zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move squid to __need_fixing (#1936) 

* Moved `modules/cloud-config-container/squid` to __need_fixing
* Moved `blueprints/networking/filtering-proxy{,-psc}` to __need_fixing
This commit is contained in:
Simone Ruffilli 2023-12-19 15:27:37 +01:00 committed by GitHub
parent 0d486fb34e
commit 0255c80e90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 36 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
blueprints/README.md
View File

@ -9,7 +9,7 @@ Currently available blueprints:
- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
- **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
- **serverless** - [Cloud Run series](./serverless/cloud-run-explore)
- **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)

4
blueprints/networking/README.md
View File

@ -73,14 +73,14 @@ The emulated on-premises environment can be used to test access to different ser
<br clear="left">
-->
### Network filtering with Squid
<a href="./filtering-proxy/" title="Network filtering with Squid"><img src="./filtering-proxy/squid.png" align="left" width="280px"></a> This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.
<br clear="left">
-->
### Shared VPC with GKE and per-subnet support
<a href="./shared-vpc-gke/" title="Shared VPC with GKE"><img src="./shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.

1
blueprints/networking/__need_fixing/README.md
View File

@ -3,3 +3,4 @@
The blueprints in this folder are either deprecated or need work on them.
- nginx reverse proxy cluster needs tests and resolving a cycle
- filtering-proxy needs upstream `cloud-config-container/__need_fixing/squid` to be fixed

3
blueprints/networking/filtering-proxy-psc/README.md → blueprints/networking/__need_fixing/filtering-proxy-psc/README.md
View File

