Merge remote-tracking branch 'origin/master' into fast/gke2
0bec03b0a0
|
@ -9,6 +9,8 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
### FAST
|
### FAST
|
||||||
|
|
||||||
|
- [[#766](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/766)] FAST: refactor teams branch ([ludoo](https://github.com/ludoo)) <!-- 2022-08-03 14:34:09+00:00 -->
|
||||||
|
- [[#765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/765)] FAST: move region trigrams to a variable in network stages ([ludoo](https://github.com/ludoo)) <!-- 2022-08-03 09:36:28+00:00 -->
|
||||||
- [[#759](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/759)] FAST: fix missing value to format principalSet ([imp14a](https://github.com/imp14a)) <!-- 2022-07-27 06:18:27+00:00 -->
|
- [[#759](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/759)] FAST: fix missing value to format principalSet ([imp14a](https://github.com/imp14a)) <!-- 2022-07-27 06:18:27+00:00 -->
|
||||||
- [[#753](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/753)] Add support for IAM bindings on service accounts to project factory ([ludoo](https://github.com/ludoo)) <!-- 2022-07-21 13:13:40+00:00 -->
|
- [[#753](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/753)] Add support for IAM bindings on service accounts to project factory ([ludoo](https://github.com/ludoo)) <!-- 2022-07-21 13:13:40+00:00 -->
|
||||||
- [[#745](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/745)] FAST: specify gitlab / github providers in CI/CD stage ([imp14a](https://github.com/imp14a)) <!-- 2022-07-19 21:03:33+00:00 -->
|
- [[#745](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/745)] FAST: specify gitlab / github providers in CI/CD stage ([imp14a](https://github.com/imp14a)) <!-- 2022-07-19 21:03:33+00:00 -->
|
||||||
|
@ -78,7 +80,7 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
|
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
|
||||||
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
|
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
|
||||||
- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Toos: fix Raise ValueError when check_names detects overlong names ([27Bslash6](https://github.com/27Bslash6)) <!-- 2022-06-16 08:01:59+00:00 -->
|
- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Tools: fix `ValueError` raised in `check_names.py` when overlong names are detected ([27Bslash6](https://github.com/27Bslash6)) <!-- 2022-06-16 08:01:59+00:00 -->
|
||||||
- [[#672](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/672)] Module attribution and version updater tool, plus release automation ([rosmo](https://github.com/rosmo)) <!-- 2022-06-09 11:40:50+00:00 -->
|
- [[#672](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/672)] Module attribution and version updater tool, plus release automation ([rosmo](https://github.com/rosmo)) <!-- 2022-06-09 11:40:50+00:00 -->
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -196,15 +196,15 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
||||||
|
|
||||||
| name | description | sensitive | consumers |
|
| name | description | sensitive | consumers |
|
||||||
|---|---|:---:|---|
|
|---|---|:---:|---|
|
||||||
| [cicd_repositories](outputs.tf#L171) | WIF configuration for CI/CD repositories. | | |
|
| [cicd_repositories](outputs.tf#L188) | WIF configuration for CI/CD repositories. | | |
|
||||||
| [dataplatform](outputs.tf#L185) | Data for the Data Platform stage. | | |
|
| [dataplatform](outputs.tf#L202) | Data for the Data Platform stage. | | |
|
||||||
| [gke_multitenant](outputs.tf#L257) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
|
| [gke_multitenant](outputs.tf#L274) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
|
||||||
| [networking](outputs.tf#L201) | Data for the networking stage. | | |
|
| [networking](outputs.tf#L218) | Data for the networking stage. | | |
|
||||||
| [project_factories](outputs.tf#L210) | Data for the project factories stage. | | |
|
| [project_factories](outputs.tf#L227) | Data for the project factories stage. | | |
|
||||||
| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
| [providers](outputs.tf#L243) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||||
| [sandbox](outputs.tf#L233) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
| [sandbox](outputs.tf#L250) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||||
| [security](outputs.tf#L247) | Data for the networking stage. | | <code>02-security</code> |
|
| [security](outputs.tf#L264) | Data for the networking stage. | | <code>02-security</code> |
|
||||||
| [teams](outputs.tf#L278) | Data for the teams stage. | | |
|
| [teams](outputs.tf#L295) | Data for the teams stage. | | |
|
||||||
| [tfvars](outputs.tf#L291) | Terraform variable files for the following stages. | ✓ | |
|
| [tfvars](outputs.tf#L308) | Terraform variable files for the following stages. | ✓ | |
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -23,13 +23,12 @@ locals {
|
||||||
module.branch-network-sa.iam_email,
|
module.branch-network-sa.iam_email,
|
||||||
module.branch-security-sa.iam_email,
|
module.branch-security-sa.iam_email,
|
||||||
],
|
],
|
||||||
local.branch_dataplatform_sa_iam_emails,
|
local.branch_optional_sa_lists.dp-dev,
|
||||||
local.branch_gke_sa_iam_emails,
|
local.branch_optional_sa_lists.dp-prod,
|
||||||
local.branch_pf_sa_iam_emails,
|
local.branch_optional_sa_lists.gke-dev,
|
||||||
# enable if individual teams can create their own projects
|
local.branch_optional_sa_lists.gke-prod,
|
||||||
# [
|
local.branch_optional_sa_lists.pf-dev,
|
||||||
# for k, v in module.branch-teams-team-sa : v.iam_email
|
local.branch_optional_sa_lists.pf-prod,
|
||||||
# ],
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -50,11 +50,11 @@ module "branch-network-prod-folder" {
|
||||||
parent = module.branch-network-folder.id
|
parent = module.branch-network-folder.id
|
||||||
name = "Production"
|
name = "Production"
|
||||||
iam = {
|
iam = {
|
||||||
(local.custom_roles.service_project_network_admin) = compact([
|
(local.custom_roles.service_project_network_admin) = concat(
|
||||||
try(module.branch-dp-prod-sa.0.iam_email, ""),
|
local.branch_optional_sa_lists.dp-prod,
|
||||||
try(module.branch-pf-prod-sa.0.iam_email, ""),
|
local.branch_optional_sa_lists.gke-prod,
|
||||||
try(module.branch-gke-prod-sa.0.iam_email, ""),
|
local.branch_optional_sa_lists.pf-prod,
|
||||||
])
|
)
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = try(
|
environment = try(
|
||||||
|
@ -69,11 +69,11 @@ module "branch-network-dev-folder" {
|
||||||
parent = module.branch-network-folder.id
|
parent = module.branch-network-folder.id
|
||||||
name = "Development"
|
name = "Development"
|
||||||
iam = {
|
iam = {
|
||||||
(local.custom_roles.service_project_network_admin) = compact([
|
(local.custom_roles.service_project_network_admin) = concat(
|
||||||
try(module.branch-dp-dev-sa.0.iam_email, ""),
|
local.branch_optional_sa_lists.dp-dev,
|
||||||
try(module.branch-pf-dev-sa.0.iam_email, ""),
|
local.branch_optional_sa_lists.gke-dev,
|
||||||
try(module.branch-gke-dev-sa.iam_email, ""),
|
local.branch_optional_sa_lists.pf-dev,
|
||||||
])
|
)
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = try(
|
environment = try(
|
||||||
|
|
|
@ -21,11 +21,22 @@ moved {
|
||||||
to = module.branch-teams-folder.0
|
to = module.branch-teams-folder.0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# TODO(ludo): add support for CI/CD
|
||||||
|
|
||||||
|
############### top-level Teams branch and automation resources ###############
|
||||||
|
|
||||||
module "branch-teams-folder" {
|
module "branch-teams-folder" {
|
||||||
source = "../../../modules/folder"
|
source = "../../../modules/folder"
|
||||||
count = var.fast_features.teams ? 1 : 0
|
count = var.fast_features.teams ? 1 : 0
|
||||||
parent = "organizations/${var.organization.id}"
|
parent = "organizations/${var.organization.id}"
|
||||||
name = "Teams"
|
name = "Teams"
|
||||||
|
iam = {
|
||||||
|
"roles/logging.admin" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
"roles/owner" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
"roles/resourcemanager.folderAdmin" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
"roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
"roles/compute.xpnAdmin" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
context = try(
|
context = try(
|
||||||
module.organization.tag_values["${var.tag_names.context}/teams"].id, null
|
module.organization.tag_values["${var.tag_names.context}/teams"].id, null
|
||||||
|
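Review bot: The new `iam` block on `module.branch-teams-folder` grants `roles/owner` to the teams automation SA at the top of the Teams branch, which is inherited by every team folder and project below it; the same file already annotates the equivalent grant on the per-team environment folders with `# remove owner here and at project level if SA does not manage project resources`, and this block should carry the same caveat so operators know the owner grant is optional rather than required by the stage. Consider adding `# remove owner here if the teams SA only needs to create folders/projects and not manage resources inside them` above the `"roles/owner"` line. It is also worth confirming, since it is not visible here, whether the folder module's `iam` argument is authoritative per role: if it is, any out-of-band owner grants on the Teams folder will be reverted on the next apply, which is the desired behaviour but should be stated next to the block.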
@ -33,27 +44,44 @@ module "branch-teams-folder" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
moved {
|
module "branch-teams-sa" {
|
||||||
from = module.branch-teams-prod-sa
|
|
||||||
to = module.branch-teams-prod-sa.0
|
|
||||||
}
|
|
||||||
|
|
||||||
module "branch-teams-prod-sa" {
|
|
||||||
source = "../../../modules/iam-service-account"
|
source = "../../../modules/iam-service-account"
|
||||||
count = var.fast_features.teams ? 1 : 0
|
count = var.fast_features.teams ? 1 : 0
|
||||||
project_id = var.automation.project_id
|
project_id = var.automation.project_id
|
||||||
name = "prod-resman-teams-0"
|
name = "prod-resman-teams-0"
|
||||||
description = "Terraform resman production service account."
|
description = "Terraform resman teams service account."
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
|
iam_storage_roles = {
|
||||||
|
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Team-level folders, service accounts and buckets for each individual team
|
module "branch-teams-gcs" {
|
||||||
|
source = "../../../modules/gcs"
|
||||||
|
count = var.fast_features.teams ? 1 : 0
|
||||||
|
project_id = var.automation.project_id
|
||||||
|
name = "prod-resman-teams-0"
|
||||||
|
prefix = var.prefix
|
||||||
|
versioning = true
|
||||||
|
iam = {
|
||||||
|
"roles/storage.objectAdmin" = [module.branch-teams-sa.0.iam_email]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
################## per-team folders and automation resources ##################
|
||||||
|
|
||||||
module "branch-teams-team-folder" {
|
module "branch-teams-team-folder" {
|
||||||
source = "../../../modules/folder"
|
source = "../../../modules/folder"
|
||||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||||
parent = module.branch-teams-folder.0.id
|
parent = module.branch-teams-folder.0.id
|
||||||
name = each.value.descriptive_name
|
name = each.value.descriptive_name
|
||||||
|
iam = {
|
||||||
|
"roles/logging.admin" = [module.branch-teams-team-sa[each.key].iam_email]
|
||||||
|
"roles/owner" = [module.branch-teams-team-sa[each.key].iam_email]
|
||||||
|
"roles/resourcemanager.folderAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
|
||||||
|
"roles/resourcemanager.projectCreator" = [module.branch-teams-team-sa[each.key].iam_email]
|
||||||
|
"roles/compute.xpnAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
|
||||||
|
}
|
||||||
group_iam = each.value.group_iam == null ? {} : each.value.group_iam
|
group_iam = each.value.group_iam == null ? {} : each.value.group_iam
|
||||||
}
|
}
|
||||||
|
|
||||||
|
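Review bot: The service account module is renamed from `branch-teams-prod-sa` to `branch-teams-sa` and the previous `moved` block is deleted, but no `moved` block maps the old address to the new one; unless one exists elsewhere in the file, existing deployments will plan a destroy of `prod-resman-teams-0` followed by a create of a same-named account, and IAM bindings that referenced the deleted account are not carried over to the recreated one. A `moved` block placed before the module keeps the state and the account intact. Separately, `iam_storage_roles` gives the SA `roles/storage.admin` on the shared outputs bucket, which includes bucket-level IAM administration; if the SA only writes provider/tfvars files there, `roles/storage.objectAdmin` is the least-privilege choice, though what the other branch SAs receive is outside this hunk and should be matched.
```hcl
moved {
  from = module.branch-teams-prod-sa
  to   = module.branch-teams-sa
}

module "branch-teams-sa" {
  # … unchanged: source, count, project_id, name, description, prefix, iam_storage_roles …
}
```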
@ -85,7 +113,7 @@ module "branch-teams-team-gcs" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# project factory per-team environment folders
|
# per-team environment folders where project factory SAs can create projects
|
||||||
|
|
||||||
module "branch-teams-team-dev-folder" {
|
module "branch-teams-team-dev-folder" {
|
||||||
source = "../../../modules/folder"
|
source = "../../../modules/folder"
|
||||||
|
@ -96,12 +124,14 @@ module "branch-teams-team-dev-folder" {
|
||||||
# environment-wide human permissions on the whole teams environment
|
# environment-wide human permissions on the whole teams environment
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
(local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
|
(local.custom_roles.service_project_network_admin) = (
|
||||||
|
local.branch_optional_sa_lists.pf-dev
|
||||||
|
)
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/owner" = [module.branch-pf-dev-sa.0.iam_email]
|
"roles/owner" = local.branch_optional_sa_lists.pf-dev
|
||||||
"roles/logging.admin" = [module.branch-pf-dev-sa.0.iam_email]
|
"roles/logging.admin" = local.branch_optional_sa_lists.pf-dev
|
||||||
"roles/resourcemanager.folderAdmin" = [module.branch-pf-dev-sa.0.iam_email]
|
"roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-dev
|
||||||
"roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
|
"roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-dev
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = try(
|
environment = try(
|
||||||
|
@ -119,12 +149,14 @@ module "branch-teams-team-prod-folder" {
|
||||||
# environment-wide human permissions on the whole teams environment
|
# environment-wide human permissions on the whole teams environment
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
(local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
|
(local.custom_roles.service_project_network_admin) = (
|
||||||
|
local.branch_optional_sa_lists.pf-prod
|
||||||
|
)
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/owner" = [module.branch-pf-prod-sa.0.iam_email]
|
"roles/owner" = local.branch_optional_sa_lists.pf-prod
|
||||||
"roles/logging.admin" = [module.branch-pf-prod-sa.0.iam_email]
|
"roles/logging.admin" = local.branch_optional_sa_lists.pf-prod
|
||||||
"roles/resourcemanager.folderAdmin" = [module.branch-pf-prod-sa.0.iam_email]
|
"roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-prod
|
||||||
"roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
|
"roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-prod
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = try(
|
environment = try(
|
||||||
|
|
|
@ -26,6 +26,14 @@ locals {
|
||||||
billing_ext = var.billing_account.organization_id == null
|
billing_ext = var.billing_account.organization_id == null
|
||||||
billing_org = var.billing_account.organization_id == var.organization.id
|
billing_org = var.billing_account.organization_id == var.organization.id
|
||||||
billing_org_ext = !local.billing_ext && !local.billing_org
|
billing_org_ext = !local.billing_ext && !local.billing_org
|
||||||
|
branch_optional_sa_lists = {
|
||||||
|
dp-dev = compact([try(module.branch-dp-dev-sa.0.iam_email, "")])
|
||||||
|
dp-prod = compact([try(module.branch-dp-prod-sa.0.iam_email, "")])
|
||||||
|
gke-dev = compact([try(module.branch-gke-dev-sa.0.iam_email, "")])
|
||||||
|
gke-prod = compact([try(module.branch-gke-prod-sa.0.iam_email, "")])
|
||||||
|
pf-dev = compact([try(module.branch-pf-dev-sa.0.iam_email, "")])
|
||||||
|
pf-prod = compact([try(module.branch-pf-prod-sa.0.iam_email, "")])
|
||||||
|
}
|
||||||
cicd_repositories = {
|
cicd_repositories = {
|
||||||
for k, v in coalesce(var.cicd_repositories, {}) : k => v
|
for k, v in coalesce(var.cicd_repositories, {}) : k => v
|
||||||
if(
|
if(
|
||||||
|
|
|
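Review bot: Every entry of the new `branch_optional_sa_lists` local uses `try(module.…-sa.0.iam_email, "")`, which masks any evaluation error and not only the `count = 0` case; a typo in a module address or a renamed output would yield an empty list and silently drop every IAM grant fed from it (billing roles, network admin on the environment folders) instead of failing the plan. The feature flags are already available, so the intent is stated more precisely and errors stay visible with `dp-dev = var.fast_features.data_platform ? [module.branch-dp-dev-sa.0.iam_email] : []` and the same shape for the other five entries. A one-line comment on the local such as `# SA lists are empty when the corresponding optional stage is disabled` would also help readers of the `concat()` call sites. The enclosing `locals` block continues outside this hunk.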
@ -18,30 +18,6 @@
|
||||||
|
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
branch_dataplatform_sa_iam_emails = (
|
|
||||||
var.fast_features.data_platform
|
|
||||||
? [
|
|
||||||
module.branch-dp-dev-sa.0.iam_email,
|
|
||||||
module.branch-dp-prod-sa.0.iam_email
|
|
||||||
]
|
|
||||||
: []
|
|
||||||
)
|
|
||||||
branch_gke_sa_iam_emails = (
|
|
||||||
var.fast_features.gke
|
|
||||||
? [
|
|
||||||
module.branch-gke-dev-sa.0.iam_email,
|
|
||||||
module.branch-gke-prod-sa.0.iam_email
|
|
||||||
]
|
|
||||||
: []
|
|
||||||
)
|
|
||||||
branch_pf_sa_iam_emails = (
|
|
||||||
var.fast_features.project_factory
|
|
||||||
? [
|
|
||||||
module.branch-pf-dev-sa.0.iam_email,
|
|
||||||
module.branch-pf-prod-sa.0.iam_email
|
|
||||||
]
|
|
||||||
: []
|
|
||||||
)
|
|
||||||
list_allow = {
|
list_allow = {
|
||||||
inherit_from_parent = false
|
inherit_from_parent = false
|
||||||
suggested_value = null
|
suggested_value = null
|
||||||
|
@ -79,19 +55,21 @@ module "organization" {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
local.billing_org ? {
|
local.billing_org ? {
|
||||||
"roles/billing.costsManager" = local.branch_pf_sa_iam_emails
|
"roles/billing.costsManager" = concat(
|
||||||
|
local.branch_optional_sa_lists.pf-dev,
|
||||||
|
local.branch_optional_sa_lists.pf-prod
|
||||||
|
)
|
||||||
"roles/billing.user" = concat(
|
"roles/billing.user" = concat(
|
||||||
[
|
[
|
||||||
module.branch-network-sa.iam_email,
|
module.branch-network-sa.iam_email,
|
||||||
module.branch-security-sa.iam_email,
|
module.branch-security-sa.iam_email,
|
||||||
],
|
],
|
||||||
local.branch_dataplatform_sa_iam_emails,
|
local.branch_optional_sa_lists.dp-dev,
|
||||||
local.branch_gke_sa_iam_emails,
|
local.branch_optional_sa_lists.dp-prod,
|
||||||
local.branch_pf_sa_iam_emails,
|
local.branch_optional_sa_lists.gke-dev,
|
||||||
# enable if individual teams can create their own projects
|
local.branch_optional_sa_lists.gke-prod,
|
||||||
# [
|
local.branch_optional_sa_lists.pf-dev,
|
||||||
# for k, v in module.branch-teams-team-sa : v.iam_email
|
local.branch_optional_sa_lists.pf-prod,
|
||||||
# ],
|
|
||||||
)
|
)
|
||||||
} : {}
|
} : {}
|
||||||
)
|
)
|
||||||
|
|
|
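Review bot: The `roles/billing.user` list drops the commented reminder about team service accounts without adding them, while elsewhere in this commit the new `branch-teams-sa` and each `branch-teams-team-sa` receive `roles/resourcemanager.projectCreator` on their folders; a project created by those accounts cannot be linked to the organization billing account unless they also hold `roles/billing.user`, so either the grant is missing or teams are meant to obtain it some other way. If team-created projects are expected to be billed, append `[for k, v in module.branch-teams-team-sa : v.iam_email]` (guarded by `var.fast_features.teams`) to this `concat()`; if not, a short comment stating that billing access for teams is handled by the teams stage would stop the next reader from re-adding it. The same list appears in the earlier `locals` hunk for the external-billing case and should be kept in sync. The enclosing `module "organization"` block starts and ends outside this hunk.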
@ -142,7 +142,24 @@ locals {
|
||||||
name = "sandbox"
|
name = "sandbox"
|
||||||
sa = module.branch-sandbox-sa.0.email
|
sa = module.branch-sandbox-sa.0.email
|
||||||
})
|
})
|
||||||
}
|
},
|
||||||
|
!var.fast_features.teams ? {} : merge(
|
||||||
|
{
|
||||||
|
"03-teams" = templatefile(local._tpl_providers, {
|
||||||
|
bucket = module.branch-teams-gcs.0.name
|
||||||
|
name = "teams"
|
||||||
|
sa = module.branch-teams-sa.0.email
|
||||||
|
})
|
||||||
|
},
|
||||||
|
{
|
||||||
|
for k, v in module.branch-teams-team-sa :
|
||||||
|
"03-teams-${k}" => templatefile(local._tpl_providers, {
|
||||||
|
bucket = module.branch-teams-team-gcs[k].name
|
||||||
|
name = "teams"
|
||||||
|
sa = v.email
|
||||||
|
})
|
||||||
|
}
|
||||||
|
)
|
||||||
)
|
)
|
||||||
service_accounts = merge(
|
service_accounts = merge(
|
||||||
{
|
{
|
||||||
|
@ -155,7 +172,7 @@ locals {
|
||||||
project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
|
project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
|
||||||
sandbox = try(module.branch-sandbox-sa.0.email, null)
|
sandbox = try(module.branch-sandbox-sa.0.email, null)
|
||||||
security = module.branch-security-sa.email
|
security = module.branch-security-sa.email
|
||||||
teams = try(module.branch-teams-prod-sa.0.email, null)
|
teams = try(module.branch-teams-sa.0.email, null)
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
for k, v in module.branch-teams-team-sa : "team-${k}" => v.email
|
for k, v in module.branch-teams-team-sa : "team-${k}" => v.email
|
||||||
|
|
|
@ -377,9 +377,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [router_configs](variables.tf#L183) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
| [region_trigram](variables.tf#L183) | Short names for GCP regions. | <code>map(string)</code> | | <code title="{ europe-west1 = "ew1" europe-west3 = "ew3" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L206) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||||
| [vpn_onprem_configs](variables.tf#L220) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||||
|
| [vpn_onprem_configs](variables.tf#L229) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -180,6 +180,15 @@ variable "psa_ranges" {
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "region_trigram" {
|
||||||
|
description = "Short names for GCP regions."
|
||||||
|
type = map(string)
|
||||||
|
default = {
|
||||||
|
europe-west1 = "ew1"
|
||||||
|
europe-west3 = "ew3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "router_configs" {
|
variable "router_configs" {
|
||||||
description = "Configurations for CRs and onprem routers."
|
description = "Configurations for CRs and onprem routers."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
|
|
|
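Review bot: The default for the new `region_trigram` variable maps only `europe-west1` and `europe-west3`, while the stage's `router_configs` and `vpn_onprem_configs` defaults shown in the README rows above are keyed `landing-trusted-ew1` and `landing-trusted-ew4`; the Cloud NAT modules now index `var.region_trigram[each.value]`, so if the default region set includes `europe-west4` (not visible in this hunk) the plan fails with an opaque missing-key error. Either add `europe-west4 = "ew4"` to the default, or document on the variable that every region in use must have an entry, e.g. `# every region referenced by the networking resources needs an entry here`. A `validation` block cannot reference other variables, so the comment is the practical option if the default is left as is.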
@ -301,9 +301,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||||
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
| [region_trigram](variables.tf#L166) | Short names for GCP regions. | <code>map(string)</code> | | <code title="{ europe-west1 = "ew1" europe-west3 = "ew3" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||||
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||||
|
| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -25,10 +25,6 @@ locals {
|
||||||
name = "${env}-l7ilb-${s.region}"
|
name = "${env}-l7ilb-${s.region}"
|
||||||
})]
|
})]
|
||||||
}
|
}
|
||||||
region_trigram = {
|
|
||||||
europe-west1 = "ew1"
|
|
||||||
europe-west3 = "ew3"
|
|
||||||
}
|
|
||||||
stage3_sas_delegated_grants = [
|
stage3_sas_delegated_grants = [
|
||||||
"roles/composer.sharedVpcAgent",
|
"roles/composer.sharedVpcAgent",
|
||||||
"roles/compute.networkUser",
|
"roles/compute.networkUser",
|
||||||
|
|
|
@ -92,7 +92,7 @@ module "dev-spoke-cloudnat" {
|
||||||
source = "../../../modules/net-cloudnat"
|
source = "../../../modules/net-cloudnat"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
region = each.value
|
region = each.value
|
||||||
name = "dev-nat-${local.region_trigram[each.value]}"
|
name = "dev-nat-${var.region_trigram[each.value]}"
|
||||||
router_create = true
|
router_create = true
|
||||||
router_network = module.dev-spoke-vpc.name
|
router_network = module.dev-spoke-vpc.name
|
||||||
router_asn = 4200001024
|
router_asn = 4200001024
|
||||||
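Review bot: `name = "dev-nat-${var.region_trigram[each.value]}"` indexes the map directly, so any region in this module's for_each that has no key in `var.region_trigram` aborts the plan with a generic invalid-index error that does not name the variable the operator has to fix; the same applies to the `@ -92,7 +92,7 @@ module "prod-spoke-cloudnat"` hunk and to the second copy of both hunks later on the page. Because the NAT name is now built from caller-supplied data, a caller that later changes a trigram renames the NAT, which the provider presumably handles by replacing the router NAT, so the mapping should be treated as stable once deployed. A short why-comment on the changed line would make both constraints visible where they bite: `# region must have a key in var.region_trigram; renaming a trigram renames (and likely replaces) this NAT`. The module block starts outside the hunk and its for_each expression is not visible here.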
|
|
|
@ -92,7 +92,7 @@ module "prod-spoke-cloudnat" {
|
||||||
source = "../../../modules/net-cloudnat"
|
source = "../../../modules/net-cloudnat"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
region = each.value
|
region = each.value
|
||||||
name = "prod-nat-${local.region_trigram[each.value]}"
|
name = "prod-nat-${var.region_trigram[each.value]}"
|
||||||
router_create = true
|
router_create = true
|
||||||
router_network = module.prod-spoke-vpc.name
|
router_network = module.prod-spoke-vpc.name
|
||||||
router_asn = 4200001024
|
router_asn = 4200001024
|
||||||
|
|
|
@ -163,6 +163,15 @@ variable "psa_ranges" {
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "region_trigram" {
|
||||||
|
description = "Short names for GCP regions."
|
||||||
|
type = map(string)
|
||||||
|
default = {
|
||||||
|
europe-west1 = "ew1"
|
||||||
|
europe-west3 = "ew3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "router_onprem_configs" {
|
variable "router_onprem_configs" {
|
||||||
description = "Configurations for routers used for onprem connectivity."
|
description = "Configurations for routers used for onprem connectivity."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
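Review bot: The default for `variable "region_trigram"` lists only europe-west1 and europe-west3, while the README rows visible in this commit for `l7ilb_subnets` and `router_spoke_configs` default to europe-west1/europe-west4 (`landing-ew4`, `spoke-dev-ew4`); if those rows describe the same stage, the defaults disagree and an apply on defaults would fail wherever the map is indexed by a europe-west4 region. Either add `europe-west4 = "ew4"` to the default or, since a `validation` block cannot reference other variables, state the contract in the description, e.g. `description = "Short names for GCP regions. Every region used by this stage must have an entry here."`. The hunk's trailing context lines belong to `variable "router_onprem_configs"`, which continues outside the hunk.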
|
|
|
@ -325,10 +325,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
| [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
| [region_trigram](variables.tf#L166) | Short names for GCP regions. | <code>map(string)</code> | | <code title="{ europe-west1 = "ew1" europe-west3 = "ew3" }">{…}</code> | |
|
||||||
|
| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||||
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||||
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ default = bool custom = list(string) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } landing-ew4 = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } dev-ew1 = { default = false custom = ["gcp_dev"] } prod-ew1 = { default = false custom = ["gcp_prod"] } prod-ew4 = { default = false custom = ["gcp_prod"] } }">{…}</code> | |
|
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ default = bool custom = list(string) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } landing-ew4 = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } dev-ew1 = { default = false custom = ["gcp_dev"] } prod-ew1 = { default = false custom = ["gcp_prod"] } prod-ew4 = { default = false custom = ["gcp_prod"] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
|
@ -25,10 +25,6 @@ locals {
|
||||||
name = "${env}-l7ilb-${s.region}"
|
name = "${env}-l7ilb-${s.region}"
|
||||||
})]
|
})]
|
||||||
}
|
}
|
||||||
region_trigram = {
|
|
||||||
europe-west1 = "ew1"
|
|
||||||
europe-west3 = "ew3"
|
|
||||||
}
|
|
||||||
stage3_sas_delegated_grants = [
|
stage3_sas_delegated_grants = [
|
||||||
"roles/composer.sharedVpcAgent",
|
"roles/composer.sharedVpcAgent",
|
||||||
"roles/compute.networkUser",
|
"roles/compute.networkUser",
|
||||||
|
|
|
@ -92,7 +92,7 @@ module "dev-spoke-cloudnat" {
|
||||||
source = "../../../modules/net-cloudnat"
|
source = "../../../modules/net-cloudnat"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
region = each.value
|
region = each.value
|
||||||
name = "dev-nat-${local.region_trigram[each.value]}"
|
name = "dev-nat-${var.region_trigram[each.value]}"
|
||||||
router_create = true
|
router_create = true
|
||||||
router_network = module.dev-spoke-vpc.name
|
router_network = module.dev-spoke-vpc.name
|
||||||
router_asn = 4200001024
|
router_asn = 4200001024
|
||||||
|
|
|
@ -92,7 +92,7 @@ module "prod-spoke-cloudnat" {
|
||||||
source = "../../../modules/net-cloudnat"
|
source = "../../../modules/net-cloudnat"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
region = each.value
|
region = each.value
|
||||||
name = "prod-nat-${local.region_trigram[each.value]}"
|
name = "prod-nat-${var.region_trigram[each.value]}"
|
||||||
router_create = true
|
router_create = true
|
||||||
router_network = module.prod-spoke-vpc.name
|
router_network = module.prod-spoke-vpc.name
|
||||||
router_asn = 4200001024
|
router_asn = 4200001024
|
||||||
|
|
|
@ -163,6 +163,15 @@ variable "psa_ranges" {
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "region_trigram" {
|
||||||
|
description = "Short names for GCP regions."
|
||||||
|
type = map(string)
|
||||||
|
default = {
|
||||||
|
europe-west1 = "ew1"
|
||||||
|
europe-west3 = "ew3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "router_onprem_configs" {
|
variable "router_onprem_configs" {
|
||||||
description = "Configurations for routers used for onprem connectivity."
|
description = "Configurations for routers used for onprem connectivity."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
|
|
|
@ -32,6 +32,11 @@ module "stage" {
|
||||||
networking-dev = null
|
networking-dev = null
|
||||||
networking-prod = null
|
networking-prod = null
|
||||||
}
|
}
|
||||||
|
region_trigram = {
|
||||||
|
europe-west1 = "ew1"
|
||||||
|
europe-west3 = "ew3"
|
||||||
|
europe-west8 = "ew8"
|
||||||
|
}
|
||||||
service_accounts = {
|
service_accounts = {
|
||||||
data-platform-dev = "string"
|
data-platform-dev = "string"
|
||||||
data-platform-prod = "string"
|
data-platform-prod = "string"
|
||||||
|
|
|
@ -32,6 +32,11 @@ module "stage" {
|
||||||
networking-dev = null
|
networking-dev = null
|
||||||
networking-prod = null
|
networking-prod = null
|
||||||
}
|
}
|
||||||
|
region_trigram = {
|
||||||
|
europe-west1 = "ew1"
|
||||||
|
europe-west3 = "ew3"
|
||||||
|
europe-west8 = "ew8"
|
||||||
|
}
|
||||||
service_accounts = {
|
service_accounts = {
|
||||||
data-platform-dev = "string"
|
data-platform-dev = "string"
|
||||||
data-platform-prod = "string"
|
data-platform-prod = "string"
|
||||||
|
|