FAST: Cleanup/harmonization of Simple and NVA net stages (#2287)
Cleanup/harmonization of Simple and NVA net stages
parent
887c7e7926
commit
21f3b733ab
@ -465,7 +465,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [cloud_dns_inbound_policy](outputs.tf#L87) | IP Addresses for Cloud DNS inbound policy. | | |
|
||||
| [host_project_ids](outputs.tf#L92) | Network project ids. | | |
|
||||
| [host_project_numbers](outputs.tf#L97) | Network project numbers. | | |
|
||||
| [shared_vpc_self_links](outputs.tf#L102) | Shared VPC host projects. | | |
|
||||
| [tfvars](outputs.tf#L107) | Terraform variables file for the following stages. | ✓ | |
|
||||
| [vpn_gateway_endpoints](outputs.tf#L113) | External IP Addresses for the GCP VPN gateways. | | |
|
||||
| [ping_commands](outputs.tf#L102) | Ping commands for test instances to be run to check VPC reachability. | | |
|
||||
| [shared_vpc_self_links](outputs.tf#L107) | Shared VPC host projects. | | |
|
||||
| [tfvars](outputs.tf#L112) | Terraform variables file for the following stages. | ✓ | |
|
||||
| [vpn_gateway_endpoints](outputs.tf#L118) | External IP Addresses for the GCP VPN gateways. | | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# skip boilerplate check
|
||||
|
||||
ingress:
|
||||
ingress-default-deny:
|
||||
ingress-default-landing-deny:
|
||||
description: "Deny and log any unmatched ingress traffic."
|
||||
deny: true
|
||||
priority: 65535
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# You can retain `---` (start of the document) to indicate an empty document.
|
||||
|
||||
ingress:
|
||||
allow-onprem-probes-example:
|
||||
allow-onprem-probes-landing-example:
|
||||
description: "Allow traffic from onprem probes"
|
||||
source_ranges:
|
||||
- onprem_probes
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
name: dev-default
|
||||
region: europe-west1
|
||||
ip_cidr_range: 10.68.0.0/24
|
||||
description: Default subnet for dev
|
||||
description: Default europe-west1 subnet for dev
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
name: landing-default
|
||||
region: europe-west1
|
||||
ip_cidr_range: 10.64.0.0/24
|
||||
description: Default subnet for landing
|
||||
description: Default europe-west1 subnet for landing
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
name: prod-default
|
||||
region: europe-west1
|
||||
ip_cidr_range: 10.72.0.0/24
|
||||
description: Default subnet for prod
|
||||
description: Default europe-west1 subnet for prod
|
||||
|
|
|
@ -89,6 +89,15 @@ module "dev-spoke-vpc" {
|
|||
private = true
|
||||
restricted = true
|
||||
}
|
||||
delete_default_routes_on_create = true
|
||||
routes = {
|
||||
default = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
next_hop = "default-internet-gateway"
|
||||
next_hop_type = "gateway"
|
||||
priority = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-spoke-firewall" {
|
||||
|
|
|
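Review bot: The new `routes.default` entry re-creates the very route that `delete_default_routes_on_create = true` removes, and nothing in the hunk says why; the same pair appears in the landing-vpc, prod-spoke-vpc and dmz-vpc hunks further down. Without a comment the next maintainer may either drop the `default` entry as redundant or read the delete flag as making the VPC isolated from the internet gateway, when the net effect is presumably only that the default route is now held in Terraform state so any drift or out-of-band removal shows up in a plan. Suggest a comment above `delete_default_routes_on_create`, e.g. `# delete the implicit default route and re-create it explicitly so it is managed in state; drop the "default" entry below to withdraw the route to the internet gateway`. The existing comment on `create_googleapis_routes` ("in case the default route is deleted") now describes the actual configuration rather than a hypothetical and could say so. The enclosing `module "dev-spoke-vpc"` block starts outside the hunk.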
@ -51,14 +51,18 @@ module "landing-vpc" {
|
|||
inbound = true
|
||||
logging = var.dns.enable_logging
|
||||
}
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
create_googleapis_routes = {
|
||||
private = true
|
||||
restricted = true
|
||||
}
|
||||
factories_config = {
|
||||
subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
|
||||
}
|
||||
delete_default_routes_on_create = true
|
||||
routes = {
|
||||
default = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
next_hop = "default-internet-gateway"
|
||||
next_hop_type = "gateway"
|
||||
priority = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "landing-firewall" {
|
||||
|
|
|
@ -81,11 +81,15 @@ module "prod-spoke-vpc" {
|
|||
factories_config = {
|
||||
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
}
|
||||
psa_configs = var.psa_ranges.prod
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
create_googleapis_routes = {
|
||||
private = true
|
||||
restricted = true
|
||||
psa_configs = var.psa_ranges.prod
|
||||
delete_default_routes_on_create = true
|
||||
routes = {
|
||||
default = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
next_hop = "default-internet-gateway"
|
||||
next_hop_type = "gateway"
|
||||
priority = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -99,6 +99,11 @@ output "host_project_numbers" {
|
|||
value = local.host_project_numbers
|
||||
}
|
||||
|
||||
output "ping_commands" {
|
||||
description = "Ping commands for test instances to be run to check VPC reachability."
|
||||
value = var.create_test_instances ? join("\n", [for instance, _ in local.test-vms : "ping -c 1 ${module.test-vms[instance].internal_ip} # ${instance}"]) : ""
|
||||
}
|
||||
|
||||
output "shared_vpc_self_links" {
|
||||
description = "Shared VPC host projects."
|
||||
value = local.vpc_self_links
|
||||
|
|
|
@ -18,21 +18,21 @@
|
|||
|
||||
locals {
|
||||
test-vms = {
|
||||
dev = {
|
||||
dev-spoke-primary = {
|
||||
region = var.regions.primary
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
zone = "b"
|
||||
network = module.dev-spoke-vpc.self_link
|
||||
subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default"]
|
||||
}
|
||||
landing = {
|
||||
landing-primary = {
|
||||
region = var.regions.primary
|
||||
project_id = module.landing-project.project_id
|
||||
zone = "b"
|
||||
network = module.landing-vpc.self_link
|
||||
subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default"]
|
||||
}
|
||||
prod = {
|
||||
prod-spoke-primary = {
|
||||
region = var.regions.primary
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
zone = "b"
|
||||
|
@ -72,8 +72,3 @@ module "test-vms" {
|
|||
EOF
|
||||
}
|
||||
}
|
||||
|
||||
output "ping_commands" {
|
||||
description = "Ping commands that can be run to check VPC reachability."
|
||||
value = var.create_test_instances ? join("\n", [for instance, _ in local.test-vms : "ping -c 1 ${module.test-vms[instance].internal_ip} # ${instance}"]) : ""
|
||||
}
|
||||
|
|
|
@ -448,7 +448,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>simple-nva</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | Temporary instances for testing | | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
||||
|
@ -458,23 +458,24 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L126) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L151) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L167) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L132) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L157) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L173) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L72) | DNS configuration. | <code title="object({ enable_logging = optional(bool, true) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [enable_cloud_nat](variables.tf#L82) | Deploy Cloud NAT. | <code>bool</code> | | <code>false</code> | |
|
||||
| [essential_contacts](variables.tf#L89) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L95) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "net-default") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | <code title="object({ gcve = optional(bool, false) })">object({…})</code> | | <code>{}</code> | <code>0-0-bootstrap</code> |
|
||||
| [gcp_ranges](variables.tf#L136) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_landing_landing_primary = "10.64.0.0/17" gcp_landing_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.127.0/17" gcp_dmz_secondary = "10.80.127.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L161) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L178) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L198) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L210) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_primary_config](variables.tf#L224) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L267) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [create_test_instances](variables.tf#L63) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | <code>bool</code> | | <code>false</code> | |
|
||||
| [custom_roles](variables.tf#L69) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L78) | DNS configuration. | <code title="object({ enable_logging = optional(bool, true) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [enable_cloud_nat](variables.tf#L88) | Deploy Cloud NAT. | <code>bool</code> | | <code>false</code> | |
|
||||
| [essential_contacts](variables.tf#L95) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L101) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "net-default") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [fast_features](variables.tf#L122) | Selective control for top-level FAST features. | <code title="object({ gcve = optional(bool, false) })">object({…})</code> | | <code>{}</code> | <code>0-0-bootstrap</code> |
|
||||
| [gcp_ranges](variables.tf#L142) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_landing_landing_primary = "10.64.0.0/17" gcp_landing_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.127.0/17" gcp_dmz_secondary = "10.80.127.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L167) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L184) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L204) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L216) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_primary_config](variables.tf#L230) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L273) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -482,7 +483,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
|---|---|:---:|---|
|
||||
| [host_project_ids](outputs.tf#L88) | Network project ids. | | |
|
||||
| [host_project_numbers](outputs.tf#L93) | Network project numbers. | | |
|
||||
| [shared_vpc_self_links](outputs.tf#L98) | Shared VPC host projects. | | |
|
||||
| [tfvars](outputs.tf#L103) | Terraform variables file for the following stages. | ✓ | |
|
||||
| [vpn_gateway_endpoints](outputs.tf#L109) | External IP Addresses for the GCP VPN gateways. | | |
|
||||
| [ping_commands](outputs.tf#L98) | Ping commands for test instances to be run to check VPC reachability. | | |
|
||||
| [shared_vpc_self_links](outputs.tf#L103) | Shared VPC host projects. | | |
|
||||
| [tfvars](outputs.tf#L108) | Terraform variables file for the following stages. | ✓ | |
|
||||
| [vpn_gateway_endpoints](outputs.tf#L114) | External IP Addresses for the GCP VPN gateways. | | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# skip boilerplate check
|
||||
|
||||
ingress:
|
||||
landing-ingress-default-deny:
|
||||
ingress-default-landing-deny:
|
||||
description: "Deny and log any unmatched ingress traffic."
|
||||
deny: true
|
||||
priority: 65535
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
name: landing-default
|
||||
region: europe-west1
|
||||
ip_cidr_range: 10.64.0.0/24
|
||||
description: Default europe-west1 subnet for landing landing
|
||||
description: Default europe-west1 subnet for landing
|
||||
|
|
|
@ -26,8 +26,8 @@ module "dev-dns-priv-example" {
|
|||
domain = "dev.gcp.example.com."
|
||||
private = {
|
||||
client_networks = [
|
||||
# module.dmz-vpc.self_link
|
||||
module.landing-vpc.self_link,
|
||||
module.dmz-vpc.self_link
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
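Review bot: The `client_networks` list keeps `# module.dmz-vpc.self_link` as a commented-out element instead of stating why the DMZ VPC is no longer a client network of this private zone; the landing-dns-priv-gcp and prod-dns-priv-example hunks below leave the same residue. Which VPCs can resolve a private zone is a visibility boundary, and a reader cannot tell from the list whether the DMZ VPC was dropped deliberately or parked temporarily. Suggest replacing the commented-out reference with an intent comment such as `# DMZ VPC intentionally not a client of this zone — TODO confirm rationale`, or removing the line outright. The enclosing `module "dev-dns-priv-example"` block starts outside the hunk.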
@ -60,7 +60,7 @@ module "landing-dns-priv-gcp" {
|
|||
domain = "gcp.example.com."
|
||||
private = {
|
||||
client_networks = [
|
||||
module.dmz-vpc.self_link,
|
||||
# module.dmz-vpc.self_link,
|
||||
module.landing-vpc.self_link
|
||||
]
|
||||
}
|
||||
|
|
|
@ -25,7 +25,10 @@ module "prod-dns-priv-example" {
|
|||
zone_config = {
|
||||
domain = "prod.gcp.example.com."
|
||||
private = {
|
||||
client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link]
|
||||
client_networks = [
|
||||
# module.dmz-vpc.self_link
|
||||
module.landing-vpc.self_link,
|
||||
]
|
||||
}
|
||||
}
|
||||
recordsets = {
|
||||
|
|
|
@ -93,28 +93,28 @@ module "dev-spoke-vpc" {
|
|||
nva-primary-to-primary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1000
|
||||
tags = ["primary"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-secondary-to-secondary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1000
|
||||
tags = ["secondary"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-primary-to-secondary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1001
|
||||
tags = ["primary"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-secondary-to-primary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1001
|
||||
tags = ["secondary"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
|
|
|
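Review bot: The two priority-1001 fallback routes in this hunk point at the same region's ILB as the priority-1000 routes they are meant to back up: `nva-primary-to-secondary` uses `module.ilb-nva-landing["primary"]` and `nva-secondary-to-primary` uses `["secondary"]`, so neither can ever provide a cross-region path. The prod-spoke-vpc hunk below wires the same four routes the other way round (`primary-to-secondary` → `["secondary"]`, `secondary-to-primary` → `["primary"]`), which matches the route names, so the two stages disagree and the dev version looks like the wrong one; the fix is swapping the two next_hop lines, `next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]` under `nva-primary-to-secondary` and `next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]` under `nva-secondary-to-primary`. Separately, these routes are tag-scoped and the tag is now `local.region_shortnames[...]`, so any instance still carrying the literal `primary`/`secondary` tag silently loses its NVA default route; the test VMs in test-resources.tf are updated in this commit, but any other tagged instances are not visible here. The enclosing `module "dev-spoke-vpc"` block starts and ends outside the hunk.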
@ -57,6 +57,15 @@ module "dmz-vpc" {
|
|||
factories_config = {
|
||||
subnets_folder = "${var.factories_config.data_dir}/subnets/dmz"
|
||||
}
|
||||
delete_default_routes_on_create = true
|
||||
routes = {
|
||||
default = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
next_hop = "default-internet-gateway"
|
||||
next_hop_type = "gateway"
|
||||
priority = 1000
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "dmz-firewall" {
|
||||
|
|
|
@ -91,28 +91,28 @@ module "prod-spoke-vpc" {
|
|||
nva-primary-to-primary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1000
|
||||
tags = ["primary"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-secondary-to-secondary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1000
|
||||
tags = ["secondary"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-primary-to-secondary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1001
|
||||
tags = ["primary"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
nva-secondary-to-primary = {
|
||||
dest_range = "0.0.0.0/0"
|
||||
priority = 1001
|
||||
tags = ["secondary"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]
|
||||
}
|
||||
|
|
|
@ -95,6 +95,11 @@ output "host_project_numbers" {
|
|||
value = local.host_project_numbers
|
||||
}
|
||||
|
||||
output "ping_commands" {
|
||||
description = "Ping commands for test instances to be run to check VPC reachability."
|
||||
value = var.create_test_instances ? join("\n", [for instance, _ in local.test-vms : "ping -c 1 ${module.test-vms[instance].internal_ip} # ${instance}"]) : ""
|
||||
}
|
||||
|
||||
output "shared_vpc_self_links" {
|
||||
description = "Shared VPC host projects."
|
||||
value = local.vpc_self_links
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -14,242 +14,107 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description temporary instances for testing
|
||||
# tfdoc:file:description Temporary instances for testing
|
||||
|
||||
# # dmz (Landing)
|
||||
locals {
|
||||
test-vms = {
|
||||
dev-spoke-primary = {
|
||||
network = module.dev-spoke-vpc.self_link
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
region = var.regions.primary
|
||||
subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
zone = "b"
|
||||
}
|
||||
dev-spoke-secondary = {
|
||||
network = module.dev-spoke-vpc.self_link
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
region = var.regions.secondary
|
||||
subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.secondary}/dev-default"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
zone = "b"
|
||||
}
|
||||
dmz-primary = {
|
||||
network = module.dmz-vpc.self_link
|
||||
project_id = module.landing-project.project_id
|
||||
region = var.regions.primary
|
||||
subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
zone = "b"
|
||||
}
|
||||
dmz-secondary = {
|
||||
network = module.dmz-vpc.self_link
|
||||
project_id = module.landing-project.project_id
|
||||
region = var.regions.secondary
|
||||
subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.secondary}/dmz-default"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
zone = "b"
|
||||
}
|
||||
landing-primary = {
|
||||
network = module.landing-vpc.self_link
|
||||
project_id = module.landing-project.project_id
|
||||
region = var.regions.primary
|
||||
subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
zone = "b"
|
||||
}
|
||||
landing-secondary = {
|
||||
network = module.landing-vpc.self_link
|
||||
project_id = module.landing-project.project_id
|
||||
region = var.regions.secondary
|
||||
subnetwork = module.landing-vpc.subnet_self_links["${var.regions.secondary}/landing-default"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
zone = "b"
|
||||
}
|
||||
prod-spoke-primary = {
|
||||
network = module.prod-spoke-vpc.self_link
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
region = var.regions.primary
|
||||
subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.primary}/prod-default"]
|
||||
tags = [local.region_shortnames[var.regions.primary]]
|
||||
zone = "b"
|
||||
}
|
||||
prod-spoke-secondary = {
|
||||
network = module.prod-spoke-vpc.self_link
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
region = var.regions.secondary
|
||||
subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.secondary}/prod-default"]
|
||||
tags = [local.region_shortnames[var.regions.secondary]]
|
||||
zone = "b"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# module "test-vm-dmz-primary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-lnd-unt-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dmz-vpc.self_link
|
||||
# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default"]
|
||||
# }]
|
||||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# module "test-vm-dmz-secondary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-lnd-unt-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dmz-vpc.self_link
|
||||
# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.secondary}/dmz-default"]
|
||||
# }]
|
||||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# # landing (hub)
|
||||
|
||||
# module "test-vm-landing-primary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-lnd-tru-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-vpc.self_link
|
||||
# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default"]
|
||||
# }]
|
||||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# module "test-vm-landing-secondary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-lnd-tru-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-vpc.self_link
|
||||
# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.secondary}/landing-default"]
|
||||
# }]
|
||||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# # Dev spoke
|
||||
|
||||
# module "test-vm-dev-primary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.dev-spoke-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-dev-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dev-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default"]
|
||||
# }]
|
||||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# module "test-vm-dev-secondary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.dev-spoke-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-dev-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dev-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.secondary}/dev-default"]
|
||||
# }]
|
||||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# # Prod spoke
|
||||
|
||||
# module "test-vm-prod-primary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.prod-spoke-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-prod-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.prod-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.primary}/prod-default"]
|
||||
# }]
|
||||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# type = "pd-balanced"
|
||||
# size = 10
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
|
||||
# module "test-vm-prod-secondary-0" {
|
||||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.prod-spoke-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-prod-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.prod-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.secondary}/prod-default"]
|
||||
# }]
|
||||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
# termination_action = "STOP"
|
||||
# }
|
||||
# metadata = {
|
||||
# startup-script = <<EOF
|
||||
# apt update
|
||||
# apt install iputils-ping bind9-dnsutils
|
||||
# EOF
|
||||
# }
|
||||
# }
|
||||
module "test-vms" {
|
||||
for_each = var.create_test_instances ? local.test-vms : {}
|
||||
# for_each = {}
|
||||
source = "../../../modules/compute-vm"
|
||||
project_id = each.value.project_id
|
||||
zone = "${each.value.region}-${each.value.zone}"
|
||||
name = "test-vm-${each.key}"
|
||||
network_interfaces = [{
|
||||
network = each.value.network
|
||||
# change the subnet name to match the values you are actually using
|
||||
subnetwork = each.value.subnetwork
|
||||
}]
|
||||
instance_type = "e2-micro"
|
||||
tags = concat(
|
||||
["ssh"],
|
||||
each.value.tags == null ? [] : each.value.tags
|
||||
)
|
||||
boot_disk = {
|
||||
initialize_params = {
|
||||
image = "projects/debian-cloud/global/images/family/debian-11"
|
||||
}
|
||||
}
|
||||
options = {
|
||||
spot = true
|
||||
termination_action = "STOP"
|
||||
}
|
||||
metadata = {
|
||||
startup-script = <<EOF
|
||||
apt update
|
||||
apt install -y iputils-ping bind9-dnsutils
|
||||
EOF
|
||||
}
|
||||
}
|
||||
|
|
|
@ -60,6 +60,12 @@ variable "billing_account" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "create_test_instances" {
|
||||
description = "Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "custom_roles" {
|
||||
# tfdoc:variable:source 0-bootstrap
|
||||
description = "Custom roles defined at the org level, in key => id format."
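Review bot: The description of `create_test_instances` says what the flag enables but not what gets created, and a reader of this variables file has no hint that the `test-vms` module elsewhere in this commit provisions spot instances in every VPC, carries a fixed `ssh` network tag (presumably matched by an SSH ingress rule), and runs an `apt update` / `apt install -y` startup script at first boot. Since this is the only switch an operator sees before applying, the description should state that footprint so the flag is recognisably a troubleshooting aid rather than a baseline setting; `default = false` is the right default and should stay. Suggested wording: `description = "Enables the creation of spot test VMs (tagged 'ssh', running an apt-based startup script) in each VPC, useful to test and troubleshoot connectivity. Disable once troubleshooting is complete."`.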
|
||||
|
|
|
@ -14,4 +14,4 @@
|
|||
|
||||
counts:
|
||||
modules: 29
|
||||
resources: 151
|
||||
resources: 154
|
||||
|
|
|
@ -14,4 +14,4 @@
|
|||
|
||||
counts:
|
||||
modules: 31
|
||||
resources: 188
|
||||
resources: 191
|
||||
|
|
|
@ -26,7 +26,7 @@ counts:
|
|||
google_compute_network_peering: 4
|
||||
google_compute_region_backend_service: 4
|
||||
google_compute_region_instance_group_manager: 4
|
||||
google_compute_route: 14
|
||||
google_compute_route: 15
|
||||
google_compute_router: 4
|
||||
google_compute_router_interface: 4
|
||||
google_compute_router_nat: 2
|
||||
|
@ -53,4 +53,4 @@ counts:
|
|||
google_vpc_access_connector: 2
|
||||
modules: 43
|
||||
random_id: 2
|
||||
resources: 201
|
||||
resources: 202
|
||||
|
|