_private_service_cidr = "10.16.56.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.128.0/18" - (local.default_region2) = "10.9.128.0/18" + (local.default_region1) = "10.8.192.0/18" + (local.default_region2) = "10.9.192.0/18" } restricted_subnet_proxy_ranges = { - (local.default_region1) = "10.26.4.0/23" - (local.default_region2) = "10.27.4.0/23" + (local.default_region1) = "10.26.6.0/23" + (local.default_region2) = "10.27.6.0/23" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.128.0/18" + ip_cidr_range = "100.72.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.73.128.0/18" + ip_cidr_range = "100.73.192.0/18" } ] } 
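Review bot: Every production range in this `locals` block is renumbered (for example `base_private_service_cidr` from `10.16.16.0/21` to `10.16.24.0/21` and the primary subnets from `.128.0/18` to `.192.0/18`), yet the commit message says only `rename variables and small fixes`; on an existing deployment a changed `ip_cidr_range` or private-service range forces replacement of the subnets and the Private Service Connect allocation, which is not a small fix and deserves its own commit or at least a sentence in the description. If the freed `.128.0/18` blocks are now taken by the shared/common environment this patch introduces, record that where the ranges are defined, e.g. `# 10.x.128.0/18 and 10.16.16.0/21 are reserved for the common (c) environment`, and confirm the new ranges do not overlap the other environments' `main.tf`, which are outside this hunk.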
diff --git a/3-networks-dual-svpc/envs/production/shared.auto.tfvars b/3-networks-dual-svpc/envs/production/shared.auto.tfvars deleted file mode 120000 index b7f8387a8..000000000 --- a/3-networks-dual-svpc/envs/production/shared.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../shared.auto.tfvars \ No newline at end of file diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index 84a48fa06..37d6649d7 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md @@ -13,9 +13,7 @@ | bgp\_asn\_dns | BGP Autonomous System Number (ASN). | `number` | `64667` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | domain | The DNS name of forwarding managed zone, for instance 'example.com'. Must end with a period. | `string` | n/a | yes | -| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | -| preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | | vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example deleted file mode 100644 index 818d8b26e..000000000 --- a/3-networks-dual-svpc/envs/shared/interconnect.tf.example +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "dns_hub_interconnect" { - source = "../../modules/dedicated_interconnect" - - vpc_name = "vpc-p-shared-restricted" - interconnect_project_id = local.restricted_project_id - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.0/29"] - region1_interconnect1_vlan_tag8021q = "3931" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.8/29"] - region1_interconnect2_vlan_tag8021q = "3932" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.16/29"] - region2_interconnect1_vlan_tag8021q = "3933" - region2_interconnect1 = 
"https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.24/29"] - region2_interconnect2_vlan_tag8021q = "3934" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example deleted file mode 100644 index aae4c298e..000000000 --- a/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example +++ /dev/null @@ -1,18 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -enable_partner_interconnect = true -preactivate_partner_interconnect = true 
diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example deleted file mode 100644 index 67d045e7e..000000000 --- a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example +++ /dev/null @@ -1,46 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "dns_hub_interconnect" { - source = "../../modules/partner_interconnect" - - vpc_name = "vpc-p-shared-restricted" - attachment_project_id = local.restricted_project_id - preactivate = var.preactivate_partner_interconnect - - region1 = local.default_region1 - region1_router1_name = module.dns_hub_region1_router1.router.name - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.dns_hub_region1_router2.router.name - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = local.default_region2 - region2_router1_name = module.dns_hub_region2_router1.router.name - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.dns_hub_region2_router2.router.name - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } -} 
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf index 72017f904..3afb75cb7 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf +++ b/3-networks-dual-svpc/envs/shared/remote.tf @@ -17,12 +17,10 @@ locals { env = "common" environment_code = "c" - dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns + dns_bgp_asn_number = var.bgp_asn_dns default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name diff --git a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example index f12825173..10ffccb73 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example +++ b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example 
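Review bot: After this hunk `dns_bgp_asn_number = var.bgp_asn_dns` is a bare alias of the variable, so the local no longer earns its name; either use `var.bgp_asn_dns` at the call sites or keep the local with a comment stating why the fixed Partner Interconnect ASN (`16550`) no longer applies to the dual-svpc shared environment. The two remote files diverge: this hunk drops `interconnect_project_id` and `restricted_project_id`, while the `remote.tf.cloud.example` hunk below drops `interconnect_project_id` and `dns_hub_project_id`, so it is worth confirming both files declare the same set of locals afterwards. Anything in `envs/shared` that still references `local.restricted_project_id` (the deleted `.example` files did) would now fail at plan time; the remaining files are outside this hunk.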
@@ -17,18 +17,16 @@ locals { env = "common" environment_code = "c" - dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns + dns_bgp_asn_number = var.bgp_asn_dns default_region1 = data.tfe_outputs.bootstrap.outputs.common_config.default_region default_region2 = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2 folder_prefix = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.folder_prefix - dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id - interconnect_project_id = data.tfe_outputs.org.nonsensitive_values.interconnect_project_id parent_id = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.parent_id bootstrap_folder_name = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.bootstrap_folder_name common_folder_name = data.tfe_outputs.org.nonsensitive_values.common_folder_name network_folder_name = data.tfe_outputs.org.nonsensitive_values.network_folder_name development_folder_name = data.tfe_outputs.env_development.nonsensitive_values.env_folder - nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder + nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder production_folder_name = data.tfe_outputs.env_production.nonsensitive_values.env_folder } diff --git a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars deleted file mode 120000 index b7f8387a8..000000000 --- a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../shared.auto.tfvars \ No newline at end of file diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf index 960985cd8..ef776e33e 100644 --- a/3-networks-dual-svpc/envs/shared/variables.tf +++ b/3-networks-dual-svpc/envs/shared/variables.tf 
@@ -62,18 +62,6 @@ variable "firewall_policies_enable_logging" { default = true } -variable "enable_partner_interconnect" { - description = "Enable Partner Interconnect in the environment." - type = bool - default = false -} - -variable "preactivate_partner_interconnect" { - description = "Preactivate Partner Interconnect VLAN attachment in the environment." - type = bool - default = false -} - variable "tfc_org_name" { description = "Name of the TFC organization" type = string diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example b/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example index 6ba8d057d..df60f9e1c 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example +++ b/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example @@ -19,7 +19,6 @@ locals { restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id interconnect_project_number = data.tfe_outputs.org.nonsensitive_values.interconnect_project_number - dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id organization_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.organization_step_terraform_service_account_email networks_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.networks_step_terraform_service_account_email projects_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.projects_step_terraform_service_account_email diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 1372cc47e..707c8acd1 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md 
@@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| base\_dns\_project\_id | Project ID for DNS Base Shared. | `string` | `""` | no | | base\_network\_name | The name of the VPC being created | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 9ed5abc34..dd065135e 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -36,7 +36,7 @@ data "google_compute_network" "vpc_dns_hub" { count = var.environment_code != "p" ? 1 : 0 name = "vpc-p-shared-base" - project = var.production_project_id + project = var.base_dns_project_id } module "peering_zone" { diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index e4c22a827..8fdbaf055 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf 
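Review bot: `project = var.base_dns_project_id` is evaluated whenever `var.environment_code != "p"`, yet the variable introduced in the variables.tf hunk below defaults to `""`, so a non-production environment that forgets to set it looks up `vpc-p-shared-base` against an empty project id, which fails at plan time or, depending on provider behaviour, silently falls back to the provider's default project. Either drop the default so Terraform requires the value, or add a `lifecycle { precondition { ... } }` block on the `vpc_dns_hub` data source with `condition = var.environment_code == "p" || var.base_dns_project_id != ""` and an error message naming the variable. The restricted_shared_vpc dns.tf hunk (`project = var.restricted_dns_project_id`) has the same gap.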
@@ -15,11 +15,12 @@ */ locals { - vpc_name = "${var.environment_code}-shared-base" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] + vpc_name = "${var.environment_code}-shared-base" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] + } /****************************************** diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 5afba9883..6a4ba92da 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "base_dns_project_id" { + description = "Project ID for DNS Base Shared." + type = string + default = "" +} + variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index f0937fcb1..3ad3b457d 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md 
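Review bot: `advertised_ip = var.private_service_cidr == "p" ? ...` compares a CIDR string with the literal `"p"`, so the first branch is unreachable and the production shared VPC never advertises `35.199.192.0/19` to on-prem; the rest of the series shows the intended test is `var.environment_code == "p"`, which PATCH 28 later applies. The restricted_shared_vpc main.tf hunk in this patch carries the same condition. The extra blank line added before the closing `}` of `locals` will be removed by `terraform fmt`.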
@@ -26,11 +26,9 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| production\_restricted\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | -| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | -| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no | +| restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no | | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes | | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf index 2d07d80a9..85b190d82 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf @@ -36,7 +36,7 @@ data "google_compute_network" "vpc_dns_hub" { count = var.environment_code != "p" ? 1 : 0 name = "vpc-p-shared-restricted" - project = var.production_restricted_project_id + project = var.restricted_dns_project_id } module "peering_zone" { 
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index 306a19d28..53802c22a 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf @@ -15,11 +15,11 @@ */ locals { - vpc_name = "${var.environment_code}-shared-restricted" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + vpc_name = "${var.environment_code}-shared-restricted" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index f73965b07..27e733385 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -14,8 +14,8 @@ * limitations under the License. */ -variable "production_restricted_project_id" { - description = "Project ID for Restricted Shared." +variable "restricted_dns_project_id" { + description = "Project ID for DNS Restricted Shared." type = string default = "" } 
@@ -25,18 +25,6 @@ variable "target_name_server_addresses" { type = list(map(any)) } -variable "restricted_net_hub_project_id" { - type = string - description = "The restricted net hub project ID" - default = "" -} - -variable "restricted_network_name" { - type = string - description = "The name of the VPC being created" - default = "" -} - variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." diff --git a/3-networks-dual-svpc/shared.auto.example.tfvars b/3-networks-dual-svpc/shared.auto.example.tfvars deleted file mode 100644 index 0db7e30ea..000000000 --- a/3-networks-dual-svpc/shared.auto.example.tfvars +++ /dev/null @@ -1,28 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -// List of IPv4 address of target name servers for the forwarding zone configuration. -// See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones -target_name_server_addresses = [ - { - ipv4_address = "192.168.0.1", - forwarding_path = "default" - }, - { - ipv4_address = "192.168.0.2", - forwarding_path = "default" - } -] diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index d20c3f0df..355031822 100644 
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -31,12 +31,6 @@ resource "google_dns_policy" "default_policy" { /****************************************** Creates DNS Peering to DNS HUB *****************************************/ -data "google_compute_network" "vpc_dns_hub" { - count = var.mode == "spoke" ? 1 : 0 - - name = data.google_compute_network.vpc_base_net_hub[0].name - project = var.base_net_hub_project_id -} module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" @@ -53,7 +47,7 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link + target_network = data.google_compute_network.vpc_base_net_hub[0].self_link } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index e9c4fbba6..49ef53872 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf 
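Review bot: The header comment `Creates DNS Peering to DNS HUB` is now stale: with `target_network = data.google_compute_network.vpc_base_net_hub[0].self_link` the peering zone targets the base net hub VPC rather than a separate DNS hub, so it should read `Creates DNS Peering to the base net hub VPC`. The removed `vpc_dns_hub` data source was guarded by `count = var.mode == "spoke" ? 1 : 0`; `vpc_base_net_hub` is declared outside this hunk, so please confirm it is guarded by the same condition, otherwise a hub-mode instantiation fails on the `[0]` index. The two restricted_shared_vpc dns.tf hunks make the identical change and need the same comment fix.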
@@ -15,12 +15,12 @@ */ locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-base${local.mode}" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-base${local.mode}" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.private_googleapis_cidr }] } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index e5706d46f..e9dadbb59 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf @@ -31,12 +31,6 @@ resource "google_dns_policy" "default_policy" { /****************************************** Creates DNS Peering to DNS HUB *****************************************/ -data "google_compute_network" "vpc_dns_hub" { - count = var.mode == "spoke" ? 1 : 0 - - name = data.google_compute_network.vpc_restricted_net_hub[0].name - project = var.restricted_net_hub_project_id -} module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" 
@@ -53,7 +47,7 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link + target_network = data.google_compute_network.vpc_restricted_net_hub[0].self_link } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 07cd09540..5742c7540 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -15,12 +15,12 @@ */ locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-restricted${local.mode}" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-restricted${local.mode}" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 49216a86b..41dfabe41 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -66,6 +66,18 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage verify --verbose --test-dir /workspace/test/integration'] +- id: create-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', './test/disable_tf_files.sh --shared && cft test run TestShared --stage init --verbose --test-dir /workspace/test/integration'] + +- id: converge-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage apply --verbose --test-dir /workspace/test/integration'] + +- id: verify-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage verify --verbose --test-dir /workspace/test/integration'] + - id: create-networks name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', './test/disable_tf_files.sh --networks && cft test run TestNetworks --stage init --verbose --test-dir /workspace/test/integration'] 
@@ -130,6 +142,10 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNetworks --stage destroy --verbose --test-dir /workspace/test/integration'] +- id: destroy-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage destroy --verbose --test-dir /workspace/test/integration'] + - id: destroy-envs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage destroy --verbose --test-dir /workspace/test/integration'] diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index 7c7892c3a..bdd22f199 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh 
@@ -23,41 +23,39 @@ function networks(){ network_dir="3-networks-hub-and-spoke" else network_dir="3-networks-dual-svpc" + + # disable production.auto.tfvars in main module # + mv $network_dir/envs/production/production.auto.tfvars $network_dir/envs/production/production.auto.tfvars.disabled fi # disable access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled # mv $network_dir/envs/development/access_context.auto.tfvars $network_dir/envs/development/access_context.auto.tfvars.disabled mv $network_dir/envs/nonproduction/access_context.auto.tfvars $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled mv $network_dir/envs/production/access_context.auto.tfvars $network_dir/envs/production/access_context.auto.tfvars.disabled # disable common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled # mv $network_dir/envs/development/common.auto.tfvars $network_dir/envs/development/common.auto.tfvars.disabled mv $network_dir/envs/nonproduction/common.auto.tfvars $network_dir/envs/nonproduction/common.auto.tfvars.disabled mv $network_dir/envs/production/common.auto.tfvars $network_dir/envs/production/common.auto.tfvars.disabled - - # disable shared.auto.tfvars in main module # - mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled } -# function shared(){ +function shared(){ -# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then -# network_dir="3-networks-hub-and-spoke" -# else -# network_dir="3-networks-dual-svpc" -# fi + if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then + network_dir="3-networks-hub-and-spoke" -# # disable access_context.auto.tfvars in main module -# mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled + # disable shared.auto.tfvars 
in main module + mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled + else + network_dir="3-networks-dual-svpc" + fi -# # disable common.auto.tfvars in main module -# mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled + # disable access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled -# # disable shared.auto.tfvars in main module -# mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled -# } + # disable common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled +} function projectsshared(){ # disable shared.auto.tfvars @@ -95,10 +93,10 @@ do networks shift ;; - # -s|--shared) - # shared - # shift - # ;; + -s|--shared) + shared + shift + ;; -a|--appinfra) appinfra shift diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go new file mode 100644 index 000000000..8102b7163 --- /dev/null +++ b/test/integration/shared/shared_test.go 
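Review bot: The new `mv` lines in `shared()` and in the dual-svpc branch of `networks()` keep `$network_dir` unquoted and have no existence guard, so a rerun after a partial failure (file already renamed to `.disabled`) either aborts the script or leaves the stage half-disabled, depending on whether `set -e` is in effect outside this hunk. Writing them as `[ -f "$network_dir/envs/shared/shared.auto.tfvars" ] && mv "$network_dir/envs/shared/shared.auto.tfvars" "$network_dir/envs/shared/shared.auto.tfvars.disabled"` makes the step idempotent. The comment `# disable production.auto.tfvars in main module #` also has a stray trailing `#`.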
@@ -0,0 +1,159 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package shared + +import ( + "fmt" + "testing" + "time" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/terraform-google-modules/terraform-example-foundation/test/integration/testutils" +) + +func isHubAndSpokeMode(t *testing.T) bool { + mode := utils.ValFromEnv(t, "TF_VAR_example_foundations_mode") + return mode == "HubAndSpoke" +} + +func TestShared(t *testing.T) { + + bootstrap := tft.NewTFBlueprintTest(t, + tft.WithTFDir("../../../0-bootstrap"), + ) + + orgID := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["org_id"] + policyID := testutils.GetOrgACMPolicyID(t, orgID) + require.NotEmpty(t, policyID, "Access Context Manager Policy ID must be configured in the organization for the test to proceed.") + + // Configure impersonation for test execution + terraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email") + utils.SetEnv(t, "GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", terraformSA) + backend_bucket := 
bootstrap.GetStringOutput("gcs_bucket_tfstate") + + backendConfig := map[string]interface{}{ + "bucket": backend_bucket, + } + + vars := map[string]interface{}{ + "remote_state_bucket": backend_bucket, + } + var tfdDir string + if isHubAndSpokeMode(t) { + vars["access_context_manager_policy_id"] = policyID + vars["perimeter_additional_members"] = []string{} + tfdDir = "../../../3-networks-hub-and-spoke/envs/shared" + } else { + tfdDir = "../../../3-networks-dual-svpc/envs/shared" + } + + shared := tft.NewTFBlueprintTest(t, + tft.WithTFDir(tfdDir), + tft.WithVars(vars), + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 1, 2*time.Minute), + tft.WithPolicyLibraryPath("/workspace/policy-library", bootstrap.GetTFSetupStringOutput("project_id")), + tft.WithBackendConfig(backendConfig), + ) + shared.DefineVerify( + func(assert *assert.Assertions) { + + // do a time.Sleep to wait for propagation of VPC Service Controls configuration in the Hub and Spoke network mode + if isHubAndSpokeMode(t) { + time.Sleep(60 * time.Second) + } + + // perform default verification ensuring Terraform reports no additional changes on an applied blueprint + // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) + // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 + // shared.DefaultVerify(assert) + + projectID := shared.GetStringOutput("dns_hub_project_id") + networkName := "vpc-net-dns" + dnsHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/vpc-net-dns", projectID) + dnsPolicyName := "dp-dns-hub-default-policy" + + dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", dnsPolicyName, projectID) + 
assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) + assert.Equal(dnsHubNetworkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) + + dnsFwZoneName := "fz-dns-hub" + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, projectID) + assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName)) + + projectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", networkName, projectID) + assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) + + for _, subnet := range []struct { + name string + cidrRange string + region string + }{ + { + name: "sb-net-dns-us-west1", + cidrRange: "172.16.0.128/25", + region: "us-west1", + }, + { + name: "sb-net-dns-us-central1", + cidrRange: "172.16.0.0/25", + region: "us-central1", + }, + } { + sub := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, projectID) + assert.Equal(subnet.name, sub.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, sub.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + } + + bgpAdvertisedIpRange := "35.199.192.0/19" + + for _, router := range []struct { + name string + region string + }{ + { + name: "cr-net-dns-us-central1-cr1", + region: "us-central1", + }, + { + name: "cr-net-dns-us-central1-cr2", + region: "us-central1", + }, + { + name: "cr-net-dns-us-west1-cr3", + region: "us-west1", + }, + { + name: "cr-net-dns-us-west1-cr4", + region: "us-west1", + }, + } { + computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, projectID) + assert.Equal(router.name, 
computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64667", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64667", router.name)) + assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", router.name)) + assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(dnsHubNetworkUrl, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network vpc-net-dns", router.name)) + } + }) + shared.Test() +} diff --git a/test/restore_tf_files.sh b/test/restore_tf_files.sh index 946c666b2..74d530c13 100644 --- a/test/restore_tf_files.sh +++ b/test/restore_tf_files.sh 
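Review bot: The forwarding-zone check only asserts that `fz-dns-hub` exists; since the whole point of the hub is that on-prem resolvers are reached through this zone and only from `vpc-net-dns`, the test should also pin its scope and targets, e.g. `assert.Equal(dnsHubNetworkUrl, dnsZone.Get("privateVisibilityConfig.networks.0.networkUrl").String(), fmt.Sprintf("dnsZone %s should be visible only from %s", dnsFwZoneName, networkName))` and `assert.NotEmpty(dnsZone.Get("forwardingConfig.targetNameServers").Array(), fmt.Sprintf("dnsZone %s should forward to on-prem name servers", dnsFwZoneName))`. Two assertion messages are off: `"IP CIDR range %s should be"` is truncated and `"should have bgp asm 64667"` should say `asn`. Minor style: `backend_bucket` is not Go naming (`backendBucket`), and `dnsHubNetworkUrl` hard-codes `vpc-net-dns` although `networkName` already holds it.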
@@ -35,50 +35,47 @@ function networks(){ network_dir="3-networks-hub-and-spoke" else network_dir="3-networks-dual-svpc" + + # disable shared.auto.tfvars in main module # + mv $network_dir/envs/production/production.auto.tfvars.disabled $network_dir/envs/production/production.auto.tfvars fi # restore backend configs in main module - mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf # mv $network_dir/envs/development/backend.tf.disabled $network_dir/envs/development/backend.tf mv $network_dir/envs/nonproduction/backend.tf.disabled $network_dir/envs/nonproduction/backend.tf mv $network_dir/envs/production/backend.tf.disabled $network_dir/envs/production/backend.tf # restore access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars # mv $network_dir/envs/development/access_context.auto.tfvars.disabled $network_dir/envs/development/access_context.auto.tfvars mv $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled $network_dir/envs/nonproduction/access_context.auto.tfvars mv $network_dir/envs/production/access_context.auto.tfvars.disabled $network_dir/envs/production/access_context.auto.tfvars # restore common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars # mv $network_dir/envs/development/common.auto.tfvars.disabled $network_dir/envs/development/common.auto.tfvars mv $network_dir/envs/nonproduction/common.auto.tfvars.disabled $network_dir/envs/nonproduction/common.auto.tfvars mv $network_dir/envs/production/common.auto.tfvars.disabled $network_dir/envs/production/common.auto.tfvars - - # restore shared.auto.tfvars in main module # - mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars } -# function shared(){ +function shared(){ -# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then 
-# network_dir="3-networks-hub-and-spoke" -# else -# network_dir="3-networks-dual-svpc" -# fi + if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then + network_dir="3-networks-hub-and-spoke" -# # restore backend configs in main module -# mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf + # restore shared.auto.tfvars in main module + mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars + else + network_dir="3-networks-dual-svpc" + fi -# # restore access_context.auto.tfvars in main module -# mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars + # restore backend configs in main module + mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf -# # restore common.auto.tfvars in main module -# mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars + # restore access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars -# # restore shared.auto.tfvars in main module -# mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars -# } + # restore common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars +} function projects(){ # restore backend configs in main module @@ -137,10 +134,10 @@ do networks shift ;; - # -s|--shared) - # shared - # shift - # ;; + -s|--shared) + shared + shift + ;; -o|--org) org shift From bc3c6c8c2bf16828cddd4d93ce894fcd5b9d6a3c Mon Sep 17 00:00:00 2001 
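Review bot: The comment above the new line in `networks()`, `# disable shared.auto.tfvars in main module #`, does not describe the command beneath it, which restores `production.auto.tfvars` from its `.disabled` copy; it should read `# restore production.auto.tfvars in main module`. The new `mv` lines in `shared()` also leave `$network_dir` unquoted and have no guard, so a restore after a run that never reached the disable step fails on the missing `.disabled` file; quoting the paths and prefixing `[ -f "..." ] &&` would make the restore safe to rerun.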
From: Renato Rudnicki Date: Fri, 17 Jan 2025 10:33:55 -0300 Subject: [PATCH 28/47] fix advertised_ip value --- 3-networks-dual-svpc/modules/base_shared_vpc/main.tf | 2 +- 3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf | 2 +- 3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf | 2 +- 3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 8fdbaf055..cefba1987 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf @@ -19,7 +19,7 @@ locals { network_name = "vpc-${local.vpc_name}" private_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] + advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index 53802c22a..17da512a8 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf 
@@ -19,7 +19,7 @@ locals { network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 49ef53872..60b87afb4 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -20,7 +20,7 @@ locals { network_name = "vpc-${local.vpc_name}" private_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.private_googleapis_cidr }] + advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 5742c7540..bff9f77e1 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf 
@@ -20,7 +20,7 @@ locals { network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr}] } /****************************************** From 49453c7707851879b47e50fb7cfcb6b30dc33517 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 17 Jan 2025 17:52:47 -0300 Subject: [PATCH 29/47] fix lint --- 3-networks-dual-svpc/modules/base_env/main.tf | 2 +- 3-networks-dual-svpc/modules/base_env/remote.tf | 1 - .../modules/restricted_shared_vpc/README.md | 1 + .../modules/restricted_shared_vpc/variables.tf | 6 ++++++ .../modules/restricted_shared_vpc/main.tf | 2 +- 5 files changed, 9 insertions(+), 3 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index c5679eea7..930d869a0 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -171,7 +171,7 @@ module "restricted_shared_vpc" { project_id = local.restricted_project_id project_number = local.restricted_project_number - production_restricted_project_id = local.production_restricted_project_id + production_project_id = local.production_restricted_project_id environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index 80db5b34a..a768cdde5 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf 
+++ b/3-networks-dual-svpc/modules/base_env/remote.tf @@ -26,7 +26,6 @@ locals { production_base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id } - data "terraform_remote_state" "bootstrap" { backend = "gcs" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 3ad3b457d..4530eb09c 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md @@ -26,6 +26,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | +| production\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 27e733385..9753fc176 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf 
@@ -20,6 +20,12 @@ variable "restricted_dns_project_id" { default = "" } +variable "production_project_id" { + description = "Project ID for Restricted Shared." + type = string + default = "" +} + variable "target_name_server_addresses" { description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." type = list(map(any)) diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index bff9f77e1..4021a4dd4 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -20,7 +20,7 @@ locals { network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr}] + advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** From 027fa2826e105ab7cb85b25764fd3fd366db1a50 Mon Sep 17 00:00:00 2001 
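Review bot: The new `production_project_id` variable carries the description `"Project ID for Restricted Shared."`, which does not say which project it is; the only caller in this commit (3-networks-dual-svpc/modules/base_env/main.tf) passes `local.production_restricted_project_id`, so the description should name that, e.g. `description = "Project ID of the production environment's Restricted Shared VPC host project."`. The `default = ""` is also worth a second look: if the value feeds a data source or cross-project reference elsewhere in the module (not visible in this hunk), an empty string presumably fails at plan time with an unhelpful API error rather than a clear message, so either drop the default or add a `validation` block that rejects `""` when the module is used in a mode that needs it. The README row added in the same commit should be regenerated once the description changes.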
From: Renato Rudnicki Date: Thu, 30 Jan 2025 11:33:00 -0300 Subject: [PATCH 30/47] update integration tests --- .../envs/shared/README.md | 4 + .../envs/shared/outputs.tf | 20 +++ .../modules/base_shared_vpc/README.md | 1 + .../modules/base_shared_vpc/main.tf | 3 +- .../modules/base_shared_vpc/outputs.tf | 5 + .../modules/restricted_shared_vpc/README.md | 1 + .../modules/restricted_shared_vpc/main.tf | 2 +- .../modules/restricted_shared_vpc/outputs.tf | 5 + test/integration/networks/networks_test.go | 67 +++++----- test/integration/shared/shared_test.go | 123 +++++++++++++----- 10 files changed, 165 insertions(+), 66 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index 4d7df9dff..73394b3e5 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md @@ -52,7 +52,11 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | |------|-------------| +| base\_dns\_policy | The name of the DNS policy being created | | base\_host\_project\_id | The base host project ID | +| base\_network\_name | The name of the VPC being created | +| restricted\_dns\_policy | The name of the DNS policy being created | | restricted\_host\_project\_id | The restricted host project ID | +| restricted\_network\_name | The name of the VPC being created | diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf index 351152ace..6af4101cf 100644 --- a/3-networks-hub-and-spoke/envs/shared/outputs.tf +++ b/3-networks-hub-and-spoke/envs/shared/outputs.tf 
@@ -23,3 +23,23 @@ output "base_host_project_id" { value = local.base_net_hub_project_id description = "The base host project ID" } + +output "base_network_name" { + value = module.base_shared_vpc.network_name + description = "The name of the VPC being created" +} + +output "restricted_network_name" { + value = module.restricted_shared_vpc.network_name + description = "The name of the VPC being created" +} + +output "base_dns_policy" { + value = module.base_shared_vpc.base_dns_policy + description = "The name of the DNS policy being created" +} + +output "restricted_dns_policy" { + value = module.restricted_shared_vpc.restricted_dns_policy + description = "The name of the DNS policy being created" +} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index e0ed9e736..7e0b74baa 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md @@ -31,6 +31,7 @@ | Name | Description | |------|-------------| +| base\_dns\_policy | The name of the DNS policy being created | | firewall\_policy | Policy created for firewall policy rules. | | network\_name | The name of the VPC being created | | network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 60b87afb4..e27860359 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf 
@@ -20,7 +20,8 @@ locals { network_name = "vpc-${local.vpc_name}" private_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] + advertised_ip = var.environment_code == "c" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }] + } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf index d7527cbc7..3d13190d7 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/outputs.tf @@ -19,6 +19,11 @@ output "network_name" { description = "The name of the VPC being created" } +output "base_dns_policy" { + value = google_dns_policy.default_policy.name + description = "The name of the DNS policy being created" +} + output "network_self_link" { value = module.main.network_self_link description = "The URI of the VPC being created" diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index de75121ad..130845c51 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md 
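Review bot: The literal in `advertised_ip` changes from `"p"` to `"c"` with no comment, and the same module in 3-networks-dual-svpc keeps `"p"`, so the two copies now silently disagree on which environment advertises the DNS proxy range 35.199.192.0/19. The shared-environment test names in this commit (`sb-c-shared-base-hub-…`) suggest `"c"` is the hub's environment code, so a comment such as `# Only the hub network (environment code "c") advertises the DNS proxy range 35.199.192.0/19 alongside the PSC endpoint IP; spokes advertise the PSC IP only.` would make the divergence deliberate rather than accidental. The added `+` blank line before the closing `}` of `locals` looks stray and will be flagged by `terraform fmt`. The same two points apply to the restricted_shared_vpc/main.tf hunk in this commit.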
@@ -53,6 +53,7 @@ | region1\_router2 | Router 2 for Region 1 | | region2\_router1 | Router 1 for Region 2 | | region2\_router2 | Router 2 for Region 2 | +| restricted\_dns\_policy | The name of the DNS policy being created | | service\_perimeter\_name | Access context manager service perimeter name for the enforced perimeter | | subnets\_ips | The IPs and CIDRs of the subnets being created | | subnets\_names | The names of the subnets being created | diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 4021a4dd4..7bfeeda13 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -20,7 +20,7 @@ locals { network_name = "vpc-${local.vpc_name}" restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip google_forward_source_range = "35.199.192.0/19" - advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] + advertised_ip = var.environment_code == "c" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf index 40ac84c4c..442fc44dc 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/outputs.tf 
@@ -19,6 +19,11 @@ output "network_name" { description = "The name of the VPC being created" } +output "restricted_dns_policy" { + value = google_dns_policy.default_policy.name + description = "The name of the DNS policy being created" +} + output "network_self_link" { value = module.main.network_self_link description = "The URI of the VPC being created" diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index ef053682e..c145f686d 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -51,6 +51,7 @@ func getNetworkResourceNames(envCode string, networkMode string, firewallMode st "base": { "network_name": fmt.Sprintf("vpc-%s-shared-base%s", envCode, networkMode), "global_address": fmt.Sprintf("ga-%s-shared-base%s-vpc-peering-internal", envCode, networkMode), + "dns_zone_forward": "fz-dns-hub", "dns_zone_googleapis": fmt.Sprintf("dz-%s-shared-base-apis", envCode), "dns_zone_gcr": fmt.Sprintf("dz-%s-shared-base-gcr", envCode), "dns_zone_pkg_dev": fmt.Sprintf("dz-%s-shared-base-pkg-dev", envCode), @@ -69,6 +70,7 @@ func getNetworkResourceNames(envCode string, networkMode string, firewallMode st "restricted": { "network_name": fmt.Sprintf("vpc-%s-shared-restricted%s", envCode, networkMode), "global_address": fmt.Sprintf("ga-%s-shared-restricted%s-vpc-peering-internal", envCode, networkMode), + "dns_zone_forward": "fz-dns-hub", "dns_zone_googleapis": fmt.Sprintf("dz-%s-shared-restricted-apis", envCode), "dns_zone_gcr": fmt.Sprintf("dz-%s-shared-restricted-gcr", envCode), "dns_zone_pkg_dev": fmt.Sprintf("dz-%s-shared-restricted-pkg-dev", envCode), 
@@ -331,22 +333,17 @@ func TestNetworks(t *testing.T) { tfdDir = "../../../3-networks-hub-and-spoke/envs/%s" } - var tfdDirDNS string - if networkMode == "" { - tfdDirDNS = "../../../3-networks-dual-svpc/envs/production" - } else { - tfdDirDNS = "../../../3-networks-hub-and-spoke/envs/shared" - } - envCode := string(envName[0:1]) networks := tft.NewTFBlueprintTest(t, tft.WithTFDir(fmt.Sprintf(tfdDir, envName)), - tft.WithTFDir(fmt.Sprintf(tfdDirDNS)), tft.WithVars(vars), tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 10, 2*time.Minute), tft.WithPolicyLibraryPath("/workspace/policy-library", bootstrap.GetTFSetupStringOutput("project_id")), tft.WithBackendConfig(backendConfig), ) + + networkMode := getNetworkMode(t) + networks.DefineVerify( func(assert *assert.Assertions) { // perform default verification ensuring Terraform reports no additional changes on an applied blueprint @@ -359,9 +356,6 @@ func TestNetworks(t *testing.T) { servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name")) accessLevel := fmt.Sprintf("accessPolicies/%s/accessLevels/%s", policyID, networks.GetStringOutput("access_level_name_dry_run")) networkNames := getNetworkResourceNames(envCode, networkMode, firewallMode) - baseSharedProjectID := networks.GetStringOutput("base_host_project_id") - restrictedProjectID := networks.GetStringOutput("restricted_host_project_id") - dnsFwZoneName := "fz-dns-hub" servicePerimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", servicePerimeterLink, policyID)) assert.NoError(err) 
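Review bot: `networkMode := getNetworkMode(t)` is added after `networks` is built, yet `networkMode` is already referenced earlier in this function (the removed `if networkMode == ""` branch uses it, and `tfdDir` is chosen by it just above the hunk), so this line is either a compile error ("no new variables on left side of :=") if the earlier declaration is in the same scope, or a shadowing re-read of the same value if the hunk sits inside a `t.Run` closure; the surrounding declaration is outside the hunk, so I cannot tell which. Either way the new line looks redundant: if the outer variable is what the verify closure should see, drop the line, and if a fresh read is really intended, use plain assignment `networkMode = getNetworkMode(t)` so the intent is explicit. `TestNetworks` begins before this hunk and continues after it.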
@@ -378,22 +372,30 @@ func TestNetworks(t *testing.T) { } { projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType)) - for _, dnsType := range []string{ - "dns_zone_googleapis", - "dns_zone_gcr", - "dns_zone_pkg_dev", - "dns_zone_peering_zone", - } { - dnsName := networkNames[networkType][dnsType] - dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) - assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) + if networkMode == "-spoke" { + for _, dnsType := range []string{ + "dns_zone_googleapis", + "dns_zone_gcr", + "dns_zone_pkg_dev", + "dns_zone_peering_zone", + } { + dnsName := networkNames[networkType][dnsType] + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) + assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) + } + } else { + for _, dnsType := range []string{ + "dns_zone_googleapis", + "dns_zone_gcr", + "dns_zone_pkg_dev", + "dns_zone_forward", + } { + dnsName := networkNames[networkType][dnsType] + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) + assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName)) + } } - dnsZoneSharedBaseHubSpoke := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA) - assert.Equal(dnsFwZoneName, dnsZoneSharedBaseHubSpoke.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for base", dnsFwZoneName)) - dnsZoneRestrictedHubSpoke := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA) - assert.Equal(dnsFwZoneName, 
dnsZoneRestrictedHubSpoke .Get("name").String(), fmt.Sprintf("dnsZone %s should exist for restricted", dnsFwZoneName)) - networkName := networkNames[networkType]["network_name"] networkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkName) dnsPolicyName := networkNames[networkType]["dns_policy_name"] 
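Review bot: The new `if networkMode == "-spoke"` / `else` branches are two copies of the same describe-and-assert loop that differ only in the fourth zone key (`dns_zone_peering_zone` versus `dns_zone_forward`), which doubles the code that must be kept in sync for no behavioural gain. Selecting the fourth key first and running one loop keeps the check identical and makes the spoke/hub distinction visible in a single line; the earlier hunk in this file already adds the `dns_zone_forward` entry to `getNetworkResourceNames` for both network types. The enclosing `for` over network types starts before this hunk and the verify closure continues after it.
```go
projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType))

// Spokes get a peering zone to the DNS hub; non-spoke networks host the forwarding zone themselves.
lastZone := "dns_zone_forward"
if networkMode == "-spoke" {
	lastZone = "dns_zone_peering_zone"
}
for _, dnsType := range []string{"dns_zone_googleapis", "dns_zone_gcr", "dns_zone_pkg_dev", lastZone} {
	dnsName := networkNames[networkType][dnsType]
	dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA)
	assert.Equal(dnsName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsName))
}
// … unchanged: network URL and DNS policy checks …
```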
@@ -462,18 +464,16 @@ func TestNetworks(t *testing.T) { } { routerName := networkNames[networkType][router.router] + bgpAdvertisedIpRange := "35.199.192.0/19" computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s --impersonate-service-account %s", routerName, router.region, projectID, terraformSA) networkSelfLink := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", projectID, networkNames[networkType]["network_name"]) assert.Equal(routerName, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", routerName)) assert.Equal("64514", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", routerName)) - assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", routerName)) - assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType])) - assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network %s", routerName, networkNames[networkType]["network_name"])) - - dnsZoneSharedBaseSVPC := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, baseSharedProjectID, terraformSA) - assert.Equal(dnsFwZoneName, dnsZoneSharedBaseSVPC.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for base", dnsFwZoneName)) - dnsZoneRestrictedSVPC := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsFwZoneName, restrictedProjectID, terraformSA) - assert.Equal(dnsFwZoneName, dnsZoneRestrictedSVPC.Get("name").String(), fmt.Sprintf("dnsZone %s should exist for restricted", dnsFwZoneName)) + assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s 
should be on network %s", routerName, networkNames[networkType]["network_name"])) + if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { + assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange)) + assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType])) + } } } } @@ -483,4 +483,3 @@ func TestNetworks(t *testing.T) { } } - diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index 8102b7163..796f1fb30 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go 
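Review bot: Inside the new `if strings.Contains(projectID, "prj-p") && networkMode != "-spoke"` block both assertions read `bgp.advertisedIpRanges.0.range`, first expecting `bgpAdvertisedIpRange` (35.199.192.0/19) and then `googleapisCIDR[envName][networkType]`; unless those two strings are equal, one of them always fails, and the Terraform change in this series puts the forwarder range first and the googleapis range second, so the second assertion should read index `1`. The removed `len(...) == 1` check also had value: with the production list now carrying two entries, asserting the count in each branch is what catches an unexpected extra advertisement, which is the security-relevant property here (a router leaking an additional prefix would otherwise pass). Two smaller points: `envName == "production"` expresses the condition more directly than substring-matching the project ID and avoids depending on a `strings` import whose presence I cannot confirm from this hunk, and `bgpAdvertisedIpRange` can be declared once outside the router loop. The enclosing loop and `TestNetworks` continue outside the hunk.
```go
// … unchanged: router name / ASN / network assertions …
if envName == "production" && networkMode != "-spoke" {
	// Production advertises the DNS proxy range first, then the googleapis range (list order from the module).
	assert.Equal(2, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should advertise exactly two IP ranges", routerName))
	assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange))
	assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.1.range").String(), fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType]))
} else {
	assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", routerName))
	assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType]))
}
```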
@@ -87,21 +87,23 @@ func TestShared(t *testing.T) { // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 // shared.DefaultVerify(assert) - projectID := shared.GetStringOutput("dns_hub_project_id") - networkName := "vpc-net-dns" - dnsHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/vpc-net-dns", projectID) - dnsPolicyName := "dp-dns-hub-default-policy" + dnsFwZoneName := "fz-dns-hub" + bgpAdvertisedIpRange := "35.199.192.0/19" - dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", dnsPolicyName, projectID) - assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) - assert.Equal(dnsHubNetworkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) + baseProjectID := shared.GetStringOutput("base_host_project_id") + baseNetworkName := shared.GetStringOutput("base_network_name") + baseDNSPolicyName := shared.GetStringOutput("base_dns_policy") + baseDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", baseProjectID, baseNetworkName) - dnsFwZoneName := "fz-dns-hub" - dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, projectID) - assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName)) + baseDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", baseDNSPolicyName, baseProjectID) /////// + assert.True(baseDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", baseDNSPolicyName)) + assert.Equal(baseDNSHubNetworkUrl, baseDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", baseDNSPolicyName, baseNetworkName)) - projectNetwork := gcloud.Runf(t, "compute 
networks describe %s --project %s", networkName, projectID) - assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) + baseDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, baseProjectID) + assert.Equal(dnsFwZoneName, baseDNSZone.Get("name").String(), fmt.Sprintf("baseDNSZone %s should exist", dnsFwZoneName)) // + + baseProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", baseNetworkName, baseProjectID) + assert.Equal(baseNetworkName, baseProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", baseNetworkName)) for _, subnet := range []struct { name string 
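Review bot: The added lines `baseDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", baseDNSPolicyName, baseProjectID) ///////` and `assert.Equal(dnsFwZoneName, baseDNSZone.Get("name").String(), ...) //` carry trailing `///////` and `//` markers that look like leftover debugging scaffolding and should be removed before merge. If a marker was meant to flag something (for example that the hub's DNS policy now comes from a Terraform output rather than a hard-coded name), say it in words, e.g. `// DNS policy and network names are read from the shared-env outputs added in this change.` The `TestShared` verify closure begins before this hunk.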
@@ -109,50 +111,111 @@ func TestShared(t *testing.T) { region string }{ { - name: "sb-net-dns-us-west1", - cidrRange: "172.16.0.128/25", + name: "sb-c-shared-base-hub-us-west1", + cidrRange: "10.1.0.0/18", region: "us-west1", }, { - name: "sb-net-dns-us-central1", - cidrRange: "172.16.0.0/25", + name: "sb-c-shared-base-hub-us-central1", + cidrRange: "10.0.0.0/18", region: "us-central1", }, } { - sub := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, projectID) - assert.Equal(subnet.name, sub.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) - assert.Equal(subnet.cidrRange, sub.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + baseSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, baseProjectID) + assert.Equal(subnet.name, baseSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, baseSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) } - bgpAdvertisedIpRange := "35.199.192.0/19" + for _, router := range []struct { + name string + region string + }{ + { + name: "cr-c-shared-base-hub-us-central1-cr1", + region: "us-central1", + }, + { + name: "cr-c-shared-base-hub-us-central1-cr2", + region: "us-central1", + }, + { + name: "cr-c-shared-base-hub-us-west1-cr3", + region: "us-west1", + }, + { + name: "cr-c-shared-base-hub-us-west1-cr4", + region: "us-west1", + }, + } { + baseComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, baseProjectID) + assert.Equal(router.name, baseComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64514", baseComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) + 
assert.Equal(bgpAdvertisedIpRange, baseComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(baseDNSHubNetworkUrl, baseComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-base-hub", router.name)) + } + + restrictedProjectID := shared.GetStringOutput("restricted_host_project_id") + restrictedNetworkName := shared.GetStringOutput("restricted_network_name") + restrictedDNSPolicyName := shared.GetStringOutput("restricted_dns_policy") + restrictedDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", restrictedProjectID, restrictedNetworkName) + + restrictedDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", restrictedDNSPolicyName, restrictedProjectID) + assert.True(restrictedDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", restrictedDNSPolicyName)) + assert.Equal(restrictedDNSHubNetworkUrl, restrictedDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", restrictedDNSPolicyName, restrictedNetworkName)) + + restrictedDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, restrictedProjectID) + assert.Equal(dnsFwZoneName, restrictedDNSZone.Get("name").String(), fmt.Sprintf("restrictedDNSZone %s should exist", dnsFwZoneName)) + + restrictedProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", restrictedNetworkName, restrictedProjectID) + assert.Equal(restrictedNetworkName, restrictedProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", restrictedNetworkName)) + + for _, subnet := range []struct { + name string + cidrRange string + region string + }{ + { + name: "sb-c-shared-restricted-hub-us-west1", + cidrRange: "10.9.0.0/18", + region: "us-west1", + }, + { + name: 
"sb-c-shared-restricted-hub-us-central1", + cidrRange: "10.8.0.0/18", + region: "us-central1", + }, + } { + restrictedSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, restrictedProjectID) + assert.Equal(subnet.name, restrictedSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, restrictedSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + } for _, router := range []struct { name string region string }{ { - name: "cr-net-dns-us-central1-cr1", + name: "cr-c-shared-restricted-hub-us-central1-cr5", region: "us-central1", }, { - name: "cr-net-dns-us-central1-cr2", + name: "cr-c-shared-restricted-hub-us-central1-cr6", region: "us-central1", }, { - name: "cr-net-dns-us-west1-cr3", + name: "cr-c-shared-restricted-hub-us-west1-cr7", region: "us-west1", }, { - name: "cr-net-dns-us-west1-cr4", + name: "cr-c-shared-restricted-hub-us-west1-cr8", region: "us-west1", }, } { - computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, projectID) - assert.Equal(router.name, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64667", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64667", router.name)) - assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", router.name)) - assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(dnsHubNetworkUrl, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network vpc-net-dns", router.name)) + restrictedComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s 
--project %s", router.name, router.region, restrictedProjectID) + assert.Equal(router.name, restrictedComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64514", restrictedComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) + assert.Equal(bgpAdvertisedIpRange, restrictedComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(restrictedDNSHubNetworkUrl, restrictedComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-restricted-hub", router.name)) } }) shared.Test() From 32afc3e0e0c258d219808786c7793281fa9f159c Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 30 Jan 2025 17:49:27 -0300 Subject: [PATCH 31/47] update dual-shared --- 3-networks-dual-svpc/README.md | 51 ++++++++++++++----- .../envs/production/README.md | 1 + 3-networks-dual-svpc/envs/production/main.tf | 1 + .../envs/production/production.auto.tfvars | 1 + .../envs/production/variables.tf | 6 +++ 3-networks-dual-svpc/envs/shared/README.md | 5 +- 3-networks-dual-svpc/envs/shared/outputs.tf | 11 ++++ 3-networks-dual-svpc/envs/shared/remote.tf | 28 +++++----- .../modules/base_env/README.md | 2 + 3-networks-dual-svpc/modules/base_env/main.tf | 4 +- .../modules/base_env/outputs.tf | 10 ++++ .../modules/base_env/remote.tf | 18 +++---- .../modules/base_shared_vpc/README.md | 1 - .../modules/base_shared_vpc/variables.tf | 6 --- .../modules/restricted_shared_vpc/README.md | 1 - .../restricted_shared_vpc/variables.tf | 6 --- .../production.auto.example.tfvars | 29 +++++++++++ 17 files changed, 129 insertions(+), 52 deletions(-) create mode 120000 3-networks-dual-svpc/envs/production/production.auto.tfvars create mode 100644 3-networks-dual-svpc/production.auto.example.tfvars 
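Review bot: The rewritten router checks drop the previous `assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), ...)` and only inspect index `0`, so a hub router that advertises an unexpected additional prefix now passes; since the hub-and-spoke module in this series advertises two ranges for the hub (the DNS proxy range followed by the PSC endpoint IP), the loops should assert the count, e.g. `assert.Equal(2, len(baseComputeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should advertise exactly two IP ranges", router.name))` and the mirror line for `restrictedComputeRouter`, and check `.1.range` if an output exposes the PSC IP. The base and restricted sections are otherwise line-for-line duplicates that differ only in the output names, subnet/router names and CIDRs; a table of `{prefix, projectOutput, networkOutput, policyOutput, subnets, routers}` iterated once would halve the code and keep future assertions aligned. The message in `fmt.Sprintf("router %s should be on network vpc-c-shared-base-hub", ...)` hard-codes a name the assertion itself reads from `baseDNSHubNetworkUrl`; use `baseNetworkName` there (and `restrictedNetworkName` in the mirror) so the message cannot drift from the check. This hunk closes the verify closure; `TestShared` starts before it.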
diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 6b19953cc..9ede0897e 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -195,10 +195,15 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ```bash git add . - git commit -m 'Initialize networks repo' + git commit -m 'Initialize networks repo - plan' + ``` + +1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it. + + ```bash + git checkout -b production ``` -1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it. 1. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 1. Use `terraform output` to get the Cloud Build project ID and the networks step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. 
@@ -210,6 +215,36 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` +1. Run `init` and `plan` and review output for environment production. + + ```bash + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production + ``` + +1. Run `validate` and check for violations. + + ```bash + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${CLOUD_BUILD_PROJECT_ID} + ``` + +1. Run `apply` production. + + ```bash + ./tf-wrapper.sh apply production + ``` + + 1. Push your production branch since development and nonproduction depends it. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + +*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments. + + ```bash + git push --set-upstream origin production + ``` + +1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it. + 1. Run `init` and `plan` and review output for environment shared. ```bash 
@@ -237,17 +272,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push --set-upstream origin plan ``` -1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID - -*Note:** The Production envrionment must be the next branch to be merged as it includes the DNS Hub communication that will be used by other environments. - - ```bash - git checkout -b production - git push origin production - ``` - -1. After production has been applied, apply development. +1. After plan has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md index b769dce48..4cedf43a6 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-dual-svpc/envs/production/README.md 
@@ -24,6 +24,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | +| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | ## Outputs diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index c6512b2ac..80ff6be01 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf @@ -95,4 +95,5 @@ module "base_env" { restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name + target_name_server_addresses = var.target_name_server_addresses } 
diff --git a/3-networks-dual-svpc/envs/production/production.auto.tfvars b/3-networks-dual-svpc/envs/production/production.auto.tfvars new file mode 120000 index 000000000..be31a2edd --- /dev/null +++ b/3-networks-dual-svpc/envs/production/production.auto.tfvars @@ -0,0 +1 @@ +../../production.auto.tfvars \ No newline at end of file diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf index 02448e5a9..588a9e69d 100644 --- a/3-networks-dual-svpc/envs/production/variables.tf +++ b/3-networks-dual-svpc/envs/production/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "target_name_server_addresses" { + description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones." + type = list(map(any)) + default = [] +} + variable "remote_state_bucket" { description = "Backend bucket to load Terraform Remote State Data from previous steps." type = string diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index 37d6649d7..b25a5bac8 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md @@ -20,6 +20,9 @@ ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| base\_host\_project\_id | The base host project ID | +| restricted\_host\_project\_id | The restricted host project ID | diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf index 9d277cce1..12eb65a63 100644 --- a/3-networks-dual-svpc/envs/shared/outputs.tf +++ b/3-networks-dual-svpc/envs/shared/outputs.tf 
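Review bot: The new symlink `envs/production/production.auto.tfvars` points at `../../production.auto.tfvars`, but that target is not part of this commit; the diffstat only adds `3-networks-dual-svpc/production.auto.example.tfvars`, so the link dangles until an operator copies or renames the example. If the other environments in this repository already rely on the same pattern (real `*.tfvars` kept out of git, example copied by hand) this is consistent, but the README steps for `production` added in this patch do not mention copying the example before `./tf-wrapper.sh init production`; a one-line instruction there would avoid a confusing first run.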
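Review bot: `target_name_server_addresses` in `envs/production/variables.tf` is typed `list(map(any))` with no `validation` block, so a mistyped `ipv4_address` key or a non-IPv4 value is only caught at apply time, presumably when the forwarding zone is created, and a wrong but syntactically valid address silently becomes the resolver that private-zone queries are forwarded to. The description promises IPv4 addresses; a validation that rejects anything else makes the contract enforceable at plan time. The same loosely typed variable exists in `modules/restricted_shared_vpc/variables.tf` later in this patch; tightening both to `list(object({ ipv4_address = string, forwarding_path = optional(string) }))` would be a reasonable follow-up if the Terraform version pinned by the repository supports optional object attributes.
```hcl
variable "target_name_server_addresses" {
  // … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for ns in var.target_name_server_addresses :
      can(cidrnetmask("${ns.ipv4_address}/32"))
    ])
    error_message = "Every entry of target_name_server_addresses needs an ipv4_address key holding a valid IPv4 address."
  }
}
```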
@@ -14,3 +14,14 @@
  * limitations under the License.
  */
 
+
+output "restricted_host_project_id" {
+ value = local.restricted_net_hub_project_id
+ description = "The restricted host project ID"
+}
+
+output "base_host_project_id" {
+ value = local.base_net_hub_project_id
+ description = "The base host project ID"
+}
+
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf
index 3afb75cb7..2ea494953 100644
--- a/3-networks-dual-svpc/envs/shared/remote.tf
+++ b/3-networks-dual-svpc/envs/shared/remote.tf
@@ -15,19 +15,21 @@ */ locals { - env = "common" - environment_code = "c" - dns_bgp_asn_number = var.bgp_asn_dns - default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name - common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name - development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder - nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder - production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder + env = "common" + environment_code = "c" + dns_bgp_asn_number = var.bgp_asn_dns + default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name + common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name + network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name + development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder + nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder + production_folder_name = 
data.terraform_remote_state.env_production.outputs.env_folder + base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id // + restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id // } data "terraform_remote_state" "bootstrap" { diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index 4ce102cfc..39744b3ba 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md @@ -41,6 +41,7 @@ |------|-------------| | access\_level\_name | Access context manager access level name for the enforced perimeter | | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter | +| base\_dns\_project\_id | The base DNS project ID | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | @@ -49,6 +50,7 @@ | base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets | | base\_subnets\_self\_links | The self-links of subnets being created | | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. | +| restricted\_dns\_project\_id | The restricted DNS project ID | | restricted\_host\_project\_id | The restricted host project ID | | restricted\_network\_name | The name of the VPC being created | | restricted\_network\_self\_link | The URI of the VPC being created | 
diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 930d869a0..ffd7a9c32 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -171,7 +171,7 @@ module "restricted_shared_vpc" { project_id = local.restricted_project_id project_number = local.restricted_project_number - production_project_id = local.production_restricted_project_id + restricted_dns_project_id = local.restricted_dns_project_id environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services @@ -265,7 +265,7 @@ module "base_shared_vpc" { source = "../base_shared_vpc" project_id = local.base_project_id - production_project_id = local.production_base_project_id + base_dns_project_id = local.base_dns_project_id environment_code = var.environment_code private_service_cidr = var.base_private_service_cidr private_service_connect_ip = var.base_private_service_connect_ip diff --git a/3-networks-dual-svpc/modules/base_env/outputs.tf b/3-networks-dual-svpc/modules/base_env/outputs.tf index c67e52119..2b8044a12 100644 --- a/3-networks-dual-svpc/modules/base_env/outputs.tf +++ b/3-networks-dual-svpc/modules/base_env/outputs.tf @@ -24,6 +24,11 @@ output "target_name_server_addresses" { Restricted Outputs *********************/ +output "restricted_dns_project_id" { + value = local.restricted_dns_project_id + description = "The restricted DNS project ID" +} + output "restricted_host_project_id" { value = local.restricted_project_id description = "The restricted host project ID" 
@@ -85,6 +90,11 @@ output "restricted_service_perimeter_name" { Private Outputs *****************************************/ +output "base_dns_project_id" { + value = local.base_dns_project_id + description = "The base DNS project ID" +} + output "base_host_project_id" { value = local.base_project_id description = "The base host project ID" diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf b/3-networks-dual-svpc/modules/base_env/remote.tf index a768cdde5..8c8f853ec 100644 --- a/3-networks-dual-svpc/modules/base_env/remote.tf +++ b/3-networks-dual-svpc/modules/base_env/remote.tf 
@@ -15,15 +15,15 @@ */ locals { - restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id - base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number - interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number - organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email - production_restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id - production_base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id + restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id + base_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number + interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = 
data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + restricted_dns_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].restricted_shared_vpc_project_id + base_dns_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects["production"].base_shared_vpc_project_id } data "terraform_remote_state" "bootstrap" { diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 707c8acd1..6636bf604 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md @@ -20,7 +20,6 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | -| production\_project\_id | Project ID for Base Shared. | `string` | `""` | no | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created |
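Review bot: `restricted_dns_project_id` and `base_dns_project_id` are hard-wired to `shared_vpc_projects["production"]`, which is what makes every environment depend on the production state having been applied first, but nothing in `modules/base_env/remote.tf` says so, and the new names hide that the "DNS project" is in fact production's shared VPC host project. A comment above the two lines would keep the dependency next to the code rather than only in the README, e.g. `# DNS zones are hosted in the production shared VPC projects; development and nonproduction peer to them, so production must be applied first (see 3-networks-dual-svpc/README.md).`, adjusted if that is not the intended design. For `var.env == "production"` both locals resolve to the environment's own project; whether the consuming `base_shared_vpc`/`restricted_shared_vpc` modules expect that self-reference is not visible in this hunk.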
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 6a4ba92da..d1cab59d4 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -31,12 +31,6 @@ variable "base_network_name" { default = "" } -variable "production_project_id" { - description = "Project ID for Base Shared." - type = string - default = "" -} - variable "project_id" { type = string description = "Project ID for Private Shared VPC." diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index 4530eb09c..3ad3b457d 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md @@ -26,7 +26,6 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | -| production\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 9753fc176..27e733385 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf 
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -20,12 +20,6 @@ variable "restricted_dns_project_id" {
 default = ""
 }
 
-variable "production_project_id" {
- description = "Project ID for Restricted Shared."
- type = string
- default = ""
-}
-
 variable "target_name_server_addresses" {
 description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
 type = list(map(any))
diff --git a/3-networks-dual-svpc/production.auto.example.tfvars b/3-networks-dual-svpc/production.auto.example.tfvars
new file mode 100644
index 000000000..1517d7964
--- /dev/null
+++ b/3-networks-dual-svpc/production.auto.example.tfvars
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// List of IPv4 address of target name servers for the forwarding zone configuration.
+// See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones
+target_name_server_addresses = [
+ {
+ ipv4_address = "192.168.0.1",
+ forwarding_path = "default"
+ },
+ {
+ ipv4_address = "192.168.0.2",
+ forwarding_path = "default"
+ }
+]
+
From 15d95a6da69409893b0aa2712cf489d8cf299293 Mon Sep 17 00:00:00 2001
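Review bot: The license header of the new `production.auto.example.tfvars` says `Copyright 2022 Google LLC` although the file is introduced by this 2025 patch; it looks copied from an older file, and if the repository's header check compares the year it will fail. The two entries `192.168.0.1` and `192.168.0.2` are clearly placeholders, but nothing says so; a line such as `// Replace these placeholders with the addresses of your on-premises resolvers.` keeps someone from applying the example unchanged, which would forward private-zone queries to whatever answers at those RFC 1918 addresses.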
From: Renato Rudnicki Date: Fri, 31 Jan 2025 15:57:44 -0300 Subject: [PATCH 32/47] fix dual-svpc integration test --- 3-networks-dual-svpc/envs/shared/outputs.tf | 11 - 3-networks-dual-svpc/envs/shared/remote.tf | 28 +- test/integration/shared/shared_test.go | 274 ++++++++++---------- 3 files changed, 150 insertions(+), 163 deletions(-) diff --git a/3-networks-dual-svpc/envs/shared/outputs.tf b/3-networks-dual-svpc/envs/shared/outputs.tf index 12eb65a63..9d277cce1 100644 --- a/3-networks-dual-svpc/envs/shared/outputs.tf +++ b/3-networks-dual-svpc/envs/shared/outputs.tf @@ -14,14 +14,3 @@ * limitations under the License. */ - -output "restricted_host_project_id" { - value = local.restricted_net_hub_project_id - description = "The restricted host project ID" -} - -output "base_host_project_id" { - value = local.base_net_hub_project_id - description = "The base host project ID" -} - diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf index 2ea494953..3afb75cb7 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf +++ b/3-networks-dual-svpc/envs/shared/remote.tf 
@@ -15,21 +15,19 @@ */ locals { - env = "common" - environment_code = "c" - dns_bgp_asn_number = var.bgp_asn_dns - default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name - common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name - development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder - nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder - production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder - base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id // - restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id // + env = "common" + environment_code = "c" + dns_bgp_asn_number = var.bgp_asn_dns + default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name + common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name + network_folder_name = data.terraform_remote_state.org.outputs.network_folder_name + development_folder_name = 
data.terraform_remote_state.env_development.outputs.env_folder + nonproduction_folder_name = data.terraform_remote_state.env_nonproduction.outputs.env_folder + production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder } data "terraform_remote_state" "bootstrap" { diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index 796f1fb30..6f7d21f9d 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go 
@@ -78,144 +78,144 @@ func TestShared(t *testing.T) { // do a time.Sleep to wait for propagation of VPC Service Controls configuration in the Hub and Spoke network mode if isHubAndSpokeMode(t) { time.Sleep(60 * time.Second) - } - - // perform default verification ensuring Terraform reports no additional changes on an applied blueprint - // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) - // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 - // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 - // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 - // shared.DefaultVerify(assert) - - dnsFwZoneName := "fz-dns-hub" - bgpAdvertisedIpRange := "35.199.192.0/19" - - baseProjectID := shared.GetStringOutput("base_host_project_id") - baseNetworkName := shared.GetStringOutput("base_network_name") - baseDNSPolicyName := shared.GetStringOutput("base_dns_policy") - baseDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", baseProjectID, baseNetworkName) - - baseDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", baseDNSPolicyName, baseProjectID) /////// - assert.True(baseDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", baseDNSPolicyName)) - assert.Equal(baseDNSHubNetworkUrl, baseDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", baseDNSPolicyName, baseNetworkName)) - - baseDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, baseProjectID) - assert.Equal(dnsFwZoneName, baseDNSZone.Get("name").String(), fmt.Sprintf("baseDNSZone %s should exist", dnsFwZoneName)) // - - baseProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", 
baseNetworkName, baseProjectID) - assert.Equal(baseNetworkName, baseProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", baseNetworkName)) - - for _, subnet := range []struct { - name string - cidrRange string - region string - }{ - { - name: "sb-c-shared-base-hub-us-west1", - cidrRange: "10.1.0.0/18", - region: "us-west1", - }, - { - name: "sb-c-shared-base-hub-us-central1", - cidrRange: "10.0.0.0/18", - region: "us-central1", - }, - } { - baseSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, baseProjectID) - assert.Equal(subnet.name, baseSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) - assert.Equal(subnet.cidrRange, baseSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) - } - - for _, router := range []struct { - name string - region string - }{ - { - name: "cr-c-shared-base-hub-us-central1-cr1", - region: "us-central1", - }, - { - name: "cr-c-shared-base-hub-us-central1-cr2", - region: "us-central1", - }, - { - name: "cr-c-shared-base-hub-us-west1-cr3", - region: "us-west1", - }, - { - name: "cr-c-shared-base-hub-us-west1-cr4", - region: "us-west1", - }, - } { - baseComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, baseProjectID) - assert.Equal(router.name, baseComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64514", baseComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) - assert.Equal(bgpAdvertisedIpRange, baseComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(baseDNSHubNetworkUrl, baseComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-base-hub", router.name)) - } - - 
restrictedProjectID := shared.GetStringOutput("restricted_host_project_id") - restrictedNetworkName := shared.GetStringOutput("restricted_network_name") - restrictedDNSPolicyName := shared.GetStringOutput("restricted_dns_policy") - restrictedDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", restrictedProjectID, restrictedNetworkName) - - restrictedDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", restrictedDNSPolicyName, restrictedProjectID) - assert.True(restrictedDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", restrictedDNSPolicyName)) - assert.Equal(restrictedDNSHubNetworkUrl, restrictedDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", restrictedDNSPolicyName, restrictedNetworkName)) - - restrictedDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, restrictedProjectID) - assert.Equal(dnsFwZoneName, restrictedDNSZone.Get("name").String(), fmt.Sprintf("restrictedDNSZone %s should exist", dnsFwZoneName)) - - restrictedProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", restrictedNetworkName, restrictedProjectID) - assert.Equal(restrictedNetworkName, restrictedProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", restrictedNetworkName)) - - for _, subnet := range []struct { - name string - cidrRange string - region string - }{ - { - name: "sb-c-shared-restricted-hub-us-west1", - cidrRange: "10.9.0.0/18", - region: "us-west1", - }, - { - name: "sb-c-shared-restricted-hub-us-central1", - cidrRange: "10.8.0.0/18", - region: "us-central1", - }, - } { - restrictedSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, restrictedProjectID) - assert.Equal(subnet.name, restrictedSubnet.Get("name").String(), fmt.Sprintf("subnet %s should 
exist", subnet.name)) - assert.Equal(subnet.cidrRange, restrictedSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) - } - for _, router := range []struct { - name string - region string - }{ - { - name: "cr-c-shared-restricted-hub-us-central1-cr5", - region: "us-central1", - }, - { - name: "cr-c-shared-restricted-hub-us-central1-cr6", - region: "us-central1", - }, - { - name: "cr-c-shared-restricted-hub-us-west1-cr7", - region: "us-west1", - }, - { - name: "cr-c-shared-restricted-hub-us-west1-cr8", - region: "us-west1", - }, - } { - restrictedComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, restrictedProjectID) - assert.Equal(router.name, restrictedComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) - assert.Equal("64514", restrictedComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) - assert.Equal(bgpAdvertisedIpRange, restrictedComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) - assert.Equal(restrictedDNSHubNetworkUrl, restrictedComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-restricted-hub", router.name)) + // perform default verification ensuring Terraform reports no additional changes on an applied blueprint + // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) + // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 + // shared.DefaultVerify(assert) + + dnsFwZoneName := "fz-dns-hub" + bgpAdvertisedIpRange := 
"35.199.192.0/19" + + baseProjectID := shared.GetStringOutput("base_host_project_id") + baseNetworkName := shared.GetStringOutput("base_network_name") + baseDNSPolicyName := shared.GetStringOutput("base_dns_policy") + baseDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", baseProjectID, baseNetworkName) + + baseDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", baseDNSPolicyName, baseProjectID) /////// + assert.True(baseDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", baseDNSPolicyName)) + assert.Equal(baseDNSHubNetworkUrl, baseDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", baseDNSPolicyName, baseNetworkName)) + + baseDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, baseProjectID) + assert.Equal(dnsFwZoneName, baseDNSZone.Get("name").String(), fmt.Sprintf("baseDNSZone %s should exist", dnsFwZoneName)) // + + baseProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", baseNetworkName, baseProjectID) + assert.Equal(baseNetworkName, baseProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", baseNetworkName)) + + for _, subnet := range []struct { + name string + cidrRange string + region string + }{ + { + name: "sb-c-shared-base-hub-us-west1", + cidrRange: "10.1.0.0/18", + region: "us-west1", + }, + { + name: "sb-c-shared-base-hub-us-central1", + cidrRange: "10.0.0.0/18", + region: "us-central1", + }, + } { + baseSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, baseProjectID) + assert.Equal(subnet.name, baseSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, baseSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + } + + for 
_, router := range []struct { + name string + region string + }{ + { + name: "cr-c-shared-base-hub-us-central1-cr1", + region: "us-central1", + }, + { + name: "cr-c-shared-base-hub-us-central1-cr2", + region: "us-central1", + }, + { + name: "cr-c-shared-base-hub-us-west1-cr3", + region: "us-west1", + }, + { + name: "cr-c-shared-base-hub-us-west1-cr4", + region: "us-west1", + }, + } { + baseComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, baseProjectID) + assert.Equal(router.name, baseComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64514", baseComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) + assert.Equal(bgpAdvertisedIpRange, baseComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(baseDNSHubNetworkUrl, baseComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-base-hub", router.name)) + } + + restrictedProjectID := shared.GetStringOutput("restricted_host_project_id") + restrictedNetworkName := shared.GetStringOutput("restricted_network_name") + restrictedDNSPolicyName := shared.GetStringOutput("restricted_dns_policy") + restrictedDNSHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s", restrictedProjectID, restrictedNetworkName) + + restrictedDNSPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", restrictedDNSPolicyName, restrictedProjectID) + assert.True(restrictedDNSPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", restrictedDNSPolicyName)) + assert.Equal(restrictedDNSHubNetworkUrl, restrictedDNSPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", restrictedDNSPolicyName, 
restrictedNetworkName)) + + restrictedDNSZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, restrictedProjectID) + assert.Equal(dnsFwZoneName, restrictedDNSZone.Get("name").String(), fmt.Sprintf("restrictedDNSZone %s should exist", dnsFwZoneName)) + + restrictedProjectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", restrictedNetworkName, restrictedProjectID) + assert.Equal(restrictedNetworkName, restrictedProjectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", restrictedNetworkName)) + + for _, subnet := range []struct { + name string + cidrRange string + region string + }{ + { + name: "sb-c-shared-restricted-hub-us-west1", + cidrRange: "10.9.0.0/18", + region: "us-west1", + }, + { + name: "sb-c-shared-restricted-hub-us-central1", + cidrRange: "10.8.0.0/18", + region: "us-central1", + }, + } { + restrictedSubnet := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, restrictedProjectID) + assert.Equal(subnet.name, restrictedSubnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, restrictedSubnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + } + + for _, router := range []struct { + name string + region string + }{ + { + name: "cr-c-shared-restricted-hub-us-central1-cr5", + region: "us-central1", + }, + { + name: "cr-c-shared-restricted-hub-us-central1-cr6", + region: "us-central1", + }, + { + name: "cr-c-shared-restricted-hub-us-west1-cr7", + region: "us-west1", + }, + { + name: "cr-c-shared-restricted-hub-us-west1-cr8", + region: "us-west1", + }, + } { + restrictedComputeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, restrictedProjectID) + assert.Equal(router.name, restrictedComputeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + 
assert.Equal("64514", restrictedComputeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", router.name)) + assert.Equal(bgpAdvertisedIpRange, restrictedComputeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(restrictedDNSHubNetworkUrl, restrictedComputeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network vpc-c-shared-restricted-hub", router.name)) + } } }) shared.Test() From c79dd078665fe0c0038455e3c4a65883e2dcc1d0 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 31 Jan 2025 16:37:54 -0300 Subject: [PATCH 33/47] fix lint --- 3-networks-dual-svpc/envs/shared/README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index b25a5bac8..37d6649d7 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md @@ -20,9 +20,6 @@ ## Outputs -| Name | Description | -|------|-------------| -| base\_host\_project\_id | The base host project ID | -| restricted\_host\_project\_id | The restricted host project ID | +No outputs. From 62d908c6216bb64aebb784a69df7ac2a92278f35 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Mon, 3 Feb 2025 20:12:00 -0300 Subject: [PATCH 34/47] change array order for network test --- test/integration/networks/networks_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index c145f686d..3699ec87f 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -310,9 +310,9 @@ func TestNetworks(t *testing.T) { } for _, envName := range []string{ + "production", "development", "nonproduction", - "production", } { envName := envName t.Run(envName, func(t *testing.T) { 
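Review bot: Moving the closing brace of `if isHubAndSpokeMode(t) { time.Sleep(60 * time.Second) ... }` to the end of the function puts every hub assertion (DNS policy inbound forwarding, the `fz-dns-hub` zone, subnets, BGP routers and their advertised `35.199.192.0/19` range) inside that branch, so when the dual shared VPC layout is under test TestShared asserts nothing and passes vacuously. If the hub resources really exist only in hub-and-spoke mode, say so in a comment above the `if`, e.g. `// hub-side DNS and BGP checks only apply to hub-and-spoke; dual-svpc is covered by networks_test.go`, and either `t.Skip` the other mode or add its assertions in an `else`, since a silently green test would hide a disabled inbound-forwarding policy or a wrong BGP advertisement. The stray `///////` after the `baseDNSPolicy := gcloud.Runf(...)` call and the trailing `//` on the `baseDNSZone` assertion survive the re-indent and should be dropped. TestShared starts before this hunk.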
From 11bf750ac31d04a74f1e25b84cc91883f6606fe5 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 5 Feb 2025 16:32:49 -0300 Subject: [PATCH 35/47] update integration tests for helper --- helpers/foundation-deployer/stages/apply.go | 181 ++++++++++++------ helpers/foundation-deployer/stages/data.go | 5 +- helpers/foundation-deployer/stages/destroy.go | 6 +- 3 files changed, 128 insertions(+), 64 deletions(-) diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index d48083083..badf1088c 100644 --- a/helpers/foundation-deployer/stages/apply.go +++ b/helpers/foundation-deployer/stages/apply.go @@ -278,13 +278,24 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu step := GetNetworkStep(c.EnableHubAndSpoke) - // shared - sharedTfvars := NetSharedTfvars{ - TargetNameServerAddresses: tfvars.TargetNameServerAddresses, - } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "shared.auto.tfvars"), sharedTfvars) - if err != nil { - return err + if c.EnableHubAndSpoke { + // shared + sharedTfvars := NetSharedTfvars{ + TargetNameServerAddresses: tfvars.TargetNameServerAddresses, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "shared.auto.tfvars"), sharedTfvars) + if err != nil { + return err + } + + } else { + productionTfvars := NetSharedTfvars{ + TargetNameServerAddresses: tfvars.TargetNameServerAddresses, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "production.auto.tfvars"), productionTfvars) + if err != nil { + return err + } } // common commonTfvars := NetCommonTfvars{ 
@@ -295,7 +306,7 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu if tfvars.EnableHubAndSpoke { commonTfvars.EnableHubAndSpokeTransitivity = &tfvars.EnableHubAndSpokeTransitivity } - err = utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "common.auto.tfvars"), commonTfvars) + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "common.auto.tfvars"), commonTfvars) if err != nil { return err } 
@@ -308,37 +319,67 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu return err } - conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: NetworksRepo, - StageSA: outputs.NetworkSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: step, - Repo: NetworksRepo, - GitConf: conf, - HasManualStep: true, - GroupingUnits: []string{"envs"}, - Envs: []string{"production", "nonproduction", "development"}, - } + if c.EnableHubAndSpoke { - return deployStage(t, stageConf, s, c) + conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: NetworksRepo, + StageSA: outputs.NetworkSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: step, + Repo: NetworksRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{"shared"}, + GroupingUnits: []string{"envs"}, + Envs: []string{"production", "nonproduction", "development"}, + } + return deployStage(t, stageConf, s, c) + } else { + conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: NetworksRepo, + StageSA: outputs.NetworkSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: step, + Repo: NetworksRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{"production", "shared"}, + GroupingUnits: []string{"envs"}, + Envs: []string{"nonproduction", "development"}, + } + return deployStage(t, stageConf, s, c) + } } func DeployProjectsStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs BootstrapOutputs, c CommonConf) error { - // shared - sharedTfvars := ProjSharedTfvars{ - DefaultRegion: tfvars.DefaultRegion, - } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, 
"shared.auto.tfvars"), sharedTfvars) - if err != nil { - return err + + if c.EnableHubAndSpoke { + // shared + sharedTfvars := ProjSharedTfvars{ + DefaultRegion: tfvars.DefaultRegion, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "shared.auto.tfvars"), sharedTfvars) + if err != nil { + return err + } + } else { + productionTfvars := ProjSharedTfvars{ + DefaultRegion: tfvars.DefaultRegion, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "production.auto.tfvars"), productionTfvars) + if err != nil { + return err + } } // common commonTfvars := ProjCommonTfvars{ RemoteStateBucket: outputs.RemoteStateBucket, } - err = utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "common.auto.tfvars"), commonTfvars) + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "common.auto.tfvars"), commonTfvars) if err != nil { return err } 
@@ -359,22 +400,40 @@ func DeployProjectsStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu } } - conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: ProjectsRepo, - StageSA: outputs.ProjectsSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: ProjectsStep, - Repo: ProjectsRepo, - GitConf: conf, - HasManualStep: true, - GroupingUnits: []string{"business_unit_1"}, - Envs: []string{"production", "nonproduction", "development"}, + if c.EnableHubAndSpoke { + + conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: ProjectsRepo, + StageSA: outputs.ProjectsSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: ProjectsStep, + Repo: ProjectsRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{"shared"}, + GroupingUnits: []string{"business_unit_1"}, + Envs: []string{"production", "nonproduction", "development"}, + } + return deployStage(t, stageConf, s, c) + } else { + conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: ProjectsRepo, + StageSA: outputs.ProjectsSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: ProjectsStep, + Repo: ProjectsRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{"production", "shared"}, + GroupingUnits: []string{"business_unit_1"}, + Envs: []string{"nonproduction", "development"}, + } + return deployStage(t, stageConf, s, c) } - - return deployStage(t, stageConf, s, c) - } func DeployExampleAppStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs InfraPipelineOutputs, c CommonConf) error { 
@@ -433,22 +492,25 @@ func deployStage(t testing.TB, sc StageConf, s steps.Steps, c CommonConf) error return err } - shared := []string{} - if sc.HasManualStep { - shared = sc.GroupingUnits + groupunit := []string{} + if sc.HasLocalStep { + groupunit = sc.GroupingUnits } - for _, bu := range shared { - buOptions := &terraform.Options{ - TerraformDir: filepath.Join(filepath.Join(c.CheckoutPath, sc.Repo), bu, "shared"), - Logger: c.Logger, - NoColor: true, - } - err := s.RunStep(fmt.Sprintf("%s.%s.apply-shared", sc.Stage, bu), func() error { - return applyLocal(t, buOptions, sc.StageSA, c.PolicyPath, c.ValidatorProject) - }) - if err != nil { - return err + for _, bu := range groupunit { + for _, localStep := range sc.LocalSteps { + buOptions := &terraform.Options{ + TerraformDir: filepath.Join(filepath.Join(c.CheckoutPath, sc.Repo), bu, localStep), + Logger: c.Logger, + NoColor: true, + } + + err := s.RunStep(fmt.Sprintf("%s.%s.apply-shared", sc.Stage, bu), func() error { + return applyLocal(t, buOptions, sc.StageSA, c.PolicyPath, c.ValidatorProject) + }) + if err != nil { + return err + } } } @@ -514,6 +576,7 @@ func copyStepCode(t testing.TB, conf utils.GitRepo, foundationPath, checkoutPath } func planStage(t testing.TB, conf utils.GitRepo, project, region, repo string) error { + err := conf.CommitFiles(fmt.Sprintf("Initialize %s repo", repo)) if err != nil { return err diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go index a3b64687c..2bc9722cf 100644 --- a/helpers/foundation-deployer/stages/data.go +++ b/helpers/foundation-deployer/stages/data.go @@ -63,9 +63,10 @@ type StageConf struct { Repo string CustomTargetDirPath string GitConf utils.GitRepo - HasManualStep bool + HasLocalStep bool GroupingUnits []string Envs []string + LocalSteps []string } type BootstrapOutputs struct { 
@@ -307,7 +308,7 @@ func GetInfraPipelineOutputs(t testing.TB, checkoutPath, workspace string) Infra func ReadGlobalTFVars(file string) (GlobalTFVars, error) { var globalTfvars GlobalTFVars if file == "" { - return globalTfvars, fmt.Errorf("tfvars file is required.") + return globalTfvars, fmt.Errorf("tfvars file is required") } _, err := os.Stat(file) if os.IsNotExist(err) { diff --git a/helpers/foundation-deployer/stages/destroy.go b/helpers/foundation-deployer/stages/destroy.go index 392a2f24a..3b02873e4 100644 --- a/helpers/foundation-deployer/stages/destroy.go +++ b/helpers/foundation-deployer/stages/destroy.go @@ -120,7 +120,7 @@ func DestroyNetworksStage(t testing.TB, s steps.Steps, outputs BootstrapOutputs, CICDProject: outputs.CICDProject, Step: step, Repo: NetworksRepo, - HasManualStep: true, + HasLocalStep: true, GroupingUnits: []string{"envs"}, Envs: []string{"development", "nonproduction", "production"}, } @@ -134,7 +134,7 @@ func DestroyProjectsStage(t testing.TB, s steps.Steps, outputs BootstrapOutputs, CICDProject: outputs.CICDProject, Step: ProjectsStep, Repo: ProjectsRepo, - HasManualStep: true, + HasLocalStep: true, GroupingUnits: []string{"business_unit_1"}, Envs: []string{"development", "nonproduction", "production"}, } @@ -188,7 +188,7 @@ func destroyStage(t testing.TB, sc StageConf, s steps.Steps, c CommonConf) error } } groupingUnits := []string{} - if sc.HasManualStep { + if sc.HasLocalStep { groupingUnits = sc.GroupingUnits } for _, g := range groupingUnits { From 42e8202a5dbf579d7bc6c5bba376eca5ae966681 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Thu, 6 Feb 2025 13:56:39 -0300 Subject: [PATCH 36/47] fix for helper deployer --- helpers/foundation-deployer/stages/apply.go | 155 +++++++------------- 1 file changed, 53 insertions(+), 102 deletions(-) diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index badf1088c..795cb7b97 100644 --- a/helpers/foundation-deployer/stages/apply.go 
+++ b/helpers/foundation-deployer/stages/apply.go @@ -278,24 +278,21 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu step := GetNetworkStep(c.EnableHubAndSpoke) - if c.EnableHubAndSpoke { - // shared - sharedTfvars := NetSharedTfvars{ - TargetNameServerAddresses: tfvars.TargetNameServerAddresses, - } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "shared.auto.tfvars"), sharedTfvars) - if err != nil { - return err - } + var localStep string + if c.EnableHubAndSpoke { + localStep = "shared" } else { - productionTfvars := NetSharedTfvars{ - TargetNameServerAddresses: tfvars.TargetNameServerAddresses, - } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "production.auto.tfvars"), productionTfvars) - if err != nil { - return err - } + localStep = "production" + } + + // shared + sharedTfvars := NetSharedTfvars{ + TargetNameServerAddresses: tfvars.TargetNameServerAddresses, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "shared.auto.tfvars"), sharedTfvars) + if err != nil { + return err } // common commonTfvars := NetCommonTfvars{ @@ -306,7 +303,7 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu if tfvars.EnableHubAndSpoke { commonTfvars.EnableHubAndSpokeTransitivity = &tfvars.EnableHubAndSpokeTransitivity } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "common.auto.tfvars"), commonTfvars) + err = utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "common.auto.tfvars"), commonTfvars) if err != nil { return err } 
@@ -319,67 +316,38 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu return err } - if c.EnableHubAndSpoke { - - conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: NetworksRepo, - StageSA: outputs.NetworkSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: step, - Repo: NetworksRepo, - GitConf: conf, - HasLocalStep: true, - LocalSteps: []string{"shared"}, - GroupingUnits: []string{"envs"}, - Envs: []string{"production", "nonproduction", "development"}, - } - return deployStage(t, stageConf, s, c) - } else { - conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: NetworksRepo, - StageSA: outputs.NetworkSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: step, - Repo: NetworksRepo, - GitConf: conf, - HasLocalStep: true, - LocalSteps: []string{"production", "shared"}, - GroupingUnits: []string{"envs"}, - Envs: []string{"nonproduction", "development"}, - } - return deployStage(t, stageConf, s, c) + conf := utils.CloneCSR(t, NetworksRepo, filepath.Join(c.CheckoutPath, NetworksRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: NetworksRepo, + StageSA: outputs.NetworkSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: step, + Repo: NetworksRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{localStep}, + GroupingUnits: []string{"envs"}, + Envs: []string{"production", "nonproduction", "development"}, } + return deployStage(t, stageConf, s, c) } func DeployProjectsStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs BootstrapOutputs, c CommonConf) error { - if c.EnableHubAndSpoke { - // shared - sharedTfvars := ProjSharedTfvars{ - DefaultRegion: tfvars.DefaultRegion, - } - err := 
utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "shared.auto.tfvars"), sharedTfvars) - if err != nil { - return err - } - } else { - productionTfvars := ProjSharedTfvars{ - DefaultRegion: tfvars.DefaultRegion, - } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "production.auto.tfvars"), productionTfvars) - if err != nil { - return err - } + // shared + sharedTfvars := ProjSharedTfvars{ + DefaultRegion: tfvars.DefaultRegion, + } + err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "shared.auto.tfvars"), sharedTfvars) + if err != nil { + return err } // common commonTfvars := ProjCommonTfvars{ RemoteStateBucket: outputs.RemoteStateBucket, } - err := utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "common.auto.tfvars"), commonTfvars) + err = utils.WriteTfvars(filepath.Join(c.FoundationPath, ProjectsStep, "common.auto.tfvars"), commonTfvars) if err != nil { return err } 
@@ -400,40 +368,23 @@ func DeployProjectsStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu } } - if c.EnableHubAndSpoke { - - conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: ProjectsRepo, - StageSA: outputs.ProjectsSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: ProjectsStep, - Repo: ProjectsRepo, - GitConf: conf, - HasLocalStep: true, - LocalSteps: []string{"shared"}, - GroupingUnits: []string{"business_unit_1"}, - Envs: []string{"production", "nonproduction", "development"}, - } - return deployStage(t, stageConf, s, c) - } else { - conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) - stageConf := StageConf{ - Stage: ProjectsRepo, - StageSA: outputs.ProjectsSA, - CICDProject: outputs.CICDProject, - DefaultRegion: outputs.DefaultRegion, - Step: ProjectsStep, - Repo: ProjectsRepo, - GitConf: conf, - HasLocalStep: true, - LocalSteps: []string{"production", "shared"}, - GroupingUnits: []string{"business_unit_1"}, - Envs: []string{"nonproduction", "development"}, - } - return deployStage(t, stageConf, s, c) + conf := utils.CloneCSR(t, ProjectsRepo, filepath.Join(c.CheckoutPath, ProjectsRepo), outputs.CICDProject, c.Logger) + stageConf := StageConf{ + Stage: ProjectsRepo, + StageSA: outputs.ProjectsSA, + CICDProject: outputs.CICDProject, + DefaultRegion: outputs.DefaultRegion, + Step: ProjectsStep, + Repo: ProjectsRepo, + GitConf: conf, + HasLocalStep: true, + LocalSteps: []string{"shared", "production"}, + GroupingUnits: []string{"business_unit_1"}, + Envs: []string{"production", "nonproduction", "development"}, } + + return deployStage(t, stageConf, s, c) + } func DeployExampleAppStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs InfraPipelineOutputs, c CommonConf) error { 
@@ -505,7 +456,7 @@ func deployStage(t testing.TB, sc StageConf, s steps.Steps, c CommonConf) error NoColor: true, } - err := s.RunStep(fmt.Sprintf("%s.%s.apply-shared", sc.Stage, bu), func() error { + err := s.RunStep(fmt.Sprintf("%s.%s.apply-%s", sc.Stage, bu, localStep), func() error { return applyLocal(t, buOptions, sc.StageSA, c.PolicyPath, c.ValidatorProject) }) if err != nil { From 72481b0bab6e18163eb3a618891af8f8fa40f4c4 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 7 Feb 2025 10:44:15 -0300 Subject: [PATCH 37/47] fix for apply.go --- helpers/foundation-deployer/stages/apply.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index 795cb7b97..f7986acb4 100644 --- a/helpers/foundation-deployer/stages/apply.go +++ b/helpers/foundation-deployer/stages/apply.go @@ -278,12 +278,12 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu step := GetNetworkStep(c.EnableHubAndSpoke) - var localStep string + var localStep []string if c.EnableHubAndSpoke { - localStep = "shared" + localStep = []string{"shared"} } else { - localStep = "production" + localStep = []string{"shared", "production"} } // shared @@ -326,7 +326,7 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu Repo: NetworksRepo, GitConf: conf, HasLocalStep: true, - LocalSteps: []string{localStep}, + LocalSteps: localStep, GroupingUnits: []string{"envs"}, Envs: []string{"production", "nonproduction", "development"}, } @@ -378,7 +378,7 @@ func DeployProjectsStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu Repo: ProjectsRepo, GitConf: conf, HasLocalStep: true, - LocalSteps: []string{"shared", "production"}, + LocalSteps: []string{"shared"}, GroupingUnits: []string{"business_unit_1"}, Envs: []string{"production", "nonproduction", "development"}, } 
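Review bot: `var localStep []string` in the `@@ -278` hunk of PATCH 37/47 now holds a list but keeps the singular name, so `LocalSteps: localStep` reads as a type mismatch at first glance. Renaming it to `localSteps` (and `LocalSteps: localSteps,` in the `@@ -326` hunk) matches the `StageConf` field and the plural meaning. The point where the two layouts diverge would also benefit from a one-line comment, e.g. `// dual-svpc applies production locally as well, since the other environments depend on it`, if that is indeed the reason (the README change in PATCH 39/47 suggests so). `DeployNetworksStage` starts and ends outside the hunk.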
From 203556618c151ccd9d4e8bd9e026991558ec7de4 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 12 Feb 2025 11:00:33 -0300 Subject: [PATCH 38/47] fix for help deployer --- helpers/foundation-deployer/stages/apply.go | 8 ++++++++ helpers/foundation-deployer/stages/data.go | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index f7986acb4..827527746 100644 --- a/helpers/foundation-deployer/stages/apply.go +++ b/helpers/foundation-deployer/stages/apply.go @@ -294,6 +294,14 @@ func DeployNetworksStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outpu if err != nil { return err } + // production + productionTfvars := NetProductionTfvars{ + TargetNameServerAddresses: tfvars.TargetNameServerAddresses, + } + err = utils.WriteTfvars(filepath.Join(c.FoundationPath, step, "production.auto.tfvars"), productionTfvars) + if err != nil { + return err + } // common commonTfvars := NetCommonTfvars{ Domain: tfvars.Domain, diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go index 2bc9722cf..99d60ffbb 100644 --- a/helpers/foundation-deployer/stages/data.go +++ b/helpers/foundation-deployer/stages/data.go @@ -246,6 +246,10 @@ type NetSharedTfvars struct { TargetNameServerAddresses []ServerAddress `hcl:"target_name_server_addresses"` } +type NetProductionTfvars struct { + TargetNameServerAddresses []ServerAddress `hcl:"target_name_server_addresses"` +} + type NetAccessContextTfvars struct { AccessContextManagerPolicyID string `hcl:"access_context_manager_policy_id"` } From 5077d753bae1d283bc8904dfbba26d31f6a95a81 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 12 Feb 2025 11:00:48 -0300 Subject: [PATCH 39/47] update README instructions --- 3-networks-dual-svpc/README.md | 103 ++++++++++++++++----------------- 1 file changed, 51 insertions(+), 52 deletions(-) 
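Review bot: The new `production.auto.tfvars` write runs regardless of `c.EnableHubAndSpoke`, while PATCH 37/47 only adds a `production` local step for the dual-svpc path; whether the hub-and-spoke production environment reads this file is not visible here. If it does not, wrapping the block in `if !c.EnableHubAndSpoke {` keeps the hub-and-spoke checkout free of an unused tfvars file; if it does, a short comment saying both layouts consume it would stop the next reader from adding that guard. `DeployNetworksStage` starts and ends outside the hunk.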
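Review bot: `NetProductionTfvars` is an exported type without the doc comment Go convention expects; `// NetProductionTfvars holds the values written to production.auto.tfvars for the networks stage.` would do. As far as the hunk shows it is field-for-field identical to `NetSharedTfvars` (the visible context has the same `TargetNameServerAddresses` field and `hcl` tag); if that holds for the whole struct, reusing one type for both files avoids the two definitions drifting apart.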
diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 9ede0897e..f545f1c4e 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -195,15 +195,10 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ```bash git add . - git commit -m 'Initialize networks repo - plan' - ``` - -1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it. - - ```bash - git checkout -b production + git commit -m 'Initialize networks repo' ``` +1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it. 1. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 1. Use `terraform output` to get the Cloud Build project ID and the networks step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. 
@@ -215,53 +210,51 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Run `init` and `plan` and review output for environment production. +1. Run `init` and `plan` and review output for environment shared. ```bash - ./tf-wrapper.sh init production - ./tf-wrapper.sh plan production + ./tf-wrapper.sh init shared + ./tf-wrapper.sh plan shared ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../gcp-policies ${CLOUD_BUILD_PROJECT_ID} ``` -1. Run `apply` production. +1. Run `apply` shared. ```bash - ./tf-wrapper.sh apply production + ./tf-wrapper.sh apply shared ``` - 1. Push your production branch since development and nonproduction depends it. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID - -*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments. +1. You must manually plan and apply the `production` environment since the `development`, `nonproduction` and `plan` environments depend on it. ```bash - git push --set-upstream origin production + git checkout -b production ``` -1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it. - -1. Run `init` and `plan` and review output for environment shared. +1. Run `init` and `plan` and review output for environment production. 
```bash - ./tf-wrapper.sh init shared - ./tf-wrapper.sh plan shared + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production ``` -1. Run `validate` and check for violations. +1. Run `apply` production. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../gcp-policies ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh apply production ``` -1. Run `apply` shared. + 1. Push your production branch since development and nonproduction depends it. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + +*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments. ```bash - ./tf-wrapper.sh apply shared + git push --set-upstream origin production ``` 1. Push your plan branch to trigger a plan for all environments. Because the @@ -325,9 +318,9 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s git init git commit -m "initialize empty directory" --allow-empty git checkout -b shared + git checkout -b production git checkout -b development git checkout -b nonproduction - git checkout -b production ``` 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. 
@@ -388,6 +381,36 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ```bash ./tf-wrapper.sh apply shared + ``` + +1. Checkout shared `production`. Run `init` and `plan` and review output for environment production. + + ```bash + git checkout production + git merge shared + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production + ``` + +1. Run `validate` and check for violations. + + ```bash + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} + ``` + +1. Run `apply` production. + + ```bash + ./tf-wrapper.sh apply production + git add . + git commit -m "Initial production commit." + cd ../ + ``` + +1. Run `git commit` shared. + + ```bash + git checkout shared git add . git commit -m "Initial shared commit." ``` @@ -438,30 +461,6 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i git commit -m "Initial nonproduction commit." ``` -1. Checkout shared `production`. Run `init` and `plan` and review output for environment development. - - ```bash - git checkout production - git merge nonproduction - ./tf-wrapper.sh init production - ./tf-wrapper.sh plan production - ``` - -1. Run `validate` and check for violations. - - ```bash - ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} - ``` - -1. Run `apply` production. - - ```bash - ./tf-wrapper.sh apply production - git add . - git commit -m "Initial production commit." - cd ../ - ``` - If you received any errors or made any changes to the Terraform config or any `.tfvars`, you must re-run `./tf-wrapper.sh plan ` before run `./tf-wrapper.sh apply `. Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable. From cb95c1c0824d0f79c36c4be04a17d60eeb10e79b Mon Sep 17 00:00:00 2001 
From: Renato Rudnicki Date: Tue, 18 Feb 2025 10:59:14 -0300 Subject: [PATCH 40/47] PR small fixes --- 3-networks-dual-svpc/envs/production/main.tf | 4 ++-- 3-networks-dual-svpc/envs/shared/remote.tf | 1 - 3-networks-dual-svpc/envs/shared/remote.tf.cloud.example | 1 - 3-networks-dual-svpc/production.auto.example.tfvars | 2 +- 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 80ff6be01..e68a0454e 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf @@ -87,12 +87,12 @@ module "base_env" { base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.17.0.3" + base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.17.0.7" + restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket tfc_org_name = var.tfc_org_name target_name_server_addresses = var.target_name_server_addresses diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf index 3afb75cb7..d4ce9027d 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf +++ b/3-networks-dual-svpc/envs/shared/remote.tf 
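Review bot: The two private service connect addresses are shifted (`10.17.0.3` → `10.17.0.4`, `10.17.0.7` → `10.17.0.8`) with no explanation in the code or the commit message, so the next reader cannot tell whether `.3`/`.7` are now reserved elsewhere or were merely free. Presumably this avoids a collision with an address used by another environment; a comment above each value, e.g. `# PSC endpoint address; must sit inside the subnet range and not collide with addresses reserved by other environments`, with the actual reason filled in, would record the constraint. The `module "base_env"` block starts and ends outside the hunk.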
@@ -17,7 +17,6 @@ locals { env = "common" environment_code = "c" - dns_bgp_asn_number = var.bgp_asn_dns default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix diff --git a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example index 10ffccb73..78a4d2d7b 100644 --- a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example +++ b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example @@ -17,7 +17,6 @@ locals { env = "common" environment_code = "c" - dns_bgp_asn_number = var.bgp_asn_dns default_region1 = data.tfe_outputs.bootstrap.outputs.common_config.default_region default_region2 = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2 folder_prefix = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.folder_prefix diff --git a/3-networks-dual-svpc/production.auto.example.tfvars b/3-networks-dual-svpc/production.auto.example.tfvars index 1517d7964..6003cdb9a 100644 --- a/3-networks-dual-svpc/production.auto.example.tfvars +++ b/3-networks-dual-svpc/production.auto.example.tfvars @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. From 7eb6554236a7bc6401d3002c1a598e633127a23f Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 19 Feb 2025 13:24:00 -0300 Subject: [PATCH 41/47] removing t.parallel --- test/integration/networks/networks_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 3699ec87f..9c37e3013 100644 --- a/test/integration/networks/networks_test.go 
+++ b/test/integration/networks/networks_test.go @@ -316,7 +316,6 @@ func TestNetworks(t *testing.T) { } { envName := envName t.Run(envName, func(t *testing.T) { - t.Parallel() vars := map[string]interface{}{ "access_context_manager_policy_id": policyID, From c386a986bd942bfdf1357c94c39473b6a6a679cc Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Tue, 25 Feb 2025 14:57:04 -0300 Subject: [PATCH 42/47] fix integration tests --- test/integration/networks/networks_test.go | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 9c37e3013..20e1a2812 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -371,12 +371,12 @@ func TestNetworks(t *testing.T) { } { projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType)) - if networkMode == "-spoke" { + if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { for _, dnsType := range []string{ "dns_zone_googleapis", "dns_zone_gcr", "dns_zone_pkg_dev", - "dns_zone_peering_zone", + "dns_zone_forward", } { dnsName := networkNames[networkType][dnsType] dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) @@ -387,7 +387,7 @@ func TestNetworks(t *testing.T) { "dns_zone_googleapis", "dns_zone_gcr", "dns_zone_pkg_dev", - "dns_zone_forward", + "dns_zone_peering_zone", } { dnsName := networkNames[networkType][dnsType] dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s --impersonate-service-account %s", dnsName, projectID, terraformSA) 
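Review bot: Choosing which DNS zones to expect from a substring of the host project ID (`strings.Contains(projectID, "prj-p")`) is fragile, and the series itself has to change it to `"-p-"` in PATCH 45/47 for that reason. The loop variable `envName` appears to be in scope here (it is used for `googleapisCIDR[envName][networkType]` in the following hunk), so branching on the environment directly is clearer and does not depend on the project naming scheme: `if envName == "production" && networkMode != "-spoke" {`. If the substring form is meant to also match other production-like projects, a comment saying so would help. The enclosing `TestNetworks` body starts and ends outside the hunk.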
@@ -469,10 +469,21 @@ func TestNetworks(t *testing.T) { assert.Equal(routerName, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", routerName)) assert.Equal("64514", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", routerName)) assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should be on network %s", routerName, networkNames[networkType]["network_name"])) + assert.Contains(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.1.range").String(), fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType])) + if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { - assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange)) - assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType])) + advertisedIpRanges := computeRouter.Get("bgp.advertisedIpRanges").Array() + found := false + for _, ipRange := range advertisedIpRanges { + if ipRange.Get("range").String() == bgpAdvertisedIpRange { + found = true + break + } + } + assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange)) + assert.True(found, fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType])) } + } } } From 7995aa7950365c3366cff59f96a78e64de04a46d Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 26 Feb 2025 17:29:40 -0300 Subject: [PATCH 43/47] adds retry for create service networking connection error --- test/integration/testutils/retry.go | 3 +++ 1 file changed, 3 insertions(+) 
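Review bot: The second `assert.True(found, …)` re-checks the same boolean under a message that names `googleapisCIDR[envName][networkType]`, but the loop only ever compares against `bgpAdvertisedIpRange`, so the googleapis range is never verified there and a failure would print a misleading message. The new `assert.Contains(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.1.range").String(), …)` above it also passes testify's (haystack, needle) arguments in the opposite order to its intent and pins the range to index 1, so it only holds for one fixed ordering of the advertised ranges. A small lookup closure over the advertised ranges makes both checks order-independent and honest about what they test. The enclosing loop starts outside the hunk.
```go
advertisedIpRanges := computeRouter.Get("bgp.advertisedIpRanges").Array()
// hasRange reports whether the router advertises exactly the given CIDR, in any position.
hasRange := func(want string) bool {
	for _, ipRange := range advertisedIpRanges {
		if ipRange.Get("range").String() == want {
			return true
		}
	}
	return false
}
assert.True(hasRange(googleapisCIDR[envName][networkType]), fmt.Sprintf("router %s should have range %s", routerName, googleapisCIDR[envName][networkType]))
if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" {
	assert.True(hasRange(bgpAdvertisedIpRange), fmt.Sprintf("router %s should have range %s", routerName, bgpAdvertisedIpRange))
}
```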
diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go index e50bc2a45..67c05bb19 100644 --- a/test/integration/testutils/retry.go +++ b/test/integration/testutils/retry.go @@ -42,5 +42,8 @@ var ( // Error 400: Service account {} does not exist. ".*Error 400.*Service account.*does not exist*": "Error setting IAM policy", + + // Error waiting for creating service network connection. This happens randomly for development, production and non-production environments + ".*Error code 16.*Error waiting for Create Service Networking Connection*": "Request had invalid authentication credentials", } ) From 0d9272a4356adcce5413fc7bcc494de50e980868 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 28 Feb 2025 15:30:39 -0300 Subject: [PATCH 44/47] fix retries exceeded on 1-org destroy step --- 1-org/modules/centralized-logging/main.tf | 1 + 1-org/modules/centralized-logging/versions.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/1-org/modules/centralized-logging/main.tf b/1-org/modules/centralized-logging/main.tf index 75cad1c1d..3c4bb38b6 100644 --- a/1-org/modules/centralized-logging/main.tf +++ b/1-org/modules/centralized-logging/main.tf @@ -189,6 +189,7 @@ resource "terracurl_request" "exclude_external_logs" { count = var.project_options != null ? 1 : 0 name = "exclude_external_logs" + destroy_skip = true url = "https://logging.googleapis.com/v2/projects/${var.logging_destination_project_id}/sinks/_Default?updateMask=exclusions" method = "PUT" response_codes = [200] diff --git a/1-org/modules/centralized-logging/versions.tf b/1-org/modules/centralized-logging/versions.tf index eac6e25c5..808adbe56 100644 --- a/1-org/modules/centralized-logging/versions.tf +++ b/1-org/modules/centralized-logging/versions.tf @@ -20,7 +20,7 @@ terraform { required_providers { terracurl = { source = "devops-rob/terracurl" - version = "1.2.1" + version = "1.2.2" } } } 
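Review bot: The trailing `*` in the new key `".*Error code 16.*Error waiting for Create Service Networking Connection*"` quantifies only the final `n`, so the pattern reads "Connectio followed by zero or more n" rather than "anything after Connection"; the intent looks like `.*`, i.e. `".*Error code 16.*Error waiting for Create Service Networking Connection.*"` (the existing `does not exist*` entry above has the same quirk). Because the pattern is unanchored and starts with `.*`, matching still succeeds, so this is a readability fix rather than a behaviour change. Error code 16 is gRPC UNAUTHENTICATED, so the comment could also state that the retry is presumably for a transient credential-propagation failure, which is the only reason retrying an authentication error is acceptable. The `var (` block starts outside the hunk.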
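Review bot: `destroy_skip = true` on `terracurl_request.exclude_external_logs` presumably means the provider's destroy-time request is no longer sent, so the exclusions set on the `_Default` sink of `var.logging_destination_project_id` outlive a `terraform destroy`. That is a plausible way to avoid the retry exhaustion named in the commit title, but it should be stated at the resource so nobody expects destroy to restore the sink, e.g. `# destroy_skip: the exclusion on the _Default sink is left in place on destroy; revert it manually if the project is kept.` The resource block starts outside the hunk.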
From 8a2d7a2d4ff442ffa25ad682440e25ba12905fcc Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Wed, 5 Mar 2025 10:32:13 -0300 Subject: [PATCH 45/47] fix validation for dns test --- test/integration/networks/networks_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 20e1a2812..c3d938fde 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -371,7 +371,7 @@ func TestNetworks(t *testing.T) { } { projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType)) - if strings.Contains(projectID, "prj-p") && networkMode != "-spoke" { + if strings.Contains(projectID, "-p-") && networkMode != "-spoke" { for _, dnsType := range []string{ "dns_zone_googleapis", "dns_zone_gcr", From 1624e1ceb4a08047f4a8a61bd1f32fff0286f866 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 7 Mar 2025 17:25:51 -0300 Subject: [PATCH 46/47] fix correct order for network destroy step --- test/integration/networks/networks_test.go | 24 +++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index c3d938fde..b37a35682 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -16,6 +16,7 @@ package networks import ( "fmt" + "os" "strings" "testing" "time" 
@@ -309,11 +310,24 @@ func TestNetworks(t *testing.T) { }, } - for _, envName := range []string{ - "production", - "development", - "nonproduction", - } { + envStage := os.Getenv(utils.RUN_STAGE_ENV_VAR) + var envNames []string + + if strings.Contains(envStage, "teardown") { + envNames = []string{ + "nonproduction", + "development", + "production", + } + } else { + envNames = []string{ + "production", + "development", + "nonproduction", + } + } + + for _, envName := range envNames { envName := envName t.Run(envName, func(t *testing.T) { From 534f9bf088706445ca356baf5c8ccaf56e4cec82 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 7 Mar 2025 18:14:20 -0300 Subject: [PATCH 47/47] remove dns_hub module --- 1-org/envs/shared/projects.tf | 42 ----------------------------------- 1 file changed, 42 deletions(-) diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index be2ee3f1f..5ae87ac57 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf 
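Review bot: The reason the order flips for teardown is not stated in the code; the README change in PATCH 39/47 explains that the production environment carries the DNS hub connectivity the other environments depend on, so a comment at `if strings.Contains(envStage, "teardown")` such as `// production provides the DNS connectivity the other environments use, so it is deployed first and torn down last` would save the next reader a trip through the docs. Keeping two hand-written lists also invites drift; one ordered slice reversed for teardown keeps a single source of truth. Matching on `"teardown"` relies on the stage-name convention behind `utils.RUN_STAGE_ENV_VAR`, which is outside the hunk, as is the rest of `TestNetworks`.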
@@ -233,48 +233,6 @@ module "scc_notifications" { budget_alert_spend_basis = var.project_budget.scc_notifications_budget_alert_spend_basis } -/****************************************** - Project for DNS Hub -*****************************************/ - -module "dns_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 18.0" - - random_project_id = true - random_project_id_length = 4 - default_service_account = "deprivilege" - name = "${local.project_prefix}-net-dns" - org_id = local.org_id - billing_account = local.billing_account - folder_id = google_folder.network.id - deletion_policy = var.project_deletion_policy - - activate_apis = [ - "compute.googleapis.com", - "dns.googleapis.com", - "servicenetworking.googleapis.com", - "logging.googleapis.com", - "cloudresourcemanager.googleapis.com", - "billingbudgets.googleapis.com" - ] - - labels = { - environment = "network" - application_name = "org-dns-hub" - billing_code = "1234" - primary_contact = "example1" - secondary_contact = "example2" - business_code = "shared" - env_code = "net" - vpc = "none" - } - budget_alert_pubsub_topic = var.project_budget.dns_hub_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.dns_hub_alert_spent_percents - budget_amount = var.project_budget.dns_hub_budget_amount - budget_alert_spend_basis = var.project_budget.dns_hub_budget_alert_spend_basis -} - /****************************************** Project for Base Network Hub *****************************************/