@ -29,10 +29,9 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created in each
## Test
```hcl
module "test" {
source = "./fabric/blueprints/networking/filtering-proxy-psc"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy-psc"
prefix = "fabric"
project_create = {
billing_account = "123456-ABCDEF-123456"

8
blueprints/networking/filtering-proxy-psc/consumer.tf → blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf
View File

@ -19,7 +19,7 @@
###############################################################################
module "vpc-consumer" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project.project_id
name = "${var.prefix}-app"
subnets = [
@ -36,7 +36,7 @@ module "vpc-consumer" {
###############################################################################
module "test-vm-consumer" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "${var.prefix}-test-vm"
@ -83,7 +83,7 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
###############################################################################
module "private-dns" {
source = "../../../modules/dns"
source = "../../../../modules/dns"
project_id = module.project.project_id
name = "${var.prefix}-internal"
zone_config = {
@ -99,7 +99,7 @@ module "private-dns" {
}
module "firewall-consumer" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project.project_id
network = module.vpc-consumer.name
}

18
blueprints/networking/filtering-proxy-psc/main.tf → blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf
View File

@ -19,7 +19,7 @@
###############################################################################
module "project" {
source = "../../../modules/project"
source = "../../../../modules/project"
project_create = var.project_create != null
billing_account = try(var.project_create.billing_account, null)
parent = try(var.project_create.parent, null)
@ -33,7 +33,7 @@ module "project" {
}
module "vpc" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project.project_id
name = "${var.prefix}-vpc"
subnets = [
@ -53,7 +53,7 @@ module "vpc" {
}
module "firewall" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project.project_id
network = module.vpc.name
ingress_rules = {
@ -73,7 +73,7 @@ module "firewall" {
}
module "nat" {
source = "../../../modules/net-cloudnat"
source = "../../../../modules/net-cloudnat"
project_id = module.project.project_id
region = var.region
name = "default"
@ -118,7 +118,7 @@ resource "google_compute_service_attachment" "service_attachment" {
###############################################################################
module "service-account-squid" {
source = "../../../modules/iam-service-account"
source = "../../../../modules/iam-service-account"
project_id = module.project.project_id
name = "svc-squid"
iam_project_roles = {
@ -130,7 +130,7 @@ module "service-account-squid" {
}
module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
allow = var.allowed_domains
clients = [var.cidrs.app]
squid_config = "${path.module}/squid.conf"
@ -140,7 +140,7 @@ module "cos-squid" {
}
module "squid-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "squid-vm"
@ -165,7 +165,7 @@ module "squid-vm" {
}
module "squid-mig" {
source = "../../../modules/compute-mig"
source = "../../../../modules/compute-mig"
project_id = module.project.project_id
location = "${var.region}-b"
name = "squid-mig"
@ -202,7 +202,7 @@ module "squid-mig" {
}
module "squid-ilb" {
source = "../../../modules/net-lb-int"
source = "../../../../modules/net-lb-int"
project_id = module.project.project_id
region = var.region
name = "squid-ilb"

0
blueprints/networking/filtering-proxy-psc/squid.conf → blueprints/networking/__need_fixing/filtering-proxy-psc/squid.conf
View File

0
blueprints/networking/filtering-proxy-psc/startup.sh → blueprints/networking/__need_fixing/filtering-proxy-psc/startup.sh
View File

0
blueprints/networking/filtering-proxy-psc/variables.tf → blueprints/networking/__need_fixing/filtering-proxy-psc/variables.tf
View File

4
blueprints/networking/filtering-proxy/README.md → blueprints/networking/__need_fixing/filtering-proxy/README.md
View File

@ -41,7 +41,7 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c
```hcl
module "test1" {
source = "./fabric/blueprints/networking/filtering-proxy"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
billing_account = "123456-123456-123456"
mig = true
prefix = "fabric"
@ -52,7 +52,7 @@ module "test1" {
```hcl
module "test2" {
source = "./fabric/blueprints/networking/filtering-proxy"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
billing_account = "123456-123456-123456"
mig = false
prefix = "fabric"

28
blueprints/networking/filtering-proxy/main.tf → blueprints/networking/__need_fixing/filtering-proxy/main.tf
View File

@ -27,7 +27,7 @@ locals {
###############################################################################
module "folder-netops" {
source = "../../../modules/folder"
source = "../../../../modules/folder"
parent = var.root_node
name = "netops"
}
@ -37,7 +37,7 @@ module "folder-netops" {
###############################################################################
module "project-host" {
source = "../../../modules/project"
source = "../../../../modules/project"
billing_account = var.billing_account
name = "host"
parent = module.folder-netops.id
@ -53,7 +53,7 @@ module "project-host" {
}
module "vpc" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project-host.project_id
name = "vpc"
subnets = [
@ -71,7 +71,7 @@ module "vpc" {
}
module "firewall" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project-host.project_id
network = module.vpc.name
ingress_rules = {
@ -91,7 +91,7 @@ module "firewall" {
}
module "nat" {
source = "../../../modules/net-cloudnat"
source = "../../../../modules/net-cloudnat"
project_id = module.project-host.project_id
region = var.region
name = "default"
@ -114,7 +114,7 @@ module "nat" {
}
module "private-dns" {
source = "../../../modules/dns"
source = "../../../../modules/dns"
project_id = module.project-host.project_id
name = "internal"
zone_config = {
@ -134,7 +134,7 @@ module "private-dns" {
###############################################################################
module "service-account-squid" {
source = "../../../modules/iam-service-account"
source = "../../../../modules/iam-service-account"
project_id = module.project-host.project_id
name = "svc-squid"
iam_project_roles = {
@ -146,13 +146,13 @@ module "service-account-squid" {
}
module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
allow = var.allowed_domains
clients = [var.cidrs.apps]
}
module "squid-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project-host.project_id
zone = "${var.region}-b"
name = "squid-vm"
@ -177,7 +177,7 @@ module "squid-vm" {
module "squid-mig" {
count = var.mig ? 1 : 0
source = "../../../modules/compute-mig"
source = "../../../../modules/compute-mig"
project_id = module.project-host.project_id
location = "${var.region}-b"
name = "squid-mig"
@ -206,7 +206,7 @@ module "squid-mig" {
module "squid-ilb" {
count = var.mig ? 1 : 0
source = "../../../modules/net-lb-int"
source = "../../../../modules/net-lb-int"
project_id = module.project-host.project_id
region = var.region
name = "squid-ilb"
@ -236,7 +236,7 @@ module "squid-ilb" {
###############################################################################
module "folder-apps" {
source = "../../../modules/folder"
source = "../../../../modules/folder"
parent = var.root_node
name = "apps"
org_policies = {
@ -248,7 +248,7 @@ module "folder-apps" {
}
module "project-app" {
source = "../../../modules/project"
source = "../../../../modules/project"
billing_account = var.billing_account
name = "app1"
parent = module.folder-apps.id
@ -263,7 +263,7 @@ module "project-app" {
}
module "test-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project-app.project_id
zone = "${var.region}-b"
name = "test-vm"

0
blueprints/networking/filtering-proxy/outputs.tf → blueprints/networking/__need_fixing/filtering-proxy/outputs.tf
View File

0
blueprints/networking/filtering-proxy/squid.png → blueprints/networking/__need_fixing/filtering-proxy/squid.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 52 KiB

0
blueprints/networking/filtering-proxy/variables.tf → blueprints/networking/__need_fixing/filtering-proxy/variables.tf
View File

1
modules/cloud-config-container/README.md
View File

@ -14,7 +14,6 @@ These modules are designed for several use cases:
- [CoreDNS](./coredns)
- [MySQL](./mysql)
- [Nginx](./nginx)
- [Squid forward proxy](./squid)
- On-prem in Docker (*needs fixing*)
## Using the modules

4
modules/cloud-config-container/squid/README.md → modules/cloud-config-container/__need_fixing/squid/README.md
View File

@ -14,7 +14,7 @@ Logging and monitoring are enabled via the [Google Cloud Logging agent](https://
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance.
For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../../README.md) for more details on the included instance.
## Examples
@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0
```hcl
module "cos-squid" {
source = "./fabric/modules/cloud-config-container/squid"
source = "./fabric/modules/cloud-config-container/__need_fixing/squid"
allow = [".github.com"]
clients = ["10.0.0.0/8"]
}

0
modules/cloud-config-container/squid/cloud-config.yaml → modules/cloud-config-container/__need_fixing/squid/cloud-config.yaml
View File

0
modules/cloud-config-container/squid/docker/Dockerfile → modules/cloud-config-container/__need_fixing/squid/docker/Dockerfile
View File

0
modules/cloud-config-container/squid/docker/cloudbuild.yaml → modules/cloud-config-container/__need_fixing/squid/docker/cloudbuild.yaml
View File

0
modules/cloud-config-container/squid/docker/entrypoint.sh → modules/cloud-config-container/__need_fixing/squid/docker/entrypoint.sh
View File

0
modules/cloud-config-container/squid/main.tf → modules/cloud-config-container/__need_fixing/squid/main.tf
View File

0
modules/cloud-config-container/squid/outputs.tf → modules/cloud-config-container/__need_fixing/squid/outputs.tf
View File

0
modules/cloud-config-container/squid/squid.conf → modules/cloud-config-container/__need_fixing/squid/squid.conf
View File

0
modules/cloud-config-container/squid/variables.tf → modules/cloud-config-container/__need_fixing/squid/variables.tf
View File

0
modules/cloud-config-container/squid/versions.tf → modules/cloud-config-container/__need_fixing/squid/versions.tf
View File