# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
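# Expected attribute values per resource address. This looks like a Terraform
# plan snapshot used by tests (TODO confirm against the test harness).
values:
  # Reserved INTERNAL addresses for the network virtual appliances (NVAs).
  # Landing-side addresses are in 10.64.0.x / 10.80.0.x, DMZ-side addresses in
  # 10.64.128.x / 10.80.128.x. Traffic between the trusted and untrusted sides
  # presumably hinges on these IPs, so review a change here as carefully as a
  # routing or firewall change.
  google_compute_address.nva_static_ip_landing["primary-b"]:
    address: 10.64.0.101
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-landing-ew1-b
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west1
    timeouts: null
  google_compute_address.nva_static_ip_landing["primary-c"]:
    address: 10.64.0.102
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-landing-ew1-c
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west1
    timeouts: null
  google_compute_address.nva_static_ip_landing["secondary-b"]:
    address: 10.80.0.101
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-landing-ew4-b
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west4
    timeouts: null
  google_compute_address.nva_static_ip_landing["secondary-c"]:
    address: 10.80.0.102
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-landing-ew4-c
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west4
    timeouts: null
  google_compute_address.nva_static_ip_dmz["primary-b"]:
    address: 10.64.128.101
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-dmz-ew1-b
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west1
    timeouts: null
  google_compute_address.nva_static_ip_dmz["primary-c"]:
    address: 10.64.128.102
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-dmz-ew1-c
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west1
    timeouts: null
  google_compute_address.nva_static_ip_dmz["secondary-b"]:
    address: 10.80.128.101
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-dmz-ew4-b
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west4
    timeouts: null
  google_compute_address.nva_static_ip_dmz["secondary-c"]:
    address: 10.80.128.102
    address_type: INTERNAL
    description: null
    ip_version: null
    ipv6_endpoint_type: null
    labels: null
    name: nva-ip-dmz-ew4-c
    network: null
    project: fast2-prod-net-landing-0
    region: europe-west4
    timeouts: null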
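# Cloud Monitoring alert policies for the VPN tunnels.
  # Review note: notification_channels is empty for both policies in this
  # snapshot, so a breach would open an incident without notifying anyone.
  # Confirm that real deployments attach at least one channel; a tunnel going
  # down (second policy) is an availability event someone has to see.
  google_monitoring_alert_policy.vpn_tunnel_bandwidth[0]:
    alert_strategy: []
    combiner: OR
    conditions:
    - condition_absent: []
      condition_matched_log: []
      condition_monitoring_query_language:
      # Fires when sent + received bytes per tunnel exceed 187.5 MBy/s,
      # held for 120s.
      - duration: 120s
        evaluation_missing_data: null
        query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
          metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
          group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
          val() > 187.5 "MBy/s"
        trigger:
        - count: 1
          percent: null
      condition_prometheus_query_language: []
      condition_threshold: []
      display_name: VPN Tunnel Bandwidth usage
    display_name: VPN Tunnel Bandwidth usage
    documentation: []
    enabled: true
    notification_channels: []
    project: fast2-prod-net-landing-0
    severity: null
    timeouts: null
    user_labels: null
  google_monitoring_alert_policy.vpn_tunnel_established[0]:
    alert_strategy: []
    combiner: OR
    conditions:
    - condition_absent: []
      condition_matched_log: []
      condition_monitoring_query_language:
      # Fires when the 5-minute maximum of tunnel_established drops below 1.
      # evaluation_missing_data is null, so how an absent series is treated
      # is not pinned here (TODO confirm the intended behaviour).
      - duration: 120s
        evaluation_missing_data: null
        query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
          5m, [value_tunnel_established_max : max(value.tunnel_established)]| every
          5m| condition val() < 1 ''1'''
        trigger:
        - count: 1
          percent: null
      condition_prometheus_query_language: []
      condition_threshold: []
      display_name: VPN Tunnel Established
    display_name: VPN Tunnel Established
    documentation: []
    enabled: true
    notification_channels: []
    project: fast2-prod-net-landing-0
    severity: null
    timeouts: null
    user_labels: null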
google_monitoring_dashboard.dashboard["firewall_insights.json"]:
dashboard_json : '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\"
resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM
Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\"
resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}'
project : fast2-prod-net-landing-0
timeouts : null
google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]:
dashboard_json : '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal
network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6},{"height":4,"widget":{"title":"Internal
network (L4) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6},{"height":4,"widget":{"title":"Internal
application (L7) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Internal
application (L7) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Instances
per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Instances
per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Subnet
ranges per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":12},{"height":4,"widget":{"title":"Subnet
ranges per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12}]}}'
project : fast2-prod-net-landing-0
timeouts : null
google_monitoring_dashboard.dashboard["vpn.json"]:
dashboard_json : '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel
established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4,"xPos":4},{"height":4,"widget":{"title":"VPN
Tunnel Bandwidth usage","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count
}| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0)
+ val(1)| condition val() \u003e 187.5 \"MBy/s\""}}],"thresholds":[{"targetAxis":"Y1","value":187500000}],"timeshiftDuration":"0s","yAxis":{"scale":"LINEAR"}}},"width":4,"xPos":8},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Received bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_bytes_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Sent bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_bytes_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Received packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Sent packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Incoming
packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12},{"height":4,"widget":{"title":"Outgoing
packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":12}]}}'
project : fast2-prod-net-landing-0
timeouts : null
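# Network Connectivity Center hubs, one per trust zone.
  # The descriptions label the landing hub as trusted and the DMZ hub as
  # untrusted; keeping them as separate hubs keeps the two zones apart.
  google_network_connectivity_hub.hub_landing:
    description: Prod hub landing (trusted)
    labels: null
    name: prod-hub-landing
    project: fast2-prod-net-landing-0
    timeouts: null
  google_network_connectivity_hub.hub_dmz:
    description: Prod hub DMZ (untrusted)
    labels: null
    name: prod-hub-dmz
    project: fast2-prod-net-landing-0
    timeouts: null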
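# Stage output file written to a bucket.
  # bucket ("test") and detect_md5hash ("different hash") are placeholder
  # values, and the object content is not part of this snapshot.
  # Review note: this tfvars object is presumably read by later stages, so
  # write access to the real bucket should be limited to the automation
  # identity that produces it. customer_encryption is empty, so no
  # customer-supplied key is set on the object.
  google_storage_bucket_object.tfvars:
    bucket: test
    cache_control: null
    content_disposition: null
    content_encoding: null
    content_language: null
    customer_encryption: []
    detect_md5hash: different hash
    event_based_hold: null
    metadata: null
    name: tfvars/2-networking.auto.tfvars.json
    retention: []
    source: null
    temporary_hold: null
    timeouts: null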
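# Dev spoke DNS: two peering zones, one private zone and its record set.
  # All zones are private. The per-zone cloud_logging_config has
  # enable_logging: false; for private zones query logging is normally driven
  # by the network DNS policy (the dev-spoke-0 policy in this file has
  # enable_logging: true) - confirm that is the intended source of DNS logs.
  # The peering zones cover "10.in-addr.arpa." and the root ".", so every name
  # without a more specific zone is presumably resolved through the peer
  # network; peering_config is not resolved in this snapshot.
  module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
    cloud_logging_config:
    - enable_logging: false
    description: Terraform managed.
    dns_name: 10.in-addr.arpa.
    dnssec_config: []
    force_destroy: false
    forwarding_config: []
    labels: null
    name: dev-reverse-10-dns-peering
    project: fast2-dev-net-spoke-0
    reverse_lookup: false
    service_directory_config: []
    timeouts: null
    visibility: private
  module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
    cloud_logging_config:
    - enable_logging: false
    description: Terraform managed.
    dns_name: .
    dnssec_config: []
    force_destroy: false
    forwarding_config: []
    labels: null
    name: dev-root-dns-peering
    project: fast2-dev-net-spoke-0
    reverse_lookup: false
    service_directory_config: []
    timeouts: null
    visibility: private
  module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
    cloud_logging_config:
    - enable_logging: false
    description: Terraform managed.
    dns_name: dev.gcp.example.com.
    dnssec_config: []
    force_destroy: false
    forwarding_config: []
    labels: null
    name: dev-gcp-example-com
    peering_config: []
    project: fast2-dev-net-spoke-0
    service_directory_config: []
    timeouts: null
    visibility: private
  module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
    managed_zone: dev-gcp-example-com
    name: localhost.dev.gcp.example.com.
    project: fast2-dev-net-spoke-0
    routing_policy: []
    rrdatas:
    - 127.0.0.1
    ttl: 300
    type: A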
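# Dev spoke VPC firewall rules.
  # Review notes:
  # - The two allow rules match on network tags for both source and target.
  #   Tags can be set by anyone who may edit an instance, so they are a weaker
  #   boundary than service-account based matching.
  # - Both allow rules have an empty log_config, so accepted connections are
  #   not logged; only the default-deny rule logs.
  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]:
    allow:
    - ports:
      - '80'
      - '443'
      - '3306'
      - '3307'
      protocol: tcp
    deny: []
    description: Allow traffic to Composer nodes.
    direction: INGRESS
    disabled: false
    log_config: []
    name: ingress-allow-composer-nodes
    priority: 1000
    project: fast2-dev-net-spoke-0
    source_ranges: null
    source_service_accounts: null
    source_tags:
    - composer-worker
    target_service_accounts: null
    target_tags:
    - composer-worker
    timeouts: null
  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]:
    allow:
    - ports:
      - '12345'
      - '12346'
      protocol: tcp
    deny: []
    description: Allow traffic to Dataflow nodes.
    direction: INGRESS
    disabled: false
    log_config: []
    name: ingress-allow-dataflow-load
    priority: 1000
    project: fast2-dev-net-spoke-0
    source_ranges: null
    source_service_accounts: null
    source_tags:
    - dataflow
    target_service_accounts: null
    target_tags:
    - dataflow
    timeouts: null
  # Catch-all deny at the lowest priority (65535) for every source and
  # protocol. Logging is on but with EXCLUDE_ALL_METADATA, so log entries
  # carry less context for investigation; confirm that trade-off is intended.
  # Traffic allowed by a hierarchical firewall policy never reaches this rule.
  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
    allow: []
    deny:
    - ports: []
      protocol: all
    description: Deny and log any unmatched ingress traffic.
    direction: INGRESS
    disabled: false
    log_config:
    - metadata: EXCLUDE_ALL_METADATA
    name: ingress-default-deny
    priority: 65535
    project: fast2-dev-net-spoke-0
    source_ranges:
    - 0.0.0.0/0
    source_service_accounts: null
    source_tags: null
    target_service_accounts: null
    target_tags: null
    timeouts: null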
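# Dev spoke host project: Shared VPC host, IAM, enabled services.
  module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
    project: fast2-dev-net-spoke-0
    timeouts: null
  # Metrics for this project are scoped into fast2-prod-net-landing-0.
  module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
    metrics_scope: fast2-prod-net-landing-0
    name: fast2-dev-net-spoke-0
    timeouts: null
  # auto_create_network is false, so no default network is created.
  module.dev-spoke-project.google_project.project[0]:
    auto_create_network: false
    billing_account: 000000-111111-222222
    folder_id: null
    labels: null
    name: fast2-dev-net-spoke-0
    org_id: null
    project_id: fast2-dev-net-spoke-0
    skip_delete: false
    timeouts: null
  # google_project_iam_binding is authoritative for its role: members not
  # listed here lose roles/dns.admin on apply. "serviceAccount:string" is a
  # placeholder in this snapshot, not a real principal.
  module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
    condition: []
    members:
    - serviceAccount:string
    project: fast2-dev-net-spoke-0
    role: roles/dns.admin
  # Delegated role grants: the member gets projectIamAdmin, but the condition
  # only lets it grant or revoke the six roles listed in hasOnly([...]).
  # Review note: this list is the real privilege boundary. Each role added to
  # it widens what the delegated account can hand out, so review additions
  # like any other IAM change.
  module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
    condition:
    - description: Development host project delegated grants.
      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
      title: dev_stage3_sa_delegated_grants
    members:
    - serviceAccount:string
    project: fast2-dev-net-spoke-0
    role: roles/resourcemanager.projectIamAdmin
  module.dev-spoke-project.google_project_iam_member.servicenetworking[0]:
    condition: []
    project: fast2-dev-net-spoke-0
    role: roles/servicenetworking.serviceAgent
  # Enabled APIs. disable_on_destroy is false throughout, so destroying the
  # Terraform resource leaves the API enabled.
  module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: compute.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: dns.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: iap.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: networkmanagement.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: servicenetworking.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: stackdriver.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: fast2-dev-net-spoke-0
    service: vpcaccess.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
    project: fast2-dev-net-spoke-0
    service: iap.googleapis.com
    timeouts: null
  module.dev-spoke-project.google_project_service_identity.servicenetworking[0]:
    project: fast2-dev-net-spoke-0
    service: servicenetworking.googleapis.com
    timeouts: null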
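# Dev spoke VPC: network, routes, subnets and DNS policy.
  # The network is custom-mode (auto_create_subnetworks: false) and its
  # default routes are deleted on creation. The only routes in this snapshot
  # point the private and restricted Google API ranges at
  # default-internet-gateway, so there is no general 0.0.0.0/0 egress here.
  module.dev-spoke-vpc.google_compute_network.network[0]:
    auto_create_subnetworks: false
    delete_default_routes_on_create: true
    description: Terraform-managed.
    enable_ula_internal_ipv6: null
    mtu: 1500
    name: dev-spoke-0
    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
    project: fast2-dev-net-spoke-0
    routing_mode: GLOBAL
    timeouts: null
  module.dev-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
    description: Terraform-managed.
    dest_range: 199.36.153.8/30
    name: dev-spoke-0-private-googleapis
    next_hop_gateway: default-internet-gateway
    next_hop_ilb: null
    next_hop_instance: null
    next_hop_vpn_tunnel: null
    priority: 1000
    project: fast2-dev-net-spoke-0
    tags: null
    timeouts: null
  module.dev-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
    description: Terraform-managed.
    dest_range: 199.36.153.4/30
    name: dev-spoke-0-restricted-googleapis
    next_hop_gateway: default-internet-gateway
    next_hop_ilb: null
    next_hop_instance: null
    next_hop_vpn_tunnel: null
    priority: 1000
    project: fast2-dev-net-spoke-0
    tags: null
    timeouts: null
  # Subnets. Review note: log_config is empty on all four, so VPC flow logs
  # are not configured in this snapshot; enable them where network forensics
  # or detection depend on flow data. private_ip_google_access is true on all.
  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]:
    description: Default subnet for dev Data Platform
    ip_cidr_range: 10.68.2.0/24
    ipv6_access_type: null
    log_config: []
    name: dev-dataplatform
    private_ip_google_access: true
    project: fast2-dev-net-spoke-0
    region: europe-west1
    role: null
    secondary_ip_range:
    - ip_cidr_range: 100.69.0.0/16
      range_name: pods
    - ip_cidr_range: 100.71.2.0/24
      range_name: services
    timeouts: null
  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]:
    description: Default europe-west1 subnet for dev
    ip_cidr_range: 10.68.0.0/24
    ipv6_access_type: null
    log_config: []
    name: dev-default
    private_ip_google_access: true
    project: fast2-dev-net-spoke-0
    region: europe-west1
    role: null
    secondary_ip_range: []
    timeouts: null
  # NOTE(review): the description says "prod" although the subnet is
  # dev-gke-nodes in the dev project. It is kept as-is because this file
  # records expected values; fix it in the subnet definition, not here.
  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]:
    description: Default subnet for prod gke nodes
    ip_cidr_range: 10.68.1.0/24
    ipv6_access_type: null
    log_config: []
    name: dev-gke-nodes
    private_ip_google_access: true
    project: fast2-dev-net-spoke-0
    region: europe-west1
    role: null
    secondary_ip_range:
    - ip_cidr_range: 100.68.0.0/16
      range_name: pods
    - ip_cidr_range: 100.71.1.0/24
      range_name: services
    timeouts: null
  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]:
    description: Default europe-west4 subnet for dev
    ip_cidr_range: 10.84.0.0/24
    ipv6_access_type: null
    log_config: []
    name: dev-default
    private_ip_google_access: true
    project: fast2-dev-net-spoke-0
    region: europe-west4
    role: null
    secondary_ip_range: []
    timeouts: null
  # DNS policy with query logging enabled for the attached network. The
  # network reference is unresolved in the snapshot, hence the empty mapping.
  module.dev-spoke-vpc.google_dns_policy.default[0]:
    alternative_name_server_config: []
    description: Managed by Terraform
    enable_inbound_forwarding: null
    enable_logging: true
    name: dev-spoke-0
    networks:
    - {}
    project: fast2-dev-net-spoke-0
    timeouts: null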
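# Hierarchical firewall policy "net-default" and its ingress rules.
  # Review notes:
  # - Every rule uses action "allow". In a hierarchical policy that is
  #   terminal: matching traffic is admitted and VPC-level rules, including a
  #   VPC's default-deny, are not evaluated for it.
  # - target_resources and target_service_accounts are null on every rule, so
  #   each rule applies to all targets under the node the policy is attached
  #   to.
  # - Only allow-ssh-from-iap has enable_logging: true; the other rules leave
  #   it null.
  module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]:
    description: null
    short_name: net-default
    timeouts: null
  # tcp/80 and tcp/443 from four source ranges described as health checkers.
  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
    action: allow
    description: Enable HTTP and HTTPS healthchecks
    direction: INGRESS
    disabled: false
    enable_logging: null
    match:
    - dest_address_groups: null
      dest_fqdns: null
      dest_ip_ranges: null
      dest_region_codes: null
      dest_threat_intelligences: null
      layer4_configs:
      - ip_protocol: tcp
        ports:
        - '80'
        - '443'
      src_address_groups: null
      src_fqdns: null
      src_ip_ranges:
      - 35.191.0.0/16
      - 130.211.0.0/22
      - 209.85.152.0/22
      - 209.85.204.0/22
      src_region_codes: null
      src_threat_intelligences: null
    priority: 1001
    target_resources: null
    target_service_accounts: null
    timeouts: null
  # ICMP from any source (0.0.0.0/0) to every target, without logging.
  # Confirm this breadth is intended; an internal source range is usually
  # enough for diagnostics.
  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
    action: allow
    description: Enable ICMP
    direction: INGRESS
    disabled: false
    enable_logging: null
    match:
    - dest_address_groups: null
      dest_fqdns: null
      dest_ip_ranges: null
      dest_region_codes: null
      dest_threat_intelligences: null
      layer4_configs:
      - ip_protocol: icmp
        ports: []
      src_address_groups: null
      src_fqdns: null
      src_ip_ranges:
      - 0.0.0.0/0
      src_region_codes: null
      src_threat_intelligences: null
    priority: 1003
    target_resources: null
    target_service_accounts: null
    timeouts: null
  # All protocols and ports (ip_protocol: all, ports: null) from the two NAT
  # ranges to every target. This is the broadest rule in the policy; consider
  # narrowing targets or protocols to what the serverless connectors need.
  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
    action: allow
    description: Enable NAT ranges for VPC serverless connector
    direction: INGRESS
    disabled: false
    enable_logging: null
    match:
    - dest_address_groups: null
      dest_fqdns: null
      dest_ip_ranges: null
      dest_region_codes: null
      dest_threat_intelligences: null
      layer4_configs:
      - ip_protocol: all
        ports: null
      src_address_groups: null
      src_fqdns: null
      src_ip_ranges:
      - 107.178.230.64/26
      - 35.199.224.0/19
      src_region_codes: null
      src_threat_intelligences: null
    priority: 1004
    target_resources: null
    target_service_accounts: null
    timeouts: null
  # tcp/22 from the IAP forwarding range only, with logging enabled. Who may
  # open an SSH tunnel is then decided by IAM on IAP, not by this rule.
  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
    action: allow
    description: Enable SSH from IAP
    direction: INGRESS
    disabled: false
    enable_logging: true
    match:
    - dest_address_groups: null
      dest_fqdns: null
      dest_ip_ranges: null
      dest_region_codes: null
      dest_threat_intelligences: null
      layer4_configs:
      - ip_protocol: tcp
        ports:
        - '22'
      src_address_groups: null
      src_fqdns: null
      src_ip_ranges:
      - 35.235.240.0/20
      src_region_codes: null
      src_threat_intelligences: null
    priority: 1002
    target_resources: null
    target_service_accounts: null
    timeouts: null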
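# Networking folder: firewall policy association, contacts, folder itself.
  # The association attaches a firewall policy to a node; the policy and the
  # attachment target are not resolved in this snapshot.
  module.folder.google_compute_firewall_policy_association.default[0]:
    name: default
    timeouts: null
  # Essential contact subscribed to ALL notification categories. Make sure
  # the group mailbox is monitored.
  module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]:
    email: gcp-network-admins@fast.example.com
    language_tag: en
    notification_category_subscriptions:
    - ALL
    timeouts: null
  module.folder.google_folder.folder[0]:
    display_name: Networking
    parent: organizations/123456789012
    timeouts: null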
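# Landing DNS forwarding zones towards on-premises.
  # Both private zones forward to a single target name server, 10.10.10.10,
  # with an empty forwarding_path. Review note: answers for
  # onprem.example.com. and the 10.in-addr.arpa. reverse zone are only as
  # trustworthy as that resolver and the path to it, and a single target is
  # also a single point of failure.
  module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]:
    cloud_logging_config:
    - enable_logging: false
    description: Terraform managed.
    dns_name: onprem.example.com.
    dnssec_config: []
    force_destroy: false
    forwarding_config:
    - target_name_servers:
      - forwarding_path: ''
        ipv4_address: 10.10.10.10
    labels: null
    name: example-com
    peering_config: []
    project: fast2-prod-net-landing-0
    reverse_lookup: false
    service_directory_config: []
    timeouts: null
    visibility: private
  module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]:
    cloud_logging_config:
    - enable_logging: false
    description: Terraform managed.
    dns_name: 10.in-addr.arpa.
    dnssec_config: []
    force_destroy: false
    forwarding_config:
    - target_name_servers:
      - forwarding_path: ''
        ipv4_address: 10.10.10.10
    labels: null
    name: root-reverse-10
    peering_config: []
    project: fast2-prod-net-landing-0
    reverse_lookup: false
    service_directory_config: []
    timeouts: null
    visibility: private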
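# DNS response policy "googleapis" and its rules.
  # Each rule answers a Google-owned hostname with a CNAME to
  # private.googleapis.com., so clients on the attached networks use the
  # private API endpoint. The policy lists two networks, unresolved in this
  # snapshot. Review note: the rewrite only helps where a route to the private
  # range exists (the dev spoke has one for 199.36.153.8/30); a hostname
  # missing from this list still resolves to its public addresses.
  module.landing-dns-policy-googleapis.google_dns_response_policy.default[0]:
    description: Managed by Terraform
    gke_clusters: []
    networks:
    - {}
    - {}
    project: fast2-prod-net-landing-0
    response_policy_name: googleapis
    timeouts: null
  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]:
    behavior: null
    dns_name: accounts.google.com.
    local_data:
    - local_datas:
      - name: accounts.google.com.
        rrdatas:
        - private.googleapis.com.
        ttl: null
        type: CNAME
    project: fast2-prod-net-landing-0
    response_policy: googleapis
    rule_name: accounts
    timeouts: null
  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]:
    behavior: null
    dns_name: backupdr.cloud.google.com.
    local_data:
    - local_datas:
      - name: backupdr.cloud.google.com.
        rrdatas:
        - private.googleapis.com.
        ttl: null
        type: CNAME
    project: fast2-prod-net-landing-0
    response_policy: googleapis
    rule_name: backupdr-cloud
    timeouts: null
  # Wildcard names stay quoted: a plain scalar starting with "*" would be
  # read as a YAML alias.
  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]:
    behavior: null
    dns_name: '*.backupdr.cloud.google.com.'
    local_data:
    - local_datas:
      - name: '*.backupdr.cloud.google.com.'
        rrdatas:
        - private.googleapis.com.
        ttl: null
        type: CNAME
    project: fast2-prod-net-landing-0
    response_policy: googleapis
    rule_name: backupdr-cloud-all
    timeouts: null
  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]:
    behavior: null
    dns_name: backupdr.googleusercontent.google.com.
    local_data:
    - local_datas:
      - name: backupdr.googleusercontent.google.com.
        rrdatas:
        - private.googleapis.com.
        ttl: null
        type: CNAME
    project: fast2-prod-net-landing-0
    response_policy: googleapis
    rule_name: backupdr-gu
    timeouts: null
  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]:
    behavior: null
    dns_name: '*.backupdr.googleusercontent.google.com.'
    local_data:
    - local_datas:
      - name: '*.backupdr.googleusercontent.google.com.'
        rrdatas:
        - private.googleapis.com.
        ttl: null
        type: CNAME
    project: fast2-prod-net-landing-0
    response_policy: googleapis
    rule_name: backupdr-gu-all
    timeouts: null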
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]:
behavior : null
dns_name : '*.cloudfunctions.net.'
local_data :
- local_datas :
- name : '*.cloudfunctions.net.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : cloudfunctions
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]:
behavior : null
dns_name : '*.cloudproxy.app.'
local_data :
- local_datas :
- name : '*.cloudproxy.app.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : cloudproxy
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]:
behavior : null
dns_name : '*.composer.cloud.google.com.'
local_data :
- local_datas :
- name : '*.composer.cloud.google.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : composer-cloud-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]:
behavior : null
dns_name : '*.composer.googleusercontent.com.'
local_data :
- local_datas :
- name : '*.composer.googleusercontent.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : composer-gu-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]:
behavior : null
dns_name : '*.datafusion.cloud.google.com.'
local_data :
- local_datas :
- name : '*.datafusion.cloud.google.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : datafusion-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]:
behavior : null
dns_name : '*.datafusion.googleusercontent.com.'
local_data :
- local_datas :
- name : '*.datafusion.googleusercontent.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : datafusion-gu-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]:
behavior : null
dns_name : dataproc.cloud.google.com.
local_data :
- local_datas :
- name : dataproc.cloud.google.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : dataproc
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]:
behavior : null
dns_name : '*.dataproc.cloud.google.com.'
local_data :
- local_datas :
- name : '*.dataproc.cloud.google.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : dataproc-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]:
behavior : null
dns_name : dataproc.googleusercontent.com.
local_data :
- local_datas :
- name : dataproc.googleusercontent.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : dataproc-gu
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]:
behavior : null
dns_name : '*.dataproc.googleusercontent.com.'
local_data :
- local_datas :
- name : '*.dataproc.googleusercontent.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : dataproc-gu-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]:
behavior : null
dns_name : dl.google.com.
local_data :
- local_datas :
- name : dl.google.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : dl
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]:
behavior : null
dns_name : gcr.io.
local_data :
- local_datas :
- name : gcr.io.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : gcr
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]:
behavior : null
dns_name : '*.gcr.io.'
local_data :
- local_datas :
- name : '*.gcr.io.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : gcr-all
timeouts : null
# Wildcard override: any name under googleapis.com. is answered with a CNAME to
# private.googleapis.com., so API hostnames resolve to the private VIP.
# NOTE(review): the target is the `private` VIP, not `restricted`; the private
# VIP also serves APIs that VPC Service Controls does not support - confirm
# this choice matches the perimeter design.
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]:
behavior : null
dns_name : '*.googleapis.com.'
local_data :
- local_datas :
- name : '*.googleapis.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : googleapis-all
timeouts : null
# A records for private.googleapis.com.: the four addresses 199.36.153.8-11,
# i.e. the /30 that the `private-googleapis` route in this file points at.
# Every CNAME rule in this policy that targets private.googleapis.com. ends up
# at these addresses.
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]:
behavior : null
dns_name : private.googleapis.com.
local_data :
- local_datas :
- name : private.googleapis.com.
rrdatas :
- 199.36 .153 .8
- 199.36 .153 .9
- 199.36 .153 .10
- 199.36 .153 .11
ttl : null
type : A
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : googleapis-private
timeouts : null
# A records for restricted.googleapis.com.: the four addresses 199.36.153.4-7,
# matching the `restricted-googleapis` route and the `gcp-restricted` BGP
# advertisement elsewhere in this file.
# No CNAME rule visible in this part of the file targets this name; it only
# resolves when queried directly.
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]:
behavior : null
dns_name : restricted.googleapis.com.
local_data :
- local_datas :
- name : restricted.googleapis.com.
rrdatas :
- 199.36 .153 .4
- 199.36 .153 .5
- 199.36 .153 .6
- 199.36 .153 .7
ttl : null
type : A
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : googleapis-restricted
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]:
behavior : null
dns_name : '*.gstatic.com.'
local_data :
- local_datas :
- name : '*.gstatic.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : gstatic-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]:
behavior : null
dns_name : kernels.googleusercontent.com.
local_data :
- local_datas :
- name : kernels.googleusercontent.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : kernels-gu
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]:
behavior : null
dns_name : '*.kernels.googleusercontent.com.'
local_data :
- local_datas :
- name : '*.kernels.googleusercontent.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : kernels-gu-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]:
behavior : null
dns_name : '*.notebooks.cloud.google.com.'
local_data :
- local_datas :
- name : '*.notebooks.cloud.google.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : notebooks-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]:
behavior : null
dns_name : '*.notebooks.googleusercontent.com.'
local_data :
- local_datas :
- name : '*.notebooks.googleusercontent.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : notebooks-gu-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]:
behavior : null
dns_name : packages.cloud.google.com.
local_data :
- local_datas :
- name : packages.cloud.google.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : packages-cloud
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]:
behavior : null
dns_name : '*.packages.cloud.google.com.'
local_data :
- local_datas :
- name : '*.packages.cloud.google.com.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : packages-cloud-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]:
behavior : null
dns_name : pkg.dev.
local_data :
- local_datas :
- name : pkg.dev.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : pkgdev
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]:
behavior : null
dns_name : '*.pkg.dev.'
local_data :
- local_datas :
- name : '*.pkg.dev.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : pkgdev-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]:
behavior : null
dns_name : pki.goog.
local_data :
- local_datas :
- name : pki.goog.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : pkigoog
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]:
behavior : null
dns_name : '*.pki.goog.'
local_data :
- local_datas :
- name : '*.pki.goog.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : pkigoog-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]:
behavior : null
dns_name : '*.run.app.'
local_data :
- local_datas :
- name : '*.run.app.'
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : run-all
timeouts : null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]:
behavior : null
dns_name : source.developers.google.com.
local_data :
- local_datas :
- name : source.developers.google.com.
rrdatas :
- private.googleapis.com.
ttl : null
type : CNAME
project : fast2-prod-net-landing-0
response_policy : googleapis
rule_name : source
timeouts : null
module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0] :
cloud_logging_config :
- enable_logging : false
description : Terraform managed.
dns_name : gcp.example.com.
dnssec_config : [ ]
force_destroy : false
forwarding_config : [ ]
labels : null
name : gcp-example-com
peering_config : [ ]
project : fast2-prod-net-landing-0
service_directory_config : [ ]
timeouts : null
visibility : private
# Sample A record in the private zone gcp-example-com:
# localhost.gcp.example.com. -> 127.0.0.1, TTL 300.
# NOTE(review): a loopback record under an organisational domain makes a
# same-site hostname resolve to each client's own machine; confirm it is only
# a placeholder record before reusing this zone layout.
module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]:
managed_zone : gcp-example-com
name : localhost.gcp.example.com.
project : fast2-prod-net-landing-0
routing_policy : [ ]
rrdatas :
- 127.0 .0 .1
ttl : 300
type : A
module.landing-nat-primary[0].google_compute_router.router[0] :
bgp : [ ]
description : null
encrypted_interconnect_router : null
name : prod-nat-ew1
project : fast2-prod-net-landing-0
region : europe-west1
timeouts : null
# Cloud NAT `ew1` on router prod-nat-ew1: NATs all subnetworks and all IP
# ranges, with automatically allocated NAT addresses (AUTO_ONLY, nat_ips null).
# NOTE(review): log_config.enable is false, so no NAT logs are produced even
# though filter is ALL; AUTO_ONLY also means egress source IPs are not pinned -
# confirm both are acceptable if egress needs to be audited or allow-listed.
module.landing-nat-primary[0].google_compute_router_nat.nat :
drain_nat_ips : null
enable_dynamic_port_allocation : false
enable_endpoint_independent_mapping : true
icmp_idle_timeout_sec : 30
log_config :
- enable : false
filter : ALL
max_ports_per_vm : 65536
min_ports_per_vm : 64
name : ew1
nat_ip_allocate_option : AUTO_ONLY
nat_ips : null
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-nat-ew1
rules : [ ]
source_subnetwork_ip_ranges_to_nat : ALL_SUBNETWORKS_ALL_IP_RANGES
subnetwork : [ ]
tcp_established_idle_timeout_sec : 1200
tcp_time_wait_timeout_sec : 120
tcp_transitory_idle_timeout_sec : 30
timeouts : null
udp_idle_timeout_sec : 30
module.landing-nat-secondary[0].google_compute_router.router[0] :
bgp : [ ]
description : null
encrypted_interconnect_router : null
name : prod-nat-ew4
project : fast2-prod-net-landing-0
region : europe-west4
timeouts : null
# Cloud NAT `ew4` on router prod-nat-ew4 (europe-west4): NATs all subnetworks
# and all IP ranges, with automatically allocated NAT addresses.
# NOTE(review): log_config.enable is false here as well, so NAT translations
# in this region are not logged - confirm that is intended.
module.landing-nat-secondary[0].google_compute_router_nat.nat :
drain_nat_ips : null
enable_dynamic_port_allocation : false
enable_endpoint_independent_mapping : true
icmp_idle_timeout_sec : 30
log_config :
- enable : false
filter : ALL
max_ports_per_vm : 65536
min_ports_per_vm : 64
name : ew4
nat_ip_allocate_option : AUTO_ONLY
nat_ips : null
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-nat-ew4
rules : [ ]
source_subnetwork_ip_ranges_to_nat : ALL_SUBNETWORKS_ALL_IP_RANGES
subnetwork : [ ]
tcp_established_idle_timeout_sec : 1200
tcp_time_wait_timeout_sec : 120
tcp_transitory_idle_timeout_sec : 30
timeouts : null
udp_idle_timeout_sec : 30
module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0] :
project : fast2-prod-net-landing-0
timeouts : null
# Landing host project. auto_create_network is false, so the project starts
# without the auto-created `default` network; the VPCs in this file are the
# explicitly managed ones.
# billing_account is a fixture placeholder value.
module.landing-project.google_project.project[0] :
auto_create_network : false
billing_account : 000000 -111111 -222222
folder_id : null
labels : null
name : fast2-prod-net-landing-0
org_id : null
project_id : fast2-prod-net-landing-0
skip_delete : false
timeouts : null
# Authoritative binding for a custom organization role on the project:
# google_project_iam_binding owns the complete member list of the role, so
# members granted outside Terraform are removed on apply.
# `serviceAccount:string` is a placeholder member, not a real identity.
module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]:
condition : [ ]
members :
- serviceAccount:string
project : fast2-prod-net-landing-0
role : organizations/123456789012/roles/foo
# Authoritative binding of roles/dns.admin on the landing project, with no IAM
# condition attached (condition is empty).
# NOTE(review): holders of this role can change the zones and response policy
# rules defined in this file; `serviceAccount:string` is a placeholder - check
# the real member list where the fixture is generated.
module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
condition : [ ]
members :
- serviceAccount:string
project : fast2-prod-net-landing-0
role : roles/dns.admin
module.landing-project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : compute.googleapis.com
timeouts : null
module.landing-project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : dns.googleapis.com
timeouts : null
module.landing-project.google_project_service.project_services["iap.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : iap.googleapis.com
timeouts : null
module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : networkconnectivity.googleapis.com
timeouts : null
module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : networkmanagement.googleapis.com
timeouts : null
module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-landing-0
service : stackdriver.googleapis.com
timeouts : null
module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
project : fast2-prod-net-landing-0
service : iap.googleapis.com
timeouts : null
# Peer (on-prem side) gateway definition for the europe-west1 VPN: a single
# interface, redundancy type SINGLE_IP_INTERNALLY_REDUNDANT.
# ip_address 8.8.8.8 is a fixture placeholder, not a real on-prem endpoint.
module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
description : Terraform managed external VPN gateway
interface :
- id : 0
ip_address : 8.8 .8 .8
labels : null
name : vpn-to-onprem-ew1-default
project : fast2-prod-net-landing-0
redundancy_type : SINGLE_IP_INTERNALLY_REDUNDANT
timeouts : null
module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0] :
description : Terraform managed external VPN gateway
name : vpn-to-onprem-ew1
project : fast2-prod-net-landing-0
region : europe-west1
stack_type : IPV4_ONLY
timeouts : null
# Cloud Router for the europe-west1 on-prem VPN, local ASN 65501.
# advertise_mode CUSTOM with no advertised_groups: only the three listed
# ranges are announced to on-prem (10.1.0.0/16, the restricted Google APIs
# VIP 199.36.153.4/30, and 35.199.192.0/19, labelled gcp-dns).
# NOTE(review): the private VIP range 199.36.153.8/30 is not in this list;
# confirm on-prem clients are meant to use the restricted VIP only.
module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0] :
bgp :
- advertise_mode : CUSTOM
advertised_groups : [ ]
advertised_ip_ranges :
- description : gcp
range : 10.1 .0 .0 /16
- description : gcp-restricted
range : 199.36 .153 .4 /30
- description : gcp-dns
range : 35.199 .192 .0 /19
asn : 65501
keepalive_interval : 20
description : null
encrypted_interconnect_router : null
name : vpn-vpn-to-onprem-ew1
project : fast2-prod-net-landing-0
region : europe-west1
timeouts : null
module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]:
interconnect_attachment : null
ip_range : 169.254 .1 .2 /30
name : vpn-to-onprem-ew1-0
private_ip_address : null
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
subnetwork : null
timeouts : null
vpn_tunnel : vpn-to-onprem-ew1-0
module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]:
interconnect_attachment : null
ip_range : 169.254 .2 .2 /30
name : vpn-to-onprem-ew1-1
private_ip_address : null
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
subnetwork : null
timeouts : null
vpn_tunnel : vpn-to-onprem-ew1-1
# BGP session over tunnel interface vpn-to-onprem-ew1-0 to peer 169.254.1.1
# (ASN 65500); the router interface of the same name uses 169.254.1.2/30.
# md5_authentication_key is empty, so the session has no MD5 authentication;
# it presumably relies on the IPsec tunnel it runs over - confirm.
module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
advertise_mode : DEFAULT
advertised_groups : [ ]
advertised_ip_ranges : [ ]
advertised_route_priority : 1000
enable : true
enable_ipv6 : false
interface : vpn-to-onprem-ew1-0
md5_authentication_key : [ ]
name : vpn-to-onprem-ew1-0
peer_asn : 65500
peer_ip_address : 169.254 .1 .1
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
router_appliance_instance : null
timeouts : null
# BGP session over tunnel interface vpn-to-onprem-ew1-1 to peer 169.254.2.1;
# the router interface of the same name uses 169.254.2.2/30.
# NOTE(review): peer_asn is 64513 here but 65500 on bgp_peer["0"], although
# both tunnels terminate on the same single-interface external gateway -
# confirm the differing ASNs are intentional fixture data.
# md5_authentication_key is empty (no MD5 authentication on the session).
module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
advertise_mode : DEFAULT
advertised_groups : [ ]
advertised_ip_ranges : [ ]
advertised_route_priority : 1000
enable : true
enable_ipv6 : false
interface : vpn-to-onprem-ew1-1
md5_authentication_key : [ ]
name : vpn-to-onprem-ew1-1
peer_asn : 64513
peer_ip_address : 169.254 .2 .1
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
router_appliance_instance : null
timeouts : null
# HA VPN tunnel 0 (gateway interface 0) to on-prem, IKEv2.
# shared_secret is the IKE pre-shared key; `foo` is a test literal. Real key
# material belongs in a secret store and must not appear in committed plan
# snapshots such as this one.
module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
description : null
ike_version : 2
labels : null
name : vpn-to-onprem-ew1-0
peer_external_gateway_interface : null
peer_gcp_gateway : null
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
shared_secret : foo
target_vpn_gateway : null
timeouts : null
vpn_gateway_interface : 0
# HA VPN tunnel 1 (gateway interface 1) to on-prem, IKEv2.
# NOTE(review): uses the same test pre-shared key `foo` as tunnel 0; in a real
# deployment confirm whether tunnels are meant to share one key.
module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
description : null
ike_version : 2
labels : null
name : vpn-to-onprem-ew1-1
peer_external_gateway_interface : null
peer_gcp_gateway : null
project : fast2-prod-net-landing-0
region : europe-west1
router : vpn-vpn-to-onprem-ew1
shared_secret : foo
target_vpn_gateway : null
timeouts : null
vpn_gateway_interface : 1
# random_id producing 8 random bytes (64 bits).
# NOTE(review): the tunnels in this snapshot carry the literal shared_secret
# `foo`, so whether this value is ever used as a pre-shared key is not visible
# here; if it is, 8 bytes is short for an IKE PSK - verify in the module.
module.landing-to-onprem-primary-vpn[0].random_id.secret :
byte_length : 8
keepers : null
prefix : null
# Peer (on-prem side) gateway definition for the europe-west4 VPN: a single
# interface, redundancy type SINGLE_IP_INTERNALLY_REDUNDANT.
# ip_address 8.8.4.4 is a fixture placeholder, not a real on-prem endpoint.
module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
description : Terraform managed external VPN gateway
interface :
- id : 0
ip_address : 8.8 .4 .4
labels : null
name : vpn-to-onprem-ew4-default
project : fast2-prod-net-landing-0
redundancy_type : SINGLE_IP_INTERNALLY_REDUNDANT
timeouts : null
module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0] :
description : Terraform managed external VPN gateway
name : vpn-to-onprem-ew4
project : fast2-prod-net-landing-0
region : europe-west4
stack_type : IPV4_ONLY
timeouts : null
# Cloud Router for the europe-west4 on-prem VPN, local ASN 65501 (same ASN as
# the europe-west1 VPN router).
# advertise_mode CUSTOM with no advertised_groups: only the three listed
# ranges are announced to on-prem, identical to the primary router's list.
module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0] :
bgp :
- advertise_mode : CUSTOM
advertised_groups : [ ]
advertised_ip_ranges :
- description : gcp
range : 10.1 .0 .0 /16
- description : gcp-restricted
range : 199.36 .153 .4 /30
- description : gcp-dns
range : 35.199 .192 .0 /19
asn : 65501
keepalive_interval : 20
description : null
encrypted_interconnect_router : null
name : vpn-vpn-to-onprem-ew4
project : fast2-prod-net-landing-0
region : europe-west4
timeouts : null
module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]:
interconnect_attachment : null
ip_range : 169.254 .3 .2 /30
name : vpn-to-onprem-ew4-0
private_ip_address : null
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
subnetwork : null
timeouts : null
vpn_tunnel : vpn-to-onprem-ew4-0
module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]:
interconnect_attachment : null
ip_range : 169.254 .4 .2 /30
name : vpn-to-onprem-ew4-1
private_ip_address : null
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
subnetwork : null
timeouts : null
vpn_tunnel : vpn-to-onprem-ew4-1
# BGP session over tunnel interface vpn-to-onprem-ew4-0 (peer ASN 65500).
# NOTE(review): peer_ip_address 169.254.1.1 lies outside the 169.254.3.2/30
# range configured on router_interface["0"] of this module, and repeats the
# primary VPN's peer address - looks like copied fixture data; verify.
# md5_authentication_key is empty (no MD5 authentication on the session).
module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
advertise_mode : DEFAULT
advertised_groups : [ ]
advertised_ip_ranges : [ ]
advertised_route_priority : 1000
enable : true
enable_ipv6 : false
interface : vpn-to-onprem-ew4-0
md5_authentication_key : [ ]
name : vpn-to-onprem-ew4-0
peer_asn : 65500
peer_ip_address : 169.254 .1 .1
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
router_appliance_instance : null
timeouts : null
# BGP session over tunnel interface vpn-to-onprem-ew4-1 (peer ASN 64513).
# NOTE(review): peer_ip_address 169.254.2.1 lies outside the 169.254.4.2/30
# range configured on router_interface["1"] of this module - verify against
# the variables that generate this fixture.
# md5_authentication_key is empty (no MD5 authentication on the session).
module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
advertise_mode : DEFAULT
advertised_groups : [ ]
advertised_ip_ranges : [ ]
advertised_route_priority : 1000
enable : true
enable_ipv6 : false
interface : vpn-to-onprem-ew4-1
md5_authentication_key : [ ]
name : vpn-to-onprem-ew4-1
peer_asn : 64513
peer_ip_address : 169.254 .2 .1
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
router_appliance_instance : null
timeouts : null
# HA VPN tunnel 0 (gateway interface 0) to on-prem in europe-west4, IKEv2.
# shared_secret is the IKE pre-shared key; `foo` is a test literal. Real key
# material must not appear in committed plan snapshots such as this one.
module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
description : null
ike_version : 2
labels : null
name : vpn-to-onprem-ew4-0
peer_external_gateway_interface : null
peer_gcp_gateway : null
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
shared_secret : foo
target_vpn_gateway : null
timeouts : null
vpn_gateway_interface : 0
# HA VPN tunnel 1 (gateway interface 1) to on-prem in europe-west4, IKEv2.
# Carries the same test pre-shared key `foo` as the other tunnels in this file.
module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
description : null
ike_version : 2
labels : null
name : vpn-to-onprem-ew4-1
peer_external_gateway_interface : null
peer_gcp_gateway : null
project : fast2-prod-net-landing-0
region : europe-west4
router : vpn-vpn-to-onprem-ew4
shared_secret : foo
target_vpn_gateway : null
timeouts : null
vpn_gateway_interface : 1
module.landing-to-onprem-secondary-vpn[0].random_id.secret :
byte_length : 8
keepers : null
prefix : null
# Ingress allow for tcp/22 from the listed Google health-check source ranges.
# NOTE(review): target_tags and target_service_accounts are both null, so the
# rule is not limited to the NVAs named in the description; a GCP rule without
# targets applies to every instance in its network. Compare with the BGP rule
# in this module, which sets target_tags to `nva`.
# log_config is empty, so matches on this rule are not logged.
module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]:
allow :
- ports :
- '22'
protocol : tcp
deny : [ ]
description : Allow traffic from Google healthchecks to NVA appliances
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-hc-nva-ssh-landing
priority : 1000
project : fast2-prod-net-landing-0
source_ranges :
- 130.211 .0 .0 /22
- 209.85 .152 .0 /22
- 209.85 .204 .0 /22
- 35.191 .0 .0 /16
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags : null
timeouts : null
# Ingress allow for BGP (tcp/179) from four /32 sources to instances tagged
# `nva`; per the description the sources are the NCC Cloud Router addresses.
# Source and target are both narrowed here: single hosts on one side, a
# network tag on the other. log_config is empty (no logging for this rule).
module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]:
allow :
- ports :
- '179'
protocol : tcp
deny : [ ]
description : Allow BGP traffic from NCC Cloud Routers to NVAs
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-ncc-nva-bgp-landing
priority : 1000
project : fast2-prod-net-landing-0
source_ranges :
- 10.128 .64 .201 /32
- 10.128 .64 .202 /32
- 10.128 .96 .201 /32
- 10.128 .96 .202 /32
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags :
- nva
timeouts : null
# Example ingress allow for tcp/12345 from the single host 10.255.255.254.
# NOTE(review): no target tags or service accounts are set, so the rule covers
# every instance in its network; narrow the target when adapting this example.
module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]:
allow :
- ports :
- '12345'
protocol : tcp
deny : [ ]
description : Allow traffic from onprem probes
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-onprem-probes-landing-example
priority : 1000
project : fast2-prod-net-landing-0
source_ranges :
- 10.255 .255 .254 /32
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags : null
timeouts : null
# Catch-all ingress deny: all protocols from 0.0.0.0/0 at priority 65535, the
# lowest precedence, so every allow rule in this file (priority 1000) wins.
# A log_config entry is present, so denied connections are logged; metadata is
# set to EXCLUDE_ALL_METADATA, which leaves the extra metadata fields out of
# those log records.
module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]:
allow : [ ]
deny :
- ports : [ ]
protocol : all
description : Deny and log any unmatched ingress traffic.
direction : INGRESS
disabled : false
log_config :
- metadata : EXCLUDE_ALL_METADATA
name : landing-ingress-default-deny
priority : 65535
project : fast2-prod-net-landing-0
source_ranges :
- 0.0 .0 .0 /0
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags : null
timeouts : null
# Landing VPC prod-landing-0: custom-mode (auto_create_subnetworks false) with
# global routing.
# delete_default_routes_on_create is true, so the network starts without a
# default internet route; the two gateway routes for the Google API VIP ranges
# in this module are added explicitly. The DMZ VPC in this file keeps its
# default routes (false).
module.landing-vpc.google_compute_network.network[0] :
auto_create_subnetworks : false
delete_default_routes_on_create : true
description : Terraform-managed.
enable_ula_internal_ipv6 : null
mtu : 1500
name : prod-landing-0
network_firewall_policy_enforcement_order : AFTER_CLASSIC_FIREWALL
project : fast2-prod-net-landing-0
routing_mode : GLOBAL
timeouts : null
# Static route for 199.36.153.8/30 (the private.googleapis.com addresses used
# by the DNS response policy in this file) via default-internet-gateway.
# tags is null, so the route applies to all instances in the VPC.
module.landing-vpc.google_compute_route.gateway["private-googleapis"]:
description : Terraform-managed.
dest_range : 199.36 .153 .8 /30
name : prod-landing-0-private-googleapis
next_hop_gateway : default-internet-gateway
next_hop_ilb : null
next_hop_instance : null
next_hop_vpn_tunnel : null
priority : 1000
project : fast2-prod-net-landing-0
tags : null
timeouts : null
# Static route for 199.36.153.4/30 (the restricted.googleapis.com addresses)
# via default-internet-gateway; the same range is advertised to on-prem by the
# VPN routers in this file. tags is null, so it applies to all instances.
module.landing-vpc.google_compute_route.gateway["restricted-googleapis"]:
description : Terraform-managed.
dest_range : 199.36 .153 .4 /30
name : prod-landing-0-restricted-googleapis
next_hop_gateway : default-internet-gateway
next_hop_ilb : null
next_hop_instance : null
next_hop_vpn_tunnel : null
priority : 1000
project : fast2-prod-net-landing-0
tags : null
timeouts : null
# Landing subnet 10.64.0.0/24 in europe-west1, Private Google Access enabled.
# NOTE(review): log_config is empty, so VPC Flow Logs are not configured for
# this subnet - confirm, given that it hosts the NVA landing addresses.
module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]:
description : Default europe-west1 subnet for landing
ip_cidr_range : 10.64 .0 .0 /24
ipv6_access_type : null
log_config : [ ]
name : landing-default
private_ip_google_access : true
project : fast2-prod-net-landing-0
region : europe-west1
role : null
secondary_ip_range : [ ]
timeouts : null
# Landing subnet 10.80.0.0/24 in europe-west4, Private Google Access enabled.
# log_config is empty, so VPC Flow Logs are not configured for this subnet.
module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]:
description : Default europe-west4 subnet for landing
ip_cidr_range : 10.80 .0 .0 /24
ipv6_access_type : null
log_config : [ ]
name : landing-default
private_ip_google_access : true
project : fast2-prod-net-landing-0
region : europe-west4
role : null
secondary_ip_range : [ ]
timeouts : null
# DNS server policy for the landing VPC with inbound forwarding enabled, which
# lets resolvers outside the VPC (presumably on-prem, over the VPN) query
# Cloud DNS through forwarder addresses in the VPC's subnets.
# NOTE(review): enable_logging is null here, while the DMZ VPC's policy in
# this file sets it to true - confirm the difference is intended.
module.landing-vpc.google_dns_policy.default[0] :
alternative_name_server_config : [ ]
description : Managed by Terraform
enable_inbound_forwarding : true
enable_logging : null
name : prod-landing-0
networks :
- {}
project : fast2-prod-net-landing-0
timeouts : null
# Ingress allow for tcp/22 from the listed Google health-check source ranges.
# NOTE(review): target_tags and target_service_accounts are both null, so the
# rule is not limited to the NVAs named in the description; a GCP rule without
# targets applies to every instance in its network. The BGP rules in this
# module set target_tags to `nva`.
# log_config is empty, so matches on this rule are not logged.
module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]:
allow :
- ports :
- '22'
protocol : tcp
deny : [ ]
description : Allow traffic from Google healthchecks to NVA appliances
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-hc-nva-ssh-dmz
priority : 1000
project : fast2-prod-net-landing-0
source_ranges :
- 130.211 .0 .0 /22
- 209.85 .152 .0 /22
- 209.85 .204 .0 /22
- 35.191 .0 .0 /16
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags : null
timeouts : null
# Ingress allow for BGP (tcp/179) from four /32 sources to instances tagged
# `nva`; per the description the sources are the NCC Cloud Router addresses.
# log_config is empty (no logging for this rule).
module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]:
allow :
- ports :
- '179'
protocol : tcp
deny : [ ]
description : Allow BGP traffic from NCC Cloud Routers to NVAs
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-ncc-nva-bgp-dmz
priority : 1000
project : fast2-prod-net-landing-0
source_ranges :
- 10.128 .0 .201 /32
- 10.128 .0 .202 /32
- 10.128 .32 .201 /32
- 10.128 .32 .202 /32
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags :
- nva
timeouts : null
# Ingress allow for BGP (tcp/179) between instances tagged `nva`: source and
# target are both selected by network tag, with no source_ranges.
# NOTE(review): network tags can be set by anyone allowed to edit an instance,
# so tag-based rules are only as strong as instance-edit permissions in the
# project; service-account targets are the stricter alternative.
module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]:
allow :
- ports :
- '179'
protocol : tcp
deny : [ ]
description : Allow BGP traffic from cross-regional NVAs
direction : INGRESS
disabled : false
log_config : [ ]
name : allow-nva-nva-bgp-dmz
priority : 1000
project : fast2-prod-net-landing-0
source_ranges : null
source_service_accounts : null
source_tags :
- nva
target_service_accounts : null
target_tags :
- nva
timeouts : null
# Catch-all ingress deny for the DMZ: all protocols from 0.0.0.0/0 at priority
# 65535, the lowest precedence, so the priority-1000 allow rules win.
# A log_config entry is present, so denied connections are logged; metadata is
# set to EXCLUDE_ALL_METADATA.
module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]:
allow : [ ]
deny :
- ports : [ ]
protocol : all
description : Deny and log any unmatched ingress traffic.
direction : INGRESS
disabled : false
log_config :
- metadata : EXCLUDE_ALL_METADATA
name : dmz-ingress-default-deny
priority : 65535
project : fast2-prod-net-landing-0
source_ranges :
- 0.0 .0 .0 /0
source_service_accounts : null
source_tags : null
target_service_accounts : null
target_tags : null
timeouts : null
# DMZ VPC prod-dmz-0: custom-mode with global routing.
# delete_default_routes_on_create is false, so unlike the landing VPC this
# network keeps its default routes - presumably the internet-facing side of
# the NVAs; verify against the stage design.
module.dmz-vpc.google_compute_network.network[0] :
auto_create_subnetworks : false
delete_default_routes_on_create : false
description : Terraform-managed.
enable_ula_internal_ipv6 : null
mtu : 1500
name : prod-dmz-0
network_firewall_policy_enforcement_order : AFTER_CLASSIC_FIREWALL
project : fast2-prod-net-landing-0
routing_mode : GLOBAL
timeouts : null
# DMZ subnet 10.64.128.0/24 in europe-west1, Private Google Access enabled.
# NOTE(review): log_config is empty, so VPC Flow Logs are not configured on
# this subnet even though its VPC keeps default routes - confirm.
module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]:
description : Default europe-west1 subnet for DMZ
ip_cidr_range : 10.64 .128 .0 /24
ipv6_access_type : null
log_config : [ ]
name : dmz-default
private_ip_google_access : true
project : fast2-prod-net-landing-0
region : europe-west1
role : null
secondary_ip_range : [ ]
timeouts : null
# DMZ subnet 10.80.128.0/24 in europe-west4, Private Google Access enabled.
# log_config is empty, so VPC Flow Logs are not configured for this subnet.
module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]:
description : Default europe-west4 subnet for DMZ
ip_cidr_range : 10.80 .128 .0 /24
ipv6_access_type : null
log_config : [ ]
name : dmz-default
private_ip_google_access : true
project : fast2-prod-net-landing-0
region : europe-west4
role : null
secondary_ip_range : [ ]
timeouts : null
# DNS server policy for the DMZ VPC: inbound forwarding and query logging are
# both enabled (enable_logging is true; the landing VPC's policy leaves it
# null).
# NOTE(review): inbound forwarding exposes forwarder addresses in the DMZ
# subnets - confirm it is needed on the DMZ side as well as on landing.
module.dmz-vpc.google_dns_policy.default[0] :
alternative_name_server_config : [ ]
description : Managed by Terraform
enable_inbound_forwarding : true
enable_logging : true
name : prod-dmz-0
networks :
- {}
project : fast2-prod-net-landing-0
timeouts : null
# Network virtual appliance (NVA) VM in europe-west1-b: a Container-Optimized OS
# instance that runs FRR (BGP) in a container, configured through the cloud-config
# carried in metadata.user-data.
module.nva["primary-b"].google_compute_instance.default[0]:
advanced_machine_features : [ ]
allow_stopping_for_update : true
attached_disk : [ ]
boot_disk :
- auto_delete : true
disk_encryption_key_raw : null
initialize_params :
- enable_confidential_compute : null
# Image family reference, not a pinned image: the boot image is whatever
# cos-stable resolves to when the disk is created.
image : projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags : null
size : 10
type : pd-balanced
mode : READ_WRITE
# IP forwarding is on: the VM may send and receive packets whose source or
# destination is not its own address, which the routing role requires.
can_ip_forward : true
deletion_protection : false
description : Managed by the compute-vm Terraform module.
desired_status : null
enable_display : false
hostname : null
labels : null
machine_type : e2-standard-2
metadata :
# cloud-config applied at boot. Security-relevant points in the payload:
# - frr.service starts the FRR container with `--privileged --network host`, so a
#   compromise of the routing daemon amounts to host-level access. The image
#   reference `frrouting/frr` has no tag or digest, so its content is resolved at
#   container start; pinning by digest would make the deployment reproducible.
# - frr.conf declares its BGP neighbors without a `password` statement and sets
#   `no bgp ebgp-requires-policy`; start-routing.sh sets the FORWARD policy to
#   ACCEPT and accepts tcp/179 from any source. Restricting who can peer or
#   transit presumably relies on VPC firewall rules; verify against the firewall
#   resources in this plan.
# - start-routing.sh masquerades everything leaving eth0, so records taken beyond
#   that interface show the NVA address rather than the original source.
# - /etc/frr/daemons and /etc/frr/frr.conf are written with mode 0744, while the
#   other non-script files use 0644.
# - NOTE(review): start-routing.sh adds routes for 10.64.127.0/17 and
#   10.80.127.0/17, which are not aligned to a /17 boundary (the DMZ subnets in
#   this plan are 10.64.128.0/24 and 10.80.128.0/24). Confirm the intended
#   prefixes in the template that renders this value.
user-data : "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner : root\n\
\ permissions: 0744\n content : |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path : /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content : |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.64.128.101/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\
\ permit 20\n match ip address prefix-list SECONDARY\n set metric\
\ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\
\ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\
\ permit 10\n match ip address prefix-list PRIMARY\n set metric\
\ 50\n \n router bgp 64513\n bgp router-id 10.64.128.101\n\
\ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\
\ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \
\ no bgp network import-check\n !\n neighbor 10.64.128.201\
\ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\
\ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\
\ update-source 10.64.0.101\n neighbor 10.64.0.202 remote-as 64515\n\
\ neighbor 10.64.0.202 update-source 10.64.0.101\n !\n neighbor\
\ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\
\ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\
\ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\
\ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\
\ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\
\ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\
\ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\
\ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\
\ soft-reconfiguration inbound\n exit-address-family\n \n\n -\
\ path: /etc/frr/vtysh.conf\n owner: root\n permissions : 0644 \n content:\
\ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\
\ Apache License, Version 2.0 (the \"License\");\n # you may not use\
\ this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path : /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content : |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path : /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content : |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path : /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content : |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content : |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner : root\n permissions:\
\ 0744\n content : |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n ' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions : 0644 \n owner:\
\ root\n content : |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content : |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
metadata_startup_script : null
name : nva-ew1-b
# Two NICs, neither with an access_config entry, so no external IP is attached.
# The first address lies in the DMZ subnet range and the second in the landing
# range (presumably eth0 and eth1 in the boot scripts; confirm).
network_interface :
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
network_ip : 10.64 .128 .101
nic_type : null
queue_count : null
security_policy : null
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
network_ip : 10.64 .0 .101
nic_type : null
queue_count : null
security_policy : null
network_performance_config : [ ]
params : [ ]
project : fast2-prod-net-landing-0
resource_policies : null
scheduling :
- automatic_restart : true
instance_termination_action : null
local_ssd_recovery_timeout : [ ]
maintenance_interval : null
max_run_duration : [ ]
min_node_cpus : null
node_affinities : [ ]
on_host_maintenance : MIGRATE
preemptible : false
provisioning_model : STANDARD
scratch_disk : [ ]
# Access scopes are limited to read-only Cloud Storage plus log and metric writes;
# the service account identity itself is not shown in this excerpt.
service_account :
- scopes :
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
# No shielded-VM block in the plan; whether Secure Boot, vTPM and integrity
# monitoring end up enabled is not determined here. TODO confirm on the module.
shielded_instance_config : [ ]
# Network tag; firewall rules or routes that select on "nva" are outside this excerpt.
tags :
- nva
timeouts : null
zone : europe-west1-b
# Network virtual appliance (NVA) VM in europe-west1-c: a Container-Optimized OS
# instance that runs FRR (BGP) in a container, configured through the cloud-config
# carried in metadata.user-data.
module.nva["primary-c"].google_compute_instance.default[0]:
advanced_machine_features : [ ]
allow_stopping_for_update : true
attached_disk : [ ]
boot_disk :
- auto_delete : true
disk_encryption_key_raw : null
initialize_params :
- enable_confidential_compute : null
# Image family reference, not a pinned image: the boot image is whatever
# cos-stable resolves to when the disk is created.
image : projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags : null
size : 10
type : pd-balanced
mode : READ_WRITE
# IP forwarding is on: the VM may send and receive packets whose source or
# destination is not its own address, which the routing role requires.
can_ip_forward : true
deletion_protection : false
description : Managed by the compute-vm Terraform module.
desired_status : null
enable_display : false
hostname : null
labels : null
machine_type : e2-standard-2
metadata :
# cloud-config applied at boot. Security-relevant points in the payload:
# - frr.service starts the FRR container with `--privileged --network host`, so a
#   compromise of the routing daemon amounts to host-level access. The image
#   reference `frrouting/frr` has no tag or digest, so its content is resolved at
#   container start; pinning by digest would make the deployment reproducible.
# - frr.conf declares its BGP neighbors without a `password` statement and sets
#   `no bgp ebgp-requires-policy`; start-routing.sh sets the FORWARD policy to
#   ACCEPT and accepts tcp/179 from any source. Restricting who can peer or
#   transit presumably relies on VPC firewall rules; verify against the firewall
#   resources in this plan.
# - start-routing.sh masquerades everything leaving eth0, so records taken beyond
#   that interface show the NVA address rather than the original source.
# - /etc/frr/daemons and /etc/frr/frr.conf are written with mode 0744, while the
#   other non-script files use 0644.
# - NOTE(review): start-routing.sh adds routes for 10.64.127.0/17 and
#   10.80.127.0/17, which are not aligned to a /17 boundary (the DMZ subnets in
#   this plan are 10.64.128.0/24 and 10.80.128.0/24). Confirm the intended
#   prefixes in the template that renders this value.
user-data : "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner : root\n\
\ permissions: 0744\n content : |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path : /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content : |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.64.128.102/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\
\ permit 20\n match ip address prefix-list SECONDARY\n set metric\
\ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\
\ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\
\ permit 10\n match ip address prefix-list PRIMARY\n set metric\
\ 50\n \n router bgp 64513\n bgp router-id 10.64.128.102\n\
\ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\
\ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \
\ no bgp network import-check\n !\n neighbor 10.64.128.201\
\ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\
\ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\
\ update-source 10.64.0.102\n neighbor 10.64.0.202 remote-as 64515\n\
\ neighbor 10.64.0.202 update-source 10.64.0.102\n !\n neighbor\
\ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\
\ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\
\ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\
\ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\
\ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\
\ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\
\ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\
\ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\
\ soft-reconfiguration inbound\n exit-address-family\n \n\n -\
\ path: /etc/frr/vtysh.conf\n owner: root\n permissions : 0644 \n content:\
\ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\
\ Apache License, Version 2.0 (the \"License\");\n # you may not use\
\ this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path : /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content : |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path : /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content : |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path : /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content : |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content : |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner : root\n permissions:\
\ 0744\n content : |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n ' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions : 0644 \n owner:\
\ root\n content : |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content : |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
metadata_startup_script : null
name : nva-ew1-c
# Two NICs, neither with an access_config entry, so no external IP is attached.
# The first address lies in the DMZ subnet range and the second in the landing
# range (presumably eth0 and eth1 in the boot scripts; confirm).
network_interface :
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
network_ip : 10.64 .128 .102
nic_type : null
queue_count : null
security_policy : null
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
network_ip : 10.64 .0 .102
nic_type : null
queue_count : null
security_policy : null
network_performance_config : [ ]
params : [ ]
project : fast2-prod-net-landing-0
resource_policies : null
scheduling :
- automatic_restart : true
instance_termination_action : null
local_ssd_recovery_timeout : [ ]
maintenance_interval : null
max_run_duration : [ ]
min_node_cpus : null
node_affinities : [ ]
on_host_maintenance : MIGRATE
preemptible : false
provisioning_model : STANDARD
scratch_disk : [ ]
# Access scopes are limited to read-only Cloud Storage plus log and metric writes;
# the service account identity itself is not shown in this excerpt.
service_account :
- scopes :
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
# No shielded-VM block in the plan; whether Secure Boot, vTPM and integrity
# monitoring end up enabled is not determined here. TODO confirm on the module.
shielded_instance_config : [ ]
# Network tag; firewall rules or routes that select on "nva" are outside this excerpt.
tags :
- nva
timeouts : null
zone : europe-west1-c
# Expected plan values for the secondary-b network virtual appliance (NVA)
# instance. The instance name and zone appear after the user-data scalar.
module.nva["secondary-b"].google_compute_instance.default[0]:
advanced_machine_features : [ ]
allow_stopping_for_update : true
attached_disk : [ ]
boot_disk :
- auto_delete : true
# No raw customer-supplied disk encryption key is set in these values.
disk_encryption_key_raw : null
initialize_params :
- enable_confidential_compute : null
# Image family reference, not a fixed image name: the image that boots is
# whatever the cos-stable family resolves to when the disk is created.
image : projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags : null
size : 10
type : pd-balanced
mode : READ_WRITE
# The VM may forward packets that are not addressed to it. Together with the
# FORWARD ACCEPT policy set in user-data, what it routes is bounded by VPC
# firewall rules and routes, not by the guest.
can_ip_forward : true
deletion_protection : false
description : Managed by the compute-vm Terraform module.
desired_status : null
enable_display : false
hostname : null
labels : null
machine_type : e2-standard-2
# user-data is a cloud-config document held in one double-quoted scalar.
# Security-relevant settings visible in it:
# - frr.service runs the frrouting/frr image with `docker run --privileged
#   --network host` and a bind mount of /etc/frr; the image reference carries
#   no tag or digest.
# - start-routing.sh sets the iptables FORWARD policy to ACCEPT, masquerades
#   traffic leaving eth0, and appends an INPUT rule accepting TCP 179 (BGP)
#   with no source match.
# - frr.conf declares every BGP neighbor with remote-as only (no neighbor
#   password lines), attaches route-maps outbound only, and contains
#   `no bgp ebgp-requires-policy`.
# NOTE(review): whether VPC firewall rules limit which peers can reach TCP 179
# on this VM is not visible in this entry; confirm before reusing the template.
# NOTE(review): the eth0 routes in start-routing.sh use 10.64.127.0/17 and
# 10.80.127.0/17, which have host bits set for a /17; confirm against the
# template that these are the intended prefixes.
metadata :
user-data : "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner : root\n\
\ permissions: 0744\n content : |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path : /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content : |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.80.128.101/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 10100\n !\n route-map\
\ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\
\ set metric 100\n !\n route-map TO-LANDING permit 10\n \
\ match ip address prefix-list DEFAULT\n set metric 100\n \
\ !\n route-map TO-NVA permit 10\n match ip address prefix-list\
\ SECONDARY\n set metric 50\n \n router bgp 64514\n \
\ bgp router-id 10.80.128.101\n bgp bestpath as-path ignore\n \
\ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \
\ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\
\ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\
\ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\
\ neighbor 10.80.0.201 update-source 10.80.0.101\n neighbor 10.80.0.202\
\ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.101\n\
\ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\
\ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\
\ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\
\ neighbor 10.80.128.201 route-map TO-DMZ out\n neighbor\
\ 10.80.128.201 soft-reconfiguration inbound\n !\n neighbor 10.80.128.202\
\ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\
\ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\
\ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\
\ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\
\ \n\n - path: /etc/frr/vtysh.conf\n owner : root\n permissions:\
\ 0644\n content : |\n # Copyright 2023 Google LLC\n #\n \
\ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \
\ # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path : /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content : |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path : /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content : |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path : /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content : |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content : |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner : root\n permissions:\
\ 0744\n content : |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n ' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions : 0644 \n owner:\
\ root\n content : |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content : |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
# Remaining expected values for the nva-ew4-b instance (after user-data).
metadata_startup_script : null
name : nva-ew4-b
# Two interfaces, both with an empty access_config list, so no external
# address is requested on either one in these values.
network_interface :
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
# Same address that frr.conf in user-data uses for the loopback and the
# BGP router-id (10.80.128.101).
network_ip : 10.80 .128 .101
nic_type : null
queue_count : null
security_policy : null
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
# Same address that frr.conf uses as update-source towards the 10.80.0.201
# and 10.80.0.202 neighbors (10.80.0.101).
network_ip : 10.80 .0 .101
nic_type : null
queue_count : null
security_policy : null
network_performance_config : [ ]
params : [ ]
project : fast2-prod-net-landing-0
resource_policies : null
scheduling :
- automatic_restart : true
instance_termination_action : null
local_ssd_recovery_timeout : [ ]
maintenance_interval : null
max_run_duration : [ ]
min_node_cpus : null
node_affinities : [ ]
on_host_maintenance : MIGRATE
preemptible : false
provisioning_model : STANDARD
scratch_disk : [ ]
# Access scopes are limited to read-only Cloud Storage plus log and metric
# writes. The service account identity itself is not part of these values.
service_account :
- scopes :
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
# NOTE(review): no Shielded VM settings (Secure Boot, vTPM, integrity
# monitoring) are set explicitly here, so provider and image defaults
# presumably apply; confirm they match the baseline for a routing appliance.
shielded_instance_config : [ ]
# Network tag; presumably what firewall rules for the appliances match on.
tags :
- nva
timeouts : null
zone : europe-west4-b
# Expected plan values for the secondary-c network virtual appliance (NVA)
# instance. The instance name and zone appear after the user-data scalar.
module.nva["secondary-c"].google_compute_instance.default[0]:
advanced_machine_features : [ ]
allow_stopping_for_update : true
attached_disk : [ ]
boot_disk :
- auto_delete : true
# No raw customer-supplied disk encryption key is set in these values.
disk_encryption_key_raw : null
initialize_params :
- enable_confidential_compute : null
# Family reference (cos-stable), so the booted image is not pinned to one
# image version by this value.
image : projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags : null
size : 10
type : pd-balanced
mode : READ_WRITE
# Packet forwarding is enabled on the VM; the guest itself sets the iptables
# FORWARD policy to ACCEPT in user-data, so filtering has to come from VPC
# firewall rules and routes.
can_ip_forward : true
deletion_protection : false
description : Managed by the compute-vm Terraform module.
desired_status : null
enable_display : false
hostname : null
labels : null
machine_type : e2-standard-2
# user-data carries the whole cloud-config document as one double-quoted
# scalar. Points a reviewer should check in it:
# - the FRR container is started privileged, on the host network, from the
#   untagged image reference frrouting/frr;
# - start-routing.sh opens TCP 179 on INPUT without a source restriction and
#   masquerades traffic leaving eth0;
# - the BGP neighbors in frr.conf have no password statements and no inbound
#   route-map, and `no bgp ebgp-requires-policy` is set.
# NOTE(review): the VPC firewall rules that would limit BGP peers are not part
# of this entry; confirm them separately.
# NOTE(review): start-routing.sh adds eth0 routes for 10.64.127.0/17 and
# 10.80.127.0/17; both have host bits set for a /17, confirm the prefixes.
metadata :
user-data : "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner : root\n\
\ permissions: 0744\n content : |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path : /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content : |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.80.128.102/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 10100\n !\n route-map\
\ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\
\ set metric 100\n !\n route-map TO-LANDING permit 10\n \
\ match ip address prefix-list DEFAULT\n set metric 100\n \
\ !\n route-map TO-NVA permit 10\n match ip address prefix-list\
\ SECONDARY\n set metric 50\n \n router bgp 64514\n \
\ bgp router-id 10.80.128.102\n bgp bestpath as-path ignore\n \
\ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \
\ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\
\ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\
\ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\
\ neighbor 10.80.0.201 update-source 10.80.0.102\n neighbor 10.80.0.202\
\ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.102\n\
\ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\
\ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\
\ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\
\ neighbor 10.80.128.201 route-map TO-DMZ out\n neighbor\
\ 10.80.128.201 soft-reconfiguration inbound\n !\n neighbor 10.80.128.202\
\ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\
\ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\
\ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\
\ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\
\ \n\n - path: /etc/frr/vtysh.conf\n owner : root\n permissions:\
\ 0644\n content : |\n # Copyright 2023 Google LLC\n #\n \
\ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \
\ # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path : /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content : |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path : /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content : |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path : /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content : |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content : |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner : root\n permissions:\
\ 0744\n content : |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n ' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions : 0644 \n owner:\
\ root\n content : |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content : |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
# Remaining expected values for the nva-ew4-c instance (after user-data).
metadata_startup_script : null
name : nva-ew4-c
# Neither interface lists an access_config entry, so these values request no
# external address for the appliance.
network_interface :
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
# Matches the loopback address and BGP router-id in this instance's frr.conf
# (10.80.128.102).
network_ip : 10.80 .128 .102
nic_type : null
queue_count : null
security_policy : null
- access_config : [ ]
alias_ip_range : [ ]
ipv6_access_config : [ ]
# Matches the update-source used for the 10.80.0.201 and 10.80.0.202
# neighbors in frr.conf (10.80.0.102).
network_ip : 10.80 .0 .102
nic_type : null
queue_count : null
security_policy : null
network_performance_config : [ ]
params : [ ]
project : fast2-prod-net-landing-0
resource_policies : null
scheduling :
- automatic_restart : true
instance_termination_action : null
local_ssd_recovery_timeout : [ ]
maintenance_interval : null
max_run_duration : [ ]
min_node_cpus : null
node_affinities : [ ]
on_host_maintenance : MIGRATE
preemptible : false
provisioning_model : STANDARD
scratch_disk : [ ]
# Scopes: read-only Cloud Storage, log writes, metric writes. Which service
# account they apply to is not listed in these values.
service_account :
- scopes :
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
# NOTE(review): Shielded VM options are not set explicitly; presumably the
# provider and image defaults apply, confirm against the hardening baseline.
shielded_instance_config : [ ]
# Network tag; presumably the selector used by firewall rules for the NVAs.
tags :
- nva
timeouts : null
zone : europe-west4-c
# Expected values for the local side of the peering-dev VPC peering. The two
# networks being peered are not part of these values.
module.peering-dev.google_compute_network_peering.local_network_peering :
# Custom (static and dynamic) routes are both exported and imported, so routes
# learned on either side propagate across the peering.
export_custom_routes : true
# Subnet routes for subnets that use public IP ranges privately are exported.
export_subnet_routes_with_public_ip : true
import_custom_routes : true
import_subnet_routes_with_public_ip : null
stack_type : IPV4_ONLY
timeouts : null
# Expected values for the peer side of the peering-dev VPC peering; the route
# exchange flags mirror the local side.
module.peering-dev.google_compute_network_peering.peer_network_peering[0] :
# Custom routes flow in both directions across this peering.
export_custom_routes : true
export_subnet_routes_with_public_ip : true
import_custom_routes : true
import_subnet_routes_with_public_ip : null
stack_type : IPV4_ONLY
timeouts : null
# Expected values for the local side of the peering-prod VPC peering. The two
# networks being peered are not part of these values.
module.peering-prod.google_compute_network_peering.local_network_peering :
# Export and import of custom routes are both on, so custom routes from
# either network become visible in the other.
export_custom_routes : true
# Subnet routes for privately used public IP ranges are exported as well.
export_subnet_routes_with_public_ip : true
import_custom_routes : true
import_subnet_routes_with_public_ip : null
stack_type : IPV4_ONLY
timeouts : null
# Expected values for the peer side of the peering-prod VPC peering; the route
# exchange flags mirror the local side.
module.peering-prod.google_compute_network_peering.peer_network_peering[0] :
# Custom routes flow in both directions across this peering.
export_custom_routes : true
export_subnet_routes_with_public_ip : true
import_custom_routes : true
import_subnet_routes_with_public_ip : null
stack_type : IPV4_ONLY
timeouts : null
# Private managed zone for the 10.in-addr.arpa. reverse namespace in the prod
# spoke project.
# NOTE(review): the zone name says "dns-peering" but no peering_config key is
# listed here, presumably because its target is only known after apply; confirm.
module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0] :
# DNS query logging is off for this zone.
cloud_logging_config :
- enable_logging : false
description : Terraform managed.
dns_name : 10. in-addr.arpa.
dnssec_config : [ ]
force_destroy : false
forwarding_config : [ ]
labels : null
name : prod-reverse-10-dns-peering
project : fast2-prod-net-spoke-0
reverse_lookup : false
service_directory_config : [ ]
timeouts : null
# Private visibility: the zone is not published to the public DNS.
visibility : private
# Private managed zone for the DNS root (".") in the prod spoke project.
# NOTE(review): by its name this is a peering zone that hands all otherwise
# unmatched lookups to the landing network; the peering target is not listed
# in these values, confirm it in the module.
module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0] :
# DNS query logging is off for this zone.
cloud_logging_config :
- enable_logging : false
description : Terraform managed.
dns_name : .
dnssec_config : [ ]
force_destroy : false
forwarding_config : [ ]
labels : null
name : prod-root-dns-peering
project : fast2-prod-net-spoke-0
reverse_lookup : false
service_directory_config : [ ]
timeouts : null
visibility : private
# Private managed zone prod.gcp.example.com. in the prod spoke project. It has
# no peering or forwarding configuration, so records are served from the zone
# itself.
module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0] :
# DNS query logging is off for this zone.
cloud_logging_config :
- enable_logging : false
description : Terraform managed.
dns_name : prod.gcp.example.com.
dnssec_config : [ ]
force_destroy : false
forwarding_config : [ ]
labels : null
name : prod-gcp-example-com
peering_config : [ ]
project : fast2-prod-net-spoke-0
service_directory_config : [ ]
timeouts : null
visibility : private
# A record localhost.prod.gcp.example.com. in the prod private zone, pointing
# at the loopback address.
module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
managed_zone : prod-gcp-example-com
name : localhost.prod.gcp.example.com.
project : fast2-prod-net-spoke-0
routing_policy : [ ]
rrdatas :
- 127.0 .0 .1
ttl : 300
type : A
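# Catch-all ingress deny for the prod spoke VPC: all protocols, any source,
# at priority 65535 (the lowest precedence), so every more specific rule is
# evaluated first. All target_* selectors are null, so the rule is not scoped
# to particular instances.
module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
  allow: []
  deny:
    - ports: []
      protocol: all
  description: Deny and log any unmatched ingress traffic.
  direction: INGRESS
  disabled: false
  # Logging is on for denied connections; EXCLUDE_ALL_METADATA keeps the base
  # connection record only, without the metadata annotations.
  log_config:
    - metadata: EXCLUDE_ALL_METADATA
  name: ingress-default-deny
  priority: 65535
  project: fast2-prod-net-spoke-0
  source_ranges:
    - 0.0.0.0/0
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null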
module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0] :
project : fast2-prod-net-spoke-0
timeouts : null
module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
metrics_scope : fast2-prod-net-landing-0
name : fast2-prod-net-spoke-0
timeouts : null
module.prod-spoke-project.google_project.project[0] :
auto_create_network : false
billing_account : 000000 -111111 -222222
folder_id : null
labels : null
name : fast2-prod-net-spoke-0
org_id : null
project_id : fast2-prod-net-spoke-0
skip_delete : false
timeouts : null
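# google_project_iam_binding is authoritative for its role: the members list
# below is the complete membership of roles/dns.admin on this project, and
# members added outside Terraform are removed on the next apply.
module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
  condition: []
  members:
    # "serviceAccount:string" looks like a test-input placeholder, not a real
    # identity - confirm against the test variables.
    - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/dns.admin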
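# Delegated role grants: the member receives roles/resourcemanager.projectIamAdmin,
# but the IAM condition only lets it grant or revoke the roles named in hasOnly().
# When reviewing changes to that list, check that no listed role itself allows
# editing IAM policy; such a role would defeat the restriction.
module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
  condition:
    - description: Production host project delegated grants.
      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
      title: prod_stage3_sa_delegated_grants
  members:
    # "serviceAccount:string" looks like a test-input placeholder - confirm.
    - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/resourcemanager.projectIamAdmin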
module.prod-spoke-project.google_project_iam_member.servicenetworking[0] :
condition : [ ]
project : fast2-prod-net-spoke-0
role : roles/servicenetworking.serviceAgent
module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : compute.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : dns.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : iap.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : networkmanagement.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : servicenetworking.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : stackdriver.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
disable_dependent_services : false
disable_on_destroy : false
project : fast2-prod-net-spoke-0
service : vpcaccess.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
project : fast2-prod-net-spoke-0
service : iap.googleapis.com
timeouts : null
module.prod-spoke-project.google_project_service_identity.servicenetworking[0] :
project : fast2-prod-net-spoke-0
service : servicenetworking.googleapis.com
timeouts : null
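# Prod spoke VPC, created without auto-mode subnets and without the default
# 0.0.0.0/0 route to the internet gateway. Egress paths therefore depend on the
# routes defined explicitly for this network or imported over peering.
module.prod-spoke-vpc.google_compute_network.network[0]:
  auto_create_subnetworks: false
  delete_default_routes_on_create: true
  description: Terraform-managed.
  enable_ula_internal_ipv6: null
  mtu: 1500
  name: prod-spoke-0
  # VPC firewall rules are evaluated before network firewall policies.
  network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
  project: fast2-prod-net-spoke-0
  routing_mode: GLOBAL
  timeouts: null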
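# Static route for the private.googleapis.com VIP range (199.36.153.8/30).
# The next hop is default-internet-gateway, but only for this /30; the
# network's default internet route is deleted on create.
module.prod-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.8/30
  name: prod-spoke-0-private-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-spoke-0
  # tags is null, so the route is not limited to tagged instances.
  tags: null
  timeouts: null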
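# Static route for the restricted.googleapis.com VIP range (199.36.153.4/30),
# the endpoint used with VPC Service Controls. Same next hop and priority as
# the private-googleapis route.
module.prod-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.4/30
  name: prod-spoke-0-restricted-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-spoke-0
  tags: null
  timeouts: null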
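# Default prod subnet in europe-west1.
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
  description: Default europe-west1 subnet for prod
  ip_cidr_range: 10.72.0.0/24
  ipv6_access_type: null
  # Empty log_config: no VPC Flow Logs are configured for this subnet in the
  # fixture, so there is no flow record to support traffic investigation here.
  log_config: []
  name: prod-default
  # Instances without external IPs can still reach Google APIs.
  private_ip_google_access: true
  project: fast2-prod-net-spoke-0
  region: europe-west1
  role: null
  secondary_ip_range: []
  timeouts: null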
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
description : Default europe-west4 subnet for prod
ip_cidr_range : 10.88 .0 .0 /24
ipv6_access_type : null
log_config : [ ]
name : prod-default
private_ip_google_access : true
project : fast2-prod-net-spoke-0
region : europe-west4
role : null
secondary_ip_range : [ ]
timeouts : null
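# DNS server policy for the prod spoke VPC. enable_logging: true is the
# setting that turns on query logging here; the managed zones in this fixture
# all carry cloud_logging_config.enable_logging: false.
module.prod-spoke-vpc.google_dns_policy.default[0]:
  alternative_name_server_config: []
  description: Managed by Terraform
  # null: inbound forwarding is not set in the planned values.
  enable_inbound_forwarding: null
  enable_logging: true
  name: prod-spoke-0
  # Single network entry with no known attributes; presumably the network URL
  # is computed at apply time - confirm.
  networks:
    - {}
  project: fast2-prod-net-spoke-0
  timeouts: null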
module.spokes-landing["primary"].google_compute_router.cr:
bgp :
- advertise_mode : CUSTOM
advertised_groups : [ ]
advertised_ip_ranges :
- description : GCP landing primary.
range : 10.64 .0 .0 /17
- description : GCP dev primary.
range : 10.68 .0 .0 /16
- description : GCP prod primary.
range : 10.72 .0 .0 /16
- description : GCP landing secondary.
range : 10.80 .0 .0 /17
- description : GCP dev secondary.
range : 10.84 .0 .0 /16
- description : GCP prod secondary.
range : 10.88 .0 .0 /16
asn : 64515
keepalive_interval : 20
description : null
encrypted_interconnect_router : null
name : prod-spoke-landing-ew1-cr
project : fast2-prod-net-landing-0
region : europe-west1
timeouts : null
module.spokes-landing["primary"].google_compute_router_interface.intf_0:
interconnect_attachment : null
name : prod-spoke-landing-ew1-cr-intf0
private_ip_address : 10.64 .0 .201
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-landing-ew1-cr
timeouts : null
vpn_tunnel : null
module.spokes-landing["primary"].google_compute_router_interface.intf_1:
interconnect_attachment : null
name : prod-spoke-landing-ew1-cr-intf1
private_ip_address : 10.64 .0 .202
project : fast2-prod-net-landing-0
redundant_interface : prod-spoke-landing-ew1-cr-intf0
region : europe-west1
router : prod-spoke-landing-ew1-cr
timeouts : null
vpn_tunnel : null
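# BGP peer on interface intf0 of the landing Cloud Router in europe-west1,
# peering with ASN 64513. The remaining google_compute_router_peer entries in
# this fixture follow the same shape.
module.spokes-landing["primary"].google_compute_router_peer.peer_0["0"]:
  advertise_mode: DEFAULT
  advertised_groups: null
  advertised_ip_ranges: []
  advertised_route_priority: 100
  enable: true
  enable_ipv6: false
  interface: prod-spoke-landing-ew1-cr-intf0
  # Empty list: no MD5 authentication is configured for this BGP session.
  # NOTE(review): if MD5 is enabled later, the key is a secret and must not be
  # written into plan fixtures like this one.
  md5_authentication_key: []
  peer_asn: 64513
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: prod-spoke-landing-ew1-cr
  timeouts: null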
module.spokes-landing["primary"].google_compute_router_peer.peer_0["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew1-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-landing-ew1-cr
timeouts : null
module.spokes-landing["primary"].google_compute_router_peer.peer_1["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew1-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-landing-ew1-cr
timeouts : null
module.spokes-landing["primary"].google_compute_router_peer.peer_1["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew1-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-landing-ew1-cr
timeouts : null
module.spokes-landing["primary"].google_network_connectivity_spoke.spoke-ra:
description : null
labels : null
linked_interconnect_attachments : [ ]
linked_router_appliance_instances :
- instances :
- {}
- {}
site_to_site_data_transfer : false
linked_vpc_network : [ ]
linked_vpn_tunnels : [ ]
location : europe-west1
name : prod-spoke-landing-ew1
project : fast2-prod-net-landing-0
timeouts : null
module.spokes-landing["secondary"].google_compute_router.cr:
bgp :
- advertise_mode : CUSTOM
advertised_groups : [ ]
advertised_ip_ranges :
- description : GCP landing primary.
range : 10.64 .0 .0 /17
- description : GCP dev primary.
range : 10.68 .0 .0 /16
- description : GCP prod primary.
range : 10.72 .0 .0 /16
- description : GCP landing secondary.
range : 10.80 .0 .0 /17
- description : GCP dev secondary.
range : 10.84 .0 .0 /16
- description : GCP prod secondary.
range : 10.88 .0 .0 /16
asn : 64515
keepalive_interval : 20
description : null
encrypted_interconnect_router : null
name : prod-spoke-landing-ew4-cr
project : fast2-prod-net-landing-0
region : europe-west4
timeouts : null
module.spokes-landing["secondary"].google_compute_router_interface.intf_0:
interconnect_attachment : null
name : prod-spoke-landing-ew4-cr-intf0
private_ip_address : 10.80 .0 .201
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
vpn_tunnel : null
module.spokes-landing["secondary"].google_compute_router_interface.intf_1:
interconnect_attachment : null
name : prod-spoke-landing-ew4-cr-intf1
private_ip_address : 10.80 .0 .202
project : fast2-prod-net-landing-0
redundant_interface : prod-spoke-landing-ew4-cr-intf0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
vpn_tunnel : null
module.spokes-landing["secondary"].google_compute_router_peer.peer_0["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew4-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
module.spokes-landing["secondary"].google_compute_router_peer.peer_0["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew4-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
module.spokes-landing["secondary"].google_compute_router_peer.peer_1["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew4-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
module.spokes-landing["secondary"].google_compute_router_peer.peer_1["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-landing-ew4-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-landing-ew4-cr
timeouts : null
module.spokes-landing["secondary"].google_network_connectivity_spoke.spoke-ra:
description : null
labels : null
linked_interconnect_attachments : [ ]
linked_router_appliance_instances :
- instances :
- {}
- {}
site_to_site_data_transfer : false
linked_vpc_network : [ ]
linked_vpn_tunnels : [ ]
location : europe-west4
name : prod-spoke-landing-ew4
project : fast2-prod-net-landing-0
timeouts : null
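# DMZ Cloud Router in europe-west1 (ASN 64512). With advertise_mode CUSTOM and
# an empty advertised_groups list, the only prefix it announces to its BGP
# peers is the default route below.
module.spokes-dmz["primary"].google_compute_router.cr:
  bgp:
    - advertise_mode: CUSTOM
      advertised_groups: []
      advertised_ip_ranges:
        # NOTE(review): peers that accept this announcement send all otherwise
        # unmatched traffic toward the DMZ; check it against the filtering on
        # the peer side.
        - description: Default route.
          range: 0.0.0.0/0
      asn: 64512
      keepalive_interval: 20
  description: null
  encrypted_interconnect_router: null
  name: prod-spoke-dmz-ew1-cr
  project: fast2-prod-net-landing-0
  region: europe-west1
  timeouts: null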
module.spokes-dmz["primary"].google_compute_router_interface.intf_0:
interconnect_attachment : null
name : prod-spoke-dmz-ew1-cr-intf0
private_ip_address : 10.64 .128 .201
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
vpn_tunnel : null
module.spokes-dmz["primary"].google_compute_router_interface.intf_1:
interconnect_attachment : null
name : prod-spoke-dmz-ew1-cr-intf1
private_ip_address : 10.64 .128 .202
project : fast2-prod-net-landing-0
redundant_interface : prod-spoke-dmz-ew1-cr-intf0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
vpn_tunnel : null
module.spokes-dmz["primary"].google_compute_router_peer.peer_0["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew1-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
module.spokes-dmz["primary"].google_compute_router_peer.peer_0["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew1-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
module.spokes-dmz["primary"].google_compute_router_peer.peer_1["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew1-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
module.spokes-dmz["primary"].google_compute_router_peer.peer_1["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew1-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64513
project : fast2-prod-net-landing-0
region : europe-west1
router : prod-spoke-dmz-ew1-cr
timeouts : null
module.spokes-dmz["primary"].google_network_connectivity_spoke.spoke-ra:
description : null
labels : null
linked_interconnect_attachments : [ ]
linked_router_appliance_instances :
- instances :
- {}
- {}
site_to_site_data_transfer : false
linked_vpc_network : [ ]
linked_vpn_tunnels : [ ]
location : europe-west1
name : prod-spoke-dmz-ew1
project : fast2-prod-net-landing-0
timeouts : null
module.spokes-dmz["secondary"].google_compute_router.cr:
bgp :
- advertise_mode : CUSTOM
advertised_groups : [ ]
advertised_ip_ranges :
- description : Default route.
range : 0.0 .0 .0 /0
asn : 64512
keepalive_interval : 20
description : null
encrypted_interconnect_router : null
name : prod-spoke-dmz-ew4-cr
project : fast2-prod-net-landing-0
region : europe-west4
timeouts : null
module.spokes-dmz["secondary"].google_compute_router_interface.intf_0:
interconnect_attachment : null
name : prod-spoke-dmz-ew4-cr-intf0
private_ip_address : 10.80 .128 .201
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
vpn_tunnel : null
module.spokes-dmz["secondary"].google_compute_router_interface.intf_1:
interconnect_attachment : null
name : prod-spoke-dmz-ew4-cr-intf1
private_ip_address : 10.80 .128 .202
project : fast2-prod-net-landing-0
redundant_interface : prod-spoke-dmz-ew4-cr-intf0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
vpn_tunnel : null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew4-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew4-cr-intf0
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["0"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew4-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["1"]:
advertise_mode : DEFAULT
advertised_groups : null
advertised_ip_ranges : [ ]
advertised_route_priority : 100
enable : true
enable_ipv6 : false
interface : prod-spoke-dmz-ew4-cr-intf1
md5_authentication_key : [ ]
peer_asn : 64514
project : fast2-prod-net-landing-0
region : europe-west4
router : prod-spoke-dmz-ew4-cr
timeouts : null
module.spokes-dmz["secondary"].google_network_connectivity_spoke.spoke-ra:
description : null
labels : null
linked_interconnect_attachments : [ ]
linked_router_appliance_instances :
- instances :
- {}
- {}
site_to_site_data_transfer : false
linked_vpc_network : [ ]
linked_vpn_tunnels : [ ]
location : europe-west4
name : prod-spoke-dmz-ew4
project : fast2-prod-net-landing-0
timeouts : null
counts :
google_compute_address : 8
google_compute_external_vpn_gateway : 2
google_compute_firewall : 12
google_compute_firewall_policy : 1
google_compute_firewall_policy_association : 1
google_compute_firewall_policy_rule : 4
google_compute_ha_vpn_gateway : 2
google_compute_instance : 4
google_compute_network : 4
google_compute_network_peering : 4
google_compute_route : 6
google_compute_router : 8
google_compute_router_interface : 12
google_compute_router_nat : 2
google_compute_router_peer : 20
google_compute_shared_vpc_host_project : 3
google_compute_subnetwork : 10
google_compute_vpn_tunnel : 4
google_dns_managed_zone : 9
google_dns_policy : 4
google_dns_record_set : 3
google_dns_response_policy : 1
google_dns_response_policy_rule : 34
google_essential_contacts_contact : 1
google_folder : 1
google_monitoring_alert_policy : 2
google_monitoring_dashboard : 3
google_monitoring_monitored_project : 2
google_network_connectivity_hub : 2
google_network_connectivity_spoke : 4
google_project : 3
google_project_iam_binding : 6
google_project_iam_member : 2
google_project_service : 20
google_project_service_identity : 5
google_storage_bucket_object : 1
modules : 37
random_id : 2
resources : 